diff --git a/.envrc b/.envrc
index 051d09d..90160da 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,5 @@
-eval "$(lorri direnv)"
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
+ source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
+fi
+
+use flake .#develop
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index 9587742..fd34c43 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 5e0fed2..8c927b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,10 @@
 *.qcow2
 .*.log
 .env
+**/result
+.direnv/
+
+# nixago: ignore-linked-files
+/treefmt.toml
+
+/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index efb4d91..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-stages:
- - build
-
-build:
- stage: build
- tags:
- - nix
- script:
- # Test the nix-shell
- - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9ad6d2c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,129 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+
+# use `ssh-keyscan | ssh-to-age` to get the age key for a remote machine
+# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
+keys:
+ - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ - &steveej-age age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g
+ - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+ - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
+ - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+ - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
+
+ - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
+ - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+ - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
+ - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
+
+creation_rules:
+ - path_regex: ^(.+/|)secrets/[^/]+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *steveej-x13s
+ - *elias-e525
+
+ - *router0-dmz0
+
+ - *sj-srv1
+ - *hstk0
+ - *router0-ifog
+ - *router0-hosthatch
+ - path_regex: ^secrets/steveej-t14/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *steveej-t14
+ - path_regex: ^secrets/desktop/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *steveej-t14
+ - *steveej-x13s
+ - path_regex: ^secrets/servers/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *sj-srv1
+ - path_regex: ^nix/os/containers/.+_secrets.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *sj-srv1
+ - path_regex: ^secrets/holochain-infra/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - path_regex: ^secrets/router0-dmz0/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *router0-dmz0
+ - path_regex: ^secrets/router0-ifog/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *router0-ifog
+ - path_regex: ^secrets/router0-hosthatch/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *router0-hosthatch
+ - path_regex: ^secrets/sj-vps-htz0/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *sj-vps-htz0
+ - path_regex: ^secrets/sj-srv1/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *sj-srv1
+ - path_regex: ^secrets/hstk0/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *hstk0
+ - path_regex: ^secrets/steveej-x13s/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *steveej-x13s
+ - path_regex: ^secrets/work-holo/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *steveej-age
+ - *steveej-x13s
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..660429d
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,20 @@
+{
+ "editor.defaultFormatter": "ibecker.treefmt-vscode",
+ "editor.formatOnSave": true,
+ "nix.enableLanguageServer": true,
+ "nix.serverPath": "nil",
+ "nix.serverSettings": {
+ // settings for 'nil' LSP
+ "nil": {
+ "autoArchive": true,
+ "diagnostics": {
+ "ignored": ["unused_binding", "unused_with"]
+ },
+ "formatting": {
+ "command": ["treefmt", "--stdin", ".nil.nix"]
+ }
+ }
+ },
+ "treefmt.command": "treefmt",
+ "treefmt.config": ""
+}
diff --git a/Justfile b/Justfile
index 2cce8b8..c7fa7b3 100755
--- a/Justfile
+++ b/Justfile
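Review bot: `&sj-vps-htz0` and `&sj-srv1` are bound to the identical age recipient `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`, so the `^secrets/sj-vps-htz0/.+$` rule, which reads as if it scopes those secrets to one VPS, actually lets whichever host holds that key decrypt them, and the catch-all `^(.+/|)secrets/[^/]+$` rule already reaches the same key via `*sj-srv1`. If the two machines genuinely share one SSH host key, record that in a comment next to the anchors; otherwise re-derive the key for sj-vps-htz0 with `ssh-keyscan <host> | ssh-to-age` and re-encrypt the affected files with `sops updatekeys`. The `ssh-keyscan` recipe in the header comment is trust-on-first-use, so the fingerprint should be confirmed out of band before the derived age key is added as a recipient. The `for file in $(grep -lr "sops:") secrets; do ...` snippet in the same comment has `secrets` outside the `$( )`, so grep scans the whole tree and the literal word `secrets` is also passed to `sops updatekeys`; it should read `for file in $(grep -lr "sops:" secrets); do sops updatekeys -y "$file"; done`.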
@@ -1,317 +1,321 @@ -_DEFAULT_VERSION_TMPL: - echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" - -_DEFAULT_VERSION: - echo "{{invocation_directory()}}/nix/variables/versions.nix" +# _DEFAULT_VERSION_TMPL: +# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - #!/usr/bin/env bash - template="$(just _DEFAULT_VERSION_TMPL)" - outfile="$(just _DEFAULT_VERSION)" - esh -o ${outfile} ${template} + nix flake update _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) + echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi -_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates - #!/usr/bin/env bash - set -ex - just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} - -rebuild-remote-device device target rebuildarg="dry-activate" : - #!/usr/bin/env bash - set -ex - just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" +rebuild-remote-device device +rebuildargs="dry-activate": + #!/usr/bin/env bash + set -ex + nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} # Rebuild this device's NixOS -rebuild-this-device rebuildarg="dry-activate": - #!/usr/bin/env bash - set -e - - function parse_hm_rebuildarg() { - case $1 in - switch) - echo switch - ;; - *) - echo build - ;; - esac - } - - export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log - export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log - - echo Rebuilding system in {{rebuildarg}}-mode... - if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then - echo System rebuild successful - else - cat ${SYSREBUILD_LOG} - echo ERROR: system rebuild failed - exit 1 - fi - - if type home-manager > /dev/null 2>&1; then - echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode... 
- source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix) - if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then - echo Home rebuild successful - else - cat ${HOMEREBUILD_LOG} - echo ERROR: home rebuild failed - exit 1 - fi - fi +rebuild-this-device +rebuildargs="dry-activate": + nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} # Re-render the versions of a remote device and rebuild its environment -update-remote-device device target rebuildmode='switch': - #!/usr/bin/env bash - set -e +update-remote-device devicename +rebuildargs='build': + #!/usr/bin/env bash + set -e - template=nix/os/devices/{{device}}/versions.tmpl.nix - outfile=nix/os/devices/{{device}}/versions.nix - - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + ( + set -xe + cd nix/os/devices/{{ devicename }} + nix flake update + ) - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} - just -v rebuild-remote-device {{device}} {{target}} dry-activate || { - echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile} - exit 1 - } - - just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || { - echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile} - exit 1 - } - - git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions" + git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" # Re-render the versions of the current device and rebuild its environment -update-this-device rebuild-mode='switch': - #!/usr/bin/env bash - set -e +update-this-device rebuild-mode='switch' +moreargs='': + #!/usr/bin/env bash + set -e - template=nix/os/devices/$(hostname -s)/versions.tmpl.nix - outfile=nix/os/devices/$(hostname 
-s)/versions.nix + ( + set -xe + cd nix/os/devices/$(hostname -s) + nix flake update + ) - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi - - export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log - just -v rebuild-this-device dry-activate || { - echo ERROR: Update failed, reverting ${outfile}... - exit 1 - } - - just -v rebuild-this-device {{rebuild-mode}} || { - echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed - exit 1 - } - - git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions" + git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{device}} - trap "set +e; just -v disk-umount {{device}}" EXIT - just -v disk-install {{device}} + just -v disk-mount {{ device }} + trap "set +e; just -v disk-umount {{ device }}" EXIT + just -v disk-install {{ device }} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{dir}} + dir={{ dir }} - template={{dir}}/versions.tmpl.nix - outfile={{dir}}/versions.nix + template={{ dir }}/versions.tmpl.nix + outfile={{ dir }}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! 
test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log - just -v rebuild-disk {{dir}} || { - echo ERROR: Update of {{dir}} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log + just -v rebuild-disk {{ dir }} || { + echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy" + just -v _device diskPrepare {{ dir }} disk-relabel dir previous: - just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}} + just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 
'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{dir}} --argstr rebuildarg "dummy" + just -v _device diskMount {{ dir }} # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy" + just -v _device diskUmount {{ dir }} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" + just -v _device diskInstall {{ dir }} verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ + \ + just _verify-n-unlock {{ sshserver }} {{ attempts }} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" +_verify-n-unlock sshserver attempts: + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} 
--password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function send_and_expect() { - local send="${1:?need something to send}" - local expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - for i in `seq 1 {{attempts}}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + for i in `seq 1 {{ attempts }}`; do + echo Attempt $i... 
+ expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{attempts}} times. Giving up... - exit 1 + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done + + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{ attempts }} times. Giving up... + exit 1 _get_pass_entry path key: - pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }' - # jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:") + pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - {{cmds}} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + {{ cmds }} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card: - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. 
- # - set -xe - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') +switch-gpg-card key-id="6EEFA706CB17E89B": + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. + # + set -xe + if [[ -n "{{ key-id }}" ]]; then + KEY_ID="{{ key-id }}" + else + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') + fi - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status + +# Connect to `remote` UUID, and turn it into a short name +uuid-to-device-name remote: + #!/usr/bin/env bash + set -e -o pipefail + ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + +test-connection: + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! 
nix-shell -i zsh + #! nix-shell --pure + + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? -ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} + + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi + + sleep 5 + done + +cachix-use name: + nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ + +update-sops-keys: + for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done + +deploy-router0-dmz0: + NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 + +ttyusb: + screen -fa /dev/ttyUSB0 115200 diff --git a/README.md b/README.md index 486235b..5d32951 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # steveej's infra + This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). 
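Review bot: `deploy-router0-dmz0` sets `NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no"` while it pushes and activates a system closure as `root@192.168.20.1`, which switches off SSH host authentication entirely, so anything that answers on that address can impersonate the router and take over the root session. Pin the router's host key instead and keep verification on, e.g. `NIX_SSHOPTS="-o UserKnownHostsFile=./known_hosts/router0-dmz0 -o StrictHostKeyChecking=yes"` with the public host key committed alongside the device config, and update that entry on a reinstall rather than disabling the check. Separately, `update-sops-keys` has the `secrets` path outside the command substitution, `for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done`, so `egrep -r` scans the entire checkout (including `.sops.yaml` and this Justfile) and the literal word `secrets` is also handed to `sops updatekeys -y`; it should be `for file in $(egrep -lr '"?sops"?:' secrets); do sops updatekeys -y "$file"; done`. In `_verify-n-unlock`, `eval ${GETPW}` executes whatever string the caller exports as `GETPW`; the public wrapper pins it to a `just _get_pass_entry` invocation, but a one-line comment saying the hidden recipe must only be entered through `verify-n-unlock` would make that contract explicit.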
@@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
@@ -29,19 +30,56 @@ In the unlikely case that you actually read this and have any questions please d - [x] annotate recipes with some documentation - [x] declare shell.nix with runtime deps - [x] partition/encrypt/format disks -- [ ] Document bootstrap process +- [x] Maybe make this a nix-overlay +- [x] refactor as a nix flake and adopt an existing framework + - [x] devShell version + - [x] ~~version templating~~ obsolete due to the usage of flakes + - [x] elias-e525 + - [x] steveej-t14 + - [x] contabo vps + - [x] sj-pve0 +- [x] use an existing secret management framework +- [x] adapt (or abandon?) _just_ recipes + + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` + + evaluate, and understand a path to using these tools in a pull-based fashion: + + - [x] [colmena](https://github.com/zhaofengli/colmena) + - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + - [ ] deploy-rs + +- [x] 🚧 find a better alternative for the qtile-desktop + current issues: + + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + + evaluate: + + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ + +- [ ] (Re-)document bootstrap process + - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle *\_archived* -- [x] Maybe make this a nix-overlay +- [ ] Recycle _\_archived_ +- [ ] container migrations + - [ ] ensure DDNS is updated _before_ the containers are started ## Bugs + - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage -*(These are reminders for my future self)* + +_(These are reminders for my future self)_ ``` just --list 
@@ -50,9 +88,37 @@ just --list ## Bootstrap ### A new machine -* ensure the dotfiles repo has a branch with the new machine's hostname -* boot with an install media and go through setup +- ensure the dotfiles repo has a branch with the new machine's hostname + +- boot with an install media and go through setup #### Post-Install Setup -* `gpg2 --edit-card; fetch` + +- `chmod --recursive g-rwx,o-rwx ~/.gnupg` +- `gpg2 --edit-card; fetch` +- clone password-manager and infra repositories +- gpg2: ultimately trust my own key + +## Swapping out a disk + +1. offline-bitwise copy of drive +2. disconnect remove the previous drive +3. replace the driveId in the device's hw.nix +4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group + +## Rebuilding an offline system + +``` +( +sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot +sleep 5 + +sudo mkdir -p /mnt/root +sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos +sudo mount /dev/sdb2 /mnt/root/boot +sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home + +sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password +) +``` diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix deleted file mode 100644 index 59b6b3d..0000000 --- a/_archive/environments/dev/cross.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -import /home/steveej/src/github/NixOS/nixpkgs/default.nix { - crossSystem = rec { - config = "armv7l-unknown-linux-gnueabi"; - bigEndian = false; - arch = "arm"; - float = "hard"; - fpu = "vfpv3-d16"; - withTLS = true; - libc = "glibc"; - platform = { - name = "armv7l-hf-multiplatform"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. - kernelHeadersBaseConfig = "multi_v7_defconfig"; - kernelBaseConfig = "multi_v7_defconfig"; - kernelArch = "arm"; - kernelDTB = true; - kernelAutoModules = false; - kernelExtraConfig = '' - NAMESPACES y - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - OVERLAY_FS y - FUSE_FS y - ''; - kernelTarget = "zImage"; - uboot = null; - }; - openssl.system = "linux-generic32"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - }; -} -# pkgs.config = { -# packageOverrides = super: let self = super.pkgs; in { -# linux_4_0 = super.linux_3_18.override { -# kernelPatches = super.linux_3_18.kernelPatches ++ [ -# # we'll also add one of our own patches -# { patch = ./dts.patch; name = "dts-fix"; } -# ]; -# -# # add "CONFIG_PPP_FILTER y" option to the set of kernel options -# extraConfig = '' -# HAVE_IMX_ANATOP y -# HAVE_IMX_GPC y -# HAVE_IMX_MMDC y -# HAVE_IMX_SRC y -# SOC_IMX6 y -# SOC_IMX6Q y -# SOC_IMX6SL y -# PCI_IMX6 y -# ARM_IMX6Q_CPUFREQ y -# IMX_WEIM y -# AHCI_IMX y -# SERIAL_IMX y -# SERIAL_IMX_CONSOLE y -# I2C_IMX y -# SPI_IMX y -# PINCTRL_IMX y -# PINCTRL_IMX6Q y -# PINCTRL_IMX6SL y -# POWER_RESET_IMX y -# IMX_THERMAL y -# IMX2_WDT y -# IMX_IPUV3_CORE y -# DRM_IMX y -# DRM_IMX_FB_HELPER y -# DRM_IMX_PARALLEL_DISPLAY y -# DRM_IMX_TVE y -# DRM_IMX_LDB y -# DRM_IMX_IPUV3 y -# DRM_IMX_HDMI y -# MMC_SDHCI_ESDHC_IMX y -# IMX_SDMA y -# PWM_IMX y -# DEBUG_IMX6Q_UART y -# -# PPP_FILTER y -# ''; -# }; -# }; -# }; 
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix deleted file mode 100644 index e67468d..0000000 --- a/_archive/environments/dev/go/default.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {} -, pkgs ? gitpkgs -, name ? "generic" -, version -, extraBuildInputs ? [] -, extraShellHook ? "" -}: -let - go = builtins.getAttr "go_${version}" pkgs; - commonVimRC = '' - let g:tagbar_type_go = { - \ 'ctagstype' : 'go', - \ 'kinds' : [ - \ 'p:package', - \ 'i:imports:1', - \ 'c:constants', - \ 'v:variables', - \ 't:types', - \ 'n:interfaces', - \ 'w:fields', - \ 'e:embedded', - \ 'm:methods', - \ 'r:constructor', - \ 'f:functions' - \ ], - \ 'sro' : '.', - \ 'kind2scope' : { - \ 't' : 'ctype', - \ 'n' : 'ntype' - \ }, - \ 'scope2kind' : { - \ 'ctype' : 't', - \ 'ntype' : 'n' - \ }, - \ 'ctagsbin' : 'gotags', - \ 'ctagsargs' : '-sort -silent' - \ } - - " vim-go { - let g:go_highlight_functions = 1 - let g:go_highlight_methods = 1 - let g:go_highlight_structs = 1 - let g:go_highlight_interfaces = 1 - let g:go_highlight_operators = 1 - let g:go_highlight_build_constraints = 1 - let g:go_fmt_command = 'gofmt' - let g:go_fmt_options= '-s' - let g:go_def_mode = 'godef' - let g:go_def_reuse_buffer = 0 - - au FileType go nmap gds (go-def-split) - au FileType go nmap gdv (go-def-vertical) - au FileType go nmap gdt (go-def-tab) - au FileType go nmap gi (go-imports) - " } - ''; - buildInputs = with pkgs; [ - glibc.out - glibc.static - - go - gotools - #gotools.bin - #gocode.bin - #godef godef.bin - godep - #godep.bin - gox.bin - #ginkgo ginkgo.bin - #gomega -# ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) -# ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) - ]; - -in pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = extraBuildInputs ++ buildInputs; - shellHook = '' - goname=${go.version}_$name - # FIXME: setPS1 $goname - export GOROOT=${go}/share/go - export GOPATH="$HOME/.gopath_$goname" - export PATH="$HOME/.gopath_$goname/bin:$PATH" - unset name - unset SSL_CERT_FILE - - ${extraShellHook} - ''; -} 
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix deleted file mode 100644 index c160104..0000000 --- a/_archive/environments/dev/go/neovim-go.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ commonRC, ... } @ args : - -(import ../../pkg-configuration/vim-derivates/neovim.nix args // { - additionalRC = commonRC + '' - " deoplete { - let g:deoplete#enable_at_startup = 1 - let g:deoplete#enable_smart_case = 1 - " } - ''; - additionalPlugins = [ - "deoplete-go" - "deoplete-nvim" - "vim-go" - ]; -}) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix deleted file mode 100644 index 93a3fb1..0000000 --- a/_archive/environments/dev/pandoc.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {} -, pkgs ? gitpkgs -, name ? "generic" -, version ? "Stable" -, extraBuildInputs ? [] -}: -let - commonVimRC = '' - ''; -in pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = with pkgs; [ - ( import ./vim-pandoc.nix { pkgs=gitpkgs; commonRC=commonVimRC; }) - pandoc - texlive.combined.scheme-medium - python27Packages.pandocfilters - python27Packages.htmltreediff - python27Packages.html5lib - python27Packages.dbus-python - ] ++ extraBuildInputs; - shellHook = '' - pandocname=pandoc_${pkgs.pandoc.version} - setPS1 $pandocname - unset name - ''; -} diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix deleted file mode 100644 index 072018c..0000000 --- a/_archive/environments/dev/rkt.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ -pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, -mkGoEnv ? import ./go.nix, -rktPath, -}: -let - rktBasebuildInputs = with pkgs; [ - glibc.out - glibc.static - autoreconfHook - gnupg1 - squashfsTools - cpio - tree - intltool - libtool - pkgconfig - libgcrypt - gperf - libcap - libseccomp - libzip - eject - iptables - bc - acl - trousers - systemd - ]; - extraShellHook = '' - TARGET=$GOPATH/src/github.com/coreos/rkt - if [[ -e ${rktPath}/rkt/rkt.go ]]; then - pushd ${rktPath} - else - echo rktPath must be run the rkt repository clone, but got '${rktPath}' - exit 1 - fi - if ! [[ -e $TARGET/rkt/rkt.go ]]; then - mkdir -p $TARGET - echo $PWD - sudo -E mount -o bind $PWD $TARGET - fi - pushd $TARGET - ''; -in { - go15 = mkGoEnv { - inherit pkgs; - - name = "rktGo15"; - version = "1_5"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; - - go16 = mkGoEnv { - inherit pkgs; - - name = "rktGo16"; - version = "1_6"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; - - go17 = mkGoEnv { - inherit pkgs; - - name = "rktGo17"; - version = "1_7"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; -} diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc deleted file mode 100644 index 051d09d..0000000 --- a/_archive/environments/dev/rust/.envrc +++ /dev/null @@ -1 +0,0 @@ -eval "$(lorri direnv)" diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix deleted file mode 100644 index acb6104..0000000 --- a/_archive/environments/dev/rust/default.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {} -, pkgs ? gitpkgs -, name ? "generic" -, version ? "Stable" -, extraBuildInputs ? [] -}: -let - rustPackages = builtins.getAttr "rust${version}" pkgs; - rustc = rustPackages.rustc; - rustShellHook = { rustc, name }: '' - rustname=rust_${rustc.version}_${name} - setPS1 $rustname - unset name - ''; - commonVimRC = '' - ''; -in pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = with rustPackages;[ - ( import ./vim-rust.nix { pkgs=gitpkgs; commonRC=commonVimRC; - inherit rustc; - racerd=pkgs.rustracerd; - }) - rustc cargo - ] ++ [ - pkgs.rustfmt - ] ++ extraBuildInputs; - shellHook = (rustShellHook){ - inherit name; - inherit rustc; - }; -} diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix deleted file mode 100644 index 977d555..0000000 --- a/_archive/environments/dev/vim-go.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ commonRC, ... } @ args : - -import ../../pkg-configuration/vim-derivates/vim.nix (args // { - name = "vim-for-go"; - additionalRC = commonRC + '' - " Disable AutoComplPop. - let g:acp_enableAtStartup = 0 - " Use neocomplete. - let g:neocomplete#enable_at_startup = 1 - " Use smartcase. - let g:neocomplete#enable_smart_case = 1 - if !exists('g:neocomplete#sources#omni#input_patterns') - let g:neocomplete#sources#omni#input_patterns = {} - endif - ''; - additionalPlugins = [ - "neocomplete" - "vim-go" - ]; -}) diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix deleted file mode 100644 index 7e17759..0000000 --- a/_archive/environments/dev/vim-pandoc.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ commonRC -, -... } @ args : - -import ../../pkg-configuration/vim-derivates/vim.nix (args // { - name = "vim-for-pandoc"; - additionalRC = commonRC + '' - set statusline+=%#warningmsg# - set statusline+=%{SyntasticStatuslineFlag()} - set statusline+=%* - - let g:syntastic_always_populate_loc_list = 1 - let g:syntastic_auto_loc_list = 1 - let g:syntastic_check_on_open = 1 - let g:syntastic_check_on_wq = 0 - ''; - additionalPlugins = [ - "vim-pandoc" - "vim-pandoc-syntax" - "vimpreviewpandoc" - ]; -}) diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix deleted file mode 100644 index 4b4ade9..0000000 --- a/_archive/environments/dev/vim-rust.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ commonRC -, rustc -, racerd, -... } @ args : - -import ../../pkg-configuration/vim-derivates/vim.nix (args // { - name = "vim-for-rust"; - additionalRC = commonRC + '' - set statusline+=%#warningmsg# - set statusline+=%{SyntasticStatuslineFlag()} - set statusline+=%* - - let g:syntastic_always_populate_loc_list = 1 - let g:syntastic_auto_loc_list = 1 - let g:syntastic_check_on_open = 1 - let g:syntastic_check_on_wq = 0 - - " tagbar - let g:tagbar_type_rust = { - \ 'ctagstype' : 'rust', - \ 'kinds' : [ - \'T:types,type definitions', - \'f:functions,function definitions', - \'g:enum,enumeration names', - \'s:structure names', - \'m:modules,module names', - \'c:consts,static constants', - \'t:traits,traits', - \'i:impls,trait implementations', - \] - \} - - let g:syntastic_rust_checkers = ["rustc"] - - "rustfmt - let g:rustfmt_autosave = 1 - - let g:ycm_auto_trigger = 1 - let g:ycm_rust_src_path = '${rustc.src}/src' - let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd' - - ''; - additionalPlugins = [ - "rust-vim" - ]; -}) diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix deleted file mode 100644 index 616618b..0000000 --- a/_archive/environments/fhs/android.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ pkgs ? import {} }: - -(pkgs.buildFHSUserEnv { - name = "devfhs"; - multiPkgs = pkgs: (with pkgs; [ - android-udev-rules - sudo - gawk - bzip2 - file - gcc - getopt - git - gnumake - ncurses - openssl - patch - perl - pkgconfig - python - openssh - subversion - unzip - wget - which - vim - zlib - libusb - libusb1 - systemd - strace - swt - xorg.libXtst - glib - gtk2 - gnome.gtk - ]); - profile = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib - ''; - runScript = "bash"; -}).env diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix deleted file mode 100644 index e6d3b4b..0000000 --- a/_archive/environments/fhs/vscode.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ pkgs ? import {} }: - -(pkgs.buildFHSUserEnv { - name = "everydayFHS"; - targetPkgs = pkgs: (with pkgs; - [ which - gitFull - zsh - file - direnv - - xdg_utils - xsel - - vscode - - # vscode live share - gnome3.gcr - libgnome_keyring3 - liburcu - libunwind - lttng-ust - curl - openssl - libkrb5 - libuuid - icu - zlib - libsecret - ]); - multiPkgs = pkgs: (with pkgs; - [ - ]); - profile = '' - export SHELL=/bin/zsh - ''; - # FIXME runScript = "$SHELL"; -}).env diff --git a/_archive/nixos-configuration/common/pkg/neovim.nix b/_archive/nixos-configuration/common/pkg/neovim.nix deleted file mode 100644 index 2226a39..0000000 --- a/_archive/nixos-configuration/common/pkg/neovim.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config -, pkgs -, ... } @ args: - -{ - environment.systemPackages = [ - pkgs.xsel - (import ../../../pkg-configuration/vim-derivates/neovim.nix args) - ]; -} diff --git a/_archive/nixos-configuration/common/pkg/vim.nix b/_archive/nixos-configuration/common/pkg/vim.nix deleted file mode 100644 index d3cd726..0000000 --- a/_archive/nixos-configuration/common/pkg/vim.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ pkgs -, ... } @ args: - -{ - environment.systemPackages = [ - pkgs.xsel - (import ../../../pkg-configuration/vim-derivates/vim.nix (args // { name = "vim"; })) - ]; -} diff --git a/_archive/nixos-configuration/common/user/steveej.nix b/_archive/nixos-configuration/common/user/steveej.nix deleted file mode 100644 index dbea0b7..0000000 --- a/_archive/nixos-configuration/common/user/steveej.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config -, pkgs -, ... }: - -let - passwords = import ../passwords.crypt.nix; - keys = import ../keys.nix; - inherit (import ../lib) mkUser; -in { - users.mutableUsers = false; - users.defaultUserShell = pkgs.zsh; - - users.extraUsers.steveej = mkUser { - uid = 1000; - hashedPassword = passwords.users.steveej; - }; - - security.pam.enableU2F = true; - security.pam.services.steveej.u2fAuth = true; -} diff --git a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt deleted file mode 100644 index a836e9b..0000000 --- a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt +++ /dev/null 
@@ -1,98 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - d0:17:d1:86:81:d4:f1:28 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com - Validity - Not Before: Nov 2 15:37:13 2018 GMT - Not After : Jan 17 15:37:13 2038 GMT - Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:ba:03:39:e3:af:3e:c7:89:bd:d0:07:66:83:18: - 9c:c0:da:56:e8:bb:37:fe:03:67:94:9a:1c:9d:47: - da:6a:a7:6e:56:6d:0a:73:05:79:0e:44:61:71:78: - 33:33:79:b1:ce:a6:9d:87:d0:01:81:10:d5:e3:21: - 0f:d0:e9:ef:86:dc:13:34:62:42:47:81:f6:ce:d8: - 78:de:00:0c:a6:5d:25:d8:cc:72:6a:c4:7c:e1:5b: - 84:2b:e2:3c:b6:51:7e:8e:e6:e1:55:7d:b4:c8:e7: - 98:76:eb:20:15:48:6f:2e:91:ca:b7:17:d4:d9:76: - 5b:40:1c:7e:4c:0b:6f:2c:63:fa:78:c5:8b:b5:36: - b6:01:d9:da:58:a9:06:76:32:18:ca:b2:7c:2d:aa: - 4f:4e:f5:67:30:4c:a6:a3:e3:ef:7c:1d:d3:67:de: - da:a5:b9:57:0d:74:01:c3:24:a9:03:61:98:91:c2: - 1f:1d:a4:36:d2:a6:f4:95:6f:01:6a:99:41:ea:f0: - 8c:7a:7d:a0:0d:34:93:a3:80:cb:19:fb:1a:e1:c4: - 0b:60:5c:8d:33:ea:90:ed:98:d2:2a:06:6e:a2:02: - 1f:f8:2c:1e:d4:d0:d4:8f:93:8d:c9:fe:21:39:6a: - 5b:7b:60:5d:2a:9c:1e:3f:51:31:b1:be:56:28:cb: - 4d:cd - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:TRUE - X509v3 Key Usage: - Digital Signature, Key Encipherment, Certificate Sign, CRL Sign - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - Netscape Cert Type: - SSL Server, SSL CA - Netscape Comment: - Katello SSL Tool Generated Certificate - X509v3 Subject Key Identifier: - 72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF - X509v3 Authority Key Identifier: - keyid:72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF - DirName:/C=US/ST=North 
Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=sat-r220-02.lab.eng.rdu2.redhat.com - serial:D0:17:D1:86:81:D4:F1:28 - - Signature Algorithm: sha256WithRSAEncryption - 70:fe:c6:9f:1a:62:e8:b0:a6:25:df:e8:51:6c:e9:08:48:00: - 72:2b:d8:a2:95:6e:57:01:8e:2a:9c:a0:14:f8:c9:8a:e3:5d: - 48:64:f9:0f:81:e7:3e:b1:c2:cb:a0:ec:55:d6:e4:7f:c0:46: - 7b:bc:66:15:88:61:73:3b:ea:9e:ea:cb:32:79:35:bc:dc:eb: - 6f:d8:d0:89:c2:ae:fd:02:43:cd:e0:38:d6:9c:16:d7:6d:bb: - 2c:73:53:3c:82:56:51:d8:96:71:e1:28:49:31:be:fb:ed:23: - 08:e5:8d:eb:48:c7:25:5d:ef:0e:30:22:d3:93:7f:f1:66:b8: - 7f:8f:5c:d2:97:e7:13:0e:5b:06:1d:fd:97:1d:a5:24:93:d9: - 8a:d2:ba:51:00:b3:71:c8:61:da:79:31:64:75:96:d0:b8:d8: - 45:57:24:40:2f:11:d6:63:70:f5:bf:8d:fc:7f:1b:b9:ad:e0: - 16:6a:89:9b:6a:0c:d3:e3:b5:14:b4:5c:36:8a:b0:dd:15:4d: - 4e:77:e9:9b:29:df:e9:e3:27:dc:87:f8:6e:5d:a9:14:42:5c: - 8b:7b:13:9d:8b:c7:7a:4d:6d:52:7e:5f:02:9f:21:15:de:98: - 5d:f5:25:30:d3:fa:b4:34:f3:ff:8d:36:c7:e3:1c:d3:b1:f7: - b6:7b:ad:40 ------BEGIN CERTIFICATE----- -MIIFEDCCA/igAwIBAgIJANAX0YaB1PEoMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD -VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp -Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYD -VQQDDCNzYXQtcjIyMC0wMi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTAeFw0xODEx -MDIxNTM3MTNaFw0zODAxMTcxNTM3MTNaMIGOMQswCQYDVQQGEwJVUzEXMBUGA1UE -CAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB0th -dGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYDVQQDDCNzYXQtcjIyMC0w -Mi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBALoDOeOvPseJvdAHZoMYnMDaVui7N/4DZ5SaHJ1H2mqnblZtCnMF -eQ5EYXF4MzN5sc6mnYfQAYEQ1eMhD9Dp74bcEzRiQkeB9s7YeN4ADKZdJdjMcmrE -fOFbhCviPLZRfo7m4VV9tMjnmHbrIBVIby6RyrcX1Nl2W0AcfkwLbyxj+njFi7U2 -tgHZ2lipBnYyGMqyfC2qT071ZzBMpqPj73wd02fe2qW5Vw10AcMkqQNhmJHCHx2k -NtKm9JVvAWqZQerwjHp9oA00k6OAyxn7GuHEC2BcjTPqkO2Y0ioGbqICH/gsHtTQ -1I+Tjcn+ITlqW3tgXSqcHj9RMbG+VijLTc0CAwEAAaOCAW0wggFpMAwGA1UdEwQF -MAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD 
-AjARBglghkgBhvhCAQEEBAMCAkQwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NM -IFRvb2wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRyzYgGA/5dotCz -IMc3dAaEqKgT3zCBwwYDVR0jBIG7MIG4gBRyzYgGA/5dotCzIMc3dAaEqKgT36GB -lKSBkTCBjjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw -DgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21l -T3JnVW5pdDEsMCoGA1UEAwwjc2F0LXIyMjAtMDIubGFiLmVuZy5yZHUyLnJlZGhh -dC5jb22CCQDQF9GGgdTxKDANBgkqhkiG9w0BAQsFAAOCAQEAcP7Gnxpi6LCmJd/o -UWzpCEgAcivYopVuVwGOKpygFPjJiuNdSGT5D4HnPrHCy6DsVdbkf8BGe7xmFYhh -czvqnurLMnk1vNzrb9jQicKu/QJDzeA41pwW1227LHNTPIJWUdiWceEoSTG+++0j -COWN60jHJV3vDjAi05N/8Wa4f49c0pfnEw5bBh39lx2lJJPZitK6UQCzcchh2nkx -ZHWW0LjYRVckQC8R1mNw9b+N/H8bua3gFmqJm2oM0+O1FLRcNoqw3RVNTnfpmynf -6eMn3If4bl2pFEJci3sTnYvHek1tUn5fAp8hFd6YXfUlMNP6tDTz/402x+Mc07H3 -tnutQA== ------END CERTIFICATE----- diff --git a/default.nix b/default.nix index b5e1171..6aba02e 100644 --- a/default.nix +++ b/default.nix @@ -4,11 +4,9 @@ # Having pkgs default to is fine though, and it lets you use short # commands such as: # nix-build -A mypackage - -{ pkgs ? import {} }: - - { - overlays = import ./nix/overlays; + pkgs ? import { }, +}: +{ pkgs = import ./nix/pkgs { inherit pkgs; }; } diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..51825f5 --- /dev/null +++ b/flake.lock 
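Review bot: The new `default.nix` still resolves nixpkgs from the caller's NIX_PATH (`pkgs ? import <nixpkgs> { }` — the angle-bracket path appears to have been lost in rendering), so `nix-build -A …` evaluates `./nix/pkgs` against whatever channel happens to be configured, while the `flake.lock` added in the same commit pins nixpkgs to an exact revision and NAR hash. That leaves the repo with two entry points whose package sources differ: `nix build` is pinned and reproducible, the legacy path is not, and nothing in the hunk records that distinction beyond the pre-existing "is fine though" remark. Since `flake-compat` is already among the locked inputs, consider routing the legacy default through it so both paths share the locked nixpkgs; at minimum extend the header comment, e.g. `# NOTE: nix-build uses the unpinned <nixpkgs> from NIX_PATH; use 'nix build' for the locked inputs.` The header comment this hunk edits starts above the visible context lines.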
@@ -0,0 +1,1491 @@ +{ + "nodes": { + "aphorme_launcher": { + "flake": false, + "locked": { + "lastModified": 1719922896, + "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", + "owner": "Iaphetes", + "repo": "aphorme_launcher", + "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", + "type": "github" + }, + "original": { + "owner": "Iaphetes", + "ref": "main", + "repo": "aphorme_launcher", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1746816769, + "narHash": "sha256-ymQzXrfHVT8/RJiGbfrNjEeuzXQan46lUJdxEhgivdM=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "df694ee23be7ed7b2d8b42c245a640f0724eb06c", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "crane": { + "locked": { + "lastModified": 1733286231, + "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", + "owner": "ipetkov", + "repo": "crane", + "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727359191, + "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", + "owner": "nix-community", + "repo": "disko", + "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, + "espanso": { + "flake": false, + "locked": { + "lastModified": 1711840403, + "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", + "owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + }, + "original": { + 
"owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1733380458, + "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", + "owner": "nix-community", + "repo": "fenix", + "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "locked": { + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": 
"hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": 
"c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_10": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + 
"flake-utils_6": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_9": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "owner": "ursi", + "repo": "get-flake", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "ixx": { + "inputs": { + "flake-utils": [ + "nixvim", + "nuschtosSearch", + "flake-utils" + ], + "nixpkgs": [ + "nixvim", + "nuschtosSearch", + "nixpkgs" + ] + }, + "locked": { + 
"lastModified": 1737371634, + "narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=", + "owner": "NuschtOS", + "repo": "ixx", + "rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "ref": "v0.0.7", + "repo": "ixx", + "type": "github" + } + }, + "jay": { + "flake": false, + "locked": { + "lastModified": 1732789238, + "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", + "owner": "mahkoh", + "repo": "jay", + "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", + "type": "github" + }, + "original": { + "owner": "mahkoh", + "repo": "jay", + "type": "github" + } + }, + "lib-aggregate": { + "inputs": { + "flake-utils": "flake-utils_8", + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1733055216, + "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", + "owner": "nix-community", + "repo": "lib-aggregate", + "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lib-aggregate", + "type": "github" + } + }, + "nix-eval-jobs": { + "inputs": { + "flake-parts": "flake-parts_3", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": "nixpkgs_4", + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1732631228, + "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", + "owner": "nix-community", + "repo": "nix-eval-jobs", + "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-eval-jobs", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": 
"nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731952509, + "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1740852064, + "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "rev": "1b34da949d188b205b4132c2b726415fa19d5086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "type": "github" + } + }, + "nix4vscode": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "rust-overlay": "rust-overlay", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1733089477, + "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", + "owner": "nix-community", + "repo": "nix4vscode", + "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix4vscode", + "type": "github" + } + }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + 
"flake-utils": "flake-utils_4", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", + "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, + 
"nixos-anywhere": { + "inputs": { + "disko": "disko", + "flake-parts": "flake-parts_2", + "nixos-images": "nixos-images", + "nixos-stable": "nixos-stable", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1733093391, + "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", + "owner": "numtide", + "repo": "nixos-anywhere", + "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nixos-anywhere", + "type": "github" + } + }, + "nixos-images": { + "inputs": { + "nixos-stable": [ + "nixos-anywhere", + "nixos-stable" + ], + "nixos-unstable": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727367213, + "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, + "nixos-stable": { + "locked": { + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1740547748, + "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3a05eebede89661660945da1f151959900903b6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2411": { + "locked": { + "lastModified": 1733261153, + "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2505": { + "locked": { + "lastModified": 1747953325, + "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-gimp": { + "locked": { + "lastModified": 1735507908, + "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", + "owner": "jtojnar", + "repo": "nixpkgs", + "rev": "771cf18187fefcfaababd35834917c621447fee8", + "type": "github" + }, + "original": { + "owner": "jtojnar", + "ref": "gimp-meson", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + } + }, + "nixpkgs-lib_2": { + "locked": { + "lastModified": 1733015484, + "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + 
"type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1739446958, + "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-vscodium": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-wayland": { + "inputs": { + "flake-compat": "flake-compat_3", + "lib-aggregate": "lib-aggregate", + "nix-eval-jobs": "nix-eval-jobs", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1733388169, + "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", + "owner": "nix-community", + "repo": "nixpkgs-wayland", + "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs-wayland", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1722421184, + "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1722415718, + "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, 
+ "nixpkgs_4": { + "locked": { + "lastModified": 1732238832, + "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "flake-parts": "flake-parts_4", + "nixpkgs": [ + "nixpkgs" + ], + "nuschtosSearch": "nuschtosSearch", + "systems": "systems_5" + }, + "locked": { + "lastModified": 1748175278, + "narHash": "sha256-nXrZ25veLlj1WwVblFO28oHSOabjORGn8YLQ/9OtuSA=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "f54941e333ea2afd0b03ba09f5cb90bb1c6f8130", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nur": { + "inputs": { + "flake-parts": "flake-parts_5", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_3" + }, + "locked": { + "lastModified": 1737225765, + "narHash": "sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", + "owner": "nix-community", + "repo": "NUR", + "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils_9", + "ixx": "ixx", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745046075, + "narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=", + "owner": "NuschtOS", + "repo": "search", + "rev": 
"066afe8643274470f4a294442aadd988356a478f", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, + "ofi-pass": { + "flake": false, + "locked": { + "lastModified": 1723412133, + "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", + "owner": "sereinity", + "repo": "ofi-pass", + "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", + "type": "github" + }, + "original": { + "owner": "sereinity", + "repo": "ofi-pass", + "type": "github" + } + }, + "openvscode-server": { + "flake": false, + "locked": { + "lastModified": 1714076069, + "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", + "owner": "gitpod-io", + "repo": "openvscode-server", + "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", + "type": "github" + }, + "original": { + "owner": "gitpod-io", + "ref": "openvscode-server-v1.88.1", + "repo": "openvscode-server", + "type": "github" + } + }, + "prs": { + "flake": false, + "locked": { + "lastModified": 1719086486, + "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", + "owner": "timvisee", + "repo": "prs", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", + "type": "gitlab" + }, + "original": { + "owner": "timvisee", + "repo": "prs", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", + "type": "gitlab" + } + }, + "root": { + "inputs": { + "aphorme_launcher": "aphorme_launcher", + "colmena": "colmena", + "crane": "crane", + "disko": [ + "nixos-anywhere", + "disko" + ], + "espanso": "espanso", + "fenix": "fenix", + "flake-parts": "flake-parts", + "get-flake": "get-flake", + "jay": "jay", + "nix-vscode-extensions": "nix-vscode-extensions", + "nix4vscode": "nix4vscode", + "nixago": "nixago", + "nixos-anywhere": "nixos-anywhere", + "nixpkgs": [ + "nixpkgs-2505" + ], + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-2411": "nixpkgs-2411", + "nixpkgs-2505": "nixpkgs-2505", + "nixpkgs-gimp": "nixpkgs-gimp", + "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs-vscodium": 
"nixpkgs-vscodium", + "nixpkgs-wayland": "nixpkgs-wayland", + "nixvim": "nixvim", + "nur": "nur", + "ofi-pass": "ofi-pass", + "openvscode-server": "openvscode-server", + "prs": "prs", + "radicalePkgs": [ + "nixpkgs-2211" + ], + "rperf": "rperf", + "sops-nix": "sops-nix", + "srvos": "srvos", + "treefmt-nix": "treefmt-nix_4", + "yofi": "yofi" + } + }, + "rperf": { + "flake": false, + "locked": { + "lastModified": 1712257145, + "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", + "owner": "steveej-forks", + "repo": "rperf", + "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "repo": "rperf", + "type": "github" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1733330394, + "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1722565199, + "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733365027, + 
"narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", + "owner": "numtide", + "repo": "srvos", + "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + }, + "stable": { + "locked": { + "lastModified": 1746557022, + "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + 
"systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727252110, + "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723303070, + "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "14c092e0326de759e16b37535161b3cb9770cea3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_4": { + "inputs": { + "nixpkgs": [ + 
"nixpkgs" + ] + }, + "locked": { + "lastModified": 1738953846, + "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "yofi": { + "inputs": { + "flake-utils": "flake-utils_10", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725018627, + "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", + "owner": "l4l", + "repo": "yofi", + "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", + "type": "github" + }, + "original": { + "owner": "l4l", + "ref": "master", + "repo": "yofi", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..c68eef7 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,388 @@ +# flake.nix +{ + inputs = { + # TODO: where has this been used? + # dotfiles = { + # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; + # flake = false; + # }; + + # flake and infra basics + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + radicalePkgs.follows = "nixpkgs-2211"; + nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-2505.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.follows = "nixpkgs-2505"; + flake-parts.url = "github:hercules-ci/flake-parts"; + get-flake.url = "github:ursi/get-flake"; + + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; + nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; + disko.follows = "nixos-anywhere/disko"; + + nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; + + nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; + nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; + + # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` + openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; + openvscode-server.flake = false; + + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # libraries for building applications + fenix = { + url = "github:nix-community/fenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + crane.url = "github:ipetkov/crane"; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # applications + aphorme_launcher = { + url = "github:Iaphetes/aphorme_launcher/main"; + flake = false; + }; + + yofi = { + url = "github:l4l/yofi/master"; + flake = true; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + ofi-pass = { + url = "github:sereinity/ofi-pass"; + flake = false; + }; + + jay = { + url = "github:mahkoh/jay"; + flake = 
false; + }; + + prs = { + # url = "gitlab:timvisee/prs/v0.5.2"; + url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; + flake = false; + }; + + rperf = { + url = "github:steveej-forks/rperf"; + flake = false; + }; + + # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; + + espanso = { + flake = false; + url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; + }; + + nix4vscode = { + url = "github:nix-community/nix4vscode"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; + nixvim = { + # TODO: pin to nixos-24.11 once available + url = "github:nix-community/nixvim"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + treefmt-nix = { + url = "github:numtide/treefmt-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixago = { + url = "github:jmgilman/nixago"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nur = { + url = "github:nix-community/NUR"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; + }; + + outputs = + inputs@{ + self, + flake-parts, + nixpkgs, + ... + }: + let + inherit (nixpkgs) lib; + + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake { inherit inputs; } ( + { withSystem, ... 
}: + { + flake.colmenaHive = inputs.colmena.lib.makeHive ( + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + ( + builtins.map + ( + nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); + } + ) + [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" + + "sj-srv1" + ] + ) + ); + + flake.lib = { + inherit withSystem; + + prsFn = + { + lib, + prs, + skim, + rustPlatform, + makeWrapper, + }: + + prs.overrideAttrs (attrs: rec { + pname = "prs"; + + src = self.inputs.prs; + version = self.inputs.prs.shortRev; + + nativeBuildInputs = attrs.nativeBuildInputs ++ [ + makeWrapper + ]; + + cargoDeps = rustPlatform.fetchCargoVendor { + inherit src; + hash = "sha256-6kCqrwcHFy7cEl2JM+CzTWDM9abepumzdcJLq1ChzUk="; + }; + + postFixup = '' + wrapProgram $out/bin/prs \ + --prefix PATH : ${lib.makeBinPath [ skim ]} + ''; + }); + }; + + # this makes nixos-anywhere work + flake.nixosConfigurations = + let + colmenaHiveNodes = self.outputs.colmenaHive.nodes; + router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; + in + colmenaHiveNodes + // { + router0-dmz0 = router0-dmz0.native; + + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; + + steveej-x13s_cross = + (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = 
+ (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + }; + + inherit systems; + + perSystem = + { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: + { + imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; + + packages = + let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; + + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; + + craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; + + local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' + set -x + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=0 \ + # --x-unscale=3 \ + --verbose + ''; + in + { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; + + inherit (inputs'.colmena.packages) colmena; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" 
+ + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ pkgs.pkg-config ]; + buildInputs = [ ]; + }; + + inherit local-xwayland; + + inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; + + }; + + formatter = + let + settingsNix = { + projectRootFile = ".git/config"; + + package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; + + programs = { + nixfmt.enable = true; + deadnix.enable = true; + statix.enable = true; + + shfmt.enable = true; + shellcheck.enable = true; + + prettier.enable = true; + just = { + enable = true; + includes = [ + "*/Justfile" + "Justfile" + ]; + }; + } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; + + settings = { + global.excludes = [ + "LICENSE" + "secrets/" + ".git-crypt/" + + # unsupported extensions + "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" + ]; + + formatter = { + deadnix = { + priority = 1; + options = [ "--no-underscore" ]; + }; + + nixfmt = { + priority = 2; + }; + + statix = { + priority = 3; + }; + + prettier = { + options = [ + "--tab-width" + "2" + ]; + includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; + }; + }; + }; + }; + eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; + in + eval.config.build.wrapper.overrideAttrs (_: { + passthru = { + inherit (eval.config) package settings; + }; + }); + + devShells = + let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; + }; + in + all + // { + default = all.develop; + }; + }; + } + ); +} 
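Review bot: The `steveej-x13s_cross` entry in `flake.nixosConfigurations` builds its path as `self + "./nix/os/devices/steveej-x13s"`, whereas its siblings use `self + "/nix/os/devices/router0-dmz0"` and `./nix/os/devices/steveej-x13s-rmvbl`; since Nix appends the string literally to the path, the `./` form looks like it yields a non-existent `…source./nix/…` path, so it should presumably read `(inputs.get-flake (self + "/nix/os/devices/steveej-x13s")).nixosConfigurations.cross;`. Because attribute values are lazy, this only fails when that particular configuration is evaluated, so it is easy to miss. Separately, in the `local-xwayland` script the line `# --x-unscale=3 \` sits inside the backslash-continued `wayland-proxy-virtwl` invocation; a comment terminates the continuation, so the following `--verbose` is parsed as a separate command rather than as an argument (the `ledger-live-desktop-wrapped` script avoids this by placing its commented options after the `&`).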
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
new file mode 100644
index 0000000..ea5b5b8
Binary files /dev/null and b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw differ
diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh
index 6cfab1a..1025cb4 100755
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -xe
-[ ! -z "$NAME" ]
+[ -n "$NAME" ]
 nix-build . --show-trace -A "$NAME"
-docker image rm "$NAME":latest --force
+docker image rm "$NAME":latest --force
 docker load -i result
diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix
index e6d6f0b..67f516d 100644
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@@ -1,14 +1,10 @@
-{ pkgs ? import {}
+{
+ pkgs ? import { },
 }:
-
 let
- baseEnv = [
- "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ];
-
-
-in rec {
-
+ baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+in
+rec {
 base = pkgs.dockerTools.buildImage rec {
 name = "base";
@@ -41,50 +37,52 @@ in rec { }; }; - s3ql = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ + --log none \ + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi + + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ - --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket - - # FIXME: touch .isbucket after mount - ''; - in pkgs.dockerTools.buildImage { + # FIXME: touch .isbucket after mount + ''; + in + pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; contents = [ @@ -95,11 +93,11 @@ in rec { runAsRoot = '' #!${pkgs.stdenv.shell} mkdir -p /usr/bin - cp -a ${pkgs.fuse}/bin/fusermount /usr/bin + cp -a ${pkgs.fuse}/bin/fusermount /usr/bin chmod +s /usr/bin/fusermount echo user_allow_other >> /etc/fuse.conf ''; - + config = { Env = baseEnv ++ [ "HOME=/home/s3ql" 
@@ -109,49 +107,49 @@ in rec { ]; Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = {}; - "/etc/s3ql/authinfo2" = {}; - "/buckets" = {}; - "/tmp" = {}; + "/var/cache/s3ql" = { }; + "/etc/s3ql/authinfo2" = { }; + "/buckets" = { }; + "/tmp" = { }; + }; }; }; - }; - syncthing = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in pkgs.dockerTools.buildImage { + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in + pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; - + config = { - Env = baseEnv ++ [ - "SYNCTHING_HOME=/home/syncthing" - ]; + Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; Cmd = [ entrypoint ]; Volumes = { - "/data" = {}; + "/data" = { }; }; }; }; diff --git a/nix/default.nix b/nix/default.nix index 2512b43..f8947e0 100644 --- a/nix/default.nix +++ b/nix/default.nix 
@@ -1,26 +1,33 @@ { versionsPath }: - let - channelVersions = (import versionsPath); - mkChannelSource = name: + channelVersions = import versionsPath; + mkChannelSource = + name: let channelVersion = builtins.getAttr name channelVersions; - in builtins.fetchGit { + in + builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; - }; - nixPath = builtins.foldl' (path: elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = (mkChannelSource elemName); - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - path + ":" + builtins.concatStringsSep "=" [ elemName elemPath ] + suffix - ) "" (builtins.attrNames channelVersions); - pkgs = import (mkChannelSource "nixpkgs") {}; + }; + nixPath = builtins.concatStringsSep ":" ( + builtins.map ( + elemName: + let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; + in + builtins.concatStringsSep "=" [ + elemName + elemPath + ] + + suffix + ) (builtins.attrNames channelVersions) + ); + pkgs = import (mkChannelSource "nixpkgs") { }; in - { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' diff --git a/nix/devShells.nix b/nix/devShells.nix new file mode 100644 index 0000000..fc4b55e --- /dev/null +++ b/nix/devShells.nix 
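Review bot: `suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";` inside the new `nixPath` expression is the long form of `suffix = elem.suffix or "";`, which is the idiomatic spelling for an optional attribute. Worth noting as well that replacing the `foldl'` with `builtins.concatStringsSep ":"` also drops the leading `:` the old accumulation produced (it started from `""` and prepended `":"` on every step), so `nixPath` no longer begins with an empty entry; that looks like an improvement, but it is a behaviour change this hunk does not mention, so a word in the commit message would help anyone comparing the two NIX_PATH values.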
@@ -0,0 +1,105 @@
+{
+ self,
+ self',
+ inputs',
+ pkgs,
+}:
+{
+ install = pkgs.mkShell {
+ name = "infra-install";
+ packages = with pkgs; [
+ nixos-install-tools
+ inputs'.disko.packages.disko
+ just
+ git
+ git-crypt
+ gnupg
+ ];
+ };
+
+ develop = pkgs.mkShell {
+ name = "infra-develop";
+ inputsFrom = [ self'.devShells.install ];
+ packages = with pkgs; [
+ self'.formatter # .package
+ inputs'.colmena.packages.colmena
+ dconf2nix
+ inputs'.nixos-anywhere.packages.nixos-anywhere
+ nurl
+ vcsh
+ ripgrep
+ # pass
+ age
+ age-plugin-yubikey
+ ssh-to-age
+ yubico-piv-tool
+ inputs'.sops-nix.packages.default
+ sops
+ nil
+ nix-index
+
+ apacheHttpd
+
+ # vncdo
+ # tesseract
+ # imagemagick
+
+ # lm_sensors
+
+ # nmap
+ # sysstat
+ # lshw
+ # xxHash
+ # linssid
+ # wavemon
+ # wirelesstools
+
+ # zathura
+ # xorg.xwininfo
+ # glxinfo
+ # autorandr
+ # arandr
+ # playerctl
+ # x11docker
+ # fwupd
+
+ # ntfy
+ # hedgedoc-cli
+
+ xwayland
+ pulsemixer
+
+ (pkgs.writeShellScriptBin "rflk" ''
+ exec nix run nixpkgs#$@
+ '')
+
+ (pkgs.writeShellScriptBin "r11" ''
+ exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
+ '')
+
+ jq
+ yq
+ wireguard-tools
+
+ screen
+
+ inputs'.nixpkgs-unstable.legacyPackages.kanidm
+
+ (flameshot.override { enableWlrSupport = true; })
+ ];
+
+ # Set Environment Variables
+ RUST_BACKTRACE = 1;
+
+ KANIDM_URL =
+ self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
+
+ shellHook = builtins.concatStringsSep "\n" [
+ # (self.inputs.nixago.lib.${pkgs.system}.make {
+ # data = self'.formatter.settings;
+ # output = "treefmt.toml";
+ # format = "toml";
+ # }).shellHook
+ ];
+ };
+}
diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix
index e368858..a4ab582 100644
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
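Review bot: The `rflk` and `r11` wrapper scripts in the `develop` shell expand `$@` unquoted, so any argument containing whitespace or glob characters is re-split by the shell before it reaches `nix run` or `env`; quoting fixes that, presumably as `exec nix run "nixpkgs#$1" -- "${@:2}"` and `exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" "$@"`. Note also that `KANIDM_URL` is read from `self.nixosConfigurations.sj-srv1.config.containers.webserver…`, which means merely entering the `develop` shell evaluates the full sj-srv1 NixOS configuration; if that turns out to be slow or fragile, a comment stating the intent (`# keep in sync with the kanidm origin on sj-srv1`) next to a literal string, or a small dedicated flake attribute, would decouple the shell from host evaluation. The `shellHook` is currently `concatStringsSep "\n" [ ]` with every entry commented out, so it could be dropped until the nixago hook is reinstated.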
@@ -1,89 +1,102 @@ -{ pkgs }: - +{ + pkgs, + lib, + config, + # these come in via home-manager.extraSpecialArgs and are specific to each node + nodeFlake, + repoFlake, + ... +}: let - zshCurried = import ../programs/zsh.nix { inherit pkgs; }; + pkgsUnstable = + pkgs.pkgsUnstable + or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); in - -{ pkgs -, config -, ... }: - -let - # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; - unstablepkgs = import { config = config.nixpkgs.config; }; - masterpkgs = import { config = config.nixpkgs.config; }; - -in { +{ imports = [ ../profiles/common.nix - ../profiles/qtile-desktop.nix - ../profiles/dotfiles.nix - ../programs/firefox.nix - ../programs/chromium.nix + # ../profiles/dotfiles.nix # FIXME: fix homeshick when no WAN connection is available # ../programs/homeshick.nix + + # ../profiles/gnome-desktop.nix + # ../profiles/experimental-desktop.nix + + ../programs/redshift.nix + + ../programs/gpg-agent.nix + ../programs/pass.nix + + ../programs/espanso.nix + + ../programs/firefox.nix + ../programs/chromium.nix + ../programs/libreoffice.nix ../programs/neovim.nix - ../programs/pass.nix - zshCurried - ../programs/podman.nix ../programs/vscode + { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; - nixpkgs.config = { - pidgin = { - openssl = true; - gnutls = true; - }; + home.sessionVariables.HM_CONFIG = "graphical-fullblown"; + home.sessionVariables.GOPATH = "$HOME/src/go"; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" + ]; - packageOverrides = pkgs: with pkgs; { - }; - }; - - home.sessionVariables = { - # TODO: find a way to prevent using a store path for the current file - # HM_CONFIG_PATH=builtins.toString "${./.}"; - HM_CONFIG="graphical-fullblown"; - - GOPATH="$HOME/src/go"; - - PATH=pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" + nixpkgs.config.allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) 
[ + "electron-28.3.3" + "electron-27.3.11" ]; - }; - home.packages = [] - ++ (with pkgs; [ + nixpkgs.config.permittedInsecurePackages = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + nixpkgs.config.allowUnfree = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + # nixpkgs.config.allowUnfreePredicate = pkg: + # builtins.elem (lib.getName pkg) [ + # "smartgithg" + # "electron-27.3.11" + # ]; + + home.packages = + (with pkgs; [ # Authentication - cacert - fprintd - openssl - mkpasswd + # cacert + # fprintd + # openssl + # mkpasswd # Nix package related tools patchelf - nix-index - nox + # nix-index nix-prefetch-scripts - nix-prefetch-github + nix-tree # Version Control Systems - pijul - gitless + gitFull + # gitless gitRepo git-lfs # Process/System Administration htop - gnome3.gnome-tweak-tool + # gnome.gnome-tweaks xorg.xhost dmidecode evtest # Archive Managers - sshfsFuse - xarchive + sshfs-fuse p7zip zip unzip 
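Review bot: `nixpkgs.config.allowUnfree = [ "electron-28.3.3" "electron-27.3.11" ];` assigns a list where nixpkgs expects a boolean (`allowUnfree` is declared as a bool option, and the per-package form is `allowUnfreePredicate`, which is exactly the block commented out just below it); if this home-manager `nixpkgs.config` is actually applied, that looks like an evaluation-time type error rather than a scoped allowance, so it should presumably become `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" ];` — worth confirming against how this module's nixpkgs instance is built. In the same hunk `allowInsecurePredicate` and `permittedInsecurePackages` enumerate the same two electron versions; once a predicate is set nixpkgs consults it instead of the list, so one of the two is redundant and they will drift apart. Since these versions are allowed precisely because nixpkgs flags them as insecure, a one-line comment naming which package still needs each (`# needed by <package> — remove once it moves off electron-27/28`) would make it much easier to retire the exception later.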
@@ -93,98 +106,74 @@ in { # Password Management gnupg yubikey-manager - yubikey-neo-manager yubikey-personalization yubikey-personalization-gui - gnome3.gnome_keyring - gnome3.seahorse + + # gnome.gnome-keyring + gcr + seahorse # Language Support hunspellDicts.en-us hunspellDicts.de-de # Messaging/Communication - signal-desktop - pidgin - hexchat + # pidgin + # hexchat + pkgsUnstable.element-desktop aspellDicts.en aspellDicts.de - skype - unstablepkgs.jitsi-meet-electron - zoom-us # broken as of 2019-10-30 - bluejeans-gui - thunderbird - gnome3.evolution # gnome4.glib_networking - # telegram - unstablepkgs.tdesktop - gnome3.cheese + # skypeforlinux + # pkgsUnstable.jitsi-meet-electron + thunderbird-128 + # betterbird + + # FIXME: depends on insecure openssl 1.1.1t + # kotatogram-desktop + pkgsUnstable.tdesktop + pkgsUnstable.signal-desktop # Virtualization - virtmanager - # (pkgs.lib.hiPrio qemu) - # virtualbox - # vagrant - # docker_compose - # unstablepkgs.kubernetes - # unstablepkgs.minikube - # unstablepkgs.openshift - # (unstablepkgs.minikube.overrideAttrs (oldAttrs: { - # patches = oldAttrs.patches ++ [ - # (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; }) - # ]; - # })) - appimage-run - + virt-manager # Remote Control Tools remmina - freerdp - teamviewer + # freerdp # Audio/Video Players - ffmpeg + # ffmpeg vlc - audacity - spotify - python38Packages.youtube-dl-light + # v4l-utils + # audacity + # spotify + yt-dlp + (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam + libcamera + snapshot # Network Tools - openvpn tcpdump iftop iperf bind socat - # 2019-03-05: broken on 19.03 linssid - iptraf-ng - ipmitool + nethogs - # samba - iptables - nftables - wireshark - - # Code Editors - # unstablepkgs.atom - xclip - xsel + # Code Editing and Programming + # TODO(remove or use): pkgsUnstable.lapce + # TODO(remve or use): 
pkgsUnstable.helix # Image/Graphic/Design Tools - gnome3.eog - gimp - imagemagick - exiv2 - graphviz - inkscape - # barcode - qrencode - zbar - feh - # digikam + eog + # gimp + # imagemagick + # exiv2 + # graphviz + # inkscape + # qrencode - - # Modelling Tools + # TODO: remove or move these: Modelling Tools # plantuml # umlet # staruml 
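Review bot: The `youtube-dl-audio` wrapper passes its arguments as the unquoted `\${@:?}`, so the generated script word-splits and glob-expands every URL argument; a URL containing a space, `*` or `[` in its query string is mangled before it reaches yt-dlp. Quoting the expansion inside the Nix string fixes this: `(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \"\${@:?}\"")`. The surrounding `home.packages` list starts in the previous hunk and ends in a later one.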
@@ -193,99 +182,46 @@ in { # astah-community # Misc Development Tools - qrcode - # travis - jq - # prometheus - cdrtools + # qrcode + # jq + # cdrtools # Document Processing and Management - # zathura - mendeley - # zotero - pandoc - - # LaTeX - perlPackages.YAMLTiny - perlPackages.FileHomeDir - perlPackages.UnicodeLineBreak - (texlive.combine { - inherit (texlive) - scheme-small - texlive-de - texlive-en - texlive-scripts - collection-langgerman - - latexindent - latexmk - - algorithms - cm-super - - preprint - enumitem - draftwatermark - everypage - ulem - placeins - minted ifplatform fvextra xstring framed - ; - }) - - pdftk - masterpdfeditor + nautilus + pcmanfm + # mendeley + evince + xournalpp # File Synchronzation - seafile-client - grive2 - dropbox + maestral rsync # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - python38Packages.binwalk - gptfdisk - gparted - smartmontools - - ## Android - androidenv.androidPkgs_9_0.platform-tools + # ntfs3g + # ddrescue + # ncdu + # hdparm + # binwalk + # gptfdisk + # gparted + # smartmontools ## Python - myPython - - # Code generators - # unstablepkgs.swagger-codegen + # packages'.myPython # Misc Desktop Tools - # TODO: this may be required if brightness control isn't working - # brightnessctl - ltunify - # solaar # TODO: conflicts with solar over udev rules - dex - # kitty - busyboxStatic - xorg.xbacklight + # ltunify + # dex coreutils lsof - x11_ssh_askpass - xdotool - xdg_utils + xdg-utils xdg-user-dirs - gnome3.dconf + dconf picocom glib.dev # contains gdbus tool alacritty - roxterm - unstablepkgs.wally-cli + # wally-cli man-pages # Screen recording 
@@ -295,11 +231,58 @@ in { # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle - obs-studio - screenkey # shotcut # openshot-qt + # introduces python: screenkey - ledger-live-desktop - ]); + # avidemux # broken + # handbrake + + # snes9x + # snes9x-gtk + # this is a displaymanager! + # libretro.snes9x2010 + # retroarchFull + + # pkgs.logseq-bin + pkgs.logseq + # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) + ]) + ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + pkgsUnstable.ledger-live-desktop + + # unsupported on aarch64-linux + pkgs.androidenv.androidPkgs_9_0.platform-tools + pkgs.teamviewer + pkgs.discord + pkgsUnstable.session-desktop + pkgsUnstable.rustdesk + ]); + + systemd.user.startServices = true; + + services.syncthing.enable = true; + + services.udiskie = { + enable = true; + automount = false; + notify = true; + }; + + # TODO: uncomment this when it's in stable home-manger + # programs.joshuto = { + # enable = true; + # }; + + # systemd.user.services.maestral = { + # Unit.Description = "Maestral daemon"; + # Install.WantedBy = ["default.target"]; + # Service = { + # ExecStart = "${pkgs.maestral}/bin/maestral start -f"; + # ExecStop = "${pkgs.maestral}/bin/maestral stop"; + # Restart = "on-failure"; + # Nice = 10; + # }; + # }; } diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix new file mode 100644 index 0000000..4dbcba2 --- /dev/null +++ b/nix/home-manager/configuration/graphical-gnome3.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + home.packages = with pkgs; [ + gnome-tweaks + gnome-keyring + seahorse + ]; +} diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index cd62667..73c9ff3 100644 --- a/nix/home-manager/configuration/graphical-removable.nix 
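Review bot: The aarch64 exclusion at the end of `home.packages` tests `pkgs.stdenv.targetPlatform.isAarch64`; the platform the installed packages run on is `hostPlatform`, and `targetPlatform` only coincides with it in the native, non-cross case, so `++ (lib.lists.optionals (!pkgs.stdenv.hostPlatform.isAarch64) [` states the intent and also survives a cross-built home configuration. The `home.packages` definition this list belongs to starts in an earlier hunk of this file.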
+++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,17 +1,5 @@ -{ pkgs }: - -let - zshCurried = import ../programs/zsh.nix { inherit pkgs; }; -in - -{ pkgs -, config, -... }: - -let - unstablepkgs = import { config = config.nixpkgs.config; }; - -in { +{ pkgs, ... }: +{ imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
@@ -23,109 +11,89 @@ in { ../programs/libreoffice.nix ../programs/neovim.nix ../programs/pass.nix - zshCurried ]; - nixpkgs.config = { - pidgin = { - openssl = true; - gnutls = true; - }; + home.packages = with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - packageOverrides = pkgs: with pkgs; { - }; - }; + # Version Control Systems + gitless - home.sessionVariables = { - }; + # Process/System Administration + htop + gnome-tweaks + xorg.xhost + dmidecode + evtest + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - home.packages = - [] ++ (with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + # Password Management + gnome-keyring + seahorse - # Version Control Systems - gitless + # Remote Control Tools + remmina + freerdp - # Process/System Administration - htop - gnome3.gnome-tweak-tool - xorg.xhost - dmidecode - evtest + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # Archive Managers - sshfsFuse - xarchive - p7zip - zip - unzip - gzip - lzop + # samba + iptables + nftables + wireshark - # Password Management - gnome3.gnome_keyring - gnome3.seahorse + # Code Editors + xclip + xsel - # Remote Control Tools - remmina - freerdp + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Misc Development Tools + qrcode + jq + cdrtools - # samba - iptables - nftables - wireshark + # Document Processing and Management + zathura - # Code Editors - xclip - xsel - unstablepkgs.vscode + # File Synchronzation + rsync - # Image/Graphic/Design Tools - gnome3.eog - gimp - inkscape + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - # Misc Development Tools - qrcode - jq - cdrtools + packages'.myPython - # Document Processing and Management - zathura - - # File Synchronzation - rsync - - # Filesystem Tools - 
ntfs3g - ddrescue - ncdu - unstablepkgs.woeusb - unetbootin - pcmanfm - hdparm - testdisk - python38Packages.binwalk - gptfdisk - - ## Python - myPython - - busyboxStatic - - # Virtualization - virtmanager - ]); + # Virtualization + virtmanager + ]; } diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix deleted file mode 100644 index 5937909..0000000 --- a/nix/home-manager/configuration/text-minimal.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ pkgs, extraPackages ? [] }: - -let - zshCurried = import ../programs/zsh.nix { inherit pkgs; }; -in - -{ pkgs -, config -, ... }: - -let - -in { - imports = [ - ../profiles/common.nix - ../profiles/nix-channels.nix - ../programs/neovim.nix - zshCurried - ]; - - nixpkgs.config = { - packageOverrides = pkgs: with pkgs; { - }; - }; - - home.sessionVariables = { - }; - - home.packages = extraPackages - ++ (with pkgs; [ - iperf3 - telnet - speedtest-cli - ]); -} diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 0c240cc..7436034 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,22 +1,19 @@ -{ -}: +_: { + mkSimpleTrayService = + { execStart }: + { + Unit = { + Description = ""; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; -let + Install = { + WantedBy = [ "graphical-session.target" ]; + }; -in { - mkSimpleTrayService = { execStart }: { - Unit = { - Description = "pasystray applet"; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; + Service = { + ExecStart = execStart; + }; }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = execStart; - }; - }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index b350058..77f6e57 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
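Review bot: `packages'.myPython` in the new `home.packages` list is not bound in this module: the argument set is `{ pkgs, ... }:` and, unlike experimental-desktop.nix in this same commit which declares `{ packages', ... }:`, nothing brings `packages'` into scope, so unless an overlay exposes `pkgs.packages'` the `with pkgs;` fallback fails with an undefined-variable error at evaluation time. Adding it to the module arguments, `{ pkgs, packages', ... }:`, or commenting the entry out as graphical-fullblown.nix does in this commit, resolves it. The list also keeps the older attribute names `gnome.eog` and `virtmanager` while graphical-fullblown.nix moved to `eog` and `virt-manager` in the same commit; if those were renames in nixpkgs, this file will fail to evaluate for the same reason. The hunk begins mid-`imports` list; the enclosing module starts in the previous hunk.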
@@ -1,54 +1,97 @@ -{ pkgs -, ... -}: +{ pkgs, lib, ... }: +{ + home.stateVersion = lib.mkDefault "23.11"; -let -in { - # TODO: re-enable this with the appropriate version + # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - nixpkgs.overlays = builtins.attrValues (import ../../overlays); - + # TODO: move this to an OS snippet? nixpkgs.config = { - allowBroken = true; + allowBroken = false; allowUnfree = true; + allowUnsupportedSystem = true; + + allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "electron-32.3.3" + "electron" + ]; + + permittedInsecurePackages = [ + "electron-32.3.3" + "electron" + ]; + + allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "obsidian" + "vivaldi" + "aspell-dict-en-science" + ]; }; home.keyboard = { layout = "us"; variant = "altgr-intl"; - options = [ - "nodeadkeys" - # "caps:swapescape" + options = [ + # nodeadkeys doesn't make sense with us layout: see https://man.archlinux.org/man/xkeyboard-config.7 for valid options + # "nodeadkeys" + # "caps:swapescape" ]; }; - programs.direnv.enable = true; - services.lorri.enable = true; + xdg.enable = true; - home.sessionVariables = { - NIXPKGS_ALLOW_UNFREE = "1"; - # Don't create .pyc files. - PYTHONDONTWRITEBYTECODE = "1"; - }; + programs.direnv.enable = true; + + # Don't create .pyc files. 
+ home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = - [] ++ (with pkgs; [ - # git helpers - git-crypt + home.packages = with pkgs; [ + coreutils - vcsh - # Authentication - cacert - openssl - mkpasswd + vcsh - just - ripgrep - du-dust - ]); + htop + iperf3 + nethogs + + # Authentication + cacert + openssl + mkpasswd + + just + ripgrep + du-dust + + elfutils + exfat + file + tree + pwgen + proot + + parted + pv + tmux + wget + curl + + # git helpers + git-crypt + gitFull + pastebinit + gist + mr + + usbutils + pciutils + ]; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 2609ee2..a7bddd9 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,13 +1,6 @@ -{ pkgs -, config -, ... -}: - -let - vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; - -in { - home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' - $DRY_RUN_CMD ${vcshActivationScript} - ''; +_: { + # TODO: fix the dotfiles + # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' + # $DRY_RUN_CMD ${vcshActivationScript} + # ''; } diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 521a126..2a866f2 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
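Review bot: The bare `"electron"` entry in the new `allowInsecurePredicate` list turns a targeted exception into a blanket one: `lib.getName pkg` yields the unversioned pname, so every electron release nixpkgs ever marks insecure passes this predicate, not just 32.3.3 (and conversely the versioned entry can never match there). In `permittedInsecurePackages` the comparison is against the versioned name, so there the bare entry is dead and the versioned one is effective; as far as I recall a custom `allowInsecurePredicate` also replaces the default predicate that reads `permittedInsecurePackages`, so the two attributes do not stack. I would keep only `permittedInsecurePackages = [ "electron-32.3.3" ];`, preceded by a comment naming the dependent package and the condition for dropping the exception, and remove the predicate. `allowUnfreePredicate` has no effect while `allowUnfree = true;` is set a few lines above it, so either the global switch or the allowlist should go.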
@@ -1,39 +1,42 @@ -{ pkgs -, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git" -, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git" -, ... +{ + pkgs, + repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", + repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", + ... }: - let - repoBareLocal = pkgs.runCommand "fetchbare" { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + repoBareLocal = + pkgs.runCommand "fetchbare" + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; +in +pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) -in pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } - - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - '' + if ! 
test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi +'' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix new file mode 100644 index 0000000..d57a051 --- /dev/null +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -0,0 +1,10 @@ +{ packages', ... }: +{ + imports = [ ../profiles/wayland-desktop.nix ]; + + home.packages = [ + # experimental WMs + packages'.jay + packages'.magmawm + ]; +} diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix new file mode 100644 index 0000000..e403b71 --- /dev/null +++ b/nix/home-manager/profiles/gnome-desktop.nix 
@@ -0,0 +1,100 @@ +{ pkgs, ... }: +{ + imports = [ ../profiles/wayland-desktop.nix ]; + + services = { + gnome-keyring.enable = false; + blueman-applet.enable = true; + flameshot.enable = true; + pasystray.enable = true; + }; + + # TODO: remove this comment once i'm sure everything works + # xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = '' + # [Desktop Entry] + # Type=Application + # Hidden=true + # ''; + + services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; + + dconf.settings = + let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } + + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; + + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( + (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace + ); + + workspacesKeyBindingsOffset = builtins.length manualKeybindings; + + # with this we can make use of all number keys [0-9] + mapToNumber = + i: + if i < 10 then + i + else if i == 10 then + 0 + else + throw "i exceeds 10: ${i}"; + in + { + "org/gnome/settings-daemon/plugins/media-keys" = { + custom-keybindings = customKeybindingsNames; + screenreader = "@as []"; + screensaver = [ "l" ]; + }; + + # disable the builtin [1-9] functionality + "org/gnome/shell/keybindings" = builtins.listToAttrs ( + (builtins.genList (i: { + name = "switch-to-application-${toString (i + 1)}"; + value = [ ]; + }) numWorkspaces) + ++ [ + { + name = "toggle-overview"; + value = [ ]; + } + ] + ); + + # remap it to switching to the workspaces + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( + builtins.genList (i: { + name = "switch-to-workspace-${toString (i + 1)}"; + value = [ "${toString (mapToNumber (i + 1))}" ]; + }) numWorkspaces + ); + } + // builtins.listToAttrs ( + 
builtins.genList (i: { + name = "${customKeybindingBaseName}${toString i}"; + value = builtins.elemAt manualKeybindings i; + }) (builtins.length manualKeybindings) + ) + // builtins.listToAttrs ( + builtins.genList (i: { + name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; + value = { + binding = "${toString (mapToNumber (i + 1))}"; + command = "wmctrl -r :ACTIVE: -t ${toString i}"; + name = "Send to workspace ${toString (i + 1)}"; + }; + }) numWorkspaces + ); +} diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index 4a0eebe..fc52ec6 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix @@ -1,26 +1,22 @@ -{ pkgs -, config -, ... -}: +{ pkgs, config, ... }: +{ + home.file.".nix-channels".text = ""; -let -in { - home.file.".nix-channels".text = '' - ''; - - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels - fi + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel + fi + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi ''}; ''; } 
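Review bot: The error branch of `mapToNumber` interpolates an integer directly, `throw "i exceeds 10: ${i}"`, which Nix rejects with "cannot coerce an integer to a string" before the intended message is produced; `throw "i exceeds 10: ${toString i}"` reports it correctly. With `numWorkspaces = 10` the function is only ever called with 1..10, so the branch is unreachable today but breaks the moment the workspace count is raised. The generated keybinding commands `flameshot gui`, `alacritty` and `wmctrl -r :ACTIVE: -t …` rely on PATH lookup, whereas the qtile profile in this same commit uses store paths such as `${pkgs.flameshot}/bin/flameshot`; `wmctrl` does not appear among the packages visible here, so the workspace bindings presumably depend on it being installed elsewhere — confirm.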
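Review bot: The new inner `if test -f $HOME/.nix-channel` guard hides the typo instead of fixing it: the channel list nix maintains is `$HOME/.nix-channels`, the very file the outer `if` already checks, so the singular path never exists, the `nix-channel --remove` loop never runs, and the file is moved away with its channels still registered. Reading from the right file makes the guard unnecessary: `done < $HOME/.nix-channels`. Since the script runs under `set -e` and the home path may contain spaces, `"$HOME"` should also be quoted throughout.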
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 004f821..84d9c21 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,17 +1,15 @@ -{ pkgs -, ... -}: - +{ pkgs, ... }: let - inherit (import ../lib.nix { }) - mkSimpleTrayService - ; - audio = pkgs.writeScript "audio" '' - #!${pkgs.bash}/bin/bash - export PATH=${with pkgs; lib.makeBinPath [ - pulseaudio findutils gnugrep - ]}:$PATH + audio = pkgs.writeShellScript "audio" '' + export PATH=${ + with pkgs; + lib.makeBinPath [ + pulseaudio + findutils + gnugrep + ] + }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute case $1 in @@ -33,13 +31,9 @@ let esac ''; terminalCommand = "${pkgs.alacritty}/bin/alacritty"; - # terminalCommand = "${pkgs.roxterm}/bin/roxterm"; - dpmsScript = pkgs.writeScript "dpmsScript" '' - #!${pkgs.bash}/bin/bash - export PATH=${with pkgs; lib.makeBinPath [ - xlibs.xset - ]}:$PATH + dpmsScript = pkgs.writeShellScript "dpmsScript" '' + export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH set -xe @@ -61,11 +55,8 @@ let esac ''; - screenLockCommand = pkgs.writeScript "screenLock" '' - #!${pkgs.bash}/bin/bash - export PATH=${with pkgs; lib.makeBinPath [ - i3lock - ]}:$PATH + screenLockCommand = pkgs.writeShellScript "screenLock" '' + export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH revert() { ${dpmsScript} default 
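Review bot: `export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute` in the audio script (a context line of the first hunk, not changed here) keeps per-user state under a predictable name in the shared, world-writable `/tmp` whenever `TEMPDIR` is unset, which is the classic setup for a symlink or pre-created-file race by another local user. The switch to `writeShellScript` is a good moment to move it to the user-owned runtime directory: `export MUTEFILE=''${XDG_RUNTIME_DIR:-''${TEMPDIR:-/tmp}}/.qtilemute`. The `case $1 in` body that reads and writes that file lies outside the hunk.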
@@ -78,229 +69,190 @@ let revert ''; + initScreen = pkgs.writeShellScript "initScreen" '' + # ${pkgs.xorg.xinput}/bin/xinput set-prop "ZSA Moonlander Mark I Mouse" "libinput Natural Scrolling Enabled" 1 + ${pkgs.autorandr}/bin/autorandr -c + ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png + ${dpmsScript} default + ''; qtileConfig = pkgs.writeScript "qtile_config.py" '' -from libqtile.config import Key, Screen, Group, Drag, Click -from libqtile.command import lazy -from libqtile import layout, bar, widget -from libqtile import hook + from libqtile.config import Key, Screen, Group, Drag, Click + from libqtile.command import lazy + from libqtile import layout, bar, widget + from libqtile import hook -import logging, os -logger = logging.getLogger() -logger.setLevel(logging.WARN) + import logging, os + logger = logging.getLogger() + logger.setLevel(logging.WARN) -handler = logging.handlers.RotatingFileHandler( - os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000, - backupCount=7 -) -handler.setLevel(logging.WARN) -logger.addHandler(handler) - -# @hook.subscribe.screen_change -# def restart_on_randr(qtile, ev): -# import time -# -# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "w"): -# pass -# -# lastRestart = 0 -# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "r+") as lastRestartFile: -# lastRestartStr = lastRestartFile.read() -# if len(lastRestartStr) > 0: -# lastRestart = float(lastRestartStr) -# -# print("screen changed. 
(last change: %s)" % lastRestart) -# -# delta=time.time()-lastRestart -# if delta > 3: -# import subprocess -# lastRestartFile.seek(0) -# lastRestartFile.write("%s" % time.time()) -# lastRestartFile.truncate() -# -# subprocess.call(["autorandr","-c"]) -# qtile.cmd_restart() -# else: -# print("screen is changing too fast: %s" % delta) -# -# active_screen = 0 -# @hook.subscribe.client_focus -# def focus_changed(window): -# global active_screen -# pass -# active_screen = window.group.screen.index -# -# @hook.subscribe.current_screen_change -# def move_widget(): -# global active_screen -# systray = widget.Systray() -# logging.warn("Screen changed to %i" % active_screen) - -key_super = "mod4" -key_alt = "mod1" -key_control = "control" - -keys = [ - # https://github.com/qtile/qtile/blob/develop/libqtile/xkeysyms.py - Key([key_super], "Return", lazy.spawn("${terminalCommand}")), - Key([key_super], "backslash", lazy.spawn("${terminalCommand}")), - Key([key_super], "apostrophe", lazy.spawn("${terminalCommand}")), - Key([key_super], "r", lazy.spawncmd()), - Key([key_super], "w", lazy.window.kill()), - - Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')), - Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")), - - # Key([key_super, key_control], "r", lazy.restart()), - Key([key_super, key_control], "r", lazy.spawn("${pkgs.autorandr}/bin/autorandr -c && ${dpmsScript} default"), lazy.restart()), - Key([key_super, key_control], "q", lazy.shutdown()), - - # Toggle between different layouts as defined below - Key([key_super], "Tab", lazy.next_layout()), - - # MonadTall keybindings - Key([key_super], "h", lazy.layout.left()), - Key([key_super], "l", lazy.layout.right()), - Key([key_super], "j", lazy.layout.down()), - Key([key_super], "k", lazy.layout.up()), - Key([key_super, key_control], "h", lazy.layout.shuffle_left()), - Key([key_super, key_control], "l", lazy.layout.shuffle_right()), - 
Key([key_super, key_control], "j", lazy.layout.shuffle_down()), - Key([key_super, key_control], "k", lazy.layout.shuffle_up()), - Key([key_super, key_control], "space", lazy.layout.toggle_split()), - Key([key_control, key_alt], "h", lazy.layout.grow_left()), - Key([key_control, key_alt], "j", lazy.layout.grow_down()), - Key([key_control, key_alt], "k", lazy.layout.grow_up()), - Key([key_control, key_alt], "l", lazy.layout.grow_right()), - Key([key_super], "n", lazy.layout.normalize()), - Key([key_super], "o", lazy.layout.maximize()), - - # Stack - Key([key_super], "h", lazy.layout.previous().when('stack')), - Key([key_super], "l", lazy.layout.next().when('stack')), - Key([key_super], "j", lazy.layout.up().when('stack')), - Key([key_super], "k", lazy.layout.down().when('stack')), - Key([key_super, key_control], "j", lazy.layout.shuffle_up().when('stack')), - Key([key_super, key_control], "k", lazy.layout.shuffle_down().when('stack')), - Key([key_super, key_control], "h", lazy.layout.client_to_previous().when('stack')), - Key([key_super, key_control], "l", lazy.layout.client_to_next().when('stack')), - - # Columns - Key([key_super], "h", lazy.layout.left().when('columns')), - Key([key_super], "l", lazy.layout.right().when('columns')), - Key([key_super], "j", lazy.layout.down().when('columns')), - Key([key_super], "k", lazy.layout.up().when('columns')), - Key([key_super, key_control], "j", lazy.layout.shuffle_down().when('columns')), - Key([key_super, key_control], "k", lazy.layout.shuffle_up().when('columns')), - Key([key_super, key_control], "h", lazy.layout.shuffle_left().when('columns')), - Key([key_super, key_control], "l", lazy.layout.shuffle_right().when('columns')), - - # Max - Key([key_super], "j", lazy.layout.next()), - Key([key_super], "k", lazy.layout.previous()), - - # Multimedia Keys - Key([], "XF86AudioPlay", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 
org.mpris.MediaPlayer2.Player.PlayPause")), - Key([], "XF86AudioPrev", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")), - Key([], "XF86AudioNext", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")), - ## Microsoft Comfort Curve specific - Key([key_super, "shift"], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")), - Key([key_alt, key_super], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")), - Key([], "XF86AudioMute", lazy.spawn("${audio} mute")), - Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")), - Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")), - Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")), -] -groups = [Group(i) for i in "1234567890"] - -for i in groups: - # super + letter of group = switch to group - keys.append( - Key([key_super], i.name, lazy.group[i.name].toscreen()) + handler = logging.handlers.RotatingFileHandler( + os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000, + backupCount=7 ) + handler.setLevel(logging.WARN) + logger.addHandler(handler) - # super + shift + letter of group = switch to & move focused window to group - keys.append( - Key([key_super, key_control], i.name, lazy.window.togroup(i.name)) - ) + key_super = "mod4" + key_alt = "mod1" + key_control = "control" -layouts = [ - layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2), - layout.Max(), - # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True), - # 
layout.Wmii(border_focus='#00ff00'), - # layout.MonadTall(ratio=0.6, border_focus='#00ff00'), -] + keys = [ + # https://github.com/qtile/qtile/blob/master/libqtile/backend/x11/xkeysyms.py + Key([key_super], "Return", lazy.spawn("${terminalCommand}")), + Key([key_super], "r", lazy.spawncmd()), + Key([key_super], "w", lazy.window.kill()), -widget_defaults = dict( - font='Arial', - fontsize=16, - padding=3, -) + Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')), + Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")), -screens_count = 4 -screens = [] -for i in range(0, screens_count+1): - j = i+1 - widgets = [ - widget.TextBox("Screen %i" % j, name="Screen %i" % j), - widget.GroupBox(), - widget.WindowName(), - widget.Prompt(), - widget.CPUGraph(), - widget.ThermalSensor(), - widget.Memory(), - widget.Net(interface='eth0'), - widget.Net(interface='wlan0'), - widget.Clock(format='%Y-%m-%d %a %I:%M %p'), + Key([key_super, key_control], "r", lazy.spawn("${initScreen}")), + Key([key_super, key_control], "q", lazy.shutdown()), + + # Toggle between different layouts as defined below + Key([key_super], "Tab", lazy.next_layout()), + + # this is usefull when floating windows get buried + Key([key_super], "Escape", lazy.window.bring_to_front()), + + # common to all layouts + Key([key_control, key_alt], "h", lazy.layout.grow_left()), + Key([key_control, key_alt], "j", lazy.layout.grow_down()), + Key([key_control, key_alt], "k", lazy.layout.grow_up()), + Key([key_control, key_alt], "l", lazy.layout.grow_right()), + Key([key_super], "n", lazy.layout.normalize()), + Key([key_super], "o", lazy.layout.maximize()), + + # MonadTall keybindings + Key([key_super], "h", lazy.layout.left().when(layout="monad")), + Key([key_super], "l", lazy.layout.right().when(layout="monad")), + Key([key_super], "j", lazy.layout.down().when(layout="monad")), + Key([key_super], "k", 
lazy.layout.up().when(layout="monad")), + Key([key_super, key_control], "h", lazy.layout.shuffle_left().when(layout="monad")), + Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="monad")), + Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="monad")), + Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="monad")), + Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="monad")), + + # Stack + Key([key_super], "h", lazy.layout.previous().when(layout='stack')), + Key([key_super], "l", lazy.layout.next().when(layout='stack')), + Key([key_super], "j", lazy.layout.up().when(layout='stack')), + Key([key_super], "k", lazy.layout.down().when(layout='stack')), + Key([key_super, key_control], "j", lazy.layout.shuffle_up().when(layout='stack')), + Key([key_super, key_control], "k", lazy.layout.shuffle_down().when(layout='stack')), + Key([key_super, key_control], "h", lazy.layout.client_to_previous().when(layout='stack')), + Key([key_super, key_control], "l", lazy.layout.client_to_next().when(layout='stack')), + + # Columns + Key([key_super], "h", lazy.layout.left().when(layout="columns")), + Key([key_super], "l", lazy.layout.right().when(layout="columns")), + Key([key_super], "j", lazy.layout.next().when(layout="columns")), + Key([key_super], "k", lazy.layout.previous().when(layout="columns")), + Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="columns")), + Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="columns")), + Key([key_super, key_control], "h", lazy.layout.shuffle_left().when(layout="columns")), + Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="columns")), + Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="columns")), + + # Max + Key([key_super], "j", lazy.layout.down().when(layout="max")), + Key([key_super], "k", lazy.layout.up().when(layout="max")), + + # TODO: 
these are required to make the 'columns' layout work, but why? + Key([key_super], "j", lazy.layout.next()), + Key([key_super], "k", lazy.layout.previous()), + + # Multimedia Keys + Key([], "XF86AudioPlay", lazy.spawn("${pkgs.playerctl}/bin/playerctl play-pause")), + Key([], "XF86AudioPrev", lazy.spawn("${pkgs.playerctl}/bin/playerctl previous")), + Key([], "XF86AudioNext", lazy.spawn("${pkgs.playerctl}/bin/playerctl next")), + # TODO: the next two don't work yet + Key([], "XF86AudioRewind", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10-")), + Key([], "XF86BackForward", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10+")), + Key([], "XF86AudioMute", lazy.spawn("${audio} mute")), + Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")), + Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")), + Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")), ] - if i is 0: - widgets.insert(-1, widget.Systray()) + groups = [Group(i) for i in "1234567890"] - screens.append(Screen(bottom=bar.Bar(widgets, 30))) + for i in groups: + # super + letter of group = switch to group + keys.append( + Key([key_super], i.name, lazy.group[i.name].toscreen()) + ) - keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i))) + # super + shift + letter of group = switch to & move focused window to group + keys.append( + Key([key_super, key_control], i.name, lazy.window.togroup(i.name)) + ) -# subscribe.current_screen_change(func) + layouts = [ + layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2), + layout.Max(), + # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True), + # layout.Wmii(border_focus='#00ff00'), + # layout.MonadTall(ratio=0.6, border_focus='#00ff00'), + ] -dgroups_key_binder = None -dgroups_app_rules = [] -main = None -follow_mouse_focus = False -bring_front_click = True -cursor_warp = False -auto_fullscreen = True -focus_on_window_activation = "urgent" + 
widget_defaults = dict( + font='Arial', + fontsize=16, + padding=3, + ) + + screens_count = 4 + screens = [] + for i in range(0, screens_count+1): + j = i+1 + widgets = [ + widget.TextBox("Screen %i" % j, name="Screen %i" % j), + widget.GroupBox(), + widget.WindowName(), + widget.Prompt(), + widget.CPUGraph(), + widget.ThermalSensor(tag_sensor = "CPU"), + widget.Memory(), + # widget.Net(interface='eth0'), + widget.Net(interface='wlan0'), + widget.Clock(format='%Y-%m-%d %a %I:%M %p'), + ] + if i is 0: + widgets.insert(-1, widget.Systray()) + + screens.append(Screen(bottom=bar.Bar(widgets, 30))) + + keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i))) + + dgroups_key_binder = None + dgroups_app_rules = [] + follow_mouse_focus = False + bring_front_click = False + cursor_warp = False + auto_fullscreen = True + auto_minimize = False + # focus_on_window_activation = "urgent" -# Drag floating layouts. -mouse = [ - Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()), - Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()), - Click([key_super,key_control], "Button3", lazy.window.disable_floating()) -] -floating_layout = layout.Floating() + # Drag floating layouts. 
+ mouse = [ + # Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()), + # Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()), + Click([key_super,key_control], "Button3", lazy.window.disable_floating()) + ] -wmname = "LG3D" + # disable any floating + @hook.subscribe.client_new + def disable_floating_for_all_new_windows(window): + window.floating = False + + @hook.subscribe.client_new + def print_new_window(window): + print("new window: ", window) ''; -in { - systemd.user = { - startServices = true; - services = { - redshift-gtk = mkSimpleTrayService { - execStart = "${pkgs.redshift}/bin/redshift-gtk -v -l 47.6691:9.1698 -t 7000:4500 -m randr"; - }; - - pasystray = mkSimpleTrayService { - execStart = "${pkgs.pasystray}/bin/pasystray"; - }; - - cbatticon = mkSimpleTrayService { - execStart = "${pkgs.cbatticon}/bin/cbatticon"; - }; - }; - }; - +in +{ services = { gnome-keyring.enable = true; blueman-applet.enable = true; 
@@ -310,43 +262,32 @@ in { lockCmd = "${screenLockCommand}"; }; network-manager-applet.enable = true; - syncthing.enable = true; - gpg-agent = { - enable = true; - enableScDaemon = true; - enableSshSupport = true; - grabKeyboardAndMouse = true; - extraConfig = "pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry"; - }; flameshot.enable = true; + pasystray.enable = true; + cbatticon.enable = true; + }; + + home.pointerCursor = { + name = "Vanilla-DMZ"; + package = pkgs.vanilla-dmz; + size = 32; + x11.enable = true; + gtk.enable = true; }; xsession = { - enable = true; - windowManager.command = "${pkgs.qtile}/bin/qtile -c ${qtileConfig}"; - initExtra = '' - # ${pkgs.xorg.xinput}/bin/xinput set-prop "ErgoDox EZ ErgoDox EZ Mouse" "libinput Natural Scrolling Enabled" - ${pkgs.autorandr}/bin/autorandr -c - ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png - ${dpmsScript} default - ''; - - pointerCursor = { - name = "Vanilla-DMZ-AA"; - package = pkgs.vanilla-dmz; - size = 32; - }; + enable = false; + windowManager.command = "${pkgs.qtile}/bin/qtile start -c ${qtileConfig}"; + initExtra = "${initScreen}"; }; home.packages = with pkgs; [ # X Tools/Libraries lightdm - qtile - gnome3.networkmanagerapplet - autorandr - arandr - gnome3.gnome_themes_standard - gnome3.adwaita-icon-theme + networkmanagerapplet + gnome-icon-theme + gnome.gnome-themes-extra + adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix new file mode 100644 index 0000000..65ba632 --- /dev/null +++ b/nix/home-manager/profiles/sway-desktop.nix 
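Review bot: `xsession.enable = false;` leaves the `windowManager.command` and `initExtra` lines right below it without effect, so the qtile command and the `${initScreen}` call in this hunk are dead configuration unless another module turns `enable` back on. If that is intended, a comment such as `# xsession stays disabled; the X11/qtile session below is kept for reference only` above `enable = false;` spares the next reader the question, otherwise the two settings and the qtileConfig they reference could go together. The `home.pointerCursor` block added here is byte-for-byte the one in wayland-desktop.nix in this same commit; if a host ever imports both profiles it would be cleaner to define it in one place. The enclosing `services`/`xsession` attribute set starts before this hunk.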
@@ -0,0 +1,262 @@ +/* + TODO: create helper scripts for sharing of a screen portion + ``` + + # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. + swaymsg create_output + + # find the name and the workspace number + swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' + + swaymsg output HEADLESS-1 mode 1920@108060Hz + + # mirror the headless workspace on the current one + nix run nixpkgs\#wl-mirror -- HEADLESS-1 + + # shift windows to the workspace and switch the focus to it +*/ +{ + pkgs, + config, + lib, + # packages', + ... +}: +let + + lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; + displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; + displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; + swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; +in +{ + imports = [ + ../profiles/wayland-desktop.nix + ../programs/waybar.nix + ]; + + services.dunst = { + enable = true; + }; + + services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; + + home.packages = [ + pkgs.swayidle + pkgs.swaylock + + ## themes + pkgs.adwaita-icon-theme + pkgs.hicolor-icon-theme + pkgs.gnome-icon-theme + + ## fonts + # pkgs.nerd-fonts # TODO: reinstall selected ones + pkgs.dejavu_fonts # just a basic good fond + pkgs.font-awesome_5 # needed by i3status-rust + pkgs.font-awesome + pkgs.roboto + pkgs.ttf_bitstream_vera + + pkgs.noto-fonts + pkgs.noto-fonts-cjk-sans + pkgs.noto-fonts-cjk-serif + pkgs.noto-fonts-emoji + pkgs.noto-fonts-emoji-blob-bin + pkgs.noto-fonts-extra + pkgs.noto-fonts-lgc-plus + + pkgs.liberation_ttf + pkgs.fira-code + pkgs.fira-code-symbols + pkgs.mplus-outline-fonts.githubRelease + pkgs.dina-font + pkgs.monoid + pkgs.hermit + ### found on colemickens' repo + pkgs.gelasio # metric-compatible with Georgia + pkgs.powerline-symbols + pkgs.iosevka-comfy.comfy-fixed + + ## experimental stuff + 
pkgs.fuzzel + ]; + + # TODO: configure kanshi to always set the 5K resolution + # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" + # Make: Philips Consumer Electronics Company + # Model: PHL 499P9 + # Serial: AU02419010010 + # Physical size: 1190x340 mm + # Enabled: yes + # Modes: + # 3840x1080 px, 59.967999 Hz (preferred) + # 5120x1440 px, 59.977001 Hz (current) + + wayland.windowManager.sway = { + enable = true; + systemd.enable = true; + xwayland = false; + + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) + left + right + up + down + ; + in + { + inherit modifier; + bars = [ ]; + + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; + }; + + # alternatively run this command + # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" + # and then switch to a different VT (alt+ctrl+f2) and back + "1386:914:Wacom_Intuos_Pro_S_Pen" = { + tool_mode = "* relative"; + }; + }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to 
output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + # TODO: i've been hitting this one accidentally way too often. find a better place. + # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = + "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + '' + ); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user 
restart swayidle + ) & + '' + ); + } + ]; + + colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; + + window.commands = [ + { + command = "border pixel 0, floating enable, fullscreen disable, move absolute position 0 0"; + criteria.app_id = "flameshot"; + } + ]; + }; + }; + + services.swayidle = { + enable = true; + timeouts = [ + { + timeout = 10; + command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; + resumeCommand = displayOnCmd; + } + { + timeout = 60 * 5; + command = lockCmd; + } + { + timeout = 60 * 6; + command = displayOffCmd; + resumeCommand = displayOnCmd; + } + ]; + events = [ + { + event = "before-sleep"; + command = builtins.concatStringsSep "; " [ + lockCmd + "${pkgs.playerctl}/bin/playerctl pause" + ]; + } + { + event = "after-resume"; + command = displayOnCmd; + } + { + event = "lock"; + command = lockCmd; + } + ]; + }; +} diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix new file mode 100644 index 0000000..2f0d2ee --- /dev/null +++ b/nix/home-manager/profiles/wayland-desktop.nix 
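Review bot: Both `startup` entries are created as `pkgs.writeShellScript "ensure-graphical-session"`, but the second one restarts `swayidle` rather than `graphical-session.target`, so its store path name misdescribes what it runs; renaming it, e.g. `pkgs.writeShellScript "restart-swayidle" ''`, keeps logs and process listings readable. The `before-sleep` handler (`lockCmd; playerctl pause`) relies on `swaylock -f` returning only after the lock is in place; presumably that holds, but a short comment on `lockCmd` saying that `-f` is what makes the `before-sleep` chain safe would record the dependency. The `${modifier}+Shift+q` binding feeds `select(.focused).pid` into `xargs -L1 kill -9`; when the focused node carries no pid the jq output is `null` and kill merely errors, which looks acceptable but deserves a one-line comment.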
@@ -0,0 +1,87 @@ +{ + pkgs, + lib, + repoFlake, + ... +}: +let + + nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; +in +{ + fonts.fontconfig.enable = true; + + # services.gpg-agent.pinentryFlavor = lib.mkForce null; + # services.gpg-agent.extraConfig = '' + # pinentry-program "${wayprompt}/bin/pinentry-wayprompt" + # ''; + + services = { + blueman-applet.enable = true; + network-manager-applet.enable = true; + }; + + systemd.user.targets.tray = { + Unit = { + Description = "Home Manager System Tray"; + Requires = [ "graphical-session-pre.target" ]; + }; + }; + + home.packages = + with pkgs; + [ + # required by network-manager-applet + networkmanagerapplet + + wlr-randr + wayout + wl-clipboard + wmctrl + + nixpkgs-wayland'.shotman + + # identifies key input syms + wev + + # TODO: whwat's this for? + # wltype + + qt5.qtwayland + qt6.qtwayland + # libsForQt5.qt5.qtwayland + # libsForQt6.qt6.qtwayland + + # audio + playerctl + helvum + pasystray + sonusmix + pwvucontrol + + # probably required by flameshot + # xdg-desktop-portal xdg-desktop-portal-wlr + # grim + + waypipe + ] + ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) + # TODO: broken on aarch64 + [ ] + ); + + home.sessionVariables = { + XDG_SESSION_TYPE = "wayland"; + NIXOS_OZONE_WL = "1"; + MOZ_ENABLE_WAYLAND = "1"; + WLR_NO_HARDWARE_CURSORS = "1"; + }; + + home.pointerCursor = { + name = "Vanilla-DMZ"; + package = pkgs.vanilla-dmz; + size = 32; + x11.enable = true; + gtk.enable = true; + }; +} diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 0585746..aa3f531 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
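Review bot: `++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) [ ])` appends an empty list, so the conditional is a no-op; either the packages that are broken on aarch64 belong in that list, or the three lines can be dropped until there is something to put there. This file installs `nixpkgs-wayland'.shotman` from the `nixpkgs-wayland` flake input, while sway-desktop.nix in the same commit binds `Print` to `${pkgs.shotman}/bin/shotman`; unless an overlay makes those the same derivation, the package placed in `home.packages` and the one actually invoked differ, and one of the two references should be aligned with the other.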
@@ -1,23 +1,81 @@ -{ -... +{ + name, + lib, + pkgs, + ... }: +let + extensions = + [ + #undetectable adblocker + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } + # ublock origin + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } + + # # YT ad block + # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} + + # # Adblock Plus + # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} + + # Cookie Notice Blocker + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } + # i don't care about cookies + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } + + # NopeCHA + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } + + # h264ify + { id = "aleakchihdccplidncghkekgioiakgal"; } + + # clippy + # {id = "honbeilkanbghjimjoniipnnehlmhggk"} + + { + id = "dcpihecpambacapedldabdbpakmachpb"; + updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; + } + + # cookie autodelete + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } + + # unhook + { id = "khncfooichmfjbepaaaebmommgaepoid"; } + ] + ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ + # polkadotjs + { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } + + # rabby wallet + { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } + + # phantom wallet + { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } + + # Vimium C + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + + # TODO: this causes scrolling the tab bar all the way to the end. 
look for a different one or report + # always right + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } + + # shazam music + { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } + ]); +in { programs.chromium = { enable = true; + inherit extensions; + # TODO: extensions currently don't work with ungoogled-chromium + package = pkgs.chromium; }; - nixpkgs.config = { - chromium = { - # 2019-03-05: missing on 19.03 enablePepperPDF = true; - enablePepperFlash = false; - }; - }; - - programs.browserpass = { - browsers = [ - "chromium" - ]; + programs.brave = { + # TODO: enable this on aarch64-linux + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; + inherit extensions; }; } - diff --git a/nix/home-manager/programs/emacs.nix b/nix/home-manager/programs/emacs.nix deleted file mode 100644 index 2b606a9..0000000 --- a/nix/home-manager/programs/emacs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, -... -}: - -{ - programs.emacs = { - enable = true; - extraPackages = epkgs: (with epkgs; [ - nix-mode - magit # ; Integrate git - zerodark-theme # ; Nicolas' theme - undo-tree # ; to show the undo tree - # zoom-frm # ; increase/decrease font size for all buffers %lt;C-x C-+> - ]) ++ (with epkgs.melpaPackages; [ - evil - ]) ++ (with epkgs.elpaPackages; [ - auctex # ; LaTeX mode - beacon # ; highlight my cursor when scrolling - nameless # ; hide current package name everywhere in elisp code - ]) ++ (with pkgs; [ - pkgs.notmuch # From main packages set - ]); - }; -} diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix new file mode 100644 index 0000000..8297183 --- /dev/null +++ b/nix/home-manager/programs/espanso.nix 
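Review bot: The `dcpihecpambacapedldabdbpakmachpb` entry is installed from a third-party `updateUrl` that points at the `master` branch of a GitHub repository, so whatever that branch publishes is force-installed and auto-updated into every profile outside the Web Store's review; the same list force-installs browser wallet extensions for `steveej*` profiles, which makes the trust placed in that update manifest worth stating. Pinning the manifest to a fixed revision and checking what CRX it references, or at least a comment such as `# installed from an unpinned third-party update manifest; review before bumping` next to the `updateUrl`, would record the decision. Separately, `enable = true && !pkgs.stdenv.targetPlatform.isAarch64;` reads more plainly as `enable = !pkgs.stdenv.targetPlatform.isAarch64;`.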
@@ -0,0 +1,82 @@ +{ pkgs, ... }: +{ + services.espanso = { + package = pkgs.espanso-wayland; + # package = pkgs.espanso-wayland.overrideAttrs (_: { + # src = repoFlake.inputs.espanso; + + # cargoLock = { + # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; + # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; + # outputHashes = { + # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; + # }; + # }; + # }); + + enable = false; + configs = { + default = { + # backend = "Inject"; + # backend = "Clipboard"; + }; + }; + matches = + let + playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime + + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() + + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; + }; + }; +} diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index f93f020..b9c575f 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
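Review bot: In the `:vpos` script, `subprocess.run(..., env={"DBUS_SESSION_BUS_ADDRESS": ...})` replaces the child's entire environment instead of extending it, so `playerctl` runs without `PATH`, `XDG_RUNTIME_DIR` and the rest of the session environment; `env={**os.environ, "DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"}` keeps the override while inheriting everything else. Whether playerctl needs anything beyond the bus address is not visible here, but the shell-based `playerctl` helper in the `let` uses `env VAR=... cmd`, which does inherit, so the two trigger scripts currently run under different environments. Since `enable = false`, none of this runs today; a comment on `enable` saying why the service is off (the commented-out `overrideAttrs` hints at a build or backend problem) would help whoever turns it back on.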
@@ -1,19 +1,451 @@ -{ pkgs -, ... -}: - { - programs.firefox = { - enable = true; - enableAdobeFlash = false; - }; + repoFlake, + pkgs, + config, + lib, + ... +}: +let + # Search extension names with below command: + # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY + ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ + ublock-origin - programs.browserpass = { - browsers = [ - "firefox" + # bypass-paywalls-clean (can't use, was creating popups) + consent-o-matic + terms-of-service-didnt-read + + auto-tab-discard + + # redirector # For nixos wiki + # darkreader + + facebook-container + control-panel-for-twitter + # containerise + facebook-tracking-removal + vimium + cookie-autodelete + auto-tab-discard + istilldontcareaboutcookies + + youtube-recommended-videos + + display-_anchors + ]; + + customAddons = [ + + ]; + + search = { + force = true; + default = "ddg"; + privateDefault = "ddg"; + + order = [ + "ddg" + "ecosia" + "google" ]; }; - home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; -} + mkProfile = + override: + lib.recursiveUpdate { + extensions.packages = ryceeAddons ++ customAddons; + inherit search; + settings = { + # automatically enable extensions + "extensions.autoDisableScopes" = 0; + + "middlemouse.paste" = false; + + "browser.download.useDownloadDir" = false; + "browser.tabs.insertAfterCurrent" = true; + "browser.tabs.warnOnClose" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.quitShortcut.disabled" = false; + + # restore the previous session automatically + "browser.startup.page" = 3; + "browser.sessionstore.resume_from_crash" = true; + "browser.sessionstore.restore_pinned_tabs_on_demand" = true; + "browser.sessionstore.restore_on_demand" = true; + + "browser.urlbar.suggest.bookmark" = true; + "browser.urlbar.suggest.engines" = true; + 
"browser.urlbar.suggest.history" = true; + "browser.urlbar.suggest.openpage" = true; + "browser.urlbar.suggest.topsites" = false; + "browser.urlbar.trimHttps" = true; + + "sidebar.position_start" = false; + "findbar.highlightAll" = true; + + "browser.tabs.hoverPreview.enabled" = true; + + # Disable fx accounts + "identity.fxaccounts.enabled" = false; + # Disable "save password" prompt + "signon.rememberSignons" = false; + # Harden + "privacy.trackingprotection.enabled" = true; + "dom.security.https_only_mode" = true; + + # Disable irritating first-run stuff + "browser.disableResetPrompt" = true; + "browser.download.panel.shown" = true; + "browser.feeds.showFirstRunUI" = false; + "browser.messaging-system.whatsNewPanel.enabled" = false; + "browser.rights.3.shown" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.shell.defaultBrowserCheckCount" = 1; + "browser.startup.homepage_override.mstone" = "ignore"; + "browser.uitour.enabled" = false; + "startup.homepage_override_url" = ""; + "trailhead.firstrun.didSeeAboutWelcome" = true; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.bookmarks.addedImportButton" = true; + + # Disable "Save to Pocket" or Pocket entirely + "extensions.pocket.enabled" = false; + + # Disable telemetry + "toolkit.telemetry.enabled" = false; + "toolkit.telemetry.unified" = false; + "toolkit.telemetry.archive.enabled" = false; + "datareporting.healthreport.uploadEnabled" = false; + "app.shield.optoutstudies.enabled" = false; + "browser.discovery.enabled" = false; + "browser.newtabpage.activity-stream.feeds.telemetry" = false; + "browser.newtabpage.activity-stream.telemetry" = false; + "browser.ping-centre.telemetry" = false; + "datareporting.healthreport.service.enabled" = false; + "datareporting.policy.dataSubmissionEnabled" = false; + "datareporting.sessions.current.clean" = true; + "devtools.onboarding.telemetry.logged" = false; + "toolkit.telemetry.bhrPing.enabled" = false; + 
"toolkit.telemetry.firstShutdownPing.enabled" = false; + "toolkit.telemetry.hybridContent.enabled" = false; + "toolkit.telemetry.newProfilePing.enabled" = false; + "toolkit.telemetry.prompted" = 2; + "toolkit.telemetry.rejected" = true; + "toolkit.telemetry.reportingpolicy.firstRun" = false; + "toolkit.telemetry.server" = ""; + "toolkit.telemetry.shutdownPingSender.enabled" = false; + "toolkit.telemetry.unifiedIsOptIn" = false; + "toolkit.telemetry.updatePing.enabled" = false; + + # Disable any feeds on the new tab page + "browser.newtabpage.activity-stream.showTopSites" = false; + "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; + "browser.newtabpage.activity-stream.discoverystream.enabled" = false; + "browser.newtabpage.activity-stream.feeds.topsites" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; + "browser.newtabpage.blocked" = lib.genAttrs [ + # Youtube + "26UbzFJ7qT9/4DhodHKA1Q==" + # Facebook + "4gPpjkxgZzXPVtuEoAL9Ig==" + # Wikipedia + "eV8/WsSLxHadrTL1gAxhug==" + # Reddit + "gLv0ja2RYVgxKdp0I5qwvA==" + # Amazon + "K00ILysCaEq8+bEqV/3nuw==" + # Twitter + "T9nJot5PurhJSy8n038xGA==" + ] (_: 1); + "browser.topsites.blockedSponsors" = [ + "adidas" + "temuaffiliateprogram.pxf" + "s.click.aliexpress" + ]; + + # enable userChrome + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "devtools.chrome.enabled" = true; + "devtools.debugger.remote-enabled" = true; + + # disable translations for some languages + "browser.translations.neverTranslateLanguages" = [ + "en" + "de" + ]; + "browser.translations.automaticallyPopup" = false; + + # enable pipewire (and libcamera) sources + "media.webrtc.camera.allow-pipewire" = true; + + }; + + userChrome = + let + name = override.color or colors.grey; + value = colorValues."${name}".normal; + valueBright = colorValues."${name}".highlight; + valueDark = 
colorValues."${name}".inactive; + in + '' + @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */ + + #nav-bar { + background-color: ${value} !important; + color: black !important; + } + + /* don't show close button on background tabs */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { + display: none !important; + } + + /* show close button on hover */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { + display: -moz-inline-box !important; + } + + + /* default */ + #TabsToolbar { + background: ${valueDark} !important; + } + + /* default tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { + background: ${value} !important; + opacity: 0.8 + } + + /* selected tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { + background: ${valueBright} !important; + box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); + } + + /* hovered tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { + background: ${valueBright} !important; + } + + /* unloaded/pending tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { + background: ${valueDark} !important; + } + ''; + + # /* new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { + # background: unset !important; + # } + + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { + # /* background: var(--default_tabs_bg_newtab) !important; + # } + + # /* hovered new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { + # background: var(--default_tabs_bg_newtab_hovered) !important; + # } + + } (builtins.removeAttrs override [ "color" ]); + + # TODO: insert the id automatically + mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; + + colors = builtins.mapAttrs (name: _: name) 
colorValues; + + colorValues = { + blue = { + normal = "#49b1fc"; + highlight = "#05a9fc"; # Brighter blue + inactive = "#1f81c6"; # Darker blue + }; + green = { + normal = "#51cd00"; + highlight = "#5ae200"; # Brighter green + inactive = "#45ad00"; # Darker green + }; + orange = { + normal = "#ff9800"; + highlight = "#ffb74d"; # Brighter orange + inactive = "#c76a00"; # Darker orange + }; + red = { + normal = "#f6685e"; + highlight = "#ff4336"; # Brighter red + inactive = "#aa463f"; # Darker red + }; + yellow = { + normal = "#fced4b"; + highlight = "#fce705"; # Brighter yellow + inactive = "#dbbe00"; # Darker yellow + }; + purple = { + normal = "#9c27b0"; + highlight = "#ab47bc"; # Brighter purple + inactive = "#7b1fa2"; # Darker purple + }; + pink = { + normal = "#e91e63"; + highlight = "#ff6090"; # Brighter pink + inactive = "#c2185b"; # Darker pink + }; + brown = { + normal = "#795548"; + highlight = "#a88b6f"; # Brighter brown + inactive = "#4e3b30"; # Darker brown + }; + grey = { + normal = "#9e9e9e"; + highlight = "#bdbdbd"; # Brighter grey + inactive = "#757575"; # Darker grey + }; + teal = { + normal = "#009688"; + highlight = "#26c6da"; # Brighter teal + inactive = "#00796b"; # Darker teal + }; + }; + +in +{ + nixpkgs.overlays = [ + repoFlake.inputs.nur.overlays.default + ]; + + nixpkgs.config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "youtube-recommended-videos" + ]; + + programs.librewolf = { + enable = false; + }; + programs.firefox = { + enable = true; + package = pkgs.firefox; + + profiles = + lib.filterAttrs (_: v: config.home.username == "steveej" || (v.isDefault or false)) + (mkProfiles { + "personal" = mkProfile { + id = 0; + isDefault = true; + color = colors.blue; + }; + "comms" = mkProfile { + id = 1; + color = colors.blue; + }; + "admin" = mkProfile { + id = 2; + color = colors.blue; + }; + "infra" = mkProfile { + id = 3; + color = colors.blue; + }; + "finance" = mkProfile { + id = 4; + color = colors.yellow; + }; + 
"business-admin" = mkProfile { + id = 5; + color = colors.teal; + }; + "business-comms" = mkProfile { + id = 6; + color = colors.teal; + }; + "business-dev" = mkProfile { + id = 7; + color = colors.teal; + }; + "holo-dev" = mkProfile { + id = 8; + color = colors.green; + }; + "holo-infra" = mkProfile { + id = 9; + color = colors.green; + }; + "holo-comms" = mkProfile { + id = 10; + color = colors.green; + }; + "justyna" = mkProfile { + id = 11; + color = colors.pink; + }; + "justyna-office" = mkProfile { + id = 12; + color = colors.pink; + }; + "tech-research" = mkProfile { + id = 13; + color = colors.purple; + }; + }); + + # policies = { + # # search via policy. the other one doesn't always work because of schema version mismatch + # SearchEngines = { + # Default = "Qwant"; + # PreventInstalls = true; + + # Add = [ + # { + # Method = "GET"; + # Alias = "qwant"; + # Description = "Description"; + # # PostData= "name=value&q={searchTerms}"; + + # Name = "Qwant"; + # SuggestURLTemplate = "https://api.qwant.com/api/suggest/?q={searchTerms}"; + # URLTemplate = "https://www.qwant.com/?q={searchTerms}"; + # } + # ]; + # }; + # }; + + }; + + # create one desktop entry for each profile + xdg.desktopEntries = lib.mapAttrs' ( + k: _v: + lib.nameValuePair "firefox-profile-${k}" { + categories = [ + "Network" + "WebBrowser" + ]; + exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; + genericName = "Web Browser"; + icon = + builtins.replaceStrings [ ".desktop" ] [ "" ] + config.programs.firefox.package.desktopItem.name; + mimeType = [ + "text/html" + "text/xml" + "application/xhtml+xml" + "application/vnd.mozilla.xul+xml" + "x-scheme-handler/http" + "x-scheme-handler/https" + ]; + name = "Firefox: ${k}"; + startupNotify = true; + settings.StartupWMClass = + # To group windows of different profiles. + # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. 
+ #if profile.name == "default"
+ #then "firefox"
+ #else "firefox-${profile.name}";
+ "firefox";
+ terminal = false;
+ type = "Application";
+ }
+ ) config.programs.firefox.profiles;
+}
diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix
new file mode 100644
index 0000000..6357087
--- /dev/null
+++ b/nix/home-manager/programs/gpg-agent.nix
@@ -0,0 +1,24 @@
+{
+ lib,
+ pkgs,
+ osConfig,
+ ...
+}:
+{
+ home.packages = [ pkgs.gcr ];
+
+ programs.gpg.enable = true;
+ services.gpg-agent = {
+ enable = true;
+ enableScDaemon = !osConfig.services.pcscd.enable;
+ enableSshSupport = true;
+ grabKeyboardAndMouse = true;
+ pinentry.package = lib.mkDefault pkgs.pinentry-gtk2;
+ extraConfig = ''
+ no-allow-external-cache
+ '';
+
+ defaultCacheTtl = 0;
+ maxCacheTtl = 0;
+ };
+}
diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix
index dc05362..4ba0dfe 100644
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
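Review bot: Under `# enable userChrome`, only `toolkit.legacyUserProfileCustomizations.stylesheets` is needed to load `userChrome.css`; `devtools.chrome.enabled` and `devtools.debugger.remote-enabled` additionally enable the Browser Toolbox and the remote debugging protocol, and because `mkProfile` applies these settings to all fourteen profiles, including the ones hardened with `https_only_mode` and tracking protection, that widens the debugging surface beyond what the comment describes. If the Browser Toolbox is wanted, a comment such as `# devtools.*: needed for the Browser Toolbox while editing userChrome, not for loading it` makes that explicit; otherwise the two prefs can be dropped. `"extensions.autoDisableScopes" = 0;` likewise lets add-ons from every install scope activate without the usual prompt, so `# automatically enable extensions` would be clearer as `# 0 = auto-enable add-ons from all scopes (needed for the declared ryceeAddons; also covers sideloaded ones)`. `mkProfiles` is currently an identity function (`builtins.mapAttrs (_k: v: v)`), which is fine as a placeholder for the TODO above it but could simply be `lib.id` until the id insertion lands.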
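Review bot: `defaultCacheTtl = 0;` and `maxCacheTtl = 0;` disable caching only for the regular passphrase cache; with `enableSshSupport = true` the SSH keys use gpg-agent's separate `default-cache-ttl-ssh`/`max-cache-ttl-ssh` settings, which keep their defaults here, so SSH key passphrases are still cached. If no caching at all is the intent, add `defaultCacheTtlSsh = 0;` and `maxCacheTtlSsh = 0;` next to them; either way a comment like `# no passphrase caching: every signing/decryption prompts via pinentry` would record the choice. `enableScDaemon = !osConfig.services.pcscd.enable;` also deserves a one-line why, since the reason for turning scdaemon off when the host runs pcscd is not visible from this file.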
@@ -1,38 +1,29 @@ -{ pkgs -, config -, ... -}: +{ pkgs, config, ... }: +{ + home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; -let - # TODO: clean up the impurity in here - -in { - home.sessionVariables = { - HOMESHICK_DIR="${pkgs.homeshick}"; - }; - - home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' + home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick - - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick + + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick ''}; ''; nixpkgs.config = { - - packageOverrides = pkgs: with pkgs; { - homeshick = builtins.fetchGit { - url = "https://github.com/andsens/homeshick.git"; - ref = "master"; + packageOverrides = + pkgs: with pkgs; { + homeshick = builtins.fetchGit { + url = "https://github.com/andsens/homeshick.git"; + ref = "master"; + }; }; - }; }; } diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 7edf5b9..2091dc8 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,14 +1,8 @@ -{ pkgs, -... -}: +{ pkgs, nodeFlake, ... }: +let + pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; +in { - home.sessionVariables = { - # Workaround for Libreoffice to force gtk3 - SAL_USE_VCLPLUGIN = "gtk3"; - }; - - home.packages = with pkgs; [ - libreoffice-fresh - ]; + home.packages = [ pkgsStable.libreoffice ]; } 
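Review bot: `builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; }` in `packageOverrides` is still unpinned after the reformat: there is no `rev`, so the activation script's `source ${pkgs.homeshick}/homeshick.sh` runs whatever upstream `master` points at when the configuration is evaluated, and two machines (or two rebuilds) can end up executing different code. Pin it, e.g. `rev = "<commit-sha>";` alongside `ref`, or move homeshick to a flake input so `flake.lock` records it; with the repo now evaluated through `use flake .#develop` an unlocked `fetchGit` is, as far as I can tell, likely to be rejected in pure evaluation anyway. The `# TODO: clean up the impurity in here` comment this hunk deletes was pointing at exactly this, so either keep the TODO or fix it in the same change.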
diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index 3f6fa44..fa5c94a 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
@@ -1,166 +1,163 @@ -{ pkgs, -... -}: +{ repoFlake, pkgs, ... }: +{ + imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; -let - unstablepkgs = import {}; - -in { - home.sessionVariables = { - EDITOR = "nvim"; - }; - - nixpkgs.config = { - pidgin = { - openssl = true; - gnutls = true; - }; - - packageOverrides = pkgs: with pkgs; { - neovim = unstablepkgs.neovim; - vimPlugins = unstablepkgs.vimPlugins; - }; - }; - - programs.neovim = { + programs.nixvim = { enable = true; + defaultEditor = true; + vimdiffAlias = true; + vimAlias = true; - extraPythonPackages = (ps: with ps; [ ]); - extraPython3Packages = (ps: with ps; [ ]); + extraPython3Packages = ps: with ps; [ ]; - configure = { - customRC = builtins.readFile ./neovim/vimrc; - vam = { - knownPlugins = with pkgs; vimPlugins // { - delimitMate = vimUtils.buildVimPlugin { - name = "delimitMate-vim"; - src = fetchFromGitHub { - owner = "Raimondi"; - repo = "delimitMate"; - rev = "728b57a6564c1d2bdfb9b9e0f2f8c5ba3d7e0c5c"; - sha256 = "0fskm9gz81dk8arcidrm71mv72a7isng1clssqkqn5wnygbiimsn"; - }; - buildInputs = [ zip vim ]; - }; + # extraConfigVim = builtins.readFile ./neovim/vimrc; - yaml-folds = vimUtils.buildVimPlugin { - name = "vim-yaml-folds"; - src = fetchFromGitHub { - owner = "pedrohdz"; - repo = "vim-yaml-folds"; - rev = "0672d9a3b685b51b4c49d8716c2ad4e27cfa5abd"; - sha256 = "0yp2jgaqiria79lh75fkrs77rw7nk518bq63w9bvyy814i7s4scn"; - }; - buildInputs = [ zip vim ]; - }; + clipboard = { + register = "unnamedplus"; + providers.wl-copy.enable = true; + }; - vim-yaml = vimUtils.buildVimPlugin { - name = "vim-yaml"; - src = fetchFromGitHub { - owner = "stephpy"; - repo = "vim-yaml"; - rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - }; - }; - - - vim-markdown-toc = vimUtils.buildVimPlugin { - name = "vim-markdown-toc"; - src = fetchFromGitHub { - owner = "mzlogin"; - repo = "vim-markdown-toc"; - rev = 
"a6e227023f405a7c39590a8aaf0d54dde5614a2e"; - sha256 = "1vpsnjzc7hvrkp6mq68myxl3k1x363iif58rrd17njcsa4jh1zwy"; - }; - }; - vim-perl = vimUtils.buildVimPlugin { - name = "vim-perl"; - src = fetchFromGitHub { - owner = "vim-perl"; - repo = "vim-perl"; - rev = "21d0a0d795336acf8a9306da35f379c32cfc5e08"; - sha256 = "0f2sa0v3djd89k16n4saji9n7grziyhkljq75dskcbv8r19m8i1j"; - }; - }; - - git-blame = vimUtils.buildVimPlugin { - name = "git-blame"; - src = fetchFromGitHub { - "owner" = "zivyangll"; - "repo" = "git-blame.vim"; - "rev" = "a5b666840eead1b1ea1c351038da6ce026716bb6"; - "sha256" = "181siphb87yzln9433159ssa6vmm1h2dd0kqhlx7bgsi51gng4rv"; - }; - }; - - tlib = vimPlugins.tlib_vim; + plugins = { + airline = { + enable = true; + settings = { + powerline_fonts = 1; + skip_empty_sections = 1; + theme = "papercolor"; }; + }; + fugitive.enable = true; + gitblame.enable = true; + lsp = { + enable = true; + }; - pluginDictionaries = let - default = [ - "delimitMate" - "vim-airline" - "vim-airline-themes" - "ctrlp" - "vim-css-color" - "rainbow_parentheses" - "vim-colorschemes" - "vim-colorstepper" - "vim-signify" - "fugitive" - "vim-indent-guides" - "UltiSnips" - "fzfWrapper" + nix.enable = true; - "ncm2" - "ncm2-bufword" - "ncm2-path" - "ncm2-tmux" - "ncm2-ultisnips" - "nvim-yarp" + # TODO: enable in next release + # numbertoggle.enable = true; - "LanguageClient-neovim" + # successfor to ctrlp and fzf + telescope.enable = true; - "Improved-AnsiEsc" - "tabular" - "git-blame" + todo-comments.enable = true; - # Nix - "vim-addon-nix" "tlib" - "vim-addon-vim2nix" + toggleterm.enable = true; - # LaTeX - "vim-latex-live-preview" - "vimtex" + treesitter = { + enable = true; - # YAML - "yaml-folds" - "vim-yaml" - - # Perl - # "vim-perl" - - - # markdown - "vim-markdown" - "vim-markdown-toc" - - # misc syntax support - "vim-bazel" "maktaba" - ]; - in [ - { names = default; } - { names = default ++ [ - ]; - filename_regex = ".*\.nix\$"; - } - { names = default ++ [ - ]; - filename_regex 
= ".*\.tex\$"; - } + grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ + bash + json + lua + make + markdown + nix + regex + toml + vim + vimdoc + xml + yaml ]; }; + + treesitter-context.enable = true; + treesitter-refactor.enable = true; + + # This plugin trims trailing whitespace and lines. + trim.enable = true; + + web-devicons.enable = true; }; + + # plugins = with pkgs; + # [ + # # yaml-folds + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml-folds"; + # src = fetchFromGitHub { + # owner = "pedrohdz"; + # repo = "vim-yaml-folds"; + # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + # }; + # buildInputs = [zip vim]; + # }; + # } + + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml"; + # src = fetchFromGitHub { + # owner = "stephpy"; + # repo = "vim-yaml"; + # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + # }; + # }; + # } + + # { + # plugin = vimUtils.buildVimPlugin { + # name = "git-blame"; + # src = fetchFromGitHub { + # "owner" = "zivyangll"; + # "repo" = "git-blame.vim"; + # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + # }; + # }; + # } + # ] + # ++ (with pkgs.vimPlugins; [ + # delimitMate + # vim-airline + # vim-airline-themes + # ctrlp + # vim-css-color + # rainbow_parentheses + # vim-colorschemes + # vim-colorstepper + # vim-signify + # fugitive + # vim-indent-guides + # UltiSnips + # fzfWrapper + + # ncm2 + # ncm2-bufword + # ncm2-path + # ncm2-tmux + # ncm2-ultisnips + # nvim-yarp + + # LanguageClient-neovim + + # Improved-AnsiEsc + # tabular + + # # Nix + # vim-addon-nix + # tlib + # vim-addon-vim2nix + + # # LaTeX + # vim-latex-live-preview + # vimtex + + # # YAML + # vim-yaml + + # # markdown + # vim-markdown + # vim-markdown-toc + + # # misc syntax support + # vim-bazel + # 
maktaba + # ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index 21987f5..f3cb42b 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc @@ -46,9 +46,11 @@ noremap :tabp let g:ctrlp_map = '' set wildignore+=*/site/*,*.so,*.swp,*.zip let g:ctrlp_custom_ignore = { -\ 'dir': '\v[\/]\.(git|hg|svn|)$$', +\ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } +"let g:ctrlp_max_files=0 +"let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix new file mode 100644 index 0000000..d99747d --- /dev/null +++ b/nix/home-manager/programs/obs-studio.nix @@ -0,0 +1,25 @@ +{ pkgs, lib, ... }: +{ + programs.obs-studio = { + enable = true; + plugins = + builtins.map + ( + plugin: + (plugin.overrideAttrs (attrs: { + meta = lib.mkMerge [ + { inherit (attrs) meta; } + { meta.platforms = [ pkgs.stdenv.system ]; } + ]; + })) + ) + ( + with pkgs.obs-studio-plugins; + [ + # wlrobs + obs-backgroundremoval + obs-pipewire-audio-capture + ] + ); + }; +} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix new file mode 100644 index 0000000..4b01360 --- /dev/null +++ b/nix/home-manager/programs/openvscode-server.nix 
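Review bot: `meta = lib.mkMerge [ { inherit (attrs) meta; } { meta.platforms = [ pkgs.stdenv.system ]; } ]` inside `overrideAttrs` does not merge anything: `lib.mkMerge` only returns a `{ _type = "merge"; contents = [ ... ]; }` marker that the module system resolves, and `overrideAttrs` is plain attribute-set construction, so each plugin derivation ends up with that marker as its `meta` (nested one level too deep, since both list elements wrap `meta` again) and no usable `meta.platforms`. Presumably the intent is to force the plugins onto the host platform; that is `meta = attrs.meta // { platforms = [ pkgs.stdenv.hostPlatform.system ]; };`. Please also add a one-line comment saying why nixpkgs' platform list is being overridden, because the override silently bypasses the gating that marks a plugin as unsupported on a given system.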
@@ -0,0 +1,37 @@ +{ pkgs, repoFlake, ... }: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ + home.packages = [ + pkgs.nil + pkgs.nixd + pkgs.nixfmt-rfc-style + + # TODO: automate linking this + # 1. get the commit with: `codium --version` + # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` + # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ + + /* + e.g.: + ``` + ( + set -e + export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') + ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" + ) + ``` + */ + + (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { + src = repoFlake.inputs.openvscode-server; + version = "1.94.2"; + yarnCache = attrs.yarnCache.overrideAttrs (_: { + outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; + }); + })) + + pkgs.waypipe + ]; +} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 5b892f5..43805e0 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
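Review bot: `version = "1.94.2";` is hard-coded while `src = repoFlake.inputs.openvscode-server;` comes from the flake lock, so the two can drift silently the next time the input is bumped and the package will report a version it is not; derive it from the input (e.g. a `rev`/`shortRev` based string) or add `# keep in sync with inputs.openvscode-server in flake.nix` next to it. The manual linking procedure in the comment hard-codes `/home/steveej` and the host `bm-hostkey0`; using `$HOME` and a variable for the host keeps it reusable, and `pkill -9 openvscode` is worth a caveat since it also kills any unrelated process whose name matches. The `yarnCache` hash override is fine but will need to change with every `src` bump, which the comment above could mention.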
@@ -1,23 +1,17 @@ -{ pkgs -, ... -}: - +{ repoFlake, pkgs, ... }: { - home.sessionVariables = { - # required by pass-otp - PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; - PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; - }; - - programs.browserpass = { - enable = true; - }; + # required by pass-otp + # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; + # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + # programs.browserpass.enable = true; - home.packages = with pkgs; [ - pass-otp - qtpass - rofi-pass - gnupg + home.packages = [ + pkgs.gnupg + + # broken on wayland + # rofi-pass + + (pkgs.callPackage repoFlake.lib.prsFn { + }) ]; } - diff --git a/nix/home-manager/programs/podman.nix b/nix/home-manager/programs/podman.nix deleted file mode 100644 index 193e981..0000000 --- a/nix/home-manager/programs/podman.nix +++ /dev/null 
@@ -1,160 +0,0 @@ -{ pkgs -, ... -}: - -let - cniConfigDir = let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; - - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ''; - in pkgs.runCommand "cniConfig" {} '' - set -x - mkdir $out; - ln -s ${loopback} $out/${loopback.name} - ln -s ${podman-bridge} $out/${podman-bridge.name} - ''; - - containersConf = pkgs.writeText "containers.conf" '' - # containers.conf is the default configuration file for all tools using libpod to - # manage containers - - # Default transport method for pulling and pushing for images - image_default_transport = "docker://" - - # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback. - conmon_path = [ - "${pkgs.conmon}/bin/conmon" - ] - - # --runtime ${pkgs.crun}/bin/crun \ - runtime = "crun" - - # Environment variables to pass into conmon - conmon_env_vars = [ - ] - - # CGroup Manager - valid values are "systemd" and "cgroupfs" - # cgroup_manager = "systemd" - cgroup_manager = "cgroupfs" - - # Maximum size of log files (in bytes) - # -1 is unlimited - max_log_size = -1 - - # Whether to use chroot instead of pivot_root in the runtime - no_pivot_root = false - - # Directory containing CNI plugin configuration files - cni_config_dir = "${cniConfigDir}" - - # Directories where the CNI plugin binaries may be located - cni_plugin_dir = [ - "${pkgs.cni-plugins}/bin" - ] - - # Default CNI network for libpod. 
- # If multiple CNI network configs are present, libpod will use the network with - # the name given here for containers unless explicitly overridden. - # The default here is set to the name we set in the - # 87-podman-bridge.conflist included in the repository. - # Not setting this, or setting it to the empty string, will use normal CNI - # precedence rules for selecting between multiple networks. - cni_default_network = "podman" - - # Default libpod namespace - # If libpod is joined to a namespace, it will see only containers and pods - # that were created in the same namespace, and will create new containers and - # pods in that namespace. - # The default namespace is "", which corresponds to no namespace. When no - # namespace is set, all containers and pods are visible. - #namespace = "" - - # Default pause image name for pod pause containers - pause_image = "k8s.gcr.io/pause:3.1" - - # Default command to run the pause container - pause_command = "/pause" - - # Determines whether libpod will reserve ports on the host when they are - # forwarded to containers. When enabled, when ports are forwarded to containers, - # they are held open by conmon as long as the container is running, ensuring that - # they cannot be reused by other programs on the host. However, this can cause - # significant memory usage if a container has many ports forwarded to it. - # Disabling this can save memory. 
- enable_port_reservation = true - - # Default libpod support for container labeling - # label=true - ''; -in { - home.packages = with pkgs; [ - podman - ]; - - home.file.".config/containers/containers.conf".source = containersConf; - - home.file.".config/containers/registries.conf".text = '' - [registries.search] - registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org'] - - [registries.insecure] - registries = [] - - #blocked (docker only) - [registries.block] - registries = [] - ''; - - home.file.".config/containers/storage.conf".text = '' - [storage] - driver = "btrfs" - ''; - - home.file.".config/containers/policy.json".text = '' - { - "default": [ - { - "type": "insecureAcceptAnything" - } - ], - "transports": - { - "docker-daemon": - { - "": [{"type":"insecureAcceptAnything"}] - } - } - } - ''; -} diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix new file mode 100644 index 0000000..be31268 --- /dev/null +++ b/nix/home-manager/programs/radicale.nix 
@@ -0,0 +1,89 @@ +{ + config, + lib, + pkgs, + osConfig, + ... +}: +let + libdecsync = pkgs.python3Packages.buildPythonPackage rec { + pname = "libdecsync"; + version = "2.2.1"; + + src = pkgs.python3Packages.fetchPypi { + inherit pname version; + hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I="; + }; + + propagatedBuildInputs = [ + # pkgs.libxcrypt-legacy + ]; + }; + radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { + pname = "radicale_storage_decsync"; + version = "2.1.0"; + + src = pkgs.python3Packages.fetchPypi { + inherit pname version; + hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg="; + }; + + buildInputs = [ + pkgs.radicale + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt + ]; + + nativeCheckInputs = [ + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt + ]; + + propagatedBuildInputs = [ + libdecsync + pkgs.python3Packages.setuptools + ]; + }; + radicale-decsync = pkgs.radicale.overrideAttrs (old: { + propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; + }); + + mkRadicaleService = + { suffix, port }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} + + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt + + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; + }; + }; +in +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 
5233; + } +] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix new file mode 100644 index 0000000..9e45594 --- /dev/null +++ b/nix/home-manager/programs/redshift.nix @@ -0,0 +1,28 @@ +_: +let + passwords = import ../../variables/passwords.crypt.nix; +in +{ + services.gammastep = { + enable = true; + provider = "manual"; + enableVerboseLogging = true; + inherit (passwords.location.stefan) longitude latitude; + temperature = { + # day = 6700; + day = 3000; + night = 3000; + }; + tray = true; + settings = { + general = { + adjustment-method = "wayland"; + }; + gammastep = { + # brightness-day = 1.0; + brightness-day = 0.5; + brightness-night = 0.5; + }; + }; + }; +} diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix new file mode 100644 index 0000000..415e3be --- /dev/null +++ b/nix/home-manager/programs/salut.nix @@ -0,0 +1,31 @@ +{ pkgs, packages', ... }: +# useful testing command: +# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done +let + inherit (import ../lib.nix { }) mkSimpleTrayService; +in +{ + home.packages = [ packages'.salut ]; + + xdg.configFile."salut/config.ini" = { + enable = true; + text = '' + [notifications] + timeout = 5000 + + [window] + auto-hide = true + anchor = bottom-right + transition = slidebottom + + [mode] + single = true + + [style] + preference = dark + ''; + onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; + }; + + systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; +} diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 6e54887..676829c 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
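Review bot: Both instances built by `mkRadicaleService` point `htpasswd_filename` at the same `osConfig.sops.secrets.radicale_htpasswd.path`, so the personal/family split is only a port and storage-directory split, not an authentication boundary: every credential in that file authenticates against both servers, and what a user may then see depends on Radicale's `[rights]` setting, which is left at its default here. If the two instances are meant for different people, take the secret from the service parameters, e.g. `htpasswd_filename = ${osConfig.sops.secrets."radicale_htpasswd_${suffix}".path}`, or state in a comment that the shared file is intentional. Separately, this is a user-level systemd unit reading a system sops secret; sops-nix secrets default to root-owned mode 0400, so the secret presumably declares an `owner`/`mode` elsewhere, and a comment next to the path pointing at that would save the next reader a trip. Binding to `localhost:<port>` and `htpasswd_encryption = bcrypt` look right.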
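Review bot: `passwords = import ../../variables/passwords.crypt.nix;` reads the git-crypt-protected file at evaluation time, and `inherit (passwords.location.stefan) longitude latitude;` then bakes those values into the gammastep configuration that home-manager generates into the world-readable Nix store, from where they travel with the closure to any binary cache or `nix copy` target. If the coordinates in that file are considered sensitive, git-crypt protects them only in the repository, not once evaluated; keep them out of the store by supplying them at runtime, which the repo's sops-nix setup already supports for other secrets. If they are not sensitive, a comment such as `# location is not secret; it lives in passwords.crypt.nix only for convenience` next to the import would settle the question for the next reader. `enableVerboseLogging = true;` also looks like leftover debugging for an always-on service.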
@@ -1,483 +1,134 @@ -{ pkgs, ... }: - +{ + config, + pkgs, + repoFlake, + lib, + ... +}: let - packagedExtensions = with pkgs.vscode-extensions; [ - bbenoist.Nix - ms-vscode-remote.remote-ssh - ]; - - marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - { - name = "vim"; - publisher = "vscodevim"; - version = "1.17.1"; - sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; - } - { - name = "remote-ssh-edit"; - publisher = "ms-vscode-remote"; - version = "0.56.0"; - sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r"; - } - { - name = "Theme-NaturalContrast-With-HC"; - publisher = "74th"; - version = "1.0.0"; - sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm"; - } - { - name = "markdown-toc"; - publisher = "AlanWalk"; - version = "1.5.6"; - sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5"; - } - { - name = "Paper-tmTheme"; - publisher = "DiryoX"; - version = "0.4.0"; - sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0"; - } - { - name = "Monokai-Polished"; - publisher = "Mit"; - version = "0.3.1"; - sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1"; - } - { - name = "dot"; - publisher = "Stephanvs"; - version = "0.0.1"; - sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf"; - } - { - name = "rust-snippets"; - publisher = "ZakCodes"; - version = "0.0.1"; - sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2"; - } - { - name = "better-comments"; - publisher = "aaron-bond"; - version = "2.1.0"; - sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp"; - } - { - name = "vscode-icalendar"; - publisher = "af4jm"; - version = "1.0.1"; - sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79"; - } - { - name = "hugofy"; - publisher = "akmittal"; - version = "0.1.1"; - sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg"; - } - { - name = "asciidoctor-vscode"; - publisher = "asciidoctor"; - version = "2.8.4"; - sha256 = 
"0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad"; - } - { - name = "markdown-preview-github-styles"; - publisher = "bierner"; - version = "0.1.6"; - sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw"; - } - { - name = "made-of-code"; - publisher = "brian-yu"; - version = "0.0.5"; - sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965"; - } - { - name = "better-toml"; - publisher = "bungcip"; - version = "0.3.2"; - sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3"; - } - { - name = "tabulous"; - publisher = "bwildeman"; - version = "1.2.0"; - sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9"; - } - { - name = "bracket-pair-colorizer"; - publisher = "CoenraadS"; - version = "1.0.61"; - sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652"; - } - { - name = "mustache"; - publisher = "dawhite"; - version = "1.1.1"; - sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y"; - } - { - name = "vscode-nomnoml"; - publisher = "doctorrustynelson"; - version = "0.3.0"; - sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43"; - } - { - name = "gitlens"; - publisher = "eamodio"; - version = "11.0.5"; - sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88"; - } - { - name = "monokai-light"; - publisher = "ethansugar"; - version = "0.2.1"; - sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0"; - } - { - name = "Theme-Monokai-Contrast"; - publisher = "gerane"; - version = "0.0.5"; - sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm"; - } - { - name = "Theme-snappy-light"; - publisher = "gerane"; - version = "0.0.5"; - sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w"; - } - { - name = "vscode-pull-request-github"; - publisher = "GitHub"; - version = "0.21.3"; - sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0"; - } - { - name = "go"; - publisher = "golang"; - version = "0.19.0"; - sha256 = 
"1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98"; - } - { - name = "terraform"; - publisher = "hashicorp"; - version = "2.3.0"; - sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq"; - } - { - name = "bonsai"; - publisher = "hawkeyegold"; - version = "1.4.0"; - sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89"; - } - { - name = "live-html-previewer"; - publisher = "hdg"; - version = "0.3.0"; - sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p"; - } - { - name = "yuml"; - publisher = "JaimeOlivares"; - version = "3.5.1"; - sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0"; - } - { - name = "latex-workshop"; - publisher = "James-Yu"; - version = "8.14.0"; - sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi"; - } - { - name = "plantuml"; - publisher = "jebbs"; - version = "2.13.16"; - sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si"; - } - { - name = "tasks-chooser"; - publisher = "jeremyfa"; - version = "0.3.0"; - sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi"; - } - { - name = "asciidoctor-vscode"; - publisher = "joaompinto"; - version = "2.8.0"; - sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x"; - } - { - name = "contrast-theme"; - publisher = "johndugan"; - version = "1.1.10"; - sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw"; - } - { - name = "theme-dark-plus-contrast"; - publisher = "k3a"; - version = "0.1.101"; - sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419"; - } - { - name = "vscode-gist"; - publisher = "kenhowardpdx"; - version = "3.0.3"; - sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw"; - } - { - name = "quick-open"; - publisher = "leizongmin"; - version = "1.1.0"; - sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp"; - } - { - name = "rainbow-csv"; - publisher = "mechatroner"; - version = "1.7.1"; - sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw"; - } - { - 
name = "openapi-lint"; - publisher = "mermade"; - version = "1.2.0"; - sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49"; - } - { - name = "swagger-doc-viewer"; - publisher = "mimarec"; - version = "1.0.4"; - sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx"; - } - { - name = "vscode-clang"; - publisher = "mitaki28"; - version = "0.2.3"; - sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr"; - } - { - name = "prettify-json"; - publisher = "mohsen1"; - version = "0.0.3"; - sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn"; - } - { - name = "vscode-docker"; - publisher = "ms-azuretools"; - version = "1.8.1"; - sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8"; - } - { - name = "python"; - publisher = "ms-python"; - version = "2020.11.371526539"; - sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3"; - } - { - name = "jupyter"; - publisher = "ms-toolsai"; - version = "2020.11.372831992"; - sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658"; - } - # fails to download C/C++ tools - # { - # name = "cpptools"; - # publisher = "ms-vscode"; - # version = "1.1.2"; - # sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg"; - # } - { - name = "vscode-quick-open-create"; - publisher = "nocksock"; - version = "0.6.0"; - sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j"; - } - { - name = "indent-rainbow"; - publisher = "oderwat"; - version = "7.4.0"; - sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p"; - } - { - name = "phantypist"; - publisher = "paulofallon"; - version = "1.0.3"; - sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62"; - } - { - name = "swaggitor"; - publisher = "qnsolutions"; - version = "0.1.1"; - sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1"; - } - { - name = "vscode-yaml"; - publisher = "redhat"; - version = "0.13.0"; - sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig"; - } - { - name = 
"papercolor-vscode"; - publisher = "rozbo"; - version = "0.4.0"; - sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm"; - } - { - name = "iferrblocks"; - publisher = "rstuven"; - version = "1.1.1"; - sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw"; - } - { - name = "rust"; - publisher = "rust-lang"; - version = "0.7.8"; - sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3"; - } - { - name = "bracket-jumper"; - publisher = "sashaweiss"; - version = "1.1.8"; - sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs"; - } - { - name = "just"; - publisher = "skellock"; - version = "2.0.0"; - sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl"; - } - { - name = "line-endings"; - publisher = "steditor"; - version = "1.0.3"; - sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7"; - } - { - name = "code-spell-checker"; - publisher = "streetsidesoftware"; - version = "1.10.0"; - sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; - } - { - name = "code-spell-checker-german"; - publisher = "streetsidesoftware"; - version = "0.1.8"; - sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; - } - { - name = "code-spell-checker-german"; - publisher = "streetsidesoftware"; - version = "0.1.8"; - sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; - } - { - name = "code-spell-checker"; - publisher = "streetsidesoftware"; - version = "1.10.0"; - sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; - } - { - name = "vscode-open-in-github"; - publisher = "sysoev"; - version = "1.14.0"; - sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp"; - } - { - name = "html-preview-vscode"; - publisher = "tht13"; - version = "0.2.5"; - sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v"; - } - { - name = "scrolloff"; - publisher = "tickleforce"; - version = "0.0.4"; - sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq"; - } - { - name = 
"shellcheck"; - publisher = "timonwong"; - version = "0.12.1"; - sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2"; - } - { - name = "sort-lines"; - publisher = "Tyriar"; - version = "1.9.0"; - sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl"; - } - # slow and currently not needed - # { - # name = "vscode-lldb"; - # publisher = "vadimcn"; - # version = "1.6.0"; - # sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi"; - # } - { - name = "vim"; - publisher = "vscodevim"; - version = "1.17.1"; - sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; - } - { - name = "prettify-selected-json"; - publisher = "vthiery"; - version = "1.0.3"; - sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb"; - } - { - name = "debug"; - publisher = "webfreak"; - version = "0.25.0"; - sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1"; - } - { - name = "clang-format"; - publisher = "xaver"; - version = "1.9.0"; - sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b"; - } - { - name = "vscode-capnp"; - publisher = "xmonader"; - version = "1.0.0"; - sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc"; - } - { - name = "plsql-language"; - publisher = "xyz"; - version = "1.8.2"; - sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr"; - } - { - name = "markdown-pdf"; - publisher = "yzane"; - version = "1.4.4"; - sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf"; - } - { - name = "vscode-proto3"; - publisher = "zxh404"; - version = "0.5.2"; - sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf"; - } - ]; + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; in - { programs.vscode = { enable = true; - extensions = [] - ++ packagedExtensions - ++ marketPlaceExtensions - ; + package = pkgsVscodium.vscodium; + profiles.default.extensions = + with pkgsVscodium.vscode-extensions; + [ + eamodio.gitlens + mkhl.direnv + 
tomoki1207.pdf + vscodevim.vim + + # bbenoist.nix + jnoortheen.nix-ide + + ms-vscode.theme-tomorrowkit + nonylene.dark-molokai-theme + + ms-python.vscode-pylance + + # TODO: these are not in nixpkgs + + # fredwangwang.vscode-hcl-format + # hashicorp.hcl + # mindaro-dev.file-downloader + # ms-vscode.remote-explorer + + # TODO: not compatible with vscodium + # ms-vscode-remote.remote-ssh + ] + ++ ( + let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in + with extensions.vscode-marketplace; + with extensions.vscode-marketplace-release; + [ + + serayuzgur.crates + rust-lang.rust-analyzer + swellaby.vscode-rust-test-adapter + + tamasfe.even-better-toml + golang.go + jeff-hykin.better-go-syntax + blueglassblock.better-json5 + nefrob.vscode-just-syntax + # fabianlauer.vs-code-xml-format + + bierner.emojisense + ] + ) + ++ ( + let + nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' + vscode_version = "${config.programs.vscode.package.version}" + + [[extensions]] + publisher_name = "FelixZeller" + extension_name = "markdown-oxide" + + [[extensions]] + publisher_name = "ibecker" + extension_name = "treefmt-vscode" + + [[extensions]] + publisher_name = "AntiAntiSepticeye" + extension_name = "vscode-color-picker" + + # [[extensions]] + # publisher_name = "nefrob" + # extension_name = "vscode-just-syntax" + + [[extensions]] + publisher_name = "fabianlauer" + extension_name = "vs-code-xml-format" + ''; + + nix4vscodeNix = + pkgs.runCommand "nix4vscode.nix" + { + # nix4vscode needs internet access + __noChroot = true; + requiredSystemFeatures = [ "recursive-nix" ]; + buildInputs = [ + pkgs.nix + pkgs.cacert + (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) + # pkgs.strace + ]; + # outputHashAlgo = "sha256"; + # outputHashMode = "recursive"; + # outputHash = lib.fakeSha256; + } + '' + # set -x + # export RUST_BACKTRACE=full + # export RUST_LOG=trace + export HOME=$(mktemp -d) + # strace -ffZyyY + nix4vscode 
${nix4vscodeToml} > $out + ''; + nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ + "override" + "overrideDerivation" + ]; + nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( + _: v: builtins.head (builtins.attrValues v) + ) nix4vscodeExtensions; + in + nix4vscodeExtensions' + ); + mutableExtensionsDir = true; }; + + home.packages = [ + pkgs.nil + pkgs.nixfmt-rfc-style + ]; } - # TODO: automate -# rustup install stable -# rustup component add rust-analysis --toolchain stable -# rustup component add rust-src --toolchain stable -# rustup component add rls --toolchain stable - ### original list: # 74th.Theme-NaturalContrast-With-HC # AlanWalk.markdown-toc diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css new file mode 100644 index 0000000..664a47f --- /dev/null +++ b/nix/home-manager/programs/waybar.css @@ -0,0 +1,5 @@ +#custom-cputemp { + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; +} diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix new file mode 100644 index 0000000..a559dfc --- /dev/null +++ b/nix/home-manager/programs/waybar.nix 
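Review bot: `nix4vscodeNix` is an ordinary (non-fixed-output) `runCommand` with `__noChroot = true` and the `outputHash*` attributes commented out, so the sandbox is switched off to let the builder reach the marketplace, and the generated `nix4vscode.nix` — which is immediately `callPackage`d (import-from-derivation) and whose extension derivations are installed — is whatever the network returned at build time with no hash to check against; each rebuild can silently pick up different extension versions and payloads, and the build only works on builders running with `sandbox = relaxed`. Either restore the fixed-output attributes with a real hash (`outputHashAlgo = "sha256"; outputHashMode = "recursive"; outputHash = "…";`) so the fetch is pinned and runs in the normal sandbox, or run nix4vscode out of band and commit the generated `nix4vscode.nix` to the repo and `import` it. `mutableExtensionsDir = true;` additionally means extensions installed from inside the editor are not tracked by this file at all, which is worth a comment stating that is intended.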
@@ -0,0 +1,86 @@ +{ pkgs, repoFlake, ... }: +{ + home.packages = [ + # required by any bar that has a tray plugin + pkgs.libappindicator-gtk3 + pkgs.libdbusmenu-gtk3 + ]; + + programs.waybar = { + enable = true; + package = + repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; + systemd.enable = true; + settings = { + mainBar = { + layer = "top"; + position = "bottom"; + height = 30; + output = + # hide the bar on HEADDLESS displays as i use them only for screensharing + (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; + # output = [ + # "eDP-1" + # "DP-*" + # ]; + + modules-left = [ + "sway/workspaces" + "sway/mode" + # "wlr/taskbar" + ]; + + "sway/workspaces" = { + disable-scroll = true; + all-outputs = false; + }; + + modules-center = [ + "sway/window" + # "custom/hello-from-waybar" + ]; + + modules-right = [ + "tray" + + "cpu" + "memory" + "custom/cputemp" + "custom/fan" + "battery" + "pulseaudio" + "clock" + "clock#date" + ]; + + tray.spacing = 10; + + cpu.format = " {usage}%"; + memory.format = " {}%"; + "temperature" = { + hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input"; + format = " {temperatureC} °C"; + }; + + "custom/cputemp" = { + format = " {}"; + exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'"; + interval = 2; + }; + "custom/fan" = { + format = "  {} rpm "; + exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'"; + interval = 2; + }; + battery.format = "🔋 {}%"; + pulseaudio = { + format = "🔉 {volume}%"; + # on-click-middle = ''${pkgs.sway}/bin/swaymsg exec "${pkgs.pavucontrol}/bin/pavucontrol"''; + }; + clock.format = "{:%H:%M %p}"; + "clock#date".format = "{:%a, %d %b '%y}"; + }; + }; + }; +} diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 112f336..96f9982 100644 
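Review bot: `style` reads the base stylesheet from `pkgs.waybar.src`, while `package` is the waybar taken from `repoFlake.inputs.nixpkgs-wayland`, so the CSS can come from a different waybar version than the binary that parses it; reading it from the package actually in use keeps them in step, e.g. `style = pkgs.lib.readFile "${config.programs.waybar.package.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;` (needs `config` in the module arguments, and assumes that derivation exposes `src`). The `"temperature"` block is configured but never listed in `modules-right`, and its `hwmon-path` pins `hwmon3`, an index assigned at boot that can change with kernel or driver updates; if the module is meant to be used, `hwmon-path-abs` with the device's sysfs directory plus `input-filename` is the stable form, otherwise the dead block could go. The comment above `output` reads `HEADDLESS` where the pattern below uses `HEADLESS`.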
--- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -1,7 +1,9 @@ -{ pkgs }: - -{ ... }: - +{ + config, + lib, + pkgs, + ... +}: let just-plugin = let @@ -23,8 +25,8 @@ let _describe 'command' subcmds ''; - - in pkgs.stdenv.mkDerivation { + in + pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; phases = "installPhase"; 
@@ -34,60 +36,77 @@ let cp ${plugin_file} $PLUGIN_PATH/_just chmod --recursive a-w $out ''; - }; - -in { + }; +in +{ programs.zsh = { enable = true; - # will be called again by oh-my-zsh - enableCompletion = false; - enableAutosuggestions = true; - initExtra = '' - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f %F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" - - # Automatic rehash - zstyle ':completion:*' rehash true - - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi - - ${if builtins.hasAttr "homeshick" pkgs then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' else '' - ''} - - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon - - # don't cd into directories when executed - unsetopt AUTO_CD - - export NIX_PATH="${pkgs.nixPath}" - - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + profileExtra = '' + . "${config.home.profileDirectory}/etc/profile.d/hm-session-vars.sh" ''; - sessionVariables = { - # Add more envrionment variables here - }; + # will be called again by oh-my-zsh + enableCompletion = false; + autosuggestion.enable = true; + initContent = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi + + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi + + + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" + + # Automatic rehash + zstyle ':completion:*' rehash true + + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . 
$HOME/.shrc.d/sh_aliases + fi + + ${ + if builtins.hasAttr "homeshick" pkgs then + '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else + "" + } + + # Disable intercepting of ctrl-s and ctrl-q as flow control. + stty stop ''' -ixoff -ixon + + # don't cd into directories when executed + unsetopt AUTO_CD + + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" + + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} + + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { - # will source zsh-autosuggestions.plugin.zsh name = "zsh-autosuggestions"; - src = pkgs.fetchFromGitHub { - owner = "zsh-users"; - repo = "zsh-autosuggestions"; - rev = "v0.6.3"; - sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c"; - }; + src = pkgs.zsh-autosuggestions; } { name = "enhancd"; @@ -95,8 +114,8 @@ in { src = pkgs.fetchFromGitHub { owner = "b4b4r07"; repo = "enhancd"; - rev = "v2.2.4"; - sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp"; + rev = "v2.5.1"; + sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; }; } { diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix new file mode 100644 index 0000000..136a5a1 --- /dev/null +++ b/nix/modules/flake-parts/colmena.nix @@ -0,0 +1,8 @@ +{ lib, ... }: +{ + options.flake.colmena = lib.mkOption { + # type = lib.types.attrsOf lib.types.unspecified; + type = lib.types.raw; + default = { }; + }; +} diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix new file mode 100644 index 0000000..da1e42a --- /dev/null +++ b/nix/modules/flake-parts/perSystem/default.nix 
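Review bot: The two guards `if test ! -n "$TMPDIR" -a -z "$TMPDIR"` and the same for `TMP` test the same condition twice (`! -n` is `-z`), so each reduces to `if [ -z "$TMPDIR" ]; then unset TMPDIR; fi`. The added `export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"` runs in every interactive shell, including ones opened over SSH with agent forwarding, where it silently replaces the forwarded socket; guarding it with `[ -n "$SSH_CONNECTION" ] ||` keeps forwarded sessions working, and if `services.gpg-agent.enableSshSupport` is set the session-vars file sourced in `profileExtra` presumably already exports this variable, so the line may be redundant. The `let` binding `just-plugin` that the first context lines belong to starts outside this hunk.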
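Review bot: `type = lib.types.raw` takes the value verbatim and does not merge, so a second flake-parts module that also sets `flake.colmena` produces a conflicting-definition error instead of contributing hosts; if hosts are expected to come from several modules, `lib.types.lazyAttrsOf lib.types.raw` merges one attribute per host while keeping each value unevaluated. The option also has no `description`; something like `description = "colmena hive attrset, passed through without module-system evaluation";` would record why `raw` was chosen over the commented-out `attrsOf unspecified`.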
@@ -0,0 +1,37 @@ +{ pkgs, ... }: +{ + packages = { + myPython = pkgs.python310.withPackages ( + ps: + with ps; + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy + + flask + + pyaml + requests + ] + ++ [ + pkgs.pypi2nix + pkgs.libffi + ] + ); + }; +} diff --git a/nix/ops/nano/configuration.nix b/nix/ops/nano/configuration.nix deleted file mode 100644 index afc3626..0000000 --- a/nix/ops/nano/configuration.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ n, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sdb"; - - networking.hostName = "nano${toString n}"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - - # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; - # }; - - # Set your time zone. - # time.timeZone = "Europe/Amsterdam"; - - # List packages installed in system profile. To search by name, run: - # $ nix-env -qaP | grep wget - # environment.systemPackages = with pkgs; [ - # wget - # ]; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.permitRootLogin = "yes"; - - # Enable CUPS to print documents. - services.printing.enable = false; - - # Enable the X11 windowing system. - services.xserver.enable = false; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.kdm.enable = true; - # services.xserver.desktopManager.kde4.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.extraUsers.guest = { - # isNormalUser = true; - # uid = 1000; - # }; - - # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "16.03"; - -} 
diff --git a/nix/ops/nano/hardware-configuration.nix b/nix/ops/nano/hardware-configuration.nix deleted file mode 100644 index 501306c..0000000 --- a/nix/ops/nano/hardware-configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: - -{ - imports = - [ - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/e02a410e-5044-440f-90e9-b573e51f1315"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - nix.maxJobs = 2; -} diff --git a/nix/ops/nanos@kn.nix b/nix/ops/nanos@kn.nix deleted file mode 100644 index d2003da..0000000 --- a/nix/ops/nanos@kn.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ nixpkgs ? import {} -, nrNanos ? 1 # Number of nanos -}: - -let - pkgs = nixpkgs; - webserver = { services.httpd.enable = true; - services.httpd.adminAddr = "mail@stefanjunker.de"; - services.httpd.documentRoot = "${pkgs.nixops}/share/doc/nixops/"; - networking.firewall.allowedTCPPorts = [ 80 ]; - }; - - mkNano = { n }: { - imports = [ - (import ./nano/configuration.nix {inherit pkgs n;}) - ../configuration/common/user/root.nix - ]; - deployment.targetEnv = "none"; - deployment.targetHost = "nano${toString n}"; - }; - - mkNanos = n: nixpkgs.lib.nameValuePair "nano${toString n}" ( - mkNano { inherit n; } - ); - -in nixpkgs.lib.listToAttrs (map mkNanos (nixpkgs.lib.range 0 (nrNanos - 1))) diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix new file mode 100644 index 0000000..0d14a2f --- /dev/null +++ b/nix/os/cachix.nix 
@@ -0,0 +1,12 @@ +# WARN: this file will get overwritten by $ cachix use +{ lib, ... }: +let + folder = ./cachix; + toImport = name: _value: folder + ("/" + name); + filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; + imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); +in +{ + inherit imports; + nix.settings.substituters = [ "https://cache.nixos.org/" ]; +} diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix new file mode 100644 index 0000000..1c0cca7 --- /dev/null +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -0,0 +1,8 @@ +{ + nix = { + settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; + settings.trusted-public-keys = [ + "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" + ]; + }; +} diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 6ade22f..2c2c171 100644 --- a/nix/os/containers/backup.nix +++ b/nix/os/containers/backup.nix 
@@ -1,185 +1,125 @@ -{ config -, hostAddress -, localAddress +{ + config, + hostAddress, + localAddress, + subvolumes, + targetPathSuffix ? "", + autoStart ? false, }: - let - unstablepkgs = import { config = config.nixpkgs.config; }; - passwords = import ../../variables/passwords.crypt.nix; - bucket = "bkp"; - subvolumeParentDir = "/var/lib"; + subvolumeParentDir = "/var/lib/container-volumes"; +in +{ + config = + { pkgs, ... }: + { + system.stateVersion = "20.03"; # Did you read the comment? - subvolumeDir = "/var/lib/container-volumes"; - subvolumeSnapshot = "/var/lib/container-volumes.snapshot"; + imports = [ ../profiles/containers/configuration.nix ]; - bkpSource = subvolumeSnapshot; - bkpDestination = "/container/backup"; - cacheDir = "/var/lib/rclone-cachedir"; - - wasabiRc = pkgs: pkgs.writeText "rc" '' - [wasabi-${bucket}] - type = s3 - provider = Wasabi - env_auth = false - - #bkp user - access_key_id = ${passwords.storage.wasabi.bkp.key} - secret_access_key = ${passwords.storage.wasabi.bkp.secret} - - region = us-east-1 - endpoint = s3.wasabisys.com - location_constraint = - acl = - server_side_encryption = - storage_class = - ''; - - - bkp-mount-rclone-manual = pkgs: { - enable = true; - description = "bkp-mount-rclone-manual service"; - path = with pkgs; [ unstablepkgs.rclone utillinux ]; - serviceConfig = { - Type = "notify"; - }; - script = '' - export PATH="$PATH:/run/wrappers/bin" - exec rclone --config ${wasabiRc pkgs} mount wasabi-${bucket}:${bucket} ${bkpDestination} \ - --stats=50m --stats-log-level=NOTICE \ - --cache-dir=${cacheDir} \ - --vfs-cache-mode=full - - ''; - preStart = '' - mkdir -p ${bkpDestination} - mkdir -p ${cacheDir} - ''; - postStop = '' - sync - umount ${bkpDestination} \ - || umount -l ${bkpDestination} \ - || : - - rmdir ${bkpDestination} - ''; - }; - - -in { - config = { pkgs, ... 
}: { - imports = [ - ../profiles/containers/configuration.nix - ]; - - environment.systemPackages = with pkgs; [ - btrfs-progs - rdup rdedup - iptraf-ng nethogs - rclone - ]; - - networking.firewall.enable = true; - - systemd.services."bkp-mount-rclone-manual" = bkp-mount-rclone-manual pkgs; - - systemd.services."bkp-sync-rclone" = { - enable = true; - description = "bkp-sync-rclone service"; - - serviceConfig = { - Type = "oneshot"; - }; - - after = [ - "bkp-run.service" + environment.systemPackages = with pkgs; [ + btrfs-progs + btrbk ]; - requires = [ - "bkp-run.service" - ]; + networking.firewall.enable = true; - path = with pkgs; [ unstablepkgs.rclone utillinux ]; - script = '' - set -x - echo Starting rclone sync... - rclone --config ${wasabiRc pkgs} sync \ - ${bkpDestination}/rdedup/ wasabi-${bucket}:${bucket}/rdedup/ \ - --stats=50m --stats-log-level=WARNING - echo Finished rclone sync... - ''; - }; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + serviceConfig = { + Type = "oneshot"; + }; - serviceConfig = { - Type = "oneshot"; + after = [ "bkp-run.service" ]; + + requires = [ "bkp-run.service" ]; + + path = with pkgs; [ utillinux ]; + script = '' + set -x + true + ''; }; - partOf = [ - "bkp-sync-rclone.service" - ]; + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; - path = with pkgs; [ btrfs-progs rdup rdedup coreutils ]; - preStart = '' - echo Creating new btrfs snapshot of ${subvolumeDir} at ${subvolumeSnapshot} - btrfs subvolume snapshot -r ${subvolumeDir} ${subvolumeSnapshot} - ''; - script = '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail + serviceConfig = { + Type = "oneshot"; + }; - export RUST_BACKTRACE=1 - export TIMESTAMP=$(date +"%Y%m%d.%H%M%S") + partOf = [ "bkp-sync.service" ]; - echo Starting rdup/rdedup backup... 
- for d in `ls -1 ${bkpSource}`; do - echo Determining backup source size ${bkpSource}/$d... - du -hs ${bkpSource}/$d - rdup -x /dev/null ${bkpSource}/$d | rdedup -v -ttt --dir=${bkpDestination}/rdedup store $d-''${TIMESTAMP} - done - sync - echo Finished rdup/rdedup backup... + path = with pkgs; [ + btrfs-progs + btrbk + coreutils + ]; - echo Removing all previous backups... - rdedup --dir=${bkpDestination}/rdedup list | grep -v ''${TIMESTAMP} | xargs echo rdedup --dir=${bkpDestination}/rdedup remove + script = + let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y - echo Running rdedup garbage-collector... - time rdedup -v -ttt --dir=${bkpDestination}/rdedup gc + volume ${subvolumeParentDir} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} + ''; + in + '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail - echo Determining backup destination size ${bkpDestination}/rdedup... 
- du -hs ${bkpDestination}/rdedup - ''; - postStop = '' - btrfs subvolume delete ${subvolumeSnapshot} - ''; - }; + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ "timer.target" "multi-user.target" ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec="2d"; - Unit = "bkp-sync-rclone.service"; - OnUnitInactiveSec="2d"; - Persistent="true"; + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ + "timer.target" + "multi-user.target" + ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; + }; }; }; - }; - autoStart = true; + inherit autoStart; bindMounts = { "${subvolumeParentDir}" = { - hostPath = "/var/lib/"; + hostPath = subvolumeParentDir; isReadOnly = false; }; + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/backup/etc-secrets"; + isReadOnly = true; + }; + "/dev/fuse" = { hostPath = "/dev/fuse"; isReadOnly = false; @@ -187,12 +127,16 @@ in { }; allowedDevices = [ - { node = "/dev/fuse"; modifier = "rw"; } + { + node = "/dev/fuse"; + modifier = "rw"; + } ]; + extraFlags = [ "--resolv-conf=bind-host" ]; + privateNetwork = true; - forwardPorts = [ - ]; + forwardPorts = [ ]; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index d82740a..22ef959 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
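Review bot: `passwords` is no longer bound — the hunk removes `passwords = import ../../variables/passwords.crypt.nix;` from the `let` and the new argument set does not take it, yet `btrbkConf` still interpolates `passwords.storage.backupTarget.keyPath`, `.user` and `.target`, so evaluating `bkp-run.service` should fail with an undefined-variable error unless `passwords` reaches this file from a scope not visible here. The new read-only `/etc/secrets/` bind mount looks like the intended replacement; pointing `ssh_identity` at a fixed path under it and passing the user and target as container arguments next to `subvolumes` would make the module evaluate without the import. `bkp-sync.service` is now `set -x; true`, so the timer only drives `bkp-run` through `requires`; a comment such as `# placeholder: btrbk in bkp-run performs the transfer, no separate sync step yet` would save the next reader from looking for the missing sync.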
@@ -1,149 +1,228 @@ -{ hostAddress -, localAddress -, imapsPort ? 993 -, sievePort ? 4190 +{ + specialArgs, + hostBridge, + hostAddress, + localAddress, + imapsPort ? 993, + sievePort ? 4190, + autoStart ? false, }: +{ + inherit specialArgs; + config = + { + pkgs, + config, + repoFlake, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? -let - passwords = import ../../variables/passwords.crypt.nix; + imports = [ + ../profiles/containers/configuration.nix -in { + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - config = { pkgs, ... }: { - imports = [ - ../profiles/containers/configuration.nix - ../profiles/common/user.nix - ]; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - networking.firewall.enable = false; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - services.ddclientovh = { + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + + # TODO: switch to something other than ddclient as it's no longer maintained + + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { enable = 
true; - domain = "mailserver.svc.stefanjunker.de"; - }; - services.dovecot2 = { - enable = true; + protocols = [ "sieve" ]; - modules = [ pkgs.dovecot_pigeonhole ]; - protocols = [ "sieve" ]; + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = "/etc/secrets/server.pem"; - sslServerKey = "/etc/secrets/server.key"; + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes - - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - protocol imap { - mail_max_userip_connections = 64 - } - ''; + protocol imap { + mail_max_userip_connections = 64 + } + ''; + }; - }; + environment.systemPackages = [ + pkgs.dovecot_pigeonhole + ]; - environment.etc."dovecot/users".text = '' - steveej:${passwords.email.steveej} - ''; + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path 
= [ ]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password = ${passwords.email.mailStefanjunkerDe} - mailboxes = ('INBOX',) + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --idle=INBOX --rcfile=${rc} ''; - in '' - ${pkgs.getmail}/bin/getmail --rcfile=${rc} --idle=INBOX - ''; - }; + }; - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec 
= 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password = ${passwords.email.schtifATwebDe} - mailboxes = ('INBOX',) + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) - [destination] - type = Maildir - path = ~/.maildir/ + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = + let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX ''; - in '' - getmail --rcfile=${rc} - ''; }; }; - autoStart = true; + inherit autoStart; bindMounts = { - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; - isReadOnly = false; - }; + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host + 
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; + "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; - "/home" = { + "/home" = { hostPath = "/var/lib/container-volumes/mailserver/home"; isReadOnly = false; }; }; - privateNetwork = true ; + privateNetwork = true; forwardPorts = [ { # imaps @@ -160,5 +239,5 @@ in { } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml new file mode 100644 index 0000000..9814c66 --- /dev/null +++ b/nix/os/containers/mailserver_secrets.yaml 
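Review bot: The removed `modules = [ pkgs.dovecot_pigeonhole ]` was what put the sieve plugin on dovecot's module path; the replacement `environment.systemPackages = [ pkgs.dovecot_pigeonhole ]` only installs its binaries, so `mail_plugins = $mail_plugins sieve` in the `protocol lda` block may fail to load unless the NixOS module now pulls pigeonhole in by itself when `"sieve"` is in `protocols` — worth confirming with a delivery test, and restoring `modules = [ pkgs.dovecot_pigeonhole ];` under `services.dovecot2` is the safe form. Separately, `auth_mechanisms = cram-md5 digest-md5` combined with `args = scheme=CRYPT` cannot verify logins unless each entry in the (now secret) users file carries its own `{CRAM-MD5}`-style scheme prefix, because challenge-response mechanisms need the password in plaintext or in the mechanism's own scheme; with only imaps exposed and a server certificate configured, `plain` over TLS with a modern hash is the usual shape. The `"/etc/ssh/ssh_host_ed25519_key"` bind mounts hand the container the host's SSH identity as its age key, which the FIXME acknowledges; a container-specific key via `sops.age.keyFile` would keep the host key on the host. The three getmail units all carry `description = "Getmail service"` and two reuse the rc name `mailATstefanjunker.de.getmail.rc`; distinct names make journal output and store paths attributable.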
@@ -0,0 +1,53 @@ +email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str] +email_mailStefanjunkerDeHetzner: ENC[AES256_GCM,data:HvPU/tV2uwutE8q6BzMjkw==,iv:sxERmGojxJhTre2XhslD/B3hesJaP8Cn6TJ7G2WygQw=,tag:JeRI3a2oc/cMJWqyiICgYw==,type:str] +email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] +email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] +email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str] +dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLA
PzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqqrq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str] +dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] +hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjVya2RyY1MxQUxtTHdX + MGlZRWdxZ3VXb01KbCtTSkJMR3dkZkZ0UGw0CitXcldZT3NJWExYZG50QnowMVhV + 
WDBpc0VFYjZnZDJDSWhUcHFHTzBiYkUKLS0tIFlrMmlxUkNVZExSNGN4VlMxcUw1 + VW8rSVdDcGZKcHpocjdqZldiaFpqRlUKfQNcKrI6PuyeFv06Es8NsHm8I7NzxJ1k + ir088kx66xcXeEiyA4DnIcAWG9O6HEVXXnSahAIE2jcupSSouDF3ug== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OGlqTEhtaGR2Yi8vTVcv + NUtvd0ptS3h5Rnd1RGNuYlY2bHMrUmpKWHhRCkJpYjloQWhSM0FsNlNYSVcvWktV + VkkvblAyRXBadUJjK3h3c2JJbDZHc0kKLS0tIEhMbVZsekM5VDRhbDB0KzdyK1li + dWdhSGtFN1oybGpIb294ZE0zcDFUaEkK/AyEXeVmiYk1/IZdkyNGN4bccMFx5+JE + BazBF2NkztUWnyhqRvyp0cBucx7h/HhRSzqxwSr20lvv8XpRPGh8Iw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2025-06-05T09:49:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/8DFSjoJYmO4+yvi4WT6mgrlzmAIvX0Ozch9XY+6DDOwiN + 746QgI6FI5NpmayTbhddhL1J3tiWkzOyAMhxd8JVNDdZHDJ9lDMCq5s/6yYJZvst + qpoU2pjeYFc+ag+H7m8d5dIaR352aBlKw+MMGOvBinM+5qAWNWo1Vams/9HV3BAV + vsFKLSj3eo3/MjjzY3bPlfBwhkDnudzfVJXcY7GhbVVzaQKXosoGjMfCKvSQNMWr + z52P40pfkXx1nWUt79G4xcH/G+lCUlz93RmS89sLS+YrrjKGQc4xcYpqpNjy5Xdw + rz+nGuOsMKXqLuxYJVuiTcxN0agVily9BTifUYiJZfS9cpbMvLwTyUOcc64EVCKH + Gg0b5l5DhyUKKk3klzgeXTlj2zPhKjGVT2MnZShZRspfGfV6T7iP761YD4ucaExd + 1+/cegyfeCNAykt4lD6ACeQXRLDs8rU2hUjpN3J6AemLW+Aj/ZnRVZWzgIvnDEEY + pyz/rAk5J6m7Q7909TcMuFg3j9ENeJZuRSwxwF0MRUYLZByKCH3QY9CE3mCh7Xni + p5znHpYaYqNIoiTmbBcxEx4mYRXUkorLTJXt4AO7zQB24ZReLDRsSzvrnQqyLIdA + b4pK2k2/L0Hagu2SZFvfhgw4qWZpIlgcoOVbe2dkmbIXMbjb8SuF/2jFwushALjS + XAG+iXYORCrvsuJoNjnQtSW0OGqYwuNNvWo2Ymyg2sA6CW+O6gsCZpZE0FKHcbl/ + FxgecFBl+P6Dk4OOewie+E4cZWIq2uXQch8QPSk5huuyUms6VZI2fre83dMv + 
=mHmB + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock new file mode 100644 index 0000000..0a7597d --- /dev/null +++ b/nix/os/containers/mycelium/flake.lock 
@@ -0,0 +1,124 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-snapshotter", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nix-snapshotter": { + "inputs": { + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723875769, + "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", + "owner": "pdtpartners", + "repo": "nix-snapshotter", + "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", + "type": "github" + }, + "original": { + "owner": "pdtpartners", + "repo": "nix-snapshotter", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1728781282, + "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728867876, + "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", + "type": 
"github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1728897630, + "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nix-snapshotter": "nix-snapshotter", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix new file mode 100644 index 0000000..1527acf --- /dev/null +++ b/nix/os/containers/mycelium/flake.nix 
@@ -0,0 +1,371 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nix-snapshotter = { + url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + outputs = + { self, nixpkgs, ... }: + let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in + { + nixosConfigurations.default = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + + specialArgs = { }; + + modules = [ + ( + { + config, + modulesPath, + pkgs, + lib, + ... + }: + { + nixpkgs.overlays = [ + (_final: _previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; + + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # 
withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; + + imports = [ (modulesPath + "/profiles/minimal.nix") ]; + system.stateVersion = "24.11"; + + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; + + services.nscd.enable = false; + system.nssModules = lib.mkForce [ ]; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; + + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; + + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; + + boot.kernelParams = [ "systemd.log_level=debug" ]; + + # services.udev.enable = false; + + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + + systemd.mounts = lib.mkForce [ ]; + fileSystems = lib.mkForce { }; + + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + + systemd.services.testing-credentials = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.coreutils ]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + cd $STATE_DIRECTORY + pwd + env + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + }; + }; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off + ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" + ''; + }; + }; + } + ) + ]; + }; + packages = forAllSystems ( + system: + let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; + + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [ 9651 ]; + udp = [ + 9650 + 9651 + ]; + }; + + inherit (config) + entrypoint + # port + + args + # nodePort + + ; + + pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; + + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [ entrypoint ]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; + }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in + { + k8s = + let + pod = pkgs.writeText "${name}-pod.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = { + inherit name; + }; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + } + ); + + service = pkgs.writeText "${name}-service.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = { + inherit name; + }; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } + ]; + }; + } + ); + in + pkgs.runCommand "declarative-k8s" { } '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; + + inherit image; + + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + --cgroup-manager cgroupfs \ + --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; + + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; + + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + } + ); + }; +} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 9ab498a..4cd736a 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -1,29 +1,82 @@ -{ hostAddress -, localAddress -, syncthingPort ? 22000 -}: - { + specialArgs, + hostBridge, + hostAddress, + localAddress, + syncthingPort ? 22000, + syncthingLocalAnnouncePort ? 21027, + smbTcpPort ? 445, + autoStart ? false, +}: +{ + inherit specialArgs; + config = + { ... }: + { + system.stateVersion = "20.05"; # Did you read the comment? - config = { config, pkgs, ... }: { - imports = [ - ../profiles/containers/configuration.nix - ]; + imports = [ ../profiles/containers/configuration.nix ]; - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; + + services.samba = { + enable = true; + securityType = "user"; + openFirewall = true; + settings = { + global = { + "workgroup" = "DMZ"; + "server string" = "syncthing"; + "netbios name" = "syncthing"; + "security" = "user"; + #"use sendfile" = "yes"; + #"max protocol" = "smb2"; + # note: localhost is the ipv6 localhost ::1 + "hosts allow" = "192.168.23. 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "scan-stefan" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + + "scan-justyna" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + }; + }; + + # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative + # sops.secrets.smbpasswd = { + # }; + # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; }; - }; - autoStart = true; + inherit autoStart; bindMounts = { "/var/lib/syncthing/" = { @@ -39,7 +92,22 @@ hostPort = syncthingPort; protocol = "tcp"; } + { + containerPort = 22000; + hostPort = syncthingPort; + protocol = "udp"; + } + { + containerPort = 21027; + hostPort = syncthingLocalAnnouncePort; + protocol = "udp"; + } + { + containerPort = 445; + hostPort = smbTcpPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 089f266..5992906 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
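Review bot: The explicit `networking.firewall.enable = true;` is dropped from the container config in the same hunk that adds `services.samba.openFirewall = true` and the `allowedTCPPorts` list; unless `../profiles/containers/configuration.nix` (not visible here) enables the firewall itself, those lists are inert and the `hosts allow`/`hosts deny` pair in smb.conf becomes the only access restriction on SMB. Keeping `networking.firewall.enable = true;` in this file costs one line and makes the intent independent of the profile. The `# TODO: find out if smbpasswd file is still used` block also means this config provisions no Samba user passwords, so presumably no user can authenticate until that is resolved, and with `"map to guest" = "bad user"` unknown usernames become guest sessions, which the shares correctly reject via `"guest ok" = "no"`; a comment recording that the shares are unusable until `smbpasswd` is handled would help the next reader. The enclosing `config` function ends in this hunk; the `bindMounts` attribute it opens continues past it.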
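Review bot: The new `containerPort = 445` forward exposes the container's SMB service on the host's `smbTcpPort` (default 445) to everything that can reach the host, not only to the `192.168.23.` range listed in `hosts allow` in the first hunk; whether the client's source address survives the container port forward so that `hosts allow` still sees it is not visible here and is worth confirming before relying on it. If the host runs its own firewall, `smbTcpPort` needs an explicit allow there, and a comment such as `# 445/tcp: access is limited by smb.conf "hosts allow", not by the host firewall` next to the entry records the assumption either way. The same applies to the 21027/udp local-announce forward, which is only meaningful on the local network.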
@@ -1,76 +1,436 @@ -{ hostAddress -, localAddress -, httpsPort ? 443 -}: { - config = { config, pkgs, lib, ... }: { - imports = [ - ../profiles/containers/configuration.nix - ]; +{ + specialArgs, + hostBridge, + hostAddress, + localAddress, + httpPort, + httpsPort, + forgejoSshPort, + autoStart ? false, +}: +let + domain = "www.stefanjunker.de"; +in +{ + inherit specialArgs; + config = + { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: + let + nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; + in + { + system.stateVersion = "22.05"; # Did you read the comment? - networking.firewall.enable = false; + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" + ]; - services.ddclientovh = { + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" + + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; + + sops.defaultSopsFile = ./webserver_secrets.yaml; + + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; + + services.caddy = { enable = true; - domain = "www.stefanjunker.de"; - }; + logFormat = '' + level ERROR + ''; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} - services.nginx.enable = true; - services.nginx.virtualHosts."stefanjunker.de" = { - default = true; - onlySSL = true; - root = "/var/www/stefanjunker.de/htdocs"; + basic_auth /justyna/202505_prt_teil1* { + prt $2a$14$y7tZYZxTlJ2JFsBtRM.D8Ok0oHhWt53mGXk.xJMLXc/JF.bTtOWaq + } - sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; - sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + file_server /* { + browse 
+ root /var/www/stefanjunker.de/htdocs/caddy + pass_thru + } - locations."/fi" = { - index = "index.php"; + # respond "Hi" + # respond (not /*/*) "Hi" + ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + }; }; - locations."~ ^(.+\.php)(.*)$".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(.*)$; + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; - fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; - fastcgi_index index.php; - ''; - }; + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; - services.phpfpm.pools.mypool = { - user = "nobody"; - phpPackage = pkgs.php5; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "pm.max_requests" = 500; + allowEmailRegister = false; + email = false; - "php_admin_value[error_reporting]" = 
"E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED"; + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + oauth2 = + let + originURL = config.services.kanidm.serverSettings.origin; + in + { + providerName = "kanidm (${originURL})"; + + authorizationURL = "${originURL}/ui/oauth2"; + tokenURL = "${originURL}/oauth2/token"; + userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; + + scope = "openid email profile"; + # rolesClaim = "roles"; + # accessRole = "role/hedgedoc"; + + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "displayname"; + userProfileEmailAttr = "email"; + + clientID = "hedgedoc"; + # set via the `environmentFile` + # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; + }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; }; - }; - # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work - systemd.services."phpfpm-mypool" = { - serviceConfig = { - Type = lib.mkForce "simple"; + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = + let + baseDir = "/var/lib/authelia-default"; + in + { + enable = true; + 
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = { }; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. 
+ enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". + # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + sops.secrets.FORGEJO_JWT_SECRET = { }; + sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; + sops.secrets.FORGEJO_SECRET_KEY = { }; + + services.forgejo = { + enable = true; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; + settings = { + service.DISABLE_REGISTRATION = true; + server.HTTP_ADDR = "127.0.0.1"; + server.START_SSH_SERVER = true; + server.SSH_PORT = forgejoSshPort; + server.ROOT_URL = "https://forgejo.${domain}"; + server.HTTP_PORT = 3001; + + # TODO: how do i get a 3072 length SSH key with the yubikey? + "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = [ "kanidm.service" ]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + 
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + }; + }; + systemd.services.kanidm-tls-update = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + { + enable = true; + requiredBy = [ "kanidm.service" ]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = + let + tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; + in + '' + set -xe + + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain + + chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} + chmod 400 tls.{key,chain} + + # create the kanidm directory in case it's missing + if [[ ! 
-d ${tlsDir} ]]; then + mkdir -p ${tlsDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} + chmod 700 ${tlsDir} + fi + + mv tls.key ${config.services.kanidm.serverSettings.tls_key} + mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} + + if [[ ! -d ${dbDir} ]]; then + mkdir -p ${dbDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} + chmod 700 ${dbDir} + fi + ''; + }; + + systemd.services.kanidm.serviceConfig = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; + { + # ExecStartPre = '' + # mkdir -p ${dbDir} + # ''; + BindPaths = [ + dbDir + # stateDir + ]; + }; + + services.kanidm = + let + dataDir = "/var/lib/kanidm"; + in + { + package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + + enablePam = false; + enableClient = false; + + enableServer = true; + serverSettings = { + role = "WriteReplica"; + log_level = "debug"; + + domain = "kanidm.${domain}"; + origin = "https://kanidm.${domain}"; + + bindaddress = "127.0.0.1:8444"; + + # don't expose ldap + # ldapbindaddress = "[::1]:6636"; + + tls_key = "${dataDir}/tls/tls.key"; + tls_chain = "${dataDir}/tls/tls.chain"; + + online_backup = { + schedule = "00 06 * * *"; + }; + }; + }; }; - services.mysql = { - enable = true; - package = pkgs.mariadb; - }; - }; - - autoStart = true; + inherit autoStart; bindMounts = { - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; - isReadOnly = true; - }; + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host + "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; + "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; "/var/www" = { hostPath = "/var/lib/container-volumes/webserver/var-www"; 
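Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` together with the read-only bind mount of the host's `ssh_host_ed25519_key` hands the container the host's SSH identity and, if host secrets are encrypted to the same key, the ability to decrypt those as well; a dedicated age key generated for this container (its own recipient in `.sops.yaml`, mounted from a host path the container cannot otherwise reach) confines a compromised web stack to its own secrets, and the FIXME next to the mount should state that this is the trade-off being made. In `kanidm-tls-update`, `cat … > tls.key` creates the file in the unit's working directory under the default umask before the later `chmod 400`, so the private key is briefly readable by other users; adding `umask 077` right after `set -xe` (or creating `${tlsDir}` first and writing into it directly) closes that window. The bcrypt hash in `basic_auth /justyna/202505_prt_teil1*` is baked into a world-readable store path; moving it into the sops file and injecting it through a Caddyfile environment placeholder from a `systemd.services.caddy.serviceConfig.EnvironmentFile` keeps it out of the store. Authelia's `log.level = "debug"`, kanidm's `log_level = "debug"` and lldap's `verbose = true` look like bring-up leftovers, and auth daemons at debug level tend to log identities and tokens, so a `# TODO: lower log levels before production` comment is warranted if they are intentional. The outer attribute set continues into the next hunk.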
@@ -81,17 +441,55 @@ hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql"; isReadOnly = false; }; + + "/var/lib/hedgedoc" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc"; + isReadOnly = false; + }; + + "/var/lib/authelia-default" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default"; + isReadOnly = false; + }; + + "/var/lib/lldap" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; + isReadOnly = false; + }; + + "/var/lib/forgejo" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; + isReadOnly = false; + }; + + "/var/lib/kanidm" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; + isReadOnly = false; + }; }; privateNetwork = true; forwardPorts = [ + { + # http + containerPort = 80; + hostPort = httpPort; + protocol = "tcp"; + } { # https containerPort = 443; hostPort = httpsPort; protocol = "tcp"; } + + { + # forgejo ssh + containerPort = forgejoSshPort; + hostPort = forgejoSshPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml new file mode 100644 index 0000000..d5c1dcd --- /dev/null +++ b/nix/os/containers/webserver_secrets.yaml 
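Review bot: The `var-lib-mysql` bind mount kept as context here is now dead state: the first hunk removes `services.mysql` entirely, so nothing in the container uses that volume any more while the host directory stays writable from the container (`isReadOnly = false`). Dropping that entry (its key line sits just above this hunk, presumably `"/var/lib/mysql"`) or marking it `# legacy: mysql removed, kept only for data retrieval` keeps the mount list honest. The new `/var/lib/kanidm` and `/var/lib/authelia-default` volumes hold a TLS private key and authentication databases, so the host-side `container-volumes` directories deserve the same `700` treatment that `kanidm-tls-update` applies inside the container; their host-side ownership is set outside this file and a comment pointing to where would help.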
@@ -0,0 +1,55 @@ +hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] +authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] +authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] +lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] +lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] +lldap_environmentFile: 
ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] +#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] +FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] +FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] +FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTitidDZpWVJsZWxmWDFa + emdyTSszczVNbDhZSlVjeWRDMDdXQmg4QmpBCmNLZ0tob2hsRHhlTXY5VHZEY01T + MUtRdUxBM0lmeEo2OVBMdElrYVVvY1EKLS0tIHIwWllkQU9RRjF1U0F0OWdCKzlq + Y3ZxSWI3MUxQNEljNXlUSnlTdlpxazAKKjJYqcDsBzo6yOYDkgtBZntxhsHjqOyZ + yg5G8vtuOiDvPLvODzI/I9VupGyLwEkxaFc67bpg4u/1Cql7oaAADQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdFg1cm9JTFFyUmYxb1ZP + WWtKTDE4bDBya3pWakJ0bFVkSnZvdExGMlNVCmo0N1BvNnV4MERUTjU2blUzbngv + VDduRWd2K1VlK1k2OWp6L0JhTERnOUEKLS0tIGV0aFZMTGRHNW5HUUhGRkYxNGMz + dHJwN0R1eHkyWXpiVDlRcldHT0gvV28KRiwauYvF4CCu5LeW7+kR3GSkZ+rpIbsC + JF9vV3rxbE9SdJ3nP6CyYQX7tQ6rbXtOKawq3k+z4zV/Dw7gYSNn5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-16T12:28:51Z" + mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] + pgp: + - created_at: "2025-06-05T09:49:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/8DIuNUO6tpyuG0j4Ros6MjHs1USkfY+2ntzqyugGe4OpA + cXLzXWGT7pCxE6bcd7FepG/Nln17219siP9PX1WqEl324GnKXjbAbczjnu/9ggeF + bUWBhKFwGivVXDfO8VusG0MN41tJMoDwAelaJdgnXnbAwHISJ20UzFtnTBx67ALs + 5pqHzOf7uuY7eZbl79iEiBJ8Ecj/Y3yrcANbVXQtET7X5629nTMHuizFsym9fy0p + 6elwdrJSGPlncWA/+wsec5WIxwOsrLoEz8rvFpZJo/YI4/5heiL6RmgqKODzAhFp + +PD/VoksJQ0lynzH2jBUKNte7UU5fyMAn9CEu0eY7sNRHpEKWjj/uPoWPkaV3JQ/ + Au2YN9VV0qkyqYZ/6mU1L+Ukaci3kG/hJKM9MxXZ6rVEsuOnbuHPgW9jW/xogo38 + /522CAF+NThKPWbiS/VDHyUsH+h2ubh9jGyFuesP/dNhXbc+6vkcIIBgfsb2IWt1 + Fc2fvUlX9tpJYobk3PmyR88DHv4pXPkgIIEqW6JUHmkjdH+q82sGsRtni58eWUj6 + DXn09tSpM3gu02wlqobca1qrOIKVsQJ/bHB4p6PRFoeqx6Yzfdy8h4WvT75PONGD + DGW7uLYo/ISb/SDgbclNw6vlYsI7ZFtYDTWxtCjrYXFBqRSMftgreRwhi8gU0rTS + 
XAFXAkIp4B0y8cfxofqJyDsZmil0gJraJpkz/Y0JA+jXlQ2jHlC03xoMZIn60RKn + XI91UY65PAyoQ0LROa/TRBFCLJarLFcCSeth4MhDq06f4spXYtCV9i+2HNBj + =bUJ6 + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nix/os/devices/167.233.1.14/hw.nix b/nix/os/devices/167.233.1.14/hw.nix deleted file mode 100644 index 126fc35..0000000 --- a/nix/os/devices/167.233.1.14/hw.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ ... }: - -let - stage1Modules = [ - # "aesni_intel" - # "kvm-intel" - "aes_x86_64" - - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "bochs_drm" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - -in -{ - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/354fb107-2f4a-42ad-80dd-9dddb61bfd02"; - fsType = "ext4"; - }; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - neededForBoot = true; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - neededForBoot = true; - }; - - swapDevices = [ { device = "/dev/disk/by-uuid/d16b5f4a-f38c-41c6-8aae-1625be815f9d"; } ]; - - boot.loader.grub = { - device = "/dev/vda"; - }; - - boot.initrd.availableKernelModules = stage1Modules; - boot.initrd.kernelModules = stage1Modules; - boot.extraModprobeConfig = '' - ''; -} diff --git a/nix/os/devices/167.233.1.14/pkg.nix b/nix/os/devices/167.233.1.14/pkg.nix deleted file mode 100644 index bad7478..0000000 --- a/nix/os/devices/167.233.1.14/pkg.nix +++ /dev/null 
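Review bot: Every value in this file is decryptable by two age recipients plus one PGP key, and the earlier webserver.nix hunk bind-mounts the host's `/etc/ssh/ssh_host_ed25519_key` into the container precisely so that it can derive one of those age identities (its own FIXME says so). If `age18dmqd7r…` is that host-key-derived identity, a single piece of key material is then both the host's SSH identity and the decryption key for the hedgedoc, authelia, lldap and forgejo secrets, so anything in the container that can read the mounted key can read all of them and present itself as the host over SSH. Adding a container-specific age identity as a third recipient here, and dropping the host-key mount once the container decrypts with it, keeps the two roles apart; the recipient list is the place to record which identity belongs to which role, e.g. `# age18dmq… = sj-srv1 host key; <container-age-pubkey placeholder> = webserver container`.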
@@ -1,30 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: - -{ - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; - }; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; - extraPackages = [ - # required by vscode's remote-ssh plugin - pkgs.nodejs - - # allow clipboard exchanges - pkgs.xsel - pkgs.xclip - ]; - }; - - nix.buildMachines = [ - { hostName = "localhost"; - system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; - maxJobs = 4; - } - ]; -} diff --git a/nix/os/devices/167.233.1.14/system.nix b/nix/os/devices/167.233.1.14/system.nix deleted file mode 100644 index e57d1b0..0000000 --- a/nix/os/devices/167.233.1.14/system.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ pkgs -, lib -, config -, ... }: - -let - keys = import ../../../variables/keys.nix; - -in { - # TASK: new device - networking.hostName = "sj-pvehtz-0"; # Define your hostname. - # networking.domain = ""; - - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - networking.firewall.logRefusedConnections = false; - - networking.usePredictableInterfaceNames = false; - - networking.interfaces.eth0 = { - mtu = 1400; - useDHCP = false; - ipv4.addresses = [ - { "address" = "167.233.1.14"; "prefixLength" = 29; } - ]; - ipv6.addresses = [ - ]; - }; - - networking.defaultGateway = { - address = "167.233.1.9"; - interface = "eth0"; - }; - - networking.defaultGateway6 = { - address = "fe80::1"; - interface = "eth0"; - }; - - networking.nameservers = [ - "1.1.1.1" - ]; - - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - externalInterface = "eth0"; - }; - - # Kubernetes - # services.kubernetes.roles = ["master" "node"]; - - # virtualization - virtualisation = { - docker.enable = true; - }; - - services.spice-vdagentd.enable = true; - services.qemuGuest.enable = true; - - systemd.services."sshd-status" = { - enable = true; - description = "sshd-status service"; - path = [ pkgs.systemd ]; - script = '' - systemctl status sshd | grep -i tasks - ''; - }; - - systemd.services.sshd.serviceConfig = { - TasksMax = 32; - }; - - systemd.timers."sshd-status" = { - description = "Timer to trigger sshd-status periodically"; - enable = true; - wantedBy = [ "timer.target" "multi-user.target" ]; - timerConfig = { - OnActiveSec="360s"; - OnUnitActiveSec="360s"; - AccuracySec="1s"; - Unit = "sshd-status.service"; - }; - }; - - nix.gc = { - automatic = true; - }; - - networking.useHostResolvConf = true; - - services.openssh.forwardX11 = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system 
were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? -} diff --git a/nix/os/devices/167.233.1.14/versions.nix b/nix/os/devices/167.233.1.14/versions.nix deleted file mode 100644 index 519781a..0000000 --- a/nix/os/devices/167.233.1.14/versions.nix +++ /dev/null @@ -1,37 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67"; - }; -in - -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-20.03" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.03"; - rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc"; - }; - "channels-nixos-19.09" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-19.09"; - rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1"; - }; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "9b3e35d991ea6a43f256069dcb2e006006730d05"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "7339784e07217ed0232e08d1ea33b610c94657d8"; - }; -} diff --git a/nix/os/devices/167.233.1.14/versions.tmpl.nix b/nix/os/devices/167.233.1.14/versions.tmpl.nix deleted file mode 100644 index a19cc09..0000000 --- a/nix/os/devices/167.233.1.14/versions.tmpl.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -in - -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-20.03" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.03"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "channels-nixos-19.09" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-19.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -} diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 932f730..02b0212 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
@@ -1,40 +1,58 @@ -{ pkgs ? import {} -, ownLib ? import ../lib/default.nix { } -, dir -, rebuildarg -, moreargs ? "" -, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId -, gitRoot ? "$(git rev-parse --show-toplevel)" -, previousDiskId ? "" -}: - +{ + dir, + pkgs ? import { }, + ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, + gitRoot ? "$(git rev-parse --show-toplevel)", + # FIXME: why do these need explicit mentioning? + moreargs ? "", + rebuildarg ? "", + ... +}@args: let - rebuildargsSudo = [ "switch" "boot" ]; - rebuild = pkgs.writeScript "script" '' - #!/usr/bin/env bash - set -xe + rebuildargsSudo = [ + "switch" + "boot" + ]; + rebuild = + { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: + pkgs.writeScript "script" '' + #!/usr/bin/env bash + set -xe - pushd ${gitRoot}/${dir} - export NIXOS_CONFIG="$PWD"/configuration.nix + pushd ${gitRoot}/${dir} + export NIXOS_CONFIG="$PWD"/configuration.nix - [[ -e "''${NIXOS_CONFIG}" ]] + [[ -e "''${NIXOS_CONFIG}" ]] - ${if (builtins.elem rebuildarg rebuildargsSudo) - && builtins.match ".*--target-host.*" moreargs == null - then - "sudo -E \\" - else - "" - } - nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} - if test -L result; then - rm result - fi - ''; + if test -L result; then + rm result + fi - -in { + ${ + if + (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null + then + "sudo -E \\" + else + "" + } + nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} + ''; +in +{ recipes = { - inherit rebuild; - } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; }); + rebuild = rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; + } + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != 
"") { inherit rebuildarg; } + ; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index 58fb360..f639344 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -1,22 +1,25 @@ -{ pkgs -, ownLib -, dir -, rebuildarg -, moreargs -, diskId -, gitRoot -, previousDiskId ? "" +{ + pkgs, + ownLib, + dir, + gitRoot, + diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, + encrypted ? + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, + previousDiskId ? "", + ... }: - let - mntRootVol="/mnt/${diskId}-root"; - -in rec { + mntRootVol = "/mnt/${diskId}-root"; +in +rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt @@ -32,7 +35,9 @@ in rec { sudo umount -Rl ${mntRootVol} sudo rmdir ${mntRootVol} sudo vgchange -an ${ownLib.disk.volumeGroup diskId} - sudo cryptsetup close ${ownLib.disk.luksName diskId} + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup close ${ownLib.disk.luksName diskId} + ''} sync ''; 
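Review bot: The inner `rebuild` function's `rebuildarg ? "dry-activate"` default can never apply, because the outer signature defaults `rebuildarg ? ""` and the call site passes `inherit rebuildarg` unconditionally, so a caller that omits it ends up running `nixos-rebuild --show-trace -I nixos-config=… ` with an empty subcommand. The two commented-out `optionalAttrs` lines look like an attempt at exactly this; the simplest fix is to move the default up, `rebuildarg ? "dry-activate",` in the outer signature, and drop the inner one. Also visible in the hunk, `pkgs ? import { }` reads as if the `<nixpkgs>` search path was stripped by the page rendering — worth confirming the file really says `import <nixpkgs> { }`.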
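Review bot: The defaults for `diskId` and `encrypted` each import `${dir}/hw.nix` separately through `builtins.getEnv "PWD"`, so the file is parsed twice and evaluation depends on the caller's working directory; a single `hwConfig ? import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }` argument with `diskId ? hwConfig.hardware.opinionatedDisk.diskId` and `encrypted ? hwConfig.hardware.opinionatedDisk.encrypted` keeps the two in step. Because hw.nix is imported raw rather than through the module system, a device whose hw.nix does not set `hardware.opinionatedDisk.encrypted` now fails with an attribute-missing error instead of the module default; `hwConfig.hardware.opinionatedDisk.encrypted or true` (erring on the side of trying `luksOpen`, which fails loudly on a plain disk) would make that explicit. The same `optionalString encrypted` wrapping appears in the `@@ -32,7 +35,9 @@` hunk and is fine there.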
@@ -45,9 +50,10 @@ in rec { [[ -e "''${NIXOS_CONFIG}" ]] [[ -e "${mntRootVol}/nixos" ]] - sudo -E $SHELL <''; + }; +in +{ + inherit nixpkgs; + nixos = nixpkgs // { + suffix = "/nixos"; + }; + "channels-nixos-stable" = nixpkgs; + + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-21.11"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix new file mode 100644 index 0000000..639698f --- /dev/null +++ b/nix/os/devices/fwhost2/boot.nix @@ -0,0 +1,5 @@ +{ lib, ... }: +{ + boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; + boot.loader.efi.canTouchEfiVariables = lib.mkForce false; +} diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix new file mode 100644 index 0000000..fbdc4c0 --- /dev/null +++ b/nix/os/devices/fwhost2/configuration.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + imports = [ + ../../profiles/common/configuration.nix + ../../modules/opinionatedDisk.nix + + ./system.nix + ./hw.nix + ./pkg.nix + ./user.nix + ]; +} diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix new file mode 100644 index 0000000..a8891e3 --- /dev/null +++ b/nix/os/devices/fwhost2/hw.nix 
@@ -0,0 +1,11 @@
+_: {
+ # TASK: new device
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "ata-ST9500325AS_S2WGAP8C";
+ };
+
+ hardware.enableRedistributableFirmware = true;
+ boot.extraModprobeConfig = "";
+}
diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix
new file mode 100644
index 0000000..aacf501
--- /dev/null
+++ b/nix/os/devices/fwhost2/pkg.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ nixpkgs.config.packageOverrides =
+ pkgs: with pkgs; {
+ inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+ inherit pkgs;
+ };
+
+ environment.systemPackages = with pkgs; [
+ iw
+ wirelesstools
+ ];
+
+ system.stateVersion = "21.11";
+}
diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix
new file mode 100644
index 0000000..652347f
--- /dev/null
+++ b/nix/os/devices/fwhost2/system.nix
@@ -0,0 +1,86 @@ +{ pkgs, lib, ... }: +let + passwords = import ../../../variables/passwords.crypt.nix; +in +{ + # TASK: new device + networking.hostName = "fwhost2"; # Define your hostname. + + networking.useDHCP = false; + + networking.firewall.enable = lib.mkForce false; + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + + networking.firewall.logRefusedConnections = false; + networking.usePredictableInterfaceNames = false; + + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; + networking.bridges.breth.rstp = true; + + networking.defaultGateway.address = "172.172.171.10"; + networking.nameservers = [ "172.172.171.10" ]; + + # WAN interfaces, currently unused because the OPNsense guest acts as a router. + networking.vlans.wan1.id = 3; + networking.vlans.wan1.interface = "breth"; + networking.interfaces.wan1.ipv4.addresses = [ + { + address = "192.168.0.16"; + prefixLength = 24; + } + ]; + + networking.vlans.wan2.id = 4; + networking.vlans.wan2.interface = "breth"; + networking.interfaces.wan2.ipv4.addresses = [ + { + address = "172.16.0.16"; + prefixLength = 12; + } + ]; + + # Local interfaces, all accessed via VLAN tags on the main bridge + networking.vlans.lan.id = 1; + networking.vlans.lan.interface = "breth"; + networking.interfaces.lan.ipv4.addresses = [ + { + address = "172.172.171.16"; + prefixLength = 24; + } + ]; + + networking.vlans.dmz.id = 5; + networking.vlans.dmz.interface = "breth"; + + networking.vlans.family.id = 6; + networking.vlans.family.interface = "breth"; + + networking.vlans.guests.id = 7; + networking.vlans.guests.interface = "breth"; + + services.hostapd = { + enable = false; + hwMode = "g"; + interface = "wlan0"; + ssid = "noowhere-lan"; + wpaPassphrase = passwords.wifi.noowhere-lan; + extraConfig = '' + bridge=breth + ''; + }; + + virtualisation = { + libvirtd = { + onShutdown = "shutdown"; + enable = true; + }; + }; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; +} 
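Review bot: `networking.firewall.enable = lib.mkForce false` is combined with host-owned IPv4 addresses on the `wan1` and `wan2` VLAN interfaces (192.168.0.16 and 172.16.0.16), so if those VLANs carry upstream traffic every service the host itself listens on — sshd, libvirtd's listeners, whatever else the profile enables — is reachable from them unfiltered, and the `allowedTCPPorts` entry for iperf3 is inert. The comment says the OPNsense guest does the routing, but that does not require the host to hold addresses on the WAN VLANs; either drop the two `networking.interfaces.wan*.ipv4.addresses` blocks (the VLAN devices can stay for the bridge) or keep the firewall on and list only what should be reachable from each side. Separately, `wpaPassphrase = passwords.wifi.noowhere-lan` will presumably be rendered into a store-resident hostapd config once `enable` flips to true, which makes it world-readable on the box; a comment on the `enable = false` line such as `# passphrase would land in the world-readable store — switch to a file-based secret before enabling` records that before it is forgotten.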
diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix
new file mode 100644
index 0000000..47efa02
--- /dev/null
+++ b/nix/os/devices/fwhost2/user.nix
@@ -0,0 +1,6 @@
+_: {
+ # users.extraUsers.steveej2 = mkUser {
+ # uid = 1001;
+ # openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ # };
+}
diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix
new file mode 100644
index 0000000..276eb87
--- /dev/null
+++ b/nix/os/devices/fwhost2/versions.nix
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-21.11";
+ rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
+ };
+in
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "4fa26474495acc710fa2b88e7a3f51d90ad3a530";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-21.11";
+ rev = "697cc8c68ed6a606296efbbe9614c32537078756";
+ };
+}
diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix
new file mode 100644
index 0000000..d3d0c19
--- /dev/null
+++ b/nix/os/devices/fwhost2/versions.tmpl.nix
@@ -0,0 +1,38 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-21.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in +{ + inherit nixpkgs; + nixos = nixpkgs // { + suffix = "/nixos"; + }; + "channels-nixos-stable" = nixpkgs; + + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-21.11"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/hstk0/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/hstk0/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md new file mode 100644 index 0000000..60ee180 --- /dev/null +++ b/nix/os/devices/hstk0/README.md @@ -0,0 +1,6 @@ +## bootstrapping + +``` +# TODO: generate an SSH host-key and deploy it via --extra-files +nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 +``` diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix new file mode 100644 index 0000000..32fad43 --- /dev/null +++ b/nix/os/devices/hstk0/configuration.nix 
@@ -0,0 +1,146 @@ +{ + repoFlake, + pkgs, + lib, + nodeFlake, + nodeName, + system, + ... +}: +{ + disabledModules = [ ]; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.sops-nix.nixosModules.sops + + nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder + { + roles.nix-remote-builder.schedulerPublicKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" + + # TODO: make this a reference to the private key's secret + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" + ]; + } + + ../../snippets/nix-settings.nix + { nix.settings.sandbox = lib.mkForce "relaxed"; } + + ../../snippets/mycelium.nix + + # user config + ../../profiles/common/user.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + ../../snippets/home-manager-with-zsh.nix + # { + # home-manager.users.steveej = {pkgs, ...}: { + # imports = [ + # ../../../home-manager/programs/pass.nix + # ../../../home-manager/programs/openvscode-server.nix + # ]; + # }; + # } + ]; + + services.openssh = { + enable = true; + openFirewall = true; + settings.PermitRootLogin = "yes"; + extraConfig = '' + StreamLocalBindUnlink yes + ''; + }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + + nat.enable = true; + firewall.enable = true; + + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; + }; + + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; + }; + }; + }; + }; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm 
= { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; + + system.stateVersion = "24.05"; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.includeDefaultModules = true; + boot.initrd.kernelModules = [ + "dm-raid" + "dm-integrity" + "xhci_pci_renesas" + ]; + + hardware.enableRedistributableFirmware = true; + + virtualisation.libvirtd.enable = true; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix new file mode 100644 index 0000000..62e6cc1 --- /dev/null +++ b/nix/os/devices/hstk0/default.nix @@ -0,0 +1,37 @@ +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: +let + system = "x86_64-linux"; +in +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit + repoFlake + nodeName + nodeFlake + system + ; + packages' = repoFlake.packages.${system}; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = "185.130.224.33"; + deployment.replaceUnknownProfiles = false; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/hstk0/flake.lock new file mode 100644 index 0000000..8389a6a --- /dev/null +++ b/nix/os/devices/hstk0/flake.lock 
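Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with `openFirewall = true` on a machine that default.nix deploys to a public address permits root login with a password if password authentication is left at its NixOS default; `settings.PermitRootLogin = "prohibit-password";` keeps root reachable for the deploy key and the remote-builder role while ruling that out, and `settings.PasswordAuthentication = false;` closes it for the other users the common profile creates. `nix.settings.sandbox = lib.mkForce "relaxed"` on a host that also accepts builds from the scheduler keys under `roles.nix-remote-builder` lets any derivation marked `__noChroot` run outside the sandbox, so the reason belongs next to it, e.g. `# relaxed sandbox needed for <which derivation — TODO confirm>; scheduler keys above can submit such builds`. The `# TODO: make this a reference to the private key's secret` line is fine, but a note that the pasted `root@steveej-t14` key grants that host's root account build access here would state the trust relationship the list encodes.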
@@ -0,0 +1,124 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719401812, + "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", + "owner": "nix-community", + "repo": "disko", + "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "owner": "ursi", + "repo": "get-flake", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718530513, + "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719253556, + "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719254875, + "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + 
"home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719189969, + "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", + "owner": "numtide", + "repo": "srvos", + "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix new file mode 100644 index 0000000..6c9b22f --- /dev/null +++ b/nix/os/devices/hstk0/flake.nix @@ -0,0 +1,52 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + get-flake.url = "github:ursi/get-flake"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + }; + + # outputs = _: {}; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "x86_64-linux"; + nodeName = "hostkey-0"; + + mkNixosConfiguration = + { + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; + + modules = [ ./configuration.nix ] ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { inherit system; }; + }; + }; +} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index 3723c24..a0204bc 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
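Review bot: `nixosConfigurations` exposes only `native`, while this device's README bootstraps with `--flake .\#sj-bm-hostkey0`, `nodeName` is `"hostkey-0"`, and the README's `185.130.227.252` differs from the `185.130.224.33` that default.nix deploys to; at least one of these is stale and someone following the README gets an attribute-missing error before reaching the address question. Either add `sj-bm-hostkey0 = mkNixosConfiguration { inherit system; };` as an alias or fix the README, and record in one place which address is the post-bootstrap one. `mkNixosConfiguration` forwards the whole `attrs` set into `nixosSystem`, `extraModules` included, so a comment such as `# everything in attrs except extraModules is passed through to nixosSystem (e.g. system)` would make the intended calling convention clear.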
@@ -1,16 +1,24 @@
 {
- "enabled": 1,
- "hidden": false,
- "description": "Jobsets",
- "nixexprinput": "src",
- "nixexprpath": "default.nix",
- "checkinterval": 300,
- "schedulingshares": 100,
- "enableemail": false,
- "emailoverride": "",
- "keepnr": 3,
- "inputs": {
- "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
- "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
+ "enabled": 1,
+ "hidden": false,
+ "description": "Jobsets",
+ "nixexprinput": "src",
+ "nixexprpath": "default.nix",
+ "checkinterval": 300,
+ "schedulingshares": 100,
+ "enableemail": false,
+ "emailoverride": "",
+ "keepnr": 3,
+ "inputs": {
+ "src": {
+ "type": "git",
+ "value": "git://github.com/shlevy/declarative-hydra-example.git",
+ "emailresponsible": false
+ },
+ "nixpkgs": {
+ "type": "git",
+ "value": "git://github.com/NixOS/nixpkgs.git release-16.03",
+ "emailresponsible": false
 }
+ }
 }
diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/nix/os/devices/router0-dmz0/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
new file mode 100644
index 0000000..07c6b1c
--- /dev/null
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -0,0 +1,1298 @@ +# TODO: don't pull in bluez (or any bluetooth components) +{ + repoFlake, + pkgs, + lib, + config, + nodeFlake, + nodeName, + localDomainName, + system, + ... +}: +let + inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; + + vlanRangeStart = builtins.head vlanRange; + vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); + vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); + vlanRangeWith0 = [ 0 ] ++ vlanRange; + + mkVlanIpv4HostAddr = + { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." [ + "192" + "168" + (toString (vlanid + offset)) + "${toString host}${lib.strings.optionalString cidr "/24"}" + ]; + + defaultVlan = { + name = "${localDomainName}"; + packet_priority = 0; + }; + + vlans = { + "2".name = "dmz"; + "2".packet_priority = -5; + + "3".name = "iot"; + "3".packet_priority = -5; + + "4".name = "office"; + "4".packet_priority = -10; + + "5".name = "guests"; + "5".packet_priority = 10; + }; + + vlansByName = lib.attrsets.mapAttrs' ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name ( + attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + } + ) + ) vlans; + + getVlanDomain = + { vlanid }: + if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; + + bridgeInterfaceName = "br-lan"; + mkInterfaceName = + { vlanid }: + if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; + + dmzExposedHost = "sj-srv1"; + dmzExposedHostDomain = "dmz.internal"; + dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; + dmzExposedHostIpv4 = mkVlanIpv4HostAddr { + vlanid = vlansByName.dmz.id; + host = 99; + cidr = false; + }; + + dmzExposedHostMACaddr = + repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in +{ + imports = [ + nixos-sbc.nixosModules.default + nixos-sbc.nixosModules.boards.bananapi.bpir3 + { + sbc.version = "0.2"; + sbc.bootstrap.rootFilesystem = "btrfs"; + sbc.wireless.wifi.acceptRegulatoryResponsibility = true; + } + + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + ../../snippets/nix-settings.nix + + nixos-nftables-firewall.nixosModules.default + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.secrets.passwords-root.neededForUsers = true; + + # sops.secrets.wlan0_saePasswordsFile = {}; + sops.secrets.wlan0_wpaPskFile = { }; + } + ]; + + # sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = 
"/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = false; + + # these will be configured via nftables + nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. + # https://github.com/thelegy/nixos-nftables-firewall/tree/main + + # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) + nftables = { + enable = true; + + stopRuleset = ""; + chains = { + prerouting = { + "exposeHost" = { + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; + }; + }; + }; + + firewall = { + enable = true; + snippets.nnf-common.enable = true; + # included in the above + # snippets.nnf-conntrack.enable = true; + zones = + { + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; + wan.interfaces = [ + "wan" + "lan0" + ]; + vpn.interfaces = [ + "wg0" + "wg1" + "wg2" + ]; + } + // + # generate a zone for each vlan + lib.attrsets.mapAttrs (_key: value: { + interfaces = [ (mkInterfaceName 
{ vlanid = value.id; }) ]; + }) vlansByName; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" + + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ + "fw" + "lan" + ]; + verdict = "accept"; + }; + + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-wan-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-vpn-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "vpn" ]; + masquerade = false; + verdict = "accept"; + }; + }; + }; + }; + }; + + 
sops.secrets.wg0-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg0-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + + # TODO: this shouldn't be necessary _at all_ + systemd.services.sfp-quirk = { + enable = true; + wantedBy = [ + "network.target" + "multi-user.target" + ]; + + requires = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + after = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + path = [ + pkgs.ethtool + pkgs.iproute2 + pkgs.coreutils + ]; + + script = '' + set -xeE + + ip l set dev lan4 down + ip l set dev eth1 down + + sleep 0.5 + + ethtool -s lan4 duplex full autoneg off + ethtool -s eth1 duplex full autoneg off + + sleep 0.5 + + ip l set dev lan4 up + ip l set dev eth1 up + + echo quirk applied, fingers crossed. + ''; + }; + + systemd.network = { + wait-online.anyInterface = true; + config.networkConfig = { + IPv4Forwarding = true; + IPv6Forwarding = true; + }; + links = { + # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
+ # "00-eth1" = { + # enable = true; + # matchConfig.Name = "eth1"; + # linkConfig = { + # # BitsPerSecond = "2500M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + # "00-lan4" = { + # enable = true; + # matchConfig.Name = "lan4@eth0"; + # linkConfig = { + # # BitsPerSecond = "1000M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + }; + netdevs = + let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; + + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + in + { + # Create the bridge interface + "20-${bridgeInterfaceName}" = { + netdevConfig = { + Kind = "bridge"; + Name = bridgeInterfaceName; + }; + + extraConfig = '' + [Bridge] + STP=yes + VLANFiltering=yes + VLANProtocol=802.1q + DefaultPVID=0 + ''; + }; + + wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 100; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. 
+ # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg0Endpoint; + } + ]; + }; + + wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + FirewallMark = 101; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg1Endpoint; + } + ]; + }; + + wg2 = { + enable = true; + netdevConfig = { + Name = "wg2"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 102; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. + # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-hosthatch_wg0Endpoint; + } + ]; + }; + } + # generate the vlan devices. 
these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + "20-${mkInterfaceName { inherit vlanid; }}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName { inherit vlanid; }}"; + }; + vlanConfig.Id = vlanid; + }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); + networks = + let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; + }; + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; + + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit + + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in + { + # places options here that should always exist + "lo" = { + matchConfig.Name = "lo"; + + # these are roughly equivalent to: + # ip rule add fwmark 100 priority 0 table 100 + # ip rule add fwmark 100 priority 1 prohibit + # ip rule add fwmark 101 priority 0 table 101 + # ip rule add fwmark 101 priority 1 prohibit + routingPolicyRules = [ + { + FirewallMark = 100; + Priority = 30000; + Table = 100; + } + { + FirewallMark = 100; + Priority = 30001; + Table = 100; + Type = "prohibit"; + } + { + FirewallMark = 101; + Priority = 30000; + Table = 101; + } + { + FirewallMark = 101; + Priority = 30001; + Table = 101; + Type = "prohibit"; + } + { + FirewallMark = 102; + Priority = 
30000; + Table = 102; + } + { + FirewallMark = 102; + Priority = 30001; + Table = 102; + Type = "prohibit"; + } + ]; + }; + # use lan0 as secondary WAN interface + "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "lan0"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 2000; + }; + + # similar to + # ip route add default via 172.16.0.1 table 101 + routes = [ + { + Gateway = "_dhcp4"; + Table = 101; + } + ]; + }; + "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "wan"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 1000; + }; + + # similar to + # ip route add default via 192.168.0.1 table 100 + routes = [ + { + Gateway = "_dhcp4"; + Table = 100; + } + { + Gateway = "_dhcp4"; + Table = 102; + } + ]; + }; + + # Connect the bridge ports to the bridge + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + } + ]; + }; + + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + } + ]; + }; + + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = "${toString 
vlanRangeStart}-${toString vlanRangeEnd}"; + } + ]; + }; + "30-lan4" = { + matchConfig.Name = "lan4"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + } + ]; + }; + "30-eth1" = { + matchConfig.Name = "eth1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + } + ]; + }; + # Configure the bridge for its desired function + "40-${bridgeInterfaceName}" = { + matchConfig.Name = bridgeInterfaceName; + bridgeConfig = { }; + address = [ + (mkVlanIpv4HostAddr { + vlanid = 0; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + } + ]; + + vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + }; + + "50-wg0" = { + enable = true; + matchConfig.Name = "wg0"; + address = [ "10.0.0.1/31" ]; + + routes = [ + # { + # # test the set uprouting to a specific IP + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.0 1"; + # } + ]; + }; + "50-wg1" = { + enable = true; + matchConfig.Name = "wg1"; + address = [ "10.0.0.3/31" ]; + routes = [ + # { + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.2 1"; + # } + ]; + }; + + "50-wg2" = { + enable = true; + matchConfig.Name = "wg2"; + address = [ "10.0.1.1/31" ]; + + routes = [ + # TODO: add a 
testing route here + ]; + }; + } + # configuration for the hostapd dynamic interfaces + # * netdev type vlan + # * host address for vlan + # * vlan config for wlan interface + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + + # the client shouldn't be allowed to send us RAs, that would be weird. + IPv6AcceptRA = false; + + DHCPPrefixDelegation = true; + IPv6SendRA = true; + }; + + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; + }; + + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + VLAN = vlanid; + } + ]; + }; + + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + } + ]; + }; + + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + } + ) + ( + 
builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); + }; + + # wireless access point + services.hostapd = { + enable = true; + # package = nodeFlake.packages.${system}.hostapd_patched; + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. + # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection + + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; + + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. + acs_exclude_dfs = 0; + }; + + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" + + "40-INTOLERANT" + + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; + + wifi5 = { + enable = false; + require = false; + }; + + wifi6 = { + enable = false; + require = false; + }; + + networks = { + wlan0 = + let + iface = "wlan0"; + in + { + ssid = "mlsia"; + bssid = mkBssid 0; + + # enables debug logging + logLevel = 0; + + authentication.mode = "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; + + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + logger_syslog = lib.mkForce 0; + + # bridge 
= bridgeInterfaceName; + + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; + + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ + + vlan_file = + let + generated = builtins.map ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) vlanRange; + + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; + + wpa_key_mgmt = lib.mkForce ( + builtins.concatStringsSep " " [ + "WPA-PSK" + + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" + + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ] + ); + + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; + + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks. 
+ # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; + + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; + + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; + + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; + + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; + + skip_inactivity_poll = 1; + + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
+ multicast_to_unicast = 0; + }; + }; + }; + }; + }; + }; + + services.resolved.enable = false; + + services.dnsmasq = { + enable = true; + settings = { + domain-needed = true; + bogus-priv = true; + no-resolv = true; + localise-queries = true; + + proxy-dnssec = true; + conntrack = true; + + # enable for debugging + # log-debug = true; + # log-queries = true; + + # disable negative caching + no-negcache = true; + local-ttl = 0; + dhcp-ttl = 0; + + # v6 config + enable-ra = true; + + dhcp-range = + let + mkDhcpRange = + { tag, vlanid }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map ( + vlanid: + mkDhcpRange { + tag = mkInterfaceName { inherit vlanid; }; + inherit vlanid; + } + ) vlanRangeWith0; + + dhcp-host = builtins.concatStringsSep "," [ + dmzExposedHostMACaddr + dmzExposedHostIpv4 + dmzExposedHostFQDN + ]; + + expand-hosts = true; + + # don't use /etc/hosts as this would advertise ${nodeName} as localhost + no-hosts = true; + + server = [ + # upstream DNS servers + + # https://dnsforge.de/ + "176.9.93.198" + "176.9.1.117" + "2a01:4f8:151:34aa::198" + "2a01:4f8:141:316d::117" + + # https://dismail.de/info.html#dns + "116.203.32.217" + "2a01:4f8:1c1b:44aa::1" + "159.69.114.157" + "2a01:4f8:c17:739a::2" + ]; + + domain = + [ "/${getVlanDomain { vlanid = 0; }}/,local" ] + ++ builtins.map ( + vlanid: + "${getVlanDomain { inherit vlanid; }},${ + mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + } + },local" + ) vlanRangeWith0; + + # TODO: compare this to using `interface-name` + dynamic-host = builtins.map ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain { inherit vlanid; }}" + "0.0.0.1" + (mkInterfaceName { 
inherit vlanid; }) + ] + ) vlanRangeWith0; + + dhcp-option-force = builtins.map ( + vlanid: + "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" + ) vlanRangeWith0; + + # auth-server = [ + # (builtins.concatStringsSep "," [ + # "www.stefanjunker.de" + # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) + # # (mkInterfaceName { vlanid = vlansByName.office.id; }) + # ]) + # ]; + + cname = [ + "mailserver.svc.stefanjunker.de,${dmzExposedHost}" + "www.stefanjunker.de,${dmzExposedHost}" + "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" + "jitsi.www.stefanjunker.de,${dmzExposedHost}" + "lldap.www.stefanjunker.de,${dmzExposedHost}" + "forgejo.www.stefanjunker.de,${dmzExposedHost}" + "kanidm.www.stefanjunker.de,${dmzExposedHost}" + ]; + }; + }; + + system.stateVersion = "24.11"; + + # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; + + environment.systemPackages = [ + pkgs.ethtool + pkgs.vim + pkgs.iperf3 + + pkgs.wireguard-tools + pkgs.tshark + pkgs.tmux + + (pkgs.writeShellScriptBin "dbg-ip" '' + echo links: + ip -br -c l + echo + echo addresses: + ip -br -c a + echo + echo vlans: + bridge -c vlan + '') + + (pkgs.writeShellScriptBin "dbg-dnsmasq" '' + # get the rendered in-use config + pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat + '') + ]; +} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix new file mode 100644 index 0000000..a0520dc --- /dev/null +++ b/nix/os/devices/router0-dmz0/default.nix 
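Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with the password-based root setup (`rootPasswordFile = config.sops.secrets.passwords-root.path`) and the way sshd is reached — the prerouting rule `iifname { wan, lan0 } tcp dport 220 redirect to 22` plus `wan-to-fw` accepting TCP 22, and `vlan-to-fw` accepting TCP 22 from every VLAN zone including `guests` and `iot` — leaves the router's root account open to password guessing from the internet and from the guest network. Unless password login is needed for first bootstrap, set `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;`, provision root's `openssh.authorizedKeys.keys` instead, and consider limiting port 22 in `vlan-to-fw` to the office zone. Two smaller points in the same hunk: `networking.nftables.stopRuleset = ""` combined with the `net.ipv4/ipv6.conf.all.forwarding = true` sysctls means a stopped or failed nftables unit leaves the box forwarding between WAN and all VLANs with no filtering or NAT, so a stop ruleset that drops forwarded traffic would fail closed. And `wg2` reuses `wg0-privatekey`, `wg0-peer0-psk` and the identical `PublicKey` of the `wg0`/`wg1` peer while pointing at the router0-hosthatch endpoint; if that host has its own key pair the handshake cannot complete, and if it really shares ifog's keys then compromise of either remote exposes the PSK of both tunnels, so a per-peer PSK secret and a check that the public key is the hosthatch one are worth adding.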
@@ -0,0 +1,41 @@
+{
+ system ? "aarch64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ localDomainName ? "internal",
+ ...
+}:
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+
+ inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
+
+ inherit localDomainName;
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.${localDomainName}";
+ deployment.replaceUnknownProfiles = true;
+
+ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock
new file mode 100644
index 0000000..8f55026
--- /dev/null
+++ b/nix/os/devices/router0-dmz0/flake.lock
@@ -0,0 +1,224 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "owner": "nix-community", + "repo": "disko", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "owner": "ursi", + "repo": "get-flake", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "hostapd": { + "flake": false, + "locked": { + "lastModified": 1738518662, + "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", + "ref": "refs/heads/main", + "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", + "revCount": 20282, + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + }, + "original": { + 
"type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixos-sbc": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738254353, + "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", + "owner": "nakato", + "repo": "nixos-sbc", + "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", + "type": "github" + }, + "original": { + "owner": "nakato", + "repo": "nixos-sbc", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "openwrt": { + "flake": false, + "locked": { + "lastModified": 1691699580, + "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", + "ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "revCount": 58166, + "type": "git", + "url": "https://github.com/openwrt/openwrt.git" + }, + "original": { + 
"ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "type": "git", + "url": "https://github.com/openwrt/openwrt.git" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": "home-manager", + "hostapd": "hostapd", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixos-sbc": "nixos-sbc", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "openwrt": "openwrt", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738198321, + "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", + "owner": "numtide", + "repo": "srvos", + "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix new file mode 100644 index 0000000..d56e72a --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.nix 
@@ -0,0 +1,107 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ get-flake.url = "github:ursi/get-flake";
+
+ home-manager.url = "github:nix-community/home-manager/release-24.11";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-sbc.url = "github:nakato/nixos-sbc"
+ # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12"
+ # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13"
+ # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
+ # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
+ # "git+file:///home/steveej/src/others/nakato_nixos-sbc/"
+ ;
+ nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+
+ hostapd.url = "git://w1.fi/hostap.git?branch=main";
+ hostapd.flake = false;
+
+ openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9";
+ openwrt.flake = false;
+
+ # TODO: would be nice if this worked but it throws an error when using the input as a patch:
+ # error: flake input has unsupported input type 'file'
+ # hostapd_patch_vlan_no_bridge = {
+ # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch";
+ # flake = false;
+ # };
+
+ # repoFlake.url = "path:../../../..";
+ };
+
+ outputs =
+ {
+ self,
+ get-flake,
+ nixpkgs,
+ ...
+ }:
+ let
+ nativeSystem = "aarch64-linux";
+ nodeName = "router0-dmz0";
+
+ mkNixosConfiguration =
+ {
+ extraModules ? [ ],
+ ...
+ }@attrs:
+ nixpkgs.lib.nixosSystem (
+ nixpkgs.lib.attrsets.recursiveUpdate attrs {
+ specialArgs =
+ (import ./default.nix {
+ system = nativeSystem;
+ inherit nodeName;
+
+ repoFlake = get-flake ../../../..;
+ # repoFlake = get-flake ./.;
+ # repoFlake = self.inputs.repoFlake;
+ nodeFlake = self;
+ }).meta.nodeSpecialArgs.${nodeName};
+
+ modules = [
+ ./configuration.nix
+
+ # flake registry
+ {
+ nixpkgs.overlays = builtins.attrValues self.overlays;
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+ ] ++ extraModules;
+ }
+ );
+ in
+ {
+ nixosConfigurations = {
+ native = mkNixosConfiguration { system = nativeSystem; };
+
+ cross = mkNixosConfiguration {
+ extraModules = [
+ {
+ nixpkgs.buildPlatform.system = "x86_64-linux";
+ nixpkgs.hostPlatform.system = nativeSystem;
+ }
+ ];
+ };
+ };
+
+ overlays.default = _final: previous: {
+ hostapd = previous.hostapd.overrideDerivation (attrs: {
+ patches = attrs.patches ++ [
+ "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
+ ];
+ });
+ };
+ };
+}
diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix
new file mode 100644
index 0000000..af02b3d
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/configuration.nix
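Review bot: `hostapd.url = "git://w1.fi/hostap.git?branch=main";` fetches the source of a security-critical daemon over the plain git protocol, which provides neither transport encryption nor server authentication. The lock's rev and narHash keep already-locked builds reproducible, but every `nix flake update` accepts whatever that unauthenticated transport returns; `git+https://w1.fi/hostap.git?ref=main` (if upstream serves the repository over HTTPS, as the openwrt input already uses) closes that gap, and pinning `rev=` the way the openwrt input does would make the baseline the overlay patches explicit. The `overlays.default` block applies an OpenWrt patch from a pinned revision onto that moving hostap tip, so a patch/source mismatch would only surface at build time.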
@@ -0,0 +1,337 @@
+{
+ repoFlake,
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ system,
+ variables,
+ ...
+}:
+{
+ system.stateVersion = "24.05";
+
+ imports = [
+ nodeFlake.inputs.disko.nixosModules.disko
+ nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../snippets/nix-settings.nix
+ ../../profiles/common/user.nix
+
+ nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = false;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ # sops.age.keyFile = "/etc/age.key";
+ # sops.age.sshKeyPaths = [];
+
+ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.secrets.passwords-root.neededForUsers = true;
+ }
+
+ # TODO: extract this into single-disk VM BIOS module
+ {
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub.efiSupport = false;
+
+ # forcing seems required or else there's an error about duplicated devices
+ boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
+
+ disko.devices.disk.vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/boot" = {
+ mountpoint = "/boot";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ boot.initrd.kernelModules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+ }
+ ];
+
+ # sops.secrets.ssh_host_ed25519_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_ed25519_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key.pub";
+ # mode = "0644";
+ # };
+
+ boot = {
+ kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = true;
+ useDHCP = true;
+ usePredictableInterfaceNames = false;
+
+ interfaces.eth0.ipv4.addresses = [
+ {
+ address = variables.ipv4;
+ prefixLength = variables.ipv4length;
+ }
+ ];
+ defaultGateway = {
+ interface = "eth0";
+ address = variables.ipv4gateway;
+ };
+ nameservers = [ variables.ipv4dns ];
+
+ # these will be configured via nftables
+ nat.enable = lib.mkForce false;
+ firewall.enable = lib.mkForce false;
+
+ # Use the nftables firewall instead of the base nixos scripted rules.
+ # This flake provides a similar utility to the base nixos scripting.
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+
+ nftables = {
+ enable = true;
+
+ firewall = {
+ enable = true;
+ snippets.nnf-common.enable = true;
+
+ zones.wan = {
+ interfaces = [ "eth0" ];
+ };
+
+ zones.vpn = {
+ interfaces = [
+ "wg0"
+ "wg1"
+ ];
+ };
+
+ rules = {
+ to-fw = {
+ from = "all";
+ to = [ "fw" ];
+ verdict = "drop";
+
+ allowedTCPPorts = [
+ 22
+ 5201
+ ];
+ allowedUDPPorts = [
+ 22
+ 5201
+ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+ config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+ ];
+ };
+
+ vpn-to-wan-nat = {
+ from = [ "vpn" ];
+ to = [ "wan" ];
+ masquerade = true;
+ verdict = "accept";
+ };
+ };
+ };
+ };
+ };
+
+ sops.secrets.wg0-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg0-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+
+ systemd.network.enable = true;
+ systemd.network.netdevs.wg0 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.1.1/32"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+ PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
+ };
+ }
+ ];
+ };
+ systemd.network.netdevs.wg1 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg1";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.1.3/31"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+ PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg0 = {
+ enable = true;
+ matchConfig.Name = "wg0";
+ address = [ "10.0.1.0/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.1.1 1";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg1 = {
+ enable = true;
+ matchConfig.Name = "wg1";
+ address = [ "10.0.1.2/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.1.3 1";
+ };
+ }
+ ];
+ };
+
+ environment.systemPackages = [
+ pkgs.ethtool
+ pkgs.neovim
+ pkgs.tmux
+
+ pkgs.wireguard-tools
+ pkgs.tshark
+
+ (pkgs.writeShellScriptBin "dbg-ip" ''
+ echo links:
+ ip -br -c l
+ echo
+ echo addresses:
+ ip -br -c a
+ echo
+ echo vlans:
+ bridge -c vlan
+ '')
+
+ (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
+ # get the rendered in-use config
+ pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
+ '')
+ ];
+}
diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix
new file mode 100644
index 0000000..fd2c485
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/default.nix
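Review bot: `services.openssh.settings.PermitRootLogin = "yes";` together with `enableNonRoot = false` and a sops-managed `rootPasswordFile` leaves password login for root enabled on an SSH port that the `to-fw` rule opens with `from = "all"`, which includes the `wan` zone. Unless password login is deliberately needed for first boot, `services.openssh.settings.PermitRootLogin = "prohibit-password";` plus `services.openssh.settings.PasswordAuthentication = false;` and root authorized keys keeps key-based deployments working while removing the guessing surface. The identical block is in nix/os/devices/router0-ifog/configuration.nix. Minor: `allowedUDPPorts` lists 22 although SSH is TCP-only, so limiting that list to the WireGuard ListenPorts (and 5201 if UDP iperf3 is intended) would document the intent. The `# PublicKey /RPDd…` comment is identical above wg0 and wg1 although they use different private keys, so at least one of them looks stale.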
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/flake.lock
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-hosthatch/flake.nix 
@@ -0,0 +1,19 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ home-manager.url = "github:nix-community/home-manager/release-24.05";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: { };
+}
diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix
new file mode 100644
index 0000000..38c17df
Binary files /dev/null and b/nix/os/devices/router0-hosthatch/variables.crypt.nix differ
diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix
new file mode 100644
index 0000000..9bc91ee
--- /dev/null
+++ b/nix/os/devices/router0-ifog/configuration.nix
@@ -0,0 +1,337 @@
+{
+ repoFlake,
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ system,
+ variables,
+ ...
+}:
+{
+ system.stateVersion = "23.11";
+
+ imports = [
+ nodeFlake.inputs.disko.nixosModules.disko
+ nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../snippets/nix-settings.nix
+ ../../profiles/common/user.nix
+
+ nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = false;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ # sops.age.keyFile = "/etc/age.key";
+ # sops.age.sshKeyPaths = [];
+
+ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.secrets.passwords-root.neededForUsers = true;
+ }
+
+ # TODO: extract this into single-disk VM BIOS module
+ {
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub.efiSupport = false;
+
+ # forcing seems required or else there's an error about duplicated devices
+ boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
+
+ disko.devices.disk.vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/boot" = {
+ mountpoint = "/boot";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ boot.initrd.kernelModules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+ }
+ ];
+
+ # sops.secrets.ssh_host_ed25519_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_ed25519_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key.pub";
+ # mode = "0644";
+ # };
+
+ boot = {
+ kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = true;
+ useDHCP = true;
+ usePredictableInterfaceNames = false;
+
+ interfaces.eth0.ipv4.addresses = [
+ {
+ address = variables.ipv4;
+ prefixLength = variables.ipv4length;
+ }
+ ];
+ defaultGateway = {
+ interface = "eth0";
+ address = variables.ipv4gateway;
+ };
+ nameservers = [ variables.ipv4dns ];
+
+ # these will be configured via nftables
+ nat.enable = lib.mkForce false;
+ firewall.enable = lib.mkForce false;
+
+ # Use the nftables firewall instead of the base nixos scripted rules.
+ # This flake provides a similar utility to the base nixos scripting.
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+
+ nftables = {
+ enable = true;
+
+ firewall = {
+ enable = true;
+ snippets.nnf-common.enable = true;
+
+ zones.wan = {
+ interfaces = [ "eth0" ];
+ };
+
+ zones.vpn = {
+ interfaces = [
+ "wg0"
+ "wg1"
+ ];
+ };
+
+ rules = {
+ to-fw = {
+ from = "all";
+ to = [ "fw" ];
+ verdict = "drop";
+
+ allowedTCPPorts = [
+ 22
+ 5201
+ ];
+ allowedUDPPorts = [
+ 22
+ 5201
+ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+ config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+ ];
+ };
+
+ vpn-to-wan-nat = {
+ from = [ "vpn" ];
+ to = [ "wan" ];
+ masquerade = true;
+ verdict = "accept";
+ };
+ };
+ };
+ };
+ };
+
+ sops.secrets.wg0-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg0-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+
+ systemd.network.enable = true;
+ systemd.network.netdevs.wg0 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.0.1/32"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+ PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
+ };
+ }
+ ];
+ };
+ systemd.network.netdevs.wg1 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg1";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.0.3/31"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+ PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg0 = {
+ enable = true;
+ matchConfig.Name = "wg0";
+ address = [ "10.0.0.0/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.1 1";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg1 = {
+ enable = true;
+ matchConfig.Name = "wg1";
+ address = [ "10.0.0.2/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.3 1";
+ };
+ }
+ ];
+ };
+
+ environment.systemPackages = [
+ pkgs.ethtool
+ pkgs.neovim
+ pkgs.tmux
+
+ pkgs.wireguard-tools
+ pkgs.tshark
+
+ (pkgs.writeShellScriptBin "dbg-ip" ''
+ echo links:
+ ip -br -c l
+ echo
+ echo addresses:
+ ip -br -c a
+ echo
+ echo vlans:
+ bridge -c vlan
+ '')
+
+ (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
+ # get the rendered in-use config
+ pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
+ '')
+ ];
+}
diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix
new file mode 100644
index 0000000..fd2c485
--- /dev/null
+++ b/nix/os/devices/router0-ifog/default.nix
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-ifog/flake.lock
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-ifog/flake.nix @@ -0,0 +1,19 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; + nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} 
diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix
new file mode 100644
index 0000000..1dec120
Binary files /dev/null and b/nix/os/devices/router0-ifog/variables.crypt.nix differ
diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md
new file mode 100644
index 0000000..394da55
--- /dev/null
+++ b/nix/os/devices/sj-srv1/README.md
@@ -0,0 +1 @@
+## bootstrapping
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
new file mode 100644
index 0000000..5184bd1
--- /dev/null
+++ b/nix/os/devices/sj-srv1/configuration.nix
@@ -0,0 +1,23 @@
+{ nodeName, config, ... }:
+{
+ disabledModules = [ ];
+ imports = [
+ ../../profiles/common/configuration.nix
+ {
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ sops.secrets.passwords-root = {
+ sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
+ }
+
+ ./system.nix
+ ./hw.nix
+ ];
+}
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
new file mode 100644
index 0000000..c9076b9
--- /dev/null
+++ b/nix/os/devices/sj-srv1/default.nix
@@ -0,0 +1,29 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ system = "x86_64-linux";
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.dmz.internal";
+ # deployment.targetHost = "www.stefanjunker.de";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+ };
+}
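Review bot: The inline module in sj-srv1/configuration.nix (`users.commonUsers` plus `sops.secrets.passwords-root`) is the same text as the one in sj-vps-htz0/configuration.nix later in this commit, so the root-password wiring now lives in two places that will drift. Extracting it into a shared snippet under `../../snippets/` and importing that from both files keeps it in one place; both sites already derive `sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;` from `nodeName`, so the shared module needs nothing beyond `nodeName` and `config`. A short comment on `neededForUsers = true;` (the secret must be available before user creation at activation) would also help the next reader understand why this secret is declared separately from the others in system.nix.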
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
new file mode 100644
index 0000000..bb96205
--- /dev/null
+++ b/nix/os/devices/sj-srv1/flake.lock
@@ -0,0 +1,100 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747556831, + "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1747953325, + "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-kanidm": { + "locked": { + "lastModified": 1729071019, + "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", + "owner": "steveej-forks", + "repo": "nixpkgs", + "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "kanidm", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1748090750, + "narHash": "sha256-q98rD+6llf/9ABNZc0lbSgGVjqMvkx4QL8LTs1jt+FY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a9e3bbb8995849e5daa0cf5e03a09c1df63bf933", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1748074755, + "narHash": "sha256-b3SC3Q3cXr4tdCN3WVTFqMP8I9OwaXXcj1aVoSVaygw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c3ee76c437067f1ae09d6e530df46a3f80977992", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": 
"nixpkgs",
+ "nixpkgs-kanidm": "nixpkgs-kanidm",
+ "nixpkgs-master": "nixpkgs-master",
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix
new file mode 100644
index 0000000..c13b5ad
--- /dev/null
+++ b/nix/os/devices/sj-srv1/flake.nix
@@ -0,0 +1,14 @@
+{
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+ inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm";
+
+ inputs.home-manager = {
+ url = "github:nix-community/home-manager/release-25.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: { };
+}
diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix
new file mode 100644
index 0000000..ca9158b
--- /dev/null
+++ b/nix/os/devices/sj-srv1/hw.nix
@@ -0,0 +1,55 @@
+_:
+let
+ stage1Modules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+
+ "aesni_intel"
+ "kvm_amd"
+ "nvme"
+ "nvme_core"
+
+ "thunderbolt"
+ "e1000e"
+
+ "usbcore"
+ "xhci_hcd"
+ "usbnet"
+ "snd_usb_audio"
+ "usbhid"
+ "snd_usbmidi_lib"
+ "cdc_mbim"
+ "cdc_ncm"
+ "usb_storage"
+ "cdc_wdm"
+ "uvcvideo"
+ "btusb"
+ "xhci_pci"
+ "cdc_ether"
+ "uas"
+ ];
+in
+{
+ imports = [
+ ../../modules/opinionatedDisk.nix
+ ];
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "virtio-virtio-paeNi8Fof9Oe";
+ earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN";
+ };
+
+ boot.initrd.kernelModules = stage1Modules;
+}
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
new file mode 100644
index 0000000..c5e4c43
--- /dev/null
+++ b/nix/os/devices/sj-srv1/system.nix
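Review bot: `diskId = "virtio-virtio-paeNi8Fof9Oe";` in sj-srv1/hw.nix is the identical identifier that sj-vps-htz0/hw.nix uses in this same commit, while this host additionally points `earlyDiskIdOverride` at an Intel SATA SSD — this looks like a copy-paste from the VPS config, and if the override is what the stage-1 lookup actually uses here, the stale `diskId` should be replaced or marked `# unused: earlyDiskIdOverride takes precedence` so nobody "fixes" it the wrong way. `"virtio_ring"` is listed twice in `stage1Modules` (both hw.nix files have the same duplicate); harmless, but drop the second occurrence. The USB audio/video/modem/bluetooth modules (`snd_usb_audio`, `uvcvideo`, `cdc_mbim`, `btusb`, …) go into `boot.initrd.kernelModules`, which force-loads them on every boot of a headless server; `boot.initrd.availableKernelModules`, as srv0.home-ch's hw.nix does, makes them available on demand without growing the early-boot attack surface.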
@@ -0,0 +1,220 @@
+{
+ pkgs,
+ lib,
+ config,
+ repoFlake,
+ nodeFlake,
+ nodeName,
+ ...
+}:
+let
+ hostBridgeAddress = "192.168.101.1";
+in
+{
+ imports = [
+ ../../snippets/systemd-resolved.nix
+ {
+ # make sure it uses the DNS that comes in via DHCP
+ networking.nameservers = lib.mkForce [ ];
+ services.resolved.enable = true;
+
+ # provide DNS to the containers
+ services.resolved.extraConfig = ''
+ DNSStubListenerExtra=${hostBridgeAddress}
+ '';
+ networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];
+ networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];
+ }
+ ];
+
+ programs.wireshark.enable = true;
+ environment.systemPackages = [ pkgs.dnsutils ];
+
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+ networking.nftables.flushRuleset = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "br0" ];
+ externalInterface = "dmz0";
+ };
+
+ networking.bridges = {
+ br0 = {
+ interfaces = [ ];
+ };
+ };
+ networking.interfaces = {
+ br0 = {
+ ipv4.addresses = [
+ {
+ address = hostBridgeAddress;
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+
+ systemd.network.netdevs."10-dmz0" = {
+ enable = true;
+ netdevConfig = {
+ Name = "dmz0";
+ Kind = "macvlan";
+ MACAddress = "1c:69:7a:07:08:6f";
+ };
+
+ macvlanConfig = {
+ Mode = "bridge";
+ };
+ };
+
+ systemd.network.networks."20-eth0" = {
+ enable = true;
+ matchConfig.Name = "eth0";
+
+ linkConfig.RequiredForOnline = "carrier";
+ networkConfig.LinkLocalAddressing = "no";
+
+ # TODO: i'm not sure if and if so why this is required
+ macvlan = [ "dmz0" ];
+
+ DHCP = "no";
+ };
+
+ systemd.network.networks."30-dmz0" = {
+ enable = true;
+ matchConfig.Name = "dmz0";
+ DHCP = "yes";
+
+ dhcpV4Config.UseDNS = true;
+ dhcpV6Config.UseDNS = true;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.ip_forward" = 1;
+ };
+
+ # virtualization
+ virtualisation = {
+ docker.enable = false;
+ };
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+ # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
+ services.restic.backups.${nodeName} =
+ let
+ btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+ in
+ {
+ initialize = true;
+ repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
+
+ paths = [ "/backup" ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 2"
+ ];
+
+ timerConfig = {
+ OnCalendar = lib.mkDefault "daily";
+ Persistent = true;
+ };
+
+ passwordFile = config.sops.secrets.restic-password.path;
+
+ backupPrepareCommand = ''
+ ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
+ '';
+ backupCleanupCommand = ''
+ ${btrfs} su delete /backup/container-volumes
+ '';
+ };
+
+ containers = {
+ mailserver = import ../../containers/mailserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.10/24";
+
+ imapsPort = 993;
+ sievePort = 4190;
+ };
+
+ webserver = import ../../containers/webserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.11/24";
+
+ httpPort = 80;
+ httpsPort = 443;
+ forgejoSshPort = 2222;
+ };
+
+ syncthing = import ../../containers/syncthing.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = 
hostBridgeAddress; + localAddress = "192.168.101.12/24"; + + syncthingPort = 22000; + }; + }; + + virtualisation.libvirtd = { + enable = true; + onShutdown = "shutdown"; + parallelShutdown = 3; + }; + + # VM storage + # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D"; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/nix/os/devices/sj-vps-htz0/README.md b/nix/os/devices/sj-vps-htz0/README.md new file mode 100644 index 0000000..5c32f8e --- /dev/null +++ b/nix/os/devices/sj-vps-htz0/README.md @@ -0,0 +1,18 @@ +## bootstrapping + +``` +systemctl stop dhcpcd +ip a add 167.233.1.14/29 dev ens18 +ip l set mtu 1400 dev ens18 +ip r add default via 167.233.1.9 +echo "nameserver 1.1.1.1" >> /etc/resolv.conf +mkdir ~/.ssh +``` + +### ssh key + +run locally: + +``` +ssh-add -L | tr \\n \\r | xdotool selectwindow windowfocus type --delay 50 --window %@ --file - +``` diff --git a/nix/os/devices/vmd32387.contaboserver.net/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix similarity index 84% rename from nix/os/devices/vmd32387.contaboserver.net/boot.nix rename to nix/os/devices/sj-vps-htz0/boot.nix index 18fcc13..ed21f9c 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,7 +1,4 @@ -{ lib -, ... -}: - +{ lib, ... }: { boot.loader.grub.efiSupport = lib.mkForce false; boot.extraModulePackages = [ ]; diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix new file mode 100644 index 0000000..0f9e008 
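Review bot: `"net.ipv6.ip_forward" = 1;` in `boot.kernel.sysctl` of sj-srv1/system.nix is not a Linux sysctl key — IPv6 forwarding is `net.ipv6.conf.all.forwarding` — so systemd-sysctl will presumably log an error for it and it has no effect; change it to `"net.ipv6.conf.all.forwarding" = 1;` if v6 forwarding toward the containers is wanted (the NAT module already takes care of the v4 side). `networking.firewall.allowedTCPPorts = [ 5201 ]` opens iperf3 on every interface, including the DHCP-addressed `dmz0` uplink, while DNS is correctly scoped with `networking.firewall.interfaces.br0.*`; scope iperf3 the same way or leave it closed outside test windows, since it is an unauthenticated service. `backupPrepareCommand` creates `/backup/container-volumes` with `btrfs su snapshot -r` and only `backupCleanupCommand` removes it, so one aborted run leaves a stale snapshot and every later prepare step fails; removing a leftover snapshot at the start of prepare (`[ -d /backup/container-volumes ] && ${btrfs} su delete /backup/container-volumes`) makes the job self-healing.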
--- /dev/null
+++ b/nix/os/devices/sj-vps-htz0/configuration.nix
@@ -0,0 +1,25 @@
+{ nodeName, config, ... }:
+{
+ disabledModules = [ ];
+ imports = [
+ ../../profiles/common/configuration.nix
+ {
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ sops.secrets.passwords-root = {
+ sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
+ }
+ ../../modules/opinionatedDisk.nix
+
+ ./system.nix
+ ./hw.nix
+ ./boot.nix
+ ];
+}
diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix
new file mode 100644
index 0000000..7683a53
--- /dev/null
+++ b/nix/os/devices/sj-vps-htz0/default.nix
@@ -0,0 +1,28 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ system = "x86_64-linux";
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+ };
+}
diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock
new file mode 100644
index 0000000..56c2d36
--- /dev/null
+++ b/nix/os/devices/sj-vps-htz0/flake.lock
@@ -0,0 +1,83 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700392168, + "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1700501263, + "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1700758842, + "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix new file mode 100644 index 0000000..f8ca24f --- /dev/null +++ b/nix/os/devices/sj-vps-htz0/flake.nix 
@@ -0,0 +1,12 @@
+{
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+ inputs.home-manager = {
+ url = "github:nix-community/home-manager/release-23.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: { };
+}
diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix
new file mode 100644
index 0000000..080bb40
--- /dev/null
+++ b/nix/os/devices/sj-vps-htz0/hw.nix
@@ -0,0 +1,27 @@
+_:
+let
+ stage1Modules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+in
+{
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "virtio-virtio-paeNi8Fof9Oe";
+ };
+
+ boot.initrd.kernelModules = stage1Modules;
+}
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
new file mode 100644
index 0000000..7380a35
--- /dev/null
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@@ -0,0 +1,109 @@
+{
+ pkgs,
+ config,
+ nodeName,
+ ...
+}:
+let
+ wireguardPort = 51820;
+in
+{
+ imports = [ ../../snippets/systemd-resolved.nix ];
+
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+ networking.firewall.allowedUDPPorts = [ wireguardPort ];
+
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.dhcpcd.enable = false;
+
+ networking.interfaces.eth0 = {
+ mtu = 1400;
+ useDHCP = true;
+ ipv4.addresses = [
+ {
+ "address" = "167.233.1.14";
+ "prefixLength" = 29;
+ }
+ ];
+ ipv6.addresses = [ ];
+ };
+
+ networking.defaultGateway = {
+ address = "167.233.1.9";
+ interface = "eth0";
+ };
+
+ networking.defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [
+ "ve-*"
+ "wg*"
+ ];
+ externalInterface = "eth0";
+ };
+
+ networking.firewall.filterForward = true;
+ networking.firewall.extraForwardRules = ''
+ meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1360;
+ meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
+ '';
+
+ sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces.wg0 = {
+ # eth0 MTU (1400) - 80
+ mtu = 1320;
+ ips = [ "192.168.99.1/31" ];
+ listenPort = wireguardPort;
+ privateKeyFile = config.sops.secrets.wg0-private.path;
+ peers = [
+ {
+ allowedIPs = [ "192.168.99.2/32" ];
+ publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
+ presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
+ }
+ ];
+ };
+
+ # virtualization
+ virtualisation = {
+ docker.enable = false;
+ };
+
+ services.spice-vdagentd.enable = true;
+ services.qemuGuest.enable = true;
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ containers = { };
+
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+ inherit pkgs;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md
new file mode 100644
index 0000000..c76c8a0
--- /dev/null
+++ b/nix/os/devices/srv0-dmz0/README.md
@@ -0,0 +1,6 @@
+## bootstrapping
+
+```
+# TODO: generate an SSH host-key and deploy it via --extra-files
+nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life
+```
diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix
new file mode 100644
index 0000000..5514edf
--- /dev/null
+++ b/nix/os/devices/srv0-dmz0/configuration.nix
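Review bot: `networking.interfaces.eth0` in sj-vps-htz0/system.nix sets `useDHCP = true;` alongside a static `ipv4.addresses` entry while `networking.dhcpcd.enable = false;` and no networkd is enabled, so there appears to be no DHCP client behind that flag and it only obscures that the host is statically addressed (the README's bootstrap steps configure the same 167.233.1.14/29 by hand); drop `useDHCP = true;` or add `# no DHCP client on this host; address is static`. `networking.firewall.allowedTCPPorts = [ 5201 ]` exposes iperf3 on the public address to the whole internet; if it is needed for tunnel throughput tests, restrict it to the tunnel with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 5201 ];` and leave the default zone closed. The MSS-clamp rules in `extraForwardRules` encode 1400−40 and 1400−60 for the eth0 MTU, same as the `mtu = 1320` comment on wg0; naming the MTU once in the `let` block next to `wireguardPort` would keep the three numbers from drifting apart.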
@@ -0,0 +1,135 @@
+{
+ modulesPath,
+ repoFlake,
+ config,
+ ...
+}:
+let
+ disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN";
+in
+{
+ disabledModules = [ ];
+ imports = [
+ repoFlake.inputs.disko.nixosModules.disko
+ repoFlake.inputs.srvos.nixosModules.server
+ (modulesPath + "/profiles/all-hardware.nix")
+
+ repoFlake.inputs.srvos.nixosModules.mixins-terminfo
+ repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../profiles/common/user.nix
+ ];
+
+ ## bare-metal machines
+ srvos.boot.consoles = [ "tty0" ];
+ boot.loader.grub.enable = false;
+ boot.loader.efi.canTouchEfiVariables = false;
+
+ disko.devices.disk.main = {
+ device = disk;
+ type = "disk";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = [ "bios_grub" ];
+ }
+ {
+ name = "ESP";
+ start = "1M";
+ end = "512M";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ start = "512M";
+ end = "100%";
+ part-type = "primary";
+ bootable = true;
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" ];
+ };
+ };
+ };
+ }
+ ];
+ };
+ };
+
+ hardware.enableAllFirmware = true;
+ nixpkgs.config.allowUnfree = true;
+
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.intel.updateMicrocode = true;
+
+ services.openssh.enable = true;
+
+ systemd.network.enable = true;
+ systemd.network.networks."10-lan" = {
+ matchConfig.Name = "eth*";
+ networkConfig = {
+ # enable DHCP for IPv4 *and* IPv6
+ DHCP = "yes";
+
+ # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ };
+ };
+ networking.dhcpcd.enable = false;
+
+ 
 networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ 22
+
+ # iperf3
+ 5201
+ ];
+ networking.firewall.logRefusedConnections = false;
+ networking.usePredictableInterfaceNames = false;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "eth0";
+ };
+
+ # Kubernetes
+ # services.kubernetes.roles = ["master" "node"];
+
+ # virtualization
+ # virtualisation = {docker.enable = true;};
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ containers = { };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix
new file mode 100644
index 0000000..3af624b
--- /dev/null
+++ b/nix/os/devices/srv0-dmz0/default.nix
@@ -0,0 +1,30 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ system = "x86_64-linux";
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "srv0.dmz0.noosphere.life";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock
new file mode 100644
index 0000000..4e1a641
--- /dev/null
+++ b/nix/os/devices/srv0-dmz0/flake.lock
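Review bot: In srv0-dmz0/configuration.nix the btrfs subvolume `"/nix" = { mountOptions = [ "noatime" ]; };` has no `mountpoint`, so disko will create the subvolume but, as far as I can tell, never mount it and the Nix store lands on the `/rootfs` subvolume; if a separate store subvolume is intended, add `mountpoint = "/nix";` next to the mount options. `type = "table";` with a list of `partitions` is disko's legacy layout that has been superseded by `type = "gpt";` with an attribute set of partitions; since this host is still being bootstrapped (see the README's nixos-anywhere step), migrating now is cheap. `networking.firewall.allowedTCPPorts` lists `22` explicitly although `services.openssh.enable = true;` already opens it through its `openFirewall` default, and `5201` (iperf3) stays open on the `eth0` uplink permanently — drop 22 and either scope or remove 5201.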
@@ -0,0 +1,83 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716736833, + "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1717242134, + "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1717216113, + "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix new file mode 100644 index 0000000..2f27989 --- /dev/null +++ b/nix/os/devices/srv0-dmz0/flake.nix 
@@ -0,0 +1,12 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-24.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix new file mode 100644 index 0000000..9ddbde9 --- /dev/null +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -0,0 +1,4 @@ +_: { + boot.loader.grub.efiSupport = true; + boot.extraModulePackages = [ ]; +} diff --git a/nix/os/devices/vmd32387.contaboserver.net/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix similarity index 68% rename from nix/os/devices/vmd32387.contaboserver.net/configuration.nix rename to nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index ffce549..b29548c 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,11 +1,9 @@ { ... }: - { - disabledModules = [ - ]; + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix - ../../modules/encryptedDisk.nix + ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix new file mode 100644 index 0000000..a89e29a --- /dev/null +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix 
@@ -0,0 +1,33 @@
+_:
+let
+ stage1Modules = [
+ "aesni_intel"
+ "kvm-intel"
+
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+
+ "scsi_mod"
+ "uas"
+ "usb_storage"
+
+ "xhci_hcd"
+ "xhci_pci"
+ ];
+in
+{
+ # TASK: new device
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
+ };
+
+ boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = "";
+}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
new file mode 100644
index 0000000..607e7f3
--- /dev/null
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
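Review bot: `diskId = "usb-JMicron_Generic_0123456789ABCDEF-0:0";` carries the placeholder serial `0123456789ABCDEF` that JMicron USB bridges commonly report, so the `/dev/disk/by-id` link may stop being unique as soon as a second enclosure is plugged in; together with the `# TASK: new device` marker this reads as unverified. Confirm the link on the target and record it, e.g. `# verified: only one by-id entry with this serial on this host`, or prefer a partition UUID if the opinionatedDisk module allows it. Listing the same `stage1Modules` in both `boot.initrd.availableKernelModules` and `boot.initrd.kernelModules` is redundant (`kernelModules` already forces the load), and `boot.extraModprobeConfig = "";` merely restates the default and can go.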
@@ -0,0 +1,57 @@ +{ config, pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; + }; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; + }; + + nix.buildMachines = [ + { + hostName = "localhost"; + system = "x86_64-linux"; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; + maxJobs = 4; + } + ]; + + # services.hydra = { + # enable = false; + # hydraURL = "http://localhost:3000"; # externally visible URL + # notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service + # # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines + # buildMachinesFiles = []; + # # you will probably also want, otherwise *everything* will be built from scratch + # useSubstitutes = true; + # }; + + # services.gitlab-runner = { + # enable = false; + + # extraPackages = with pkgs; [ + # bash + # gitlab-runner + # nix + # gitFull + # git-crypt + # ]; + + # concurrent = 2; + # checkInterval = 0; + # services = { + # nixRunner = { + # executor = "shell"; + # runUntagged = true; + # registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; + # tagList = [ "nix" ]; + # }; + # }; + # }; +} diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix new file mode 100644 index 0000000..84bb74d --- /dev/null +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix 
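Review bot: `config` is bound in the module arguments on the first line but is only referenced inside the commented-out `services.hydra` block, so the signature can shrink to `{ pkgs, ... }:` until that block returns; the same unused-argument clean-up (`_: {`) was applied to several other hosts in this diff. The `nix.buildMachines` entry has `hostName = "localhost"` with no `sshUser` or `protocol`, so it presumably exists only to advertise `kvm`/`nixos-test`/`big-parallel`/`benchmark` for the local daemon rather than to describe a remote builder; a comment stating that intent above the list would keep someone from later "fixing" it into an SSH entry.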
@@ -0,0 +1,63 @@
+_: {
+ # TASK: new device
+ networking.hostName = "srv0"; # Define your hostname.
+ # networking.domain = "home-ch.stefanjunker.de";
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+ networking.dhcpcd = {
+ enable = true;
+ persistent = true;
+ };
+
+ networking.interfaces.eth0 = {
+ useDHCP = true;
+ # ipv6.addresses = [
+ # { address = "2a02:c207:3003:2387::1"; prefixLength = 64; }
+ # ];
+ };
+
+ # networking.defaultGateway6 = {
+ # address = "fe80::1";
+ # interface = "eth0";
+ # };
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "eth0";
+ };
+
+ # Kubernetes
+ # services.kubernetes.roles = ["master" "node"];
+
+ # virtualization
+ virtualisation = {
+ docker.enable = true;
+ };
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ networking.useHostResolvConf = false;
+ services.resolved = {
+ enable = true;
+ };
+
+ containers = { };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
new file mode 100644
index 0000000..1bc2086
--- /dev/null
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
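Review bot: `system.stateVersion = "20.03"` sits in a brand-new `system.nix` for srv0, and the commented `2a02:c207:3003:2387::1` address and `fe80::1` gateway look carried over from the vmd32387.contaboserver.net host whose configuration.nix was renamed into this directory; if srv0 is a fresh install the stateVersion should be the release it was installed with, and if the disk genuinely migrated, a comment such as `# stateVersion carried over from vmd32387 (first installed on 20.03)` makes that intentional instead of accidental. `networking.nat` is enabled for `ve-+` while `containers = { }` is empty, so the NAT block appears to be dead configuration and either a comment on the planned containers or its removal would help. `networking.firewall.allowedTCPPorts = [ 5201 ]` opens iperf3 on every interface; scoping it with `networking.firewall.interfaces.eth0.allowedTCPPorts`, the per-interface pattern steveej-t14/system.nix uses in this same diff, would keep it off any future uplink interface.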
@@ -0,0 +1,21 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.05"; + rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; + }; +in +{ + inherit nixpkgs; + "channels-nixos-stable" = nixpkgs; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = "5527a41eb304aa7c77efeefbda0e17ca105a4c8c"; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.05"; + rev = "b81e128fc053ab3159d7b464d9b7dedc9d6a6891"; + }; +} diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix new file mode 100644 index 0000000..5817e21 --- /dev/null +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -0,0 +1,27 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.05"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in +{ + inherit nixpkgs; + "channels-nixos-stable" = nixpkgs; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.05"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-22.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index 40aeaeb..d009275 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,5 +1,4 @@ { ... }: - { imports = [ ../../profiles/common/configuration.nix 
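Review bot: This new versions.nix pins srv0 to `nixos-22.05` and `home-manager` `release-22.05`, a release that no longer receives security updates, while the other hosts touched in this diff are on 23.11 or 24.05 flake inputs; the matching versions.tmpl.nix below hard-codes the same `nixos-22.05` branches, so a later re-render will keep producing stale pins. If the old release is deliberate (e.g. the host has not been upgraded yet), a comment at the top of both files stating that would save the next reader the question; if not, the branch names in the template and the revs here should be bumped together.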
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 30186d1..76ab1b9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,6 +1,4 @@ -{ ... }: - -{ +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index 8d673ba..efe0db2 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,9 +1,7 @@ { pkgs, lib, ... }: - -let -in { +{ services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = {}; + users.groups.sgx = { }; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index 05a9670..e37d392 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix 
@@ -1,20 +1,29 @@ -{ config -, pkgs -, ... }: - +{ pkgs, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { }) mkUser; - -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; + shell = pkgs.posh { + image = "quay.io/enarx/fedora"; + run_args = "-v /dev/sgx:/dev/sgx"; + }; extraGroups = [ "sgx" ]; - subUidRanges = [{ startUid = 100000; count = 65536; }]; - subGidRanges = [{ startGid = 100000; count = 65536; }]; + subUidRanges = [ + { + startUid = 100000; + count = 65536; + } + ]; + subGidRanges = [ + { + startGid = 100000; + count = 65536; + } + ]; }; } diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index 87284bc..9682eb6 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,5 +1,4 @@ { ... }: - { imports = [ ../../profiles/common/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 1c7f7a3..4af1def 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,6 +1,4 @@ -{ ... }: - -{ +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 4ac0ac9..7f69ec0 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix 
@@ -1,5 +1,3 @@ -{ ... }: - -{ +_: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index 860f09f..861a9ea 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,9 +1,9 @@ { ... }: - { - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; - }; + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; + }; imports = [ ../../profiles/common/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index 34dd81c..c42f909 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,9 +1,6 @@ -{ ... }: - -{ +_: { # TASK: new device - hardware.encryptedDisk = { - enable = true; - diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; - }; + hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; + hardware.opinionatedDisk.encrypted = true; + hardware.enableRedistributableFirmware = true; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index 4374ff2..d409681 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,5 +1,4 @@ -{ ... }: - -{ +_: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. + system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index 90388f6..3771f25 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
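Review bot: The rewritten steveej-rmvbl-sdep0/hw.nix sets `hardware.opinionatedDisk.diskId` and `hardware.opinionatedDisk.encrypted = true` but drops the `enable = true` that the old `hardware.encryptedDisk` block carried, whereas the other `opinionatedDisk` users in this diff (srv0 and steveej-t14 hw.nix) set `enable = true` explicitly; if the module's `enable` defaults to false, this host's disk layout silently stops being managed. Adding `hardware.opinionatedDisk.enable = true;` next to the two existing lines, or a comment stating that the module is enabled for this host elsewhere, would settle it. Whether sdep0's configuration.nix also swapped `encryptedDisk.nix` for `opinionatedDisk.nix` in its imports, as srv0's did, falls outside the visible part of that hunk and should be checked as well.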
@@ -1,11 +1,10 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "19db3e5ea2777daa874563b5986288151f502e27"; + ref = "nixos-22.11"; + rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; }; in - { inherit nixpkgs; nixos = nixpkgs // { @@ -15,16 +14,21 @@ in "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = "2247d824fe07f16325596acc7faa286502faffd1"; + rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + }; + "channels-nixos-unstable-small" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable-small"; + rev = ''9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = "8d4af2e08c3d161fa482fe8e14af721e79ae7a09"; + rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "63f299b3347aea183fc5088e4d6c4a193b334a41"; + ref = "release-22.11"; + rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix new file mode 100644 index 0000000..92abc4a --- /dev/null +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix 
@@ -0,0 +1,44 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in +{ + inherit nixpkgs; + nixos = nixpkgs // { + suffix = "/nixos"; + }; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "channels-nixos-unstable-small" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable-small"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.11"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix new file mode 100644 index 0000000..d3ff0b5 --- /dev/null +++ b/nix/os/devices/steveej-t14/boot.nix @@ -0,0 +1,12 @@ +{ lib, pkgs, ... }: +{ + boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; + boot.loader.efi.canTouchEfiVariables = lib.mkForce false; + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + # boot.tmpOnTmpfs = lib.mkForce false; + boot.tmp.tmpfsSize = "100%"; + + # TODO: make this work + # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ]; +} 
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix new file mode 100644 index 0000000..f5ccca0 --- /dev/null +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -0,0 +1,77 @@ +{ ... }: +{ + imports = [ + ../../snippets/home-manager-with-zsh.nix + ../../snippets/nix-settings-holo-chain.nix + # TODO: double-check whether this works at all after the most recent changes + # ../../snippets/radicale.nix + ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix + + ../../profiles/common/configuration.nix + ../../profiles/graphical/configuration.nix + ../../modules/opinionatedDisk.nix + ../../cachix.nix + + ./system.nix + ./hw.nix + ./pkg.nix + ./user.nix + ./boot.nix + + # samba seerver + (_: { + # networking.firewall.enable = lib.mkForce false; + services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + networking.firewall.allowedTCPPorts = [ + 5357 # wsdd + ]; + networking.firewall.allowedUDPPorts = [ + 3702 # wsdd + ]; + services.samba = { + enable = true; + + securityType = "user"; + + extraConfig = '' + workgroup = ARBEITSGRUPPE + server string = steveej-t14 + netbios name = steveej-t14 + security = user + + # use sendfile = yes + + # for executables on windows + acl allow execute always = True + + # legacy windows quirks + max protocol = NT1 + min protocol = NT1 + ntlm auth = yes + + # client max protocol = SMB1 + # client min protocol = NT1 + + # note: localhost is the ipv6 localhost ::1 + hosts allow = 192.168. 127.0.0.1 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + shares = { + voodoo = { + path = "/home/steveej/Desktop/voodoo"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + # "force user" = "steveej"; + # "force group" = "users"; + }; + }; + }; + }) + ]; +} 
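Review bot: The inline samba module pins `max protocol = NT1` / `min protocol = NT1` and sets `ntlm auth = yes`, which confines the server to SMB1 with NTLMv1-era authentication and no SMB3 encryption; `hosts allow = 192.168. 127.0.0.1 localhost` is the only thing keeping that off the wider network, and it still admits every host in 192.168.0.0/16. If a specific legacy client needs this, a comment naming it under the `# legacy windows quirks` header plus a `hosts allow` narrowed to the actual LAN prefix would bound the exposure; otherwise `min protocol = SMB2` and dropping `ntlm auth = yes` restores Samba's defaults. Separately, the firewall lines here open only 5357/3702 for wsdd and `services.samba.openFirewall` is not set, so either the share is unreachable from the LAN or 139/445 are opened elsewhere — a comment either way would help. The `# samba seerver` label above the block is also misspelled.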
diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix new file mode 100644 index 0000000..d7e6d28 --- /dev/null +++ b/nix/os/devices/steveej-t14/default.nix @@ -0,0 +1,27 @@ +{ + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + ... +}: +let + system = "x86_64-linux"; +in +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit repoFlake nodeName nodeFlake; + packages' = repoFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = nodeName; + deployment.replaceUnknownProfiles = false; + deployment.allowLocalDeployment = true; + + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + }; +} diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock new file mode 100644 index 0000000..5960780 --- /dev/null +++ b/nix/os/devices/steveej-t14/flake.lock 
@@ -0,0 +1,137 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705273357, + "narHash": "sha256-JAlkxgJbWh7+auiT0rJL3IUXXtkULRqygfxQA6mvLgc=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "924d91e1e4c802fd8e60279a022dbae5acb36f2d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2305": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2311": { + "locked": { + "lastModified": 1705183652, + "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "428544ae95eec077c7f823b422afae5f174dee4b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1705325703, + "narHash": "sha256-ckwq5uZTOg79p6j9Op4tuKUiEIf0gaLskMS5g43MfVI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7081bd488c8fd2a1ac54fda9676e22e6f8fb581f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1705133751, + "narHash": 
"sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1705249824, + "narHash": "sha256-ZLPa6YWHeX+/yzaxU7uMWq9eMMncffrzkgOXe6AODMU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "0c741cd9fbdc435b7ca88e17efc371b48e7c23b8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs-2311" + ], + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-2305": "nixpkgs-2305", + "nixpkgs-2311": "nixpkgs-2311", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs-unstable-small": "nixpkgs-unstable-small" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix new file mode 100644 index 0000000..504ce45 --- /dev/null +++ b/nix/os/devices/steveej-t14/flake.nix @@ -0,0 +1,16 @@ +{ + inputs.nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; + inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.nixpkgs.follows = "nixpkgs-2311"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix new file mode 100644 index 0000000..0fa593a --- /dev/null +++ b/nix/os/devices/steveej-t14/hw.nix 
@@ -0,0 +1,143 @@ +_: { + # TASK: new device + hardware.opinionatedDisk = { + enable = true; + encrypted = true; + diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; + earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; + }; + + # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; + + # see https://linrunner.de/tlp/ + services.tlp = { + enable = false; + settings = { + CPU_DRIVER_OPMODE_ON_AC = "active"; + CPU_DRIVER_OPMODE_ON_BAT = "passive"; + + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + + CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; + CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; + + CPU_BOOST_ON_AC = "0"; + CPU_BOOST_ON_BAT = "0"; + + RADEON_DPM_PERF_LEVEL_ON_AC = "low"; + RADEON_DPM_PERF_LEVEL_ON_BAT = "low"; + RADEON_POWER_PROFILE_ON_AC = "low"; + RADEON_POWER_PROFILE_ON_BAT = "low"; + RADEON_DPM_STATE_ON_AC = "battery"; + RADEON_DPM_STATE_ON_BAT = "battery"; + + # SOUND_POWER_SAVE_ON_AC="1"; + SOUND_POWER_SAVE_ON_BAT = "1"; + + PLATFORM_PROFILE_ON_AC = "performance"; + PLATFORM_PROFILE_ON_BAT = "low-power"; + + RUNTIME_PM_ON_AC = "on"; + RUNTIME_PM_ON_BAT = "auto"; + + PCIE_ASPM_ON_AC = "default"; + PCIE_ASPM_ON_BAT = "powersupersave"; + + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + + WOL_DISABLE = "Y"; + # WIFI_PWR_ON_AC="on"; + # WIFI_PWR_ON_BAT = "on"; + DEVICES_TO_DISABLE_ON_STARTUP = "wwan"; + # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; + # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; + # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; + + SATA_LINKPWR_ON_AC = "max_performance"; + SATA_LINKPWR_ON_BAT = "min_power"; + }; + }; + + # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable + services.thinkfan = { + enable = false; + levels = [ + # ["level auto" 0 60] + [ + 0 + 0 + 60 + ] + [ + 1 + 60 + 65 + ] + [ + 1 + 65 + 75 + ] + [ + 2 + 75 + 78 
+ ] + [ + 3 + 78 + 80 + ] + [ + 4 + 80 + 82 + ] + [ + 5 + 82 + 84 + ] + [ + 6 + 84 + 86 + ] + [ + 7 + 86 + 88 + ] + [ + "level full-speed" + 88 + 999 + ] + ]; + + extraArgs = [ + "-b-3" + "-s1" + ]; + }; + + hardware.enableRedistributableFirmware = true; + boot.initrd.kernelModules = [ + "aesni_intel" + "kvm_amd" + "nvme" + "nvme_core" + + "thunderbolt" + "e1000e" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "xhci_pci" + "uas" + ]; +} diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix new file mode 100644 index 0000000..4e53eaf --- /dev/null +++ b/nix/os/devices/steveej-t14/pkg.nix 
@@ -0,0 +1,103 @@ +{ pkgs, ... }: +{ + system.stateVersion = "23.05"; + home-manager.users.root = _: { home.stateVersion = "22.05"; }; + home-manager.users.steveej = _: { + home.stateVersion = "22.05"; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + + (_: { + programs.chromium.extensions = [ + # can define host-specific extensions here + ]; + }) + ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ ]; + }; + + # TODO: fix the following errors with regreet + # + # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. + # amdgpu: amdgpu_cs_ctx_create2 failed. (-13) + # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. + # ERROR: Couldn't create log file '/var/log/regreet/log': Permission denied (os error 13) + # 2023-05-22T10:31:42.52900769+02:00 WARN regreet::tomlutils: Missing TOML file: /var/cache/regreet/cache.toml + # 2023-05-22T10:31:42.52902325+02:00 WARN regreet::tomlutils: Missing TOML file: /etc/greetd/regreet.toml + # + # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration + # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. + services.greetd = + let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' 
\ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in + { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + }; + }; + }; + + environment.etc."greetd/environments".text = '' + sway + ''; + + # fonts = let + # prefs.font = rec { + # size = 13; + # default = sans; + + # sans = { family = "Noto Sans"; package = pkgs.noto-fonts; }; + # serif = { family = "Noto Serif"; package = pkgs.noto-fonts; }; + # # monospace = { family = "Iosevka Fixed"; package = pkgs.iosevka-bin; }; + # monospace = { family = "Iosevka Comfy Fixed"; package = pkgs.iosevka-comfy.comfy-fixed; }; + # # monospace = { family = "Go Mono"; package = pkgs.go-font; }; + # # monospace = { family = "Jetbrains Mono"; package = pkgs.jetbrains-mono; }; + # fallback = { family = "Font Awesome 5 Free"; package = pkgs.font-awesome; }; + # emoji = { family = "Noto Color Emoji"; package = pkgs.noto-fonts-emoji; }; + # + # allPackages = (map (p: p.package) + # [ + # default + # sans + # serif + # monospace + # fallback + # emoji + # ]) ++ + # (with pkgs; [ + # liberation_ttf # free corefonts-metric-compatible replacement + # ttf_bitstream_vera + # gelasio # metric-compatible with Georgia + # powerline-symbols + # ]); + # }; + # in { + # # fonts = prefs.font.allPackages; + + # # fontconfig = { + # # enable = true; + # # defaultFonts = { + # # serif = [ prefs.font.serif.family ]; + # # sansSerif = [ prefs.font.sans.family ]; + # # monospace = [ prefs.font.monospace.family ]; + # # emoji = [ prefs.font.emoji.family ]; + # # }; + # # }; + # }; +} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix new file mode 100644 index 0000000..db19a3b --- /dev/null +++ b/nix/os/devices/steveej-t14/system.nix 
@@ -0,0 +1,120 @@ +{ + pkgs, + lib, + config, + repoFlake, + ... +}: +let + localTcpPorts = [ + 22 + + # syncthing + 22000 + + # iperf3 + 5201 + ]; + + localUdpPorts = [ + # syncthing + 22000 + 21027 + ]; +in +{ + nix.settings = { + substituters = [ ]; + trusted-public-keys = [ ]; + }; + + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "x86_64-linux"; + maxJobs = 32; + speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; + } + + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "aarch64-linux"; + maxJobs = 32; + speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; + } + ]; + + networking.networkmanager.enable = true; + + networking.extraHosts = ''''; + + networking.bridges."virbr1".interfaces = [ ]; + networking.interfaces."virbr1".ipv4.addresses = [ + { + address = "10.254.254.254"; + prefixLength = 24; + } + ]; + + # needed to make wireguard managed by networkmanager route all traffic through it + networking.firewall.checkReversePath = false; + + networking.firewall.enable = true; + services.openssh.openFirewall = false; + + # TODO: upstream feature for inverse rule to work: `! 
--in-interface zt+` + networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts; + networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts; + networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts; + networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts; + + networking.firewall.logRefusedConnections = false; + networking.usePredictableInterfaceNames = false; + + services.fwupd.enable = true; + + services.fprintd.enable = true; + security.pam.services = { + login.fprintAuth = true; + sudo.fprintAuth = true; + }; + + # virtualization + virtualisation = { + libvirtd = { + enable = true; + }; + + virtualbox.host = { + enable = false; + addNetworkInterface = false; + }; + + podman = { + enable = true; + dockerCompat = true; + # defaultNetwork.dnsname.enable = true; + }; + }; + + services.samba.extraConfig = '' + # client min protocol = NT1 + ''; + + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + + services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + + hardware.ledger.enable = true; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix new file mode 100644 index 0000000..dacf1f4 --- /dev/null +++ b/nix/os/devices/steveej-t14/user.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: +let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ + users.users.steveej2 = mkUser { + uid = 1001; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }; + + nix.settings.trusted-users = [ "steveej" ]; + + security.pam.u2f.enable = true; + security.pam.services.steveej.u2fAuth = true; +} diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix deleted file mode 100644 index 43a91a7..0000000 
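Review bot: `nix.settings.substituters = [ ]` and `trusted-public-keys = [ ]` at the top of steveej-t14/system.nix do not clear anything: both are list options and the module system merges lists by concatenation, so entries contributed by `../../cachix.nix` and `../../snippets/nix-settings-holo-chain.nix` (imported by this host's configuration.nix) still apply. If the intent is a pinned allow-list, write it as `lib.mkForce [ ... ]` with the intended entries; if these are placeholders, a comment saying so keeps a reader from assuming substitution is disabled. The two `nix.buildMachines` entries hand builds to `sj-bm-hostkey0` as `nix-remote-builder` over `ssh-ng` without a `publicHostKey`, so host authenticity presumably rests on root's known_hosts; a comment recording where that host key is provisioned would complement the existing `# TODO: make this a reference`. The attribute set is complete within the hunk.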
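Review bot: steveej-t14/user.nix creates `users.users.steveej2`, but `nix.settings.trusted-users = [ "steveej" ]` and `security.pam.services.steveej.u2fAuth = true` both name `steveej`; `trusted-users` grants the named account root-equivalent control over the Nix daemon, so it should match an account that actually exists on this host, and `security.pam.services.<name>` keys PAM services (login, sudo, …) rather than users, so that line defines an unused `steveej` PAM service instead of enabling U2F for anyone. If `steveej2` is a deliberate second account, the trusted-users entry should name it (unless `steveej` is defined in a file outside this diff), and U2F should be attached to the services that authenticate it, e.g. `security.pam.services.login.u2fAuth = true;` next to the existing `login.fprintAuth`/`sudo.fprintAuth` in system.nix. A one-line comment explaining why this account is `steveej2` while its keys and password secret are `steveej`'s would also help.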
--- a/nix/os/devices/steveej-t480s-work/hw.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ ... }: - -let - stage1Modules = [ - "aesni_intel" - "kvm-intel" - "aes_x86_64" - "nvme" - "nvme_core" - - "pcieport" - "thunderbolt" - "e1000e" - "xhci_pci" - "hxci_hcd" - ]; - -in -{ - # TASK: new device - hardware.encryptedDisk = { - enable = true; - diskId = "ata-Crucial_CT750MX300SSD1_16161311C7A6"; - }; - - # boot.initrd.availableKernelModules = stage1Modules; - boot.initrd.kernelModules = stage1Modules; - boot.extraModprobeConfig = '' - options kvm-intel nested=1 - options kvm-intel enable_shadow_vmcs=1 - options kvm-intel enable_apicv=1 - options kvm-intel ept=1 - ''; -} diff --git a/nix/os/devices/steveej-t480s-work/pkg.nix b/nix/os/devices/steveej-t480s-work/pkg.nix deleted file mode 100644 index aa7035f..0000000 --- a/nix/os/devices/steveej-t480s-work/pkg.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs -, ... -}: - -{ - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; - }; - home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; }; - services.teamviewer.enable = true; - system.stateVersion = "19.09"; -} diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix deleted file mode 100644 index 8f17b3c..0000000 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ /dev/null 
@@ -1,140 +0,0 @@ -{ pkgs -, lib -, config -, ... }: - -let - keys = import ../../../variables/keys.nix; -in { - - # TASK: new device - networking.hostName = "steveej-t480s-work"; # Define your hostname. - - # Used for testing local Openshift clusters - environment.etc."NetworkManager/dnsmasq.d/openshift.conf".text = - let - openshiftClusterName = "openshift-steveej"; - openshiftDomain = "openshift.testing"; - openshiftSubnetBase = "192.168.126"; - in '' - server=/${openshiftDomain}/${openshiftSubnetBase}.1 - address=/.apps.${openshiftClusterName}.${openshiftDomain}/${openshiftSubnetBase}.51 - ''; - networking.firewall.enable = lib.mkForce false; - networking.firewall.checkReversePath = false; - - networking.bridges."virbr1".interfaces = []; - networking.interfaces."virbr1".ipv4.addresses = [ - { address = "10.254.254.254"; prefixLength = 24; } - ]; - - services.printing = { - enable = true; - drivers = with pkgs; [ - hplip - mfcl3770cdw.driver - mfcl3770cdw.cupswrapper - ]; - }; - - services.fprintd.enable = true; - security.pam.services = { - login.fprintAuth = true; - sudo.fprintAuth = true; - }; - - # Kubernetes - # services.kubernetes.roles = ["master" "node"]; - - # virtualization - virtualisation = { - libvirtd = { - enable = true; - }; - - virtualbox.host = { - enable = false ; - addNetworkInterface = false; - }; - - docker = { - enable = true; - extraOptions = "--experimental"; - }; - }; - - - boot.initrd.network = { - enable = true; - useDHCP = true; - udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; - - ssh = { - enable = true; - authorizedKeys = keys.users.steveej.openssh; - hostKeys = [ - "/etc/secrets/initrd/ssh_host_rsa_key" - "/etc/secrets/initrd/ssh_host_ed25519_key" - ]; - }; - }; - - security.pki.certificateFiles = [ - "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" - ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt - ]; - - services.xserver.videoDrivers = [ "modesetting" ]; - services.xserver.serverFlagsSection = 
'' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - # the default profile uses linuxPackages_latest - # boot.kernelPackages = lib.mkForce pkgs.linuxPackages; - - krb5 = { - enable = true; - config = let - pkinit_crt = pkgs.fetchurl { - url = "https://password.corp.redhat.com/ipa.crt"; - sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd"; - }; - in '' - [libdefaults] - default_realm = IPA.REDHAT.COM - dns_lookup_realm = true - dns_lookup_kdc = true - rdns = false - dns_canonicalize_hostname = true - ticket_lifetime = 24h - forwardable = true - udp_preference_limit = 0 - default_ccache_name = KEYRING:persistent:%{uid} - - [realms] - REDHAT.COM = { - default_domain = redhat.com - dns_lookup_kdc = true - master_kdc = kerberos.corp.redhat.com - admin_server = kerberos.corp.redhat.com - } - - #make sure to save the IPA CA cert - #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt - IPA.REDHAT.COM = { - pkinit_anchors = FILE:${pkinit_crt} - pkinit_pool = FILE:${pkinit_crt} - default_domain = ipa.redhat.com - dns_lookup_kdc = true - # Trust tickets issued by legacy realm on this host - auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*// - auth_to_local = DEFAULT - } - ''; - }; - - hardware.ledger.enable = true; -} diff --git a/nix/os/devices/steveej-t480s-work/user.nix b/nix/os/devices/steveej-t480s-work/user.nix deleted file mode 100644 index b5f1244..0000000 --- a/nix/os/devices/steveej-t480s-work/user.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ config -, pkgs -, ... }: - -let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { }) mkUser; - -in { - users.extraUsers.steveej2 = mkUser { - uid = 1001; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - }; - - users.extraUsers.steveej3 = mkUser { - uid = 1002; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - shell = pkgs.posh { image = "quay.io/enarx/fedora"; }; - }; -} diff --git a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix deleted file mode 100644 index 09f95fd..0000000 --- a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix +++ /dev/null @@ -1,30 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -in - -{ - inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -} diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 721d3c6..76a34c8 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix 
+++ b/nix/os/devices/steveej-utilitepro/configuration.nix 
@@ -1,227 +1,228 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, ... }: - let passwords = import ../common/passwords.crypt.nix; in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; - nix.maxJobs = 4; - nix.buildCores = 4; + nix.maxJobs = 4; + nix.buildCores = 4; - nix.extraOptions = '' + nix.extraOptions = '' gc-keep-outputs = true gc-keep-derivations = true - ''; + ''; - - - nixpkgs.config = { - - packageOverrides = super: let self = super.pkgs; in { + nixpkgs.config = { + packageOverrides = super: { linux_4_1 = super.linux_4_1.override { kernelPatches = super.linux_4_1.kernelPatches ++ [ - { patch = ./patches/utilitepro-kernel-dts.patch; name = "utilitepro-dts"; } - { patch = ./patches/utilitepro-kernel-dts-Makefile.patch; name = "utilitepro-dts-Makefile"; } + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - FUSE_FS y - OVERLAY_FS y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + FUSE_FS y + OVERLAY_FS y - BLK_DEV_DM y - DM_THIN_PROVISIONING y + BLK_DEV_DM y + DM_THIN_PROVISIONING y - NAMESPACES y - NET_NS y - PID_NS y - IPC_NS y - UTS_NS y - DEVPTS_MULTIPLE_INSTANCES y - CGROUPS y - CGROUP_CPUACCT y - CGROUP_DEVICE y - CGROUP_FREEZER y - CGROUP_SCHED y - CPUSETS y - MEMCG y - POSIX_MQUEUE y + NAMESPACES y + NET_NS y + PID_NS y + IPC_NS y + UTS_NS y + DEVPTS_MULTIPLE_INSTANCES y + CGROUPS y + CGROUP_CPUACCT y + CGROUP_DEVICE y + CGROUP_FREEZER y + CGROUP_SCHED y + CPUSETS y + MEMCG y + POSIX_MQUEUE y - MACVLAN m - VETH m - BRIDGE m + MACVLAN m + VETH m + BRIDGE m - NF_TABLES m - 
NETFILTER y - NETFILTER_ADVANCED y - NF_NAT_IPV4 m - IP_NF_FILTER m - IP_NF_TARGET_MASQUERADE m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_CONNTRACK m - NF_NAT m - NF_NAT_NEEDED m - BRIDGE_NETFILTER m - NETFILTER_INGRESS y - NETFILTER_NETLINK m - NETFILTER_NETLINK_ACCT m - NETFILTER_NETLINK_QUEUE m - NETFILTER_NETLINK_LOG m - NETFILTER_SYNPROXY m - NETFILTER_XTABLES m - NETFILTER_XT_MARK m - NETFILTER_XT_CONNMARK m - NETFILTER_XT_SET m - NETFILTER_XT_TARGET_AUDIT m - NETFILTER_XT_TARGET_CHECKSUM m - NETFILTER_XT_TARGET_CLASSIFY m - NETFILTER_XT_TARGET_CONNMARK m - NETFILTER_XT_TARGET_CONNSECMARK m - NETFILTER_XT_TARGET_CT m - NETFILTER_XT_TARGET_DSCP m - NETFILTER_XT_TARGET_HL m - NETFILTER_XT_TARGET_HMARK m - NETFILTER_XT_TARGET_IDLETIMER m - NETFILTER_XT_TARGET_LED m - NETFILTER_XT_TARGET_LOG m - NETFILTER_XT_TARGET_MARK m - NETFILTER_XT_NAT m - NETFILTER_XT_TARGET_NETMAP m - NETFILTER_XT_TARGET_NFLOG m - NETFILTER_XT_TARGET_NFQUEUE m - NETFILTER_XT_TARGET_NOTRACK m - NETFILTER_XT_TARGET_RATEEST m - NETFILTER_XT_TARGET_REDIRECT m - NETFILTER_XT_TARGET_TEE m - NETFILTER_XT_TARGET_TPROXY m - NETFILTER_XT_TARGET_TRACE m - NETFILTER_XT_TARGET_SECMARK m - NETFILTER_XT_TARGET_TCPMSS m - NETFILTER_XT_TARGET_TCPOPTSTRIP m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_BPF m - NETFILTER_XT_MATCH_CGROUP m - NETFILTER_XT_MATCH_CLUSTER m - NETFILTER_XT_MATCH_COMMENT m - NETFILTER_XT_MATCH_CONNBYTES m - NETFILTER_XT_MATCH_CONNLABEL m - NETFILTER_XT_MATCH_CONNLIMIT m - NETFILTER_XT_MATCH_CONNMARK m - NETFILTER_XT_MATCH_CONNTRACK m - NETFILTER_XT_MATCH_CPU m - NETFILTER_XT_MATCH_DCCP m - NETFILTER_XT_MATCH_DEVGROUP m - NETFILTER_XT_MATCH_DSCP m - NETFILTER_XT_MATCH_ECN m - NETFILTER_XT_MATCH_ESP m - NETFILTER_XT_MATCH_HASHLIMIT m - NETFILTER_XT_MATCH_HELPER m - NETFILTER_XT_MATCH_HL m - NETFILTER_XT_MATCH_IPCOMP m - NETFILTER_XT_MATCH_IPRANGE m - NETFILTER_XT_MATCH_IPVS m - NETFILTER_XT_MATCH_L2TP m - NETFILTER_XT_MATCH_LENGTH m - NETFILTER_XT_MATCH_LIMIT m - 
NETFILTER_XT_MATCH_MAC m - NETFILTER_XT_MATCH_MARK m - NETFILTER_XT_MATCH_MULTIPORT m - NETFILTER_XT_MATCH_NFACCT m - NETFILTER_XT_MATCH_OSF m - NETFILTER_XT_MATCH_OWNER m - NETFILTER_XT_MATCH_POLICY m - NETFILTER_XT_MATCH_PHYSDEV m - NETFILTER_XT_MATCH_PKTTYPE m - NETFILTER_XT_MATCH_QUOTA m - NETFILTER_XT_MATCH_RATEEST m - NETFILTER_XT_MATCH_REALM m - NETFILTER_XT_MATCH_RECENT m - NETFILTER_XT_MATCH_SCTP m - NETFILTER_XT_MATCH_SOCKET m - NETFILTER_XT_MATCH_STATE m - NETFILTER_XT_MATCH_STATISTIC m - NETFILTER_XT_MATCH_STRING m - NETFILTER_XT_MATCH_TCPMSS m - NETFILTER_XT_MATCH_TIME m - NETFILTER_XT_MATCH_U32 m + NF_TABLES m + NETFILTER y + NETFILTER_ADVANCED y + NF_NAT_IPV4 m + IP_NF_FILTER m + IP_NF_TARGET_MASQUERADE m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_CONNTRACK m + NF_NAT m + NF_NAT_NEEDED m + BRIDGE_NETFILTER m + NETFILTER_INGRESS y + NETFILTER_NETLINK m + NETFILTER_NETLINK_ACCT m + NETFILTER_NETLINK_QUEUE m + NETFILTER_NETLINK_LOG m + NETFILTER_SYNPROXY m + NETFILTER_XTABLES m + NETFILTER_XT_MARK m + NETFILTER_XT_CONNMARK m + NETFILTER_XT_SET m + NETFILTER_XT_TARGET_AUDIT m + NETFILTER_XT_TARGET_CHECKSUM m + NETFILTER_XT_TARGET_CLASSIFY m + NETFILTER_XT_TARGET_CONNMARK m + NETFILTER_XT_TARGET_CONNSECMARK m + NETFILTER_XT_TARGET_CT m + NETFILTER_XT_TARGET_DSCP m + NETFILTER_XT_TARGET_HL m + NETFILTER_XT_TARGET_HMARK m + NETFILTER_XT_TARGET_IDLETIMER m + NETFILTER_XT_TARGET_LED m + NETFILTER_XT_TARGET_LOG m + NETFILTER_XT_TARGET_MARK m + NETFILTER_XT_NAT m + NETFILTER_XT_TARGET_NETMAP m + NETFILTER_XT_TARGET_NFLOG m + NETFILTER_XT_TARGET_NFQUEUE m + NETFILTER_XT_TARGET_NOTRACK m + NETFILTER_XT_TARGET_RATEEST m + NETFILTER_XT_TARGET_REDIRECT m + NETFILTER_XT_TARGET_TEE m + NETFILTER_XT_TARGET_TPROXY m + NETFILTER_XT_TARGET_TRACE m + NETFILTER_XT_TARGET_SECMARK m + NETFILTER_XT_TARGET_TCPMSS m + NETFILTER_XT_TARGET_TCPOPTSTRIP m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_BPF m + NETFILTER_XT_MATCH_CGROUP m + NETFILTER_XT_MATCH_CLUSTER m 
+ NETFILTER_XT_MATCH_COMMENT m + NETFILTER_XT_MATCH_CONNBYTES m + NETFILTER_XT_MATCH_CONNLABEL m + NETFILTER_XT_MATCH_CONNLIMIT m + NETFILTER_XT_MATCH_CONNMARK m + NETFILTER_XT_MATCH_CONNTRACK m + NETFILTER_XT_MATCH_CPU m + NETFILTER_XT_MATCH_DCCP m + NETFILTER_XT_MATCH_DEVGROUP m + NETFILTER_XT_MATCH_DSCP m + NETFILTER_XT_MATCH_ECN m + NETFILTER_XT_MATCH_ESP m + NETFILTER_XT_MATCH_HASHLIMIT m + NETFILTER_XT_MATCH_HELPER m + NETFILTER_XT_MATCH_HL m + NETFILTER_XT_MATCH_IPCOMP m + NETFILTER_XT_MATCH_IPRANGE m + NETFILTER_XT_MATCH_IPVS m + NETFILTER_XT_MATCH_L2TP m + NETFILTER_XT_MATCH_LENGTH m + NETFILTER_XT_MATCH_LIMIT m + NETFILTER_XT_MATCH_MAC m + NETFILTER_XT_MATCH_MARK m + NETFILTER_XT_MATCH_MULTIPORT m + NETFILTER_XT_MATCH_NFACCT m + NETFILTER_XT_MATCH_OSF m + NETFILTER_XT_MATCH_OWNER m + NETFILTER_XT_MATCH_POLICY m + NETFILTER_XT_MATCH_PHYSDEV m + NETFILTER_XT_MATCH_PKTTYPE m + NETFILTER_XT_MATCH_QUOTA m + NETFILTER_XT_MATCH_RATEEST m + NETFILTER_XT_MATCH_REALM m + NETFILTER_XT_MATCH_RECENT m + NETFILTER_XT_MATCH_SCTP m + NETFILTER_XT_MATCH_SOCKET m + NETFILTER_XT_MATCH_STATE m + NETFILTER_XT_MATCH_STATISTIC m + NETFILTER_XT_MATCH_STRING m + NETFILTER_XT_MATCH_TCPMSS m + NETFILTER_XT_MATCH_TIME m + NETFILTER_XT_MATCH_U32 m - MEMCG_KMEM y - MEMCG_SWAP y - MEMCG_SWAP_ENABLED y - BLK_CGROUP y - IOSCHED_CFQ y - BLK_DEV_THROTTLING y - CGROUP_PERF y - CGROUP_HUGETLB y - NET_CLS_CGROUP y - CGROUP_NET_PRIO y - CFS_BANDWIDTH y - FAIR_GROUP_SCHED y - RT_GROUP_SCHED y - EXT3_FS y - EXT3_FS_XATTR y - EXT3_FS_POSIX_ACL y - EXT3_FS_SECURITY y + MEMCG_KMEM y + MEMCG_SWAP y + MEMCG_SWAP_ENABLED y + BLK_CGROUP y + IOSCHED_CFQ y + BLK_DEV_THROTTLING y + CGROUP_PERF y + CGROUP_HUGETLB y + NET_CLS_CGROUP y + CGROUP_NET_PRIO y + CFS_BANDWIDTH y + FAIR_GROUP_SCHED y + RT_GROUP_SCHED y + EXT3_FS y + EXT3_FS_XATTR y + EXT3_FS_POSIX_ACL y + EXT3_FS_SECURITY y - PPP_FILTER y - HAVE_IMX_ANATOP y - HAVE_IMX_GPC y - HAVE_IMX_MMDC y - HAVE_IMX_SRC y - SOC_IMX6 y - SOC_IMX6Q y - SOC_IMX6SL 
y - PCI_IMX6 y - ARM_IMX6Q_CPUFREQ y - IMX_WEIM y - AHCI_IMX y - SERIAL_IMX y - SERIAL_IMX_CONSOLE y - I2C_IMX y - SPI_IMX y - PINCTRL_IMX y - PINCTRL_IMX6Q y - PINCTRL_IMX6SL y - POWER_RESET_IMX y - IMX_THERMAL y - IMX2_WDT y - IMX_IPUV3_CORE y - DRM_IMX y - DRM_IMX_FB_HELPER y - DRM_IMX_PARALLEL_DISPLAY y - DRM_IMX_TVE y - DRM_IMX_LDB y - DRM_IMX_IPUV3 y - DRM_IMX_HDMI y - MMC_SDHCI_ESDHC_IMX y - IMX_SDMA y - PWM_IMX y - DEBUG_IMX6Q_UART y + PPP_FILTER y + HAVE_IMX_ANATOP y + HAVE_IMX_GPC y + HAVE_IMX_MMDC y + HAVE_IMX_SRC y + SOC_IMX6 y + SOC_IMX6Q y + SOC_IMX6SL y + PCI_IMX6 y + ARM_IMX6Q_CPUFREQ y + IMX_WEIM y + AHCI_IMX y + SERIAL_IMX y + SERIAL_IMX_CONSOLE y + I2C_IMX y + SPI_IMX y + PINCTRL_IMX y + PINCTRL_IMX6Q y + PINCTRL_IMX6SL y + POWER_RESET_IMX y + IMX_THERMAL y + IMX2_WDT y + IMX_IPUV3_CORE y + DRM_IMX y + DRM_IMX_FB_HELPER y + DRM_IMX_PARALLEL_DISPLAY y + DRM_IMX_TVE y + DRM_IMX_LDB y + DRM_IMX_IPUV3 y + DRM_IMX_HDMI y + MMC_SDHCI_ESDHC_IMX y + IMX_SDMA y + PWM_IMX y + DEBUG_IMX6Q_UART y ''; }; -# pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; - }; - allowUnfree = true; - }; + # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; + }; + allowUnfree = true; + }; - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; networking.hostName = "steveej-utilitepro"; # Define your hostname. -#networking.wireless.enable = true; # Enables wireless support viawpa_supplicant. + #networking.wireless.enable = true; # Enables wireless support viawpa_supplicant. - boot.kernelPackages = pkgs.linuxPackages_4_1; + boot.kernelPackages = pkgs.linuxPackages_4_1; boot.extraKernelParams = [ "cm_fx6_v4l_msize=128M" "vmalloc=256M" 
@@ -262,18 +263,27 @@ in users.mutableUsers = false; users.extraUsers.root = { + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.root; - openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" + ]; }; users.extraUsers.steveej = { uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = [ "wheel" "libvirtd" ]; + extraGroups = [ + "wheel" + "libvirtd" + ]; + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; - openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"]; - }; + openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" + ]; + }; networking.firewall.enable = false; - networking.useNetworkd = true; + networking.useNetworkd = true; } diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index e5eecc9..1d3e463 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,12 +1,9 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: - +{ ... }: { - imports = - [ - ]; + imports = [ ]; boot.initrd.availableKernelModules = [ ]; boot.kernelModules = [ ]; @@ -14,14 +11,14 @@ hardware.enableAllFirmware = true; - fileSystems."/" = - { device = "/dev/disk/by-uuid/09d1e4a2-d57b-4de8-a42b-671c4c188367"; - fsType = "btrfs"; - options = "subvol=nixos"; - }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/09d1e4a2-d57b-4de8-a42b-671c4c188367"; + fsType = "btrfs"; + options = "subvol=nixos"; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; + }; swapDevices = [ ]; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/.gitignore @@ -0,0 +1 @@ +result 
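Review bot: The same `ssh-rsa …` public key literal is now spelled out twice in this hunk, once for `root` and once for `steveej`, while the other device files in this commit take it from `keys.users.steveej.openssh` (`keys = import ../../../variables/keys.nix;` in steveej-t14/user.nix); `openssh.authorizedKeys.keys = keys.users.steveej.openssh;` in both places would keep the two entries from drifting and make key rotation a single edit. The two `# FIXME: this is deprecated` comments say what is wrong but not the replacement; naming it, e.g. `# FIXME: hashedPassword is deprecated; t14/user.nix uses hashedPasswordFile with a sops secret`, would help whoever picks this up.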
diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix new file mode 100644 index 0000000..39e93de --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
@@ -0,0 +1,176 @@
+{
+ repoFlake,
+ nodeFlake,
+ pkgs,
+ lib,
+ config,
+ nodeName,
+ system,
+ ...
+}:
+{
+ nixos-x13s = {
+ enable = true;
+ # TODO: use hardware address
+ bluetoothMac = "65:9e:7a:8b:86:28";
+ };
+
+ systemd.services.bluetooth-mac = {
+ enable = true;
+ path = [
+ pkgs.systemd
+ pkgs.util-linux
+ pkgs.bluez5-experimental
+ pkgs.expect
+ ];
+ script = ''
+ # TODO: this may not be required
+ while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do
+ echo Waiting for bluetooth firmware to complete
+ echo sleep 1
+ done
+
+ (
+ # best effort
+ set +e
+ rfkill block bluetooth
+ echo $?
+ btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
+ echo $?
+ rfkill unblock bluetooth
+ echo $?
+ )
+ '';
+ requiredBy = [ "bluetooth.service" ];
+ before = [ "bluetooth.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+
+ # we need a tty, otherwise btmgmt will hang
+ StandardInput = "tty";
+ TTYPath = "/dev/tty2";
+ TTYReset = "yes";
+ TTYVHangup = "yes";
+ };
+ };
+
+ imports = [
+ nodeFlake.inputs.nixos-x13s.nixosModules.default
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+ nodeFlake.inputs.disko.nixosModules.disko
+ ./disko.nix
+
+ ../../snippets/nix-settings.nix
+ ../../profiles/common/user.nix
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+ services.openssh.openFirewall = true;
+
+ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ };
+ }
+
+ ../../snippets/home-manager-with-zsh.nix
+ ../../snippets/sway-desktop.nix
+ ../../snippets/bluetooth.nix
+ ../../snippets/timezone.nix
+ ../../snippets/radicale.nix
+ ];
+
+ networking.hostName = nodeName;
+ networking.firewall.enable = true;
+ networking.networkmanager.enable = true;
+
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = [
+ pkgs.sshfs
+ pkgs.util-linux
+ pkgs.coreutils
+ pkgs.vim
+
+ pkgs.git
+ pkgs.git-crypt
+ ];
+
+ system.stateVersion = "23.11";
+ home-manager.users.root = _: { home.stateVersion = "23.11"; };
+ home-manager.users.steveej = _: {
+ home.stateVersion = "23.11";
+
+ imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ];
+
+ home.sessionVariables = { };
+
+ home.packages = with pkgs; [ ];
+
+ # TODO: currently unsupported
+ services.gammastep.enable = lib.mkForce false;
+ # programs.chromium.enable = lib.mkForce false;
+ };
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = lib.mkForce false;
+ loader.efi.efiSysMountPoint = "/boot";
+ blacklistedKernelModules = [ "wwan" ];
+
+ initrd.kernelModules = [
+ "uas"
+ "usb_storage"
+
+ "phy_qcom_qmp_pcie"
+ "phy_qcom_qmp_combo"
+ "phy_qcom_snps_femto_v2"
+ "phy_qcom_qmp_pcie"
+ "phy_qcom_qmp_usb"
+ "xhci-pci-renesas"
+
+ "msm"
+ ];
+
+ initrd.extraFiles = {
+ "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source =
+ nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware";
+ };
+ };
+
+ hardware.firmware = [
+ pkgs.linux-firmware
+ nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"
+ ];
+
+ hardware.enableAllFirmware = true;
+
+ # see https://linrunner.de/tlp/
+ services.tlp = {
+ enable = true;
+ settings = {
+ START_CHARGE_THRESH_BAT0 = "80";
+ STOP_CHARGE_THRESH_BAT0 = "85";
+ };
+ };
+
+ # android on linux
+ virtualisation.waydroid.enable = true;
+ virtualisation.podman.enable = true;
+ virtualisation.podman.dockerCompat = true;
+}
diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix
new file mode 100644
index 0000000..2ba48d2
--- /dev/null
+++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix
@@ -0,0 +1,36 @@
+{
+ system ? "aarch64-linux",
+ nodeName,
+ repoFlake,
+ repoFlakeWithSystem,
+ nodeFlake,
+ localDomainName ? "internal",
+ ...
+}:
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs');
+
+ inherit localDomainName;
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.${localDomainName}";
+ deployment.replaceUnknownProfiles = true;
+ deployment.allowLocalDeployment = true;
+
+ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+ imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ];
+ };
+}
diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix
new file mode 100644
index 0000000..2eb097a
--- /dev/null
+++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix
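Review bot: In `systemd.services.bluetooth-mac.script`, `echo sleep 1` prints the words instead of pausing, so the `while ! (journalctl -b0 | grep …)` loop re-reads the whole boot journal with no delay until the firmware line appears; the line should read `sleep 1`. In the same file, `services.openssh.settings.PermitRootLogin = "yes"` together with `services.openssh.openFirewall = true` admits password logins for root from the network; unless that is deliberate for the install phase, `"prohibit-password"` (the NixOS default) keeps root reachable by key only, and a comment on the line should say which of the two is intended. The `StandardInput = "tty"` / `TTYPath = "/dev/tty2"` workaround and the `set +e` best-effort block are both explained by their comments, which is the right level of documentation for code that will puzzle a later reader.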
@@ -0,0 +1,73 @@ +{ + disko.devices = { + disk = { + voyager-gtx = { + type = "disk"; + device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-usb-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock new file mode 100644 index 0000000..dcc457f --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
@@ -0,0 +1,194 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", + "owner": "nix-community", + "repo": "disko", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705659542, + "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "mobile-nixos": { + "flake": false, + "locked": { + "lastModified": 1705008488, + "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", + "owner": "NixOS", + "repo": "mobile-nixos", + "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "mobile-nixos", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts", + 
"nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706097550, + "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", + "ref": "refs/heads/main", + "rev": "732a0f1549996740bdb06989599a5f0653de5056", + "revCount": 6, + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1706022028, + "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "15ff1758e7816331033baa14eebbea68626128f3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": 
"home-manager", + "mobile-nixos": "mobile-nixos", + "nixos-x13s": "nixos-x13s", + "nixpkgs": "nixpkgs", + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-unstable-small": "nixpkgs-unstable-small" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix new file mode 100644 index 0000000..043907d --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -0,0 +1,87 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; + + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in + { + lib = { + mkNixosConfiguration = + { + nodeName, + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; + + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = extraModules; + } + ); + }; + + nixosConfigurations = + let + nodeName = "steveej-x13s-rmvbl"; + in + { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { users.commonUsers.installPassword = "install"; } + ]; + }; + + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/steveej-x13s/.gitignore @@ -0,0 +1 @@ +result 
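Review bot: The `native` output sets `users.commonUsers.installPassword = "install"` as a plain literal, so this bootstrap credential is committed to the repository and baked into the evaluated system closure. If that option seeds a real account password (its definition is in `../../profiles/common/user.nix`, outside this hunk), it should be changed on first login or replaced with a hashed / sops-managed value; at minimum a comment such as `# bootstrap-only password, must be changed after the first login` would make the intent explicit. Note also that the `cross` output omits this module, so the two configurations differ in more than build platform, which is easy to miss when switching between them.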
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix new file mode 100644 index 0000000..bc2cde1 --- /dev/null +++ b/nix/os/devices/steveej-x13s/configuration.nix 
@@ -0,0 +1,288 @@ +{ + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + system, + ... +}: +{ + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + kernel = "jhovold"; + }; + + services.illum.enable = true; + + # printint and autodiscovery of printers + services.printing.enable = true; + services.printing.drivers = [ pkgs.hplip ]; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + hardware.sane.enable = true; # enables support for SANE scanners + + systemd.services.bluetooth-x13s-mac = lib.mkForce { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? 
+ ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + + imports = [ + nodeFlake.inputs.nixos-x13s.nixosModules.default + + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../profiles/common/user.nix + + ../../snippets/nix-settings.nix + ../../snippets/nix-settings-holo-chain.nix + ../../snippets/mycelium.nix + + nodeFlake.inputs.extra-container.nixosModules.default + { + networking.nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + # externalInterface = "enu1u1u2"; + # Lazy IPv6 connectivity for the container + # enableIPv6 = true; + }; + } + + # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv + # make: *** [Makefile:53: v4l2loopback.ko] Error 2 + # ../../snippets/obs-studio.nix + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + + sops.secrets.builder-private-key = { }; + nix.distributedBuilds = true; + nix.buildMachines = [ + # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' + { + hostName = "buildbot-nix-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ "x86_64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 16; + } + + { + hostName = "aarch64-linux-builder-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + 
protocol = "ssh-ng"; + systems = [ "aarch64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 8; + } + + { + hostName = "x64-linux-dev-01.dev.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ + # "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 0; + } + ]; + } + + { + # yubikey / smartcard. only set to `true` for `ykman piv` commands. + services.pcscd.enable = false; + } + + # TODO: create syncthing os snippet + ( + let + tcp = [ 22000 ]; + udp = [ + 22000 + 21027 + ]; + in + { + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."en+".allowedTCPPorts = tcp; + networking.firewall.interfaces."en+".allowedUDPPorts = udp; + networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; + networking.firewall.interfaces."wl+".allowedUDPPorts = udp; + + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + } + ) + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix + + ../../snippets/holo-zerotier.nix + + # ../../snippets/k3s-w-nix-snapshotter.nix + ]; + + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.sshfs + pkgs.util-linux + pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt + ]; + + system.stateVersion = "23.11"; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + home.sessionVariables = { }; + + home.packages = with 
pkgs; [ ]; + + # TODO(upstream): currently unsupported on x13s + services.gammastep.enable = true; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.configurationLimit = 5; + + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ + "wwan" + # "qcom_soundwire" + # "snd_soc_qcom_sdw" + # "snd_soc_sc8280xp" + ]; + }; + + # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' + hardware.firmware = lib.mkBefore [ + (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + '') + ]; + + # see https://linrunner.de/tlp/ + # TODO: find an equivalent to tlp that supports this machine + services.tlp = { + enable = false; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + hardware.ledger.enable = true; + + virtualisation.containers.enable = true; + virtualisation.podman.enable = true; + + steveej.holo-zerotier = { + enable = true; + autostart = false; + }; + + services.udev.packages = [ pkgs.android-udev-rules ]; + programs.adb.enable = true; + + nix.settings.sandbox = lib.mkForce "relaxed"; + + systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = + "${pkgs.libcamera}/libexec/libcamera"; +} 
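Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with `services.openssh.openFirewall = true` exposes interactive root login on every interface of a roaming laptop, and nothing in this hunk disables password authentication. Unless a password-based root login is genuinely needed, prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;`, or add a comment stating why root-over-SSH is required on this machine. Separately, in the `bluetooth-x13s-mac` wait loop `echo sleep 1` only prints the words and never sleeps, so the `journalctl -b0 | grep` loop spins at full speed until the firmware message appears; it should read `sleep 1`. Finally, `nix.settings.sandbox = lib.mkForce "relaxed"` allows derivations that opt out via `__noChroot` to escape the build sandbox on this host, which deserves a comment naming the package that needs it.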
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix new file mode 100644 index 0000000..bb170b2 --- /dev/null +++ b/nix/os/devices/steveej-x13s/default.nix @@ -0,0 +1,36 @@ +{ + system ? "aarch64-linux", + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + localDomainName ? "internal", + ... +}: +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit + repoFlake + nodeName + nodeFlake + system + ; + packages' = repoFlake.packages.${system}; + nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + + inherit localDomainName; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = "${nodeName}.${localDomainName}"; + deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ ./configuration.nix ]; + }; +} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix new file mode 100644 index 0000000..40b2118 --- /dev/null +++ b/nix/os/devices/steveej-x13s/disko.nix 
@@ -0,0 +1,74 @@ +{ + disko.devices = { + disk = { + x13s-nvme = { + type = "disk"; + device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; + # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-nvme-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock new file mode 100644 index 0000000..cef30a8 --- /dev/null +++ b/nix/os/devices/steveej-x13s/flake.lock 
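Review bot: `allowDiscards = true` on the LUKS container passes TRIM through to the NVMe, which reveals which sectors of the encrypted volume are unused (and roughly the filesystem layout) to anyone with the raw device; that is a common trade-off for SSD wear levelling, but the file does not record that it was chosen deliberately. A one-line comment such as `# allowDiscards: TRIM leaks free-space layout through LUKS; accepted for SSD wear levelling` next to the setting would stop the next reader from "fixing" it in either direction. The `ESP` partition is necessarily unencrypted and holds the kernel and initrd that systemd-boot loads, so tampering with `/boot` is presumably outside this layout's threat model — worth a note beside the partition if that is the accepted position.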
@@ -0,0 +1,445 @@ +{ + "nodes": { + "ath11k-firmware": { + "flake": false, + "locked": { + "lastModified": 1746643896, + "narHash": "sha256-QXZHcbMNX0f2RQBrCCYRS3dLU1q/02J3HjnWuv8Oaaw=", + "ref": "refs/heads/main", + "rev": "1e7cd757828d414f71da82f480696540473bd475", + "revCount": 174, + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + }, + "original": { + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + } + }, + "crane": { + "locked": { + "lastModified": 1742317686, + "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748225455, + "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=", + "owner": "nix-community", + "repo": "disko", + "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "extra-container": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734542275, + "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "repo": "extra-container", + "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + 
"flake-compat_2": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "revCount": 69, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-snapshotter", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": 
"numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "get-flake": { + "inputs": { + "flake-compat": "flake-compat" + }, + "locked": { + "lastModified": 1745945175, + "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", + "owner": "ursi", + "repo": "get-flake", + "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748455938, + "narHash": "sha256-mQ/iNzPra2WtDQ+x2r5IadcWNr0m3uHvLMzJkXKAG/8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "02077149e2921014511dac2729ae6dadb4ec50e2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "linux-jhovold": { + "flake": false, + "locked": { + "lastModified": 1748260494, + "narHash": "sha256-0KTN63q+86g++BVQPOm7MHAVQvj+t3aJFsPwE+wDk2U=", + "owner": "jhovold", + "repo": "linux", + "rev": "ababc24306a694b74995cffc4e9c51aa84b9af8a", + "type": "github" + }, + "original": { + "owner": "jhovold", + "ref": "wip/sc8280xp-6.15", + "repo": "linux", + "type": "github" + } + }, + "mycelium": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747734538, + "narHash": "sha256-bFKEPbwffDSvoG6KBDH87ebbnFq1IyqAfLyg2zlwlIY=", + "owner": "threefoldtech", + "repo": "mycelium", + "rev": 
"71cb99dc65f47d4baced0288df1d299bf960505e", + "type": "github" + }, + "original": { + "owner": "threefoldtech", + "repo": "mycelium", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-snapshotter": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717948701, + "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "rev": "c10b066a4b1bb3451507c141636014e3335e579e", + "type": "github" + }, + "original": { + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts_2", + "linux-jhovold": "linux-jhovold", + "nixpkgs": [ + "nixpkgs" + ], + "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" + }, + "locked": { + "lastModified": 1748459535, + "narHash": "sha256-U7n47n4oIhKKiCVzGBOz0vdoihmjLBJFPvdp+gFapmU=", + "ref": "bump", + "rev": "903961b6ad426a1092d3b05501b8f17bcde3c0ab", + "revCount": 151, + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + }, + "original": { + "ref": "bump", + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + } + }, 
+ "nixpkgs-stable": { + "locked": { + "lastModified": 1748037224, + "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1748370509, + "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "ath11k-firmware": "ath11k-firmware", + "disko": "disko", + "extra-container": "extra-container", + "get-flake": "get-flake", + "home-manager": "home-manager", + "mycelium": "mycelium", + "nix-snapshotter": "nix-snapshotter", + "nixos-x13s": "nixos-x13s", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "x13s-bt-linux-firmware": { + "flake": false, + "locked": { + "lastModified": 1733240564, + "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", + "ref": 
"refs/heads/main", + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "revCount": 4282, + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + }, + "original": { + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix new file mode 100644 index 0000000..ee2645d --- /dev/null +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -0,0 +1,114 @@ +{ + inputs = { + nixpkgs.follows = "nixpkgs-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + home-manager = { + # url = "github:steveej-forks/home-manager/master"; + url = "github:nix-community/home-manager/master"; + # url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" + # 6.13-rc2 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" + # 6.11.0 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" + # 6.12.0-rc6 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" + #"/home/steveej/src/others/nixos-x13s" + # + ; + # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; + # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + + ath11k-firmware = { + url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; + flake = false; + }; + + mycelium.url = "github:threefoldtech/mycelium"; + mycelium.inputs.nixpkgs.follows = "nixpkgs"; + + nix-snapshotter = { + url = "github:yu-re-ka/nix-snapshotter"; + # url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + extra-container = { + url = "github:erikarvstedt/extra-container"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = + { + self, + get-flake, 
+ nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "steveej-x13s"; + + repoFlake = get-flake ../../../..; + + mkNixosConfiguration = + { + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; + + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = [ + ./configuration.nix + + # flake registry + { nix.registry.nixpkgs.flake = nixpkgs; } + ] ++ extraModules; + } + ); + in + { + lib = { + inherit mkNixosConfiguration; + }; + + overlays.default = _final: _previous: { + }; + + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + }; +} diff --git a/nix/os/devices/167.233.1.14/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix similarity index 84% rename from nix/os/devices/167.233.1.14/boot.nix rename to nix/os/devices/vmd102066.contaboserver.net/boot.nix index 18fcc13..ed21f9c 100644 --- a/nix/os/devices/167.233.1.14/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,7 +1,4 @@ -{ lib -, ... -}: - +{ lib, ... }: { boot.loader.grub.efiSupport = lib.mkForce false; boot.extraModulePackages = [ ]; diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix new file mode 100644 index 0000000..b29548c --- /dev/null +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -0,0 +1,13 @@ +{ ... }: +{ + disabledModules = [ ]; + imports = [ + ../../profiles/common/configuration.nix + ../../modules/opinionatedDisk.nix + + ./system.nix + ./hw.nix + ./pkg.nix + ./boot.nix + ]; +} 
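Review bot: `nixos-x13s.url` tracks the moving branch `?ref=bump` and `home-manager` tracks `master`, while the commented-out lines above show the earlier practice of pinning `&rev=...`; a plain `nix flake update` will therefore pull whatever kernel tree and modules those branches point at, with nothing in the flake to reject it. The accompanying `flake.lock` pins `rev` and `narHash`, so reproducibility holds until the next update, but for an input that supplies the running kernel a commit pin is the safer default: `nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=<commit>";`. If the branch is intended to float, a comment saying so next to the URL would document that choice instead of leaving it to the reader.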
diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix new file mode 100644 index 0000000..958331e --- /dev/null +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -0,0 +1,26 @@ +{ repoFlake, ... }: +let + nodeName = "vmd102066.contaboserver.net"; + system = "x86_64-linux"; + + nodeFlake = repoFlake.inputs.get-flake ./.; +in +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit nodeName nodeFlake; + packages' = repoFlake.packages.${system}; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = nodeName; + deployment.replaceUnknownProfiles = true; + + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; + }; +} diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.lock b/nix/os/devices/vmd102066.contaboserver.net/flake.lock new file mode 100644 index 0000000..2a1267e --- /dev/null +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.lock 
@@ -0,0 +1,99 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1681092193, + "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-22.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1681759395, + "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1681895322, + "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1681770396, + "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + 
"original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix new file mode 100644 index 0000000..0547466 --- /dev/null +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -0,0 +1,12 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-22.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} diff --git a/nix/os/devices/vmd32387.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix similarity index 76% rename from nix/os/devices/vmd32387.contaboserver.net/hw.nix rename to nix/os/devices/vmd102066.contaboserver.net/hw.nix index 7a04340..392bb1b 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,10 +1,8 @@ -{ ... }: - +_: let - stage1Modules = [ + stage1Modules = [ "aesni_intel" "kvm-intel" - "aes_x86_64" "virtio_balloon" "virtio_scsi" @@ -14,17 +12,16 @@ let "virtio" "scsi_mod" ]; - in { # TASK: new device - hardware.encryptedDisk = { + hardware.opinionatedDisk = { enable = true; + encrypted = true; diskId = "scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; }; boot.initrd.availableKernelModules = stage1Modules; boot.initrd.kernelModules = stage1Modules; - boot.extraModprobeConfig = '' - ''; + boot.extraModprobeConfig = ""; } diff --git a/nix/os/devices/vmd32387.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix similarity index 73% rename from nix/os/devices/vmd32387.contaboserver.net/pkg.nix rename to nix/os/devices/vmd102066.contaboserver.net/pkg.nix index f8ee564..2857a30 100644 
--- a/nix/os/devices/vmd32387.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,19 +1,19 @@ -{ config -, pkgs -, lib -, ... -}: - +{ config, pkgs, ... }: { - nixpkgs.config.packageOverrides = pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; }; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; nix.buildMachines = [ - { hostName = "localhost"; + { + hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; @@ -23,13 +23,13 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; services.gitlab-runner = { - enable = true; + enable = false; extraPackages = with pkgs; [ bash @@ -49,6 +49,5 @@ tagList = [ "nix" ]; }; }; - }; } diff --git a/nix/os/devices/vmd32387.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix similarity index 64% rename from nix/os/devices/vmd32387.contaboserver.net/system.nix rename to nix/os/devices/vmd102066.contaboserver.net/system.nix index 2944e09..cebed6a 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix 
@@ -1,16 +1,9 @@ -{ pkgs -, lib -, config -, ... }: - +{ pkgs, config, ... }: let keys = import ../../../variables/keys.nix; - -in { - # TASK: new device - networking.hostName = "vmd32387"; # Define your hostname. - networking.domain = "contaboserver.net"; - + passwords = import ../../../variables/passwords.crypt.nix; +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -27,7 +20,10 @@ in { networking.interfaces.eth0 = { useDHCP = true; ipv6.addresses = [ - { address = "2a02:c207:3003:2387::1"; prefixLength = 64; } + { + address = "2a02:c206:3010:2066::1"; + prefixLength = 64; + } ]; }; networking.defaultGateway6 = { @@ -61,21 +57,19 @@ in { ''; }; - systemd.services.sshd.serviceConfig = { - TasksMax = 32; - }; + # systemd.services.sshd.serviceConfig = {TasksMax = 32;}; - systemd.timers."sshd-status" = { - description = "Timer to trigger sshd-status periodically"; - enable = true; - wantedBy = [ "timer.target" "multi-user.target" ]; - timerConfig = { - OnActiveSec="5s"; - OnUnitActiveSec="5s"; - AccuracySec="1s"; - Unit = "sshd-status.service"; - }; - }; + # systemd.timers."sshd-status" = { + # description = "Timer to trigger sshd-status periodically"; + # enable = true; + # wantedBy = ["timer.target" "multi-user.target"]; + # timerConfig = { + # OnActiveSec = "5s"; + # OnUnitActiveSec = "5s"; + # AccuracySec = "1s"; + # Unit = "sshd-status.service"; + # }; + # }; nix.gc = { automatic = true; 
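Review bot: The sshd `TasksMax` override and the whole `sshd-status` timer are kept as commented-out code on the new side of the `@@ -61,21` hunk rather than deleted; git history already preserves them, and a dozen `#`-prefixed lines make system.nix harder to scan. If a reminder is wanted, one line such as `# sshd-status timer and TasksMax override dropped; see git history` carries the same information. The enclosing attrset continues beyond this hunk.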
@@ -103,35 +97,26 @@ in { done ''; - networking.useHostResolvConf = true; - containers = { - mailserver = import ../../containers/mailserver.nix { - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - - imapsPort = 993; - sievePort = 4190; - }; - - webserver = import ../../containers/webserver.nix { - hostAddress = "192.168.100.12"; - localAddress = "192.168.100.13"; - - httpsPort = 443; - }; - - syncthing = import ../../containers/syncthing.nix { - hostAddress = "192.168.100.14"; - localAddress = "192.168.100.15"; - - syncthingPort = 22000; - }; - backup = import ../../containers/backup.nix { + autoStart = false; + inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; + subvolumes = [ + "mailserver" + "webserver" + "backup" + "syncthing" + ]; + }; + + bkpTarget = import ../../containers/backup-target.nix { + autoStart = false; + hostAddress = "192.168.100.18"; + localAddress = "192.168.100.19"; + containerBackupCfg = passwords.storage.backupTarget; }; }; @@ -141,5 +126,5 @@ in { # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.03"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? } diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix deleted file mode 100644 index 519781a..0000000 --- a/nix/os/devices/vmd32387.contaboserver.net/versions.nix +++ /dev/null 
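Review bot: The backup container still lists `"mailserver"`, `"webserver"` and `"syncthing"` in `subvolumes` while this hunk removes those three containers from the host, so the backup job may now reference subvolumes that no longer exist here; worth confirming against containers/backup.nix, which is outside this diff. Separately, `containerBackupCfg = passwords.storage.backupTarget;` feeds a value from passwords.crypt.nix into the container's NixOS configuration, and anything that configuration renders into a unit or file ends up in the world-readable Nix store; if that attribute carries credentials, handing them over as a sops-managed path (the commit adds sops elsewhere) rather than a value avoids that. A short comment on the `bkpTarget` attribute stating which of the two it is would help the next reader.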
@@ -1,37 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67"; - }; -in - -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-20.03" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.03"; - rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc"; - }; - "channels-nixos-19.09" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-19.09"; - rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1"; - }; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "9b3e35d991ea6a43f256069dcb2e006006730d05"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "7339784e07217ed0232e08d1ea33b610c94657d8"; - }; -} diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix deleted file mode 100644 index a19cc09..0000000 --- a/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -in - -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-20.03" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.03"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "channels-nixos-19.09" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-19.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; - }; -} diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 566ccb9..206c367 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
@@ -1,31 +1,52 @@ -{ keys ? import ../../variables/keys.nix -, passwords ? import ../../variables/passwords.crypt.nix -}: - +{ lib, config }: +let + keys = import ../../variables/keys.nix; + deepMergeAttrsets = + listOfAttrsets: lib.foldl' (acc: cur: lib.recursiveUpdate acc cur) { } listOfAttrsets; +in { - mkRoot = { } @ args: { - hashedPassword = passwords.users.root; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - } // args; + inherit deepMergeAttrsets; - mkUser = {uid, hashedPassword ? passwords.users.steveej, ... } @ args: { - inherit uid hashedPassword; - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - } // args; + mkUser = + args@{ username, ... }: + { + users.users.${username} = deepMergeAttrsets [ + { + isNormalUser = true; + extraGroups = [ + "docker" + "podman" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + "fuse" + "adbusers" + "scanner" + "lp" + "kvm" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + + (builtins.removeAttrs args [ "username" ]) + ]; + + home-manager.users.${username}.home.username = username; + }; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars 
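Review bot: In mkUser the default `extraGroups` list contains `"cdrom"` and `"adbusers"` twice, and every account created through the helper inherits `keys.users.steveej.openssh` as authorized keys regardless of `username`, so a second user created this way would be reachable with steveej's SSH keys. The defaults also place each user in `docker`, `libvirtd`, `kvm` and `wheel`, which together amount to root-equivalent access; that may be intended on a single-owner machine but deserves a comment on the helper, e.g. `# NOTE: default groups are root-equivalent and keys default to steveej's; pass extraGroups/openssh explicitly for restricted users`. Because `deepMergeAttrsets` is built on lib.recursiveUpdate, an `extraGroups` passed in args replaces the default list rather than extending it, which the same comment should state. The `disk` attrset at the end of the hunk continues into the next one.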
@@ -44,9 +65,10 @@ # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-"+diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-"+diskId)); - luksName = diskId: (volumeGroup diskId)+"pv"; + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); + lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix new file mode 100644 index 0000000..622ae62 --- /dev/null +++ b/nix/os/modules/ddclient-hetzner.nix @@ -0,0 +1,9 @@ +{ lib, ... }: +{ + options.services.ddclient-hetzner = with lib; { + enable = mkEnableOption "Enable ddclient-hetzner"; + zone = mkOption { type = types.str; }; + domains = mkOption { type = types.listOf types.str; }; + passwordFile = mkOption { type = types.path; }; + }; +} diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index f7f9893..150d688 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
@@ -1,30 +1,7 @@ -{ lib -, config -, ... }: - -let - cfg = config.services.ddclientovh; - - passwords = import ../../variables/passwords.crypt.nix; - -in { - +{ lib, ... }: +{ options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption { - type = types.str; - }; - }; - - config = lib.mkIf cfg.enable { - services.ddclient = { - enable = true; - protocol = "dyndns2"; - server = "www.ovh.com"; - ssl = true; - domains = [ cfg.domain ]; - use = "web, web=ifconfig.co"; - inherit (passwords.dyndns.${cfg.domain}) username password; - }; + domain = mkOption { type = types.str; }; }; } diff --git a/nix/os/modules/encryptedDisk.nix b/nix/os/modules/encryptedDisk.nix deleted file mode 100644 index b70c7be..0000000 --- a/nix/os/modules/encryptedDisk.nix +++ /dev/null 
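Review bot: The hunk removes the entire `config = lib.mkIf cfg.enable { services.ddclient = … }` block and keeps only the option declarations, so setting `services.ddclientovh.enable = true` now has no effect and `domain` is never read. If the wiring moved elsewhere, a pointer on the options attrset such as `# options only; the ddclient wiring lives in <placeholder: new module path>` would prevent surprise; if it did not, the module is dead and the commented-out import in containers/configuration.nix suggests it could simply be deleted. The new ddclient-hetzner.nix in the preceding hunk has the same options-only shape and the same question applies to it.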
@@ -1,58 +0,0 @@ -{ lib -, config -, ... }: -with lib; - -let - cfg = config.hardware.encryptedDisk; - ownLib = import ../lib/default.nix { }; -in { - options.hardware.encryptedDisk = { - enable = mkEnableOption "Enable encrypted filesystem layout"; - diskId = mkOption { - type = types.str; - }; - }; - - config = lib.mkIf cfg.enable { - fileSystems."/boot" = { - device = (ownLib.disk.bootFsDevice cfg.diskId); - fsType = "vfat"; - }; - - fileSystems."/" = { - device = (ownLib.disk.rootFsDevice cfg.diskId); - fsType = "btrfs"; - options = [ "subvol=nixos" ]; - }; - - fileSystems."/home" = { - device = (ownLib.disk.rootFsDevice cfg.diskId); - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; - - swapDevices = [ { device = (ownLib.disk.swapFsDevice cfg.diskId); } ]; - - boot.loader.grub = { - device = (ownLib.disk.bootGrubDevice cfg.diskId); - enableCryptodisk = true; - }; - - boot.initrd.luks.devices = builtins.listToAttrs [ - { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring)-1; - in - builtins.elemAt splitstring lastelem; - value = { - device = (ownLib.disk.bootLuksDevice cfg.diskId); - preLVM = true; - allowDiscards = true; - }; - } - ]; - }; -} diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index 4c9da89..4ca89cf 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix 
@@ -1,37 +1,34 @@ -{ config, lib, pkgs, ... }: - +{ + config, + lib, + pkgs, + ... +}: with lib; - let - cfg = config.boot.initrd.network; - udhcpcScript = pkgs.writeScript "udhcp-script" - '' - #! /bin/sh - if [ "$1" = bound ]; then - ip address add "$ip/$mask" dev "$interface" - if [ -n "$router" ]; then - ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) - ip route add default via "$router" dev "$interface" - fi - if [ -n "$dns" ]; then - rm -f /etc/resolv.conf - for i in $dns; do - echo "nameserver $dns" >> /etc/resolv.conf - done - fi + udhcpcScript = pkgs.writeScript "udhcp-script" '' + #! /bin/sh + if [ "$1" = bound ]; then + ip address add "$ip/$mask" dev "$interface" + if [ -n "$router" ]; then + ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) + ip route add default via "$router" dev "$interface" fi - ''; + if [ -n "$dns" ]; then + rm -f /etc/resolv.conf + for i in $dns; do + echo "nameserver $dns" >> /etc/resolv.conf + done + fi + fi + ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; - in - { - options = { - boot.initrd.network.enable = mkOption { type = types.bool; default = false; @@ -51,7 +48,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -76,11 +73,9 @@ in Whether to enable DHCP for the network interfaces. ''; }; - }; config = mkIf cfg.enable { - warnings = [ "Enabled SSH for stage1" ]; boot.initrd.kernelModules = [ "af_packet" ]; @@ -100,7 +95,6 @@ in esac done '' - # Otherwise, use DHCP. + optionalString cfg.useDHCP '' if [ -z "$hasNetwork" ]; then @@ -116,14 +110,12 @@ in udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 fi '' - + '' if [ -n "$hasNetwork" ]; then echo "networking is up!" ${cfg.postCommands} fi - ''); - + '' + ); }; - } 
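Review bot: In the re-indented udhcpc script the loop `for i in $dns; do echo "nameserver $dns" >> /etc/resolv.conf; done` writes the whole `$dns` list once per entry instead of one nameserver per line; the body should read `echo "nameserver $i" >> /etc/resolv.conf`. The line sits on the new side because the hunk re-indents it, so fixing it here is in scope. The `@@ -76,11` hunk in the same file also drops `warnings = [ "Enabled SSH for stage1" ];`; since this module brings networking up in stage 1, keeping that warning, or at least a comment noting the exposure, is cheap.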
diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index a834cca..d853c28 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,8 +1,5 @@ -{ lib -, config -, ... }: -with lib; - +{ lib, ... }: +with lib; { # TODO # Provide a NAT/DHCP Router diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix new file mode 100644 index 0000000..db2bbbf --- /dev/null +++ b/nix/os/modules/opinionatedDisk.nix 
@@ -0,0 +1,73 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; +let + cfg = config.hardware.opinionatedDisk; + ownLib = pkgs.callPackage ../lib/default.nix { }; + + earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; +in +{ + options.hardware.opinionatedDisk = { + enable = mkEnableOption "Enable opinionated filesystem layout"; + diskId = mkOption { type = types.str; }; + encrypted = mkOption { + default = true; + type = types.bool; + }; + + earlyDiskIdOverride = mkOption { + default = ""; + type = types.str; + }; + }; + + config = lib.mkIf cfg.enable { + fileSystems."/boot" = { + device = ownLib.disk.bootFsDevice cfg.diskId; + fsType = "vfat"; + }; + + fileSystems."/" = { + device = ownLib.disk.rootFsDevice cfg.diskId; + fsType = "btrfs"; + options = [ "subvol=nixos" ]; + }; + + fileSystems."/home" = { + device = ownLib.disk.rootFsDevice cfg.diskId; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; + + boot.loader.grub = { + device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); + enableCryptodisk = cfg.encrypted; + }; + + boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( + builtins.listToAttrs [ + { + name = + let + splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in + builtins.elemAt splitstring lastelem; + value = { + device = ownLib.disk.bootLuksDevice cfg.diskId; + + preLVM = true; + allowDiscards = true; + }; + } + ] + ); + }; +} diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix deleted file mode 100644 index 3d2d00c..0000000 --- a/nix/os/profiles/common/boot.nix +++ /dev/null 
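Review bot: `ownLib = pkgs.callPackage ../lib/default.nix { };` — the library now takes `{ lib, config }` (see the nix/os/lib/default.nix hunk), and callPackage will satisfy `config` from `pkgs.config`, i.e. the nixpkgs configuration, not the NixOS `config` this module receives. That is harmless today because the library only references `config` in a commented-out block, but it may be the reason behind that block's `# TODO: investigate why this secret cannot be found`; passing `{ inherit lib config; }` as user.nix does is the consistent form. Also, when `encrypted = false` the module still derives `fileSystems."/"` and swap via `rootFsDevice`/`swapFsDevice` (defined outside this diff) and never uses the new `lvmPv` helper the lib hunk adds, so it is worth confirming the unencrypted layout actually resolves to a device.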
@@ -1,24 +0,0 @@ -{ pkgs -, ... -}: - -{ - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - efiSupport = true; - efiInstallAsRemovable = false; - enable = true; - version = 2; - }; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmpOnTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; -} - diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 361f538..61b4cb8 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -1,13 +1,40 @@ -{ ... }: - { - nixpkgs.overlays = builtins.attrValues (import ../../../overlays); + config, + pkgs, + repoFlake, + ... +}: +{ + imports = [ + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../snippets/home-manager-with-zsh.nix - imports = [ - ./boot.nix - ./pkg.nix - ./user.nix ./system.nix ./hw.nix + ./user.nix ]; + + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + }; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 885663e..4d6eb74 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix @@ -1,6 +1,4 @@ -{ ... }: - -{ +_: { hardware.trackpoint.emulateWheel = true; boot.initrd.availableKernelModules = [ diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix deleted file mode 100644 index df14e0f..0000000 --- a/nix/os/profiles/common/pkg.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -{ config -, pkgs -, ... }: - -{ - imports = [ - "${}/nixos" - ]; - home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - - packageOverrides = pkgs: with pkgs; { - }; - }; - - environment.systemPackages = with pkgs; [ - elfutils - exfat - file - tree - pwgen - proot - - parted - pv - tmux - wget - curl - - gitFull - pastebinit - gist - mr - - usbutils - pciutils - ]; -} diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 6256dff..edf8717 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -1,27 +1,7 @@ -{ config -, pkgs -, lib -, ... -}: - +{ pkgs, nodeName, ... }: { - nix.binaryCachePublicKeys = [ - # "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" - ]; - nix.binaryCaches = [ - "https://cache.nixos.org" - # "https://hydra.nixos.org" - ]; - nix.trustedBinaryCaches = [ - "https://cache.nixos.org" - # "https://hydra.nixos.org" - ]; - - nix.daemonNiceLevel = lib.mkDefault 19; - nix.daemonIONiceLevel = lib.mkDefault 7; - nix.maxJobs = lib.mkDefault "auto"; - nix.buildCores = lib.mkDefault 0; - nix.useSandbox = true; + networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. + networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; environment.etc."lvm/lvm.conf".text = '' devices { @@ -29,21 +9,15 @@ } ''; - environment.variables = { - NIX_PATH = lib.mkForce pkgs.nixPath; - }; - # Fonts, I18N, Date ... - fonts.fonts = [ - pkgs.corefonts - ]; + fonts.packages = [ pkgs.corefonts ]; console.font = "lat9w-16"; i18n = { defaultLocale = "en_US.UTF-8"; }; - time.timeZone = "Europe/Berlin"; + time.timeZone = "Etc/UTC"; services.gpm.enable = true; services.packagekit.enable = true; 
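Review bot: `networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2;` uses `\.` inside a Nix string, which Nix reads as a plain `.` (only `\\` yields a backslash), so the regex becomes `(^[^.]+.)` and the trailing `.` matches any character. It works because `[^.]+` consumes everything up to the first dot, but the `networking.hostName` line directly above uses `"\\."` for the same purpose; writing `"(^[^\\.]+\\.)"` makes both lines consistent and the intent explicit. A `nodeName` without a dot makes `split` return a one-element list and `elemAt … 2` fails at evaluation, so a comment that nodeName must be a fully qualified name would help.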
@@ -66,14 +40,12 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; + # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 - ln -sfT ${pkgs.stdenv.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 + ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; + programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 673bc49..d5f64fe 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix 
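Review bot: `programs.fuse.userAllowOther = true;` is added without a comment; it enables `user_allow_other` in fuse.conf, so unprivileged FUSE mounts can be exposed to other users, which widens who can read a user's mounted filesystem. A one-line why-comment such as `# needed for <placeholder: consumer>; lets non-root FUSE mounts be visible to other users` makes the trade-off visible. The `/lib64` activation script above it changes only the glibc attribute path and the existing `# TODO: adapt this to be arch agnostic` note already covers it.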
@@ -1,18 +1,89 @@ -{ config -, pkgs -, ... }: - +{ + config, + lib, + ... +}: let - passwords = import ../../../variables/passwords.crypt.nix; - inherit (import ../../lib/default.nix { }) mkUser mkRoot; -in { - users.mutableUsers = false; + keys = import ../../../variables/keys.nix; + inherit + (import ../../lib/default.nix { + inherit lib config; + }) + mkUser + ; - users.extraUsers.root = mkRoot { }; - users.extraUsers.steveej = mkUser { - uid = 1000; + inherit (lib) types; + + cfg = config.users.commonUsers; +in +{ + options.users.commonUsers = { + enable = lib.mkOption { + default = true; + type = types.bool; + }; + + enableNonRoot = lib.mkOption { + default = true; + type = types.bool; + }; + + rootPasswordFile = lib.mkOption { + default = config.sops.secrets.sharedUsers-root.path; + type = types.path; + }; + + # TODO: test if this works + installPassword = lib.mkOption { + default = null; + type = types.nullOr types.str; + }; }; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + (lib.mkIf (cfg.installPassword == null) { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - security.pam.u2f.enable = true; - security.pam.services.steveej.u2fAuth = true; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) + + { + users.mutableUsers = cfg.installPassword != null; + + users.users.root = lib.mkMerge [ + { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } + + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + + (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) + ]; + + } + + (lib.mkIf cfg.enableNonRoot (mkUser { + username = 
"steveej"; + + uid = 1000; + + password = cfg.installPassword; + hashedPasswordFile = lib.mkIf ( + cfg.installPassword == null + ) config.sops.secrets.sharedUsers-steveej.path; + })) + ] + ); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 89a5fe4..40fd3f4 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,9 +1,28 @@ -{ ... }: - { - nixpkgs.overlays = builtins.attrValues (import ../../../overlays); + hostAddress, + pkgs, + lib, + ... +}: +{ + networking.useHostResolvConf = false; + + networking.firewall.enable = true; + networking.nftables.enable = true; + networking.nftables.flushRuleset = true; + + networking.nameservers = lib.mkForce [ hostAddress ]; + + environment.systemPackages = [ pkgs.dnsutils ]; imports = [ - ../../modules/ddclient-ovh.nix + { + # keep DNS set up to a minimum: only query the container host + services.resolved.enable = lib.mkForce false; + networking.nameservers = [ hostAddress ]; + } + ../../snippets/nix-settings.nix + # ../../modules/ddclient-ovh.nix + # ../../modules/ddclient-hetzner.nix ]; } diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix new file mode 100644 index 0000000..bc88473 --- /dev/null +++ b/nix/os/profiles/graphical-gnome-xorg.nix 
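Review bot: The root account's two `lib.mkIf` branches test `cfg.installPassword != ""` and `== ""`, while the steveej user and the sops block test against `null`, which is the option's default; with `installPassword = null` root therefore gets `password = null` and never `hashedPasswordFile = cfg.rootPasswordFile`, so the `sharedUsers-root` secret declared above is unused and root ends up with no password configured (key-only login), which may or may not be intended. Mirroring the steveej branch, `(lib.mkIf (cfg.installPassword != null) { password = cfg.installPassword; })` and `(lib.mkIf (cfg.installPassword == null) { hashedPasswordFile = cfg.rootPasswordFile; })`, matches the `# TODO: test if this works` intent. Note also that `users.users.<name>.password` is written to the Nix store in plaintext, so `installPassword` should only ever hold a throwaway install-time value; saying so in the option's comment is worthwhile.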
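Review bot: `networking.nameservers` is set twice in the new container profile — once as `lib.mkForce [ hostAddress ]` at the top level and again without mkForce in the inline module under `imports`; the forced definition wins, so the inline one is redundant and the `# keep DNS set up to a minimum` comment fits better next to the mkForce line. `networking.nftables.flushRuleset = true;` also deserves a short why-comment, since it discards whatever ruleset exists before applying the new one.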
@@ -0,0 +1,104 @@ +{ pkgs, lib, ... }: +{ + services.libinput.enable = true; + services.libinput.touchpad.naturalScrolling = true; + services.xserver = { + enable = true; + + videoDrivers = [ + "qxl" + "modesetting" + "ati" + "cirrus" + "intel" + "vesa" + "vmware" + "modesetting" + ]; + xkb.layout = "us"; + xkb.variant = "altgr-intl"; + xkb.options = "nodeadkeys"; + + desktopManager = { + # FIXME: gnome should be moved to user session + gnome.enable = true; + + xterm.enable = true; + plasma5.enable = false; + }; + + displayManager = { + gdm.enable = true; + gdm.wayland = true; + }; + }; + + # gnome, most of it is disabled and ideally it could live entirely in the user's home config + programs.gpaste.enable = false; + programs.gnome-terminal.enable = false; + # programs.gnome-documents.enable = false; + programs.gnome-disks.enable = false; + + # TODO: fully delegate graphical session to home-manager config + services.gnome = { + games.enable = false; + gnome-remote-desktop.enable = false; + gnome-user-share.enable = false; + rygel.enable = false; + sushi.enable = false; + tinysparql.enable = false; + localsearch.enable = false; + + gnome-browser-connector.enable = false; + gnome-initial-setup.enable = false; + + # FIXME: gnome should be moved to home config + gnome-settings-daemon.enable = true; + core-os-services.enable = true; + at-spi2-core.enable = true; + evolution-data-server.enable = true; + gnome-online-accounts.enable = true; + gnome-keyring.enable = lib.mkForce false; + }; + + # FIXME: gnome should be moved to user session + services.gvfs.enable = true; + programs.seahorse.enable = true; + programs.dconf.enable = true; + + environment.gnome.excludePackages = with pkgs; + [ + orca + gnome-photos + gnome-tour + + snapshot # webcam tool + gnome-music + gnome-terminal + gedit # text editor + epiphany # web browser + geary # email reader + evince # document viewer + gnome-characters + totem # video player + ]; + + services.pipewire = { + audio.enable = true; + 
enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + wireplumber.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + services.dbus.packages = with pkgs; [ dconf ]; + + # More Services + environment.systemPackages = [ + pkgs.adwaita-icon-theme + pkgs.gnomeExtensions.appindicator + ]; +} diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index e4d35b0..4bf6ca4 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,7 +1,4 @@ - -{ lib -, ... -}: - +{ config, ... }: { + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; } diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index 1ab66e9..477a93d 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,7 +1,4 @@ -{ pkgs -, ... -}: - +{ ... }: { imports = [ ./boot.nix diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 7cc04be..821f5bf 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1,7 +1 @@ -{ -... -}: - -{ - hardware.enableAllFirmware = true; -} +_: { hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index ff3def4..00ed2c2 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,11 +1,10 @@ -{ pkgs -, ... -}: - +{ pkgs, ... }: { + imports = [ ../../snippets/bluetooth.nix ]; + networking.networkmanager = { enable = true; - dns = "dnsmasq"; + dns = "systemd-resolved"; unmanaged = [ "interface-name:veth*" "interface-name:virbr*" 
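Review bot: `videoDrivers` lists `"modesetting"` twice (second and last entries); drop one. The file is named graphical-gnome-xorg.nix yet sets `gdm.wayland = true`, so the session GDM offers by default will be Wayland unless the user picks otherwise — either the name or the setting should change, or a comment should say that "xorg" refers only to the `services.xserver` block. `services.gnome.gnome-keyring.enable = lib.mkForce false` next to `programs.seahorse.enable = true` also warrants a line on where the keyring is expected to come from, presumably the home-manager config the FIXMEs reference.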
@@ -16,85 +15,12 @@ }; networking.usePredictableInterfaceNames = false; - services.resolved.enable = false; + services.resolved.enable = true; # hardware related services - services.illum.enable = true; services.pcscd.enable = true; - hardware = { - bluetooth.enable = true; - pulseaudio = { - enable = true; - package = pkgs.pulseaudioFull; - support32Bit = true; - }; - }; - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ - blueman - ]; - services.blueman.enable = true; + hardware.graphics.enable = true; - services.xserver = { - enable = true; - libinput.enable = true; - libinput.naturalScrolling = true; - - videoDrivers = [ "qxl" "modesetting" "ati" "cirrus" "intel" "vesa" "vmware" "modesetting" ]; - xkbVariant = "altgr-intl"; - xkbOptions = "nodeadkeys"; - - desktopManager = { - # FIXME: gnome should be moved to user session - gnome3.enable = true; - - xterm.enable = true; - plasma5.enable = false; - }; - - displayManager = { - gdm.enable = false; - - autoLogin = { - enable = true; - user = "steveej"; - }; - - lightdm = { - enable = true; - background = "${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png"; - }; - - sessionCommands = '' - ''; - }; - }; - - services.gvfs.enable = true; - programs.seahorse.enable = true; - programs.gpaste.enable = false; - programs.gnome-terminal.enable = false; - programs.gnome-documents.enable = false; - programs.gnome-disks.enable = false; - - services.gnome3 = { - # gnome-online-miners.enable = false; TODO: enable this again - games.enable = false; - gnome-remote-desktop.enable = false; - gnome-user-share.enable = false; - rygel.enable = false; - sushi.enable = false; - tracker.enable = false; - tracker-miners.enable = false; - - # FIXME: gnome should be moved to user session - at-spi2-core.enable = true; - evolution-data-server.enable = true; - gnome-online-accounts.enable = true; - gnome-keyring.enable = true; - }; - - # More Services 
services.udev.packages = [ pkgs.libu2f-host pkgs.yubikey-personalization @@ -109,13 +35,24 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777" + + # Yubikey 4/5 U2F+CCID + SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel" ''; - - services.samba.enable = true; - services.samba.extraConfig = '' - client max protocol = SMB3 - ''; + # services.samba.enable = true; + # services.samba.extraConfig = '' + # client max protocol = SMB3 + # # client min protocol = SMB2_10 + # # client min protocol = NT1 + # # ntlm auth = yes + # ''; services.logind.lidSwitchExternalPower = "ignore"; + + services.printing = { + enable = true; + drivers = with pkgs; [ + ]; + }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index bcd3c66..099a8aa 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a93f3d9..a32f3f6 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix 
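Review bot: The new Yubikey rule `SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"` sets the group but no MODE, so the node keeps udev's default permissions; if wheel-only access is the intent, state it in the comment, e.g. `# Yubikey 4/5 U2F+CCID: group-restricted, deliberately no world-writable MODE`. `pkgs.yubikey-personalization` in `services.udev.packages` (context above) ships its own Yubikey rules, so this line may be redundant — worth checking. `services.printing.drivers = with pkgs; [ ];` is an empty list under a `with`; either name the drivers or drop the `with`.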
@@ -1,53 +1,69 @@ # This module defines a small NixOS installation CD. It does not # contain any graphical stuff. -{config, pkgs, lib, ...}: +{ + config, + pkgs, + lib, + ... +}: +let + nixos-init-script = '' + #!${pkgs.stdenv.shell} -let nixos-init-script = '' - #!${pkgs.stdenv.shell} + export HOME=/root + export PATH=${ + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH + export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels - export HOME=/root - export PATH=${pkgs.lib.makeBinPath [ - config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild - config.system.build.nixos-install pkgs.utillinux pkgs.e2fsprogs pkgs.coreutils pkgs.hdparm - ]}:$PATH - export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels + set -xe - set -xe + fdisk -w always -W always /dev/vda < 
@@ -58,13 +74,14 @@ in { isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; - boot.postBootCommands = '' - ''; + boot.postBootCommands = ""; - environment.systemPackages = []; + environment.systemPackages = [ ]; users.users.root = { - openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" + ]; }; services.gpm.enable = true; @@ -80,7 +97,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "multi-user.target" ]; requires = [ "network-online.target" ]; - + restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix deleted file mode 100644 index d15563e..0000000 --- a/nix/os/profiles/podman/configuration.nix +++ /dev/null 
@@ -1,180 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - podman - runc - conmon - cni - cni-plugins - slirp4netns - ]; - - environment.etc."containers/registries.conf".text = '' - # This is a system-wide configuration file used to - # keep track of registries for various container backends. - # It adheres to TOML format and does not support recursive - # lists of registries. - - [registries.search] - registries = [ 'docker.io' - , 'registry.fedoraproject.org' - , 'registry.access.redhat.com' - , 'quay.io' - ] - - # If you need to access insecure registries, add the registry's fully-qualified name. - # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. - [registries.insecure] - registries = ['localhost:5000'] - ''; - - environment.etc."containers/policy.json".text = '' - { - "default": [ - { - "type": "insecureAcceptAnything" - } - ], - "transports": - { - "docker-daemon": - { - "": [{"type":"insecureAcceptAnything"}] - } - } - } - ''; - - environment.etc."cni/net.d/00-loopback.conf".text = '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; - - environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ''; - - environment.etc."containers/libpod.conf".text = '' - # libpod.conf is the default configuration file for all tools using libpod to - # manage containers - - # Default transport method for pulling and pushing for images - image_default_transport = "docker://" - - # Paths to search for the Conmon container manager binary - runtime_path = [ - "${pkgs.runc}/bin/runc" - ] - - - # Paths to look for the Conmon container manager binary 
- conmon_path = [ - "${pkgs.conmon}/bin/conmon" - ] - - - # Environment variables to pass into conmon - conmon_env_vars = [ - # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - ] - - # CGroup Manager - valid values are "systemd" and "cgroupfs" - cgroup_manager = "systemd" - - # Container init binary - #init_path = "/usr/libexec/podman/catatonit" - - # Directory for persistent libpod files (database, etc) - # By default, this will be configured relative to where containers/storage - # stores containers - # Uncomment to change location from this default - #static_dir = "/var/lib/containers/storage/libpod" - - # Directory for temporary files. Must be tmpfs (wiped after reboot) - tmp_dir = "/var/run/libpod" - - # Maximum size of log files (in bytes) - # -1 is unlimited - max_log_size = -1 - - # Whether to use chroot instead of pivot_root in the runtime - no_pivot_root = false - - # Directory containing CNI plugin configuration files - cni_config_dir = "/etc/cni/net.d/" - - # Directories where the CNI plugin binaries may be located - cni_plugin_dir = [ - "${pkgs.cni-plugins}/bin" - ] - - - # Default CNI network for libpod. - # If multiple CNI network configs are present, libpod will use the network with - # the name given here for containers unless explicitly overridden. - # The default here is set to the name we set in the - # 87-podman-bridge.conflist included in the repository. - # Not setting this, or setting it to the empty string, will use normal CNI - # precedence rules for selecting between multiple networks. - cni_default_network = "podman" - - # Default libpod namespace - # If libpod is joined to a namespace, it will see only containers and pods - # that were created in the same namespace, and will create new containers and - # pods in that namespace. - # The default namespace is "", which corresponds to no namespace. When no - # namespace is set, all containers and pods are visible. 
- #namespace = "" - - # Default pause image name for pod pause containers - pause_image = "k8s.gcr.io/pause:3.1" - - # Default command to run the pause container - pause_command = "/pause" - - # Determines whether libpod will reserve ports on the host when they are - # forwarded to containers. When enabled, when ports are forwarded to containers, - # they are held open by conmon as long as the container is running, ensuring that - # they cannot be reused by other programs on the host. However, this can cause - # significant memory usage if a container has many ports forwarded to it. - # Disabling this can save memory. - #enable_port_reservation = true - - # Default libpod support for container labeling - # label=true - - # Paths to look for a valid OCI runtime (runc, runv, etc) - # FIXME: this doesn't seem to take effect - [runtimes] - runc = [ - "${pkgs.runc}/bin/runc" - ] -''; -} diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index b3939cb..17a1dba 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,9 +1,6 @@ -{ lib -, ... -}: - +{ lib, ... }: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; - boot.loader.efi.canTouchEfiVariables = lib.mkForce false; + boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.extraModulePackages = [ ]; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index 883c2a4..ad7def0 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,8 +1,7 @@ { ... }: - { - imports = [ - ../../modules/encryptedDisk.nix + imports = [ + ../../modules/opinionatedDisk.nix ./pkg.nix ./hw.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 99f014f..0f7cbec 100644 --- a/nix/os/profiles/removable-medium/hw.nix 
+++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,6 +1,4 @@ -{ ... }: - -{ - hardware.encryptedDisk.enable = true; +_: { + hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index 7b9ee0e..d27081f 100644 --- a/nix/os/profiles/removable-medium/pkg.nix +++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,7 +1,6 @@ -{ pkgs -, ... -}: - +{ pkgs, ... }: { - home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; + home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { + inherit pkgs; + }; } diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index fccfc9e..243edf7 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -1,9 +1,6 @@ -{ config, lib, pkgs, ... }: +_: { + services.illum.enable = true; - -let - -in { services.printing = { enable = false; }; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix new file mode 100644 index 0000000..090217e --- /dev/null +++ b/nix/os/snippets/bluetooth.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ blueman ]; + hardware.bluetooth.enable = true; + services.blueman.enable = true; +} diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix new file mode 100644 index 0000000..4371b78 --- /dev/null +++ b/nix/os/snippets/holo-zerotier.nix 
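Review bot: `hardware.encryptedDisk.enable` is replaced by `hardware.opinionatedDisk.enable` in the removable-medium profile, and nothing in this diff shows whether `opinionatedDisk` still encrypts the disk; for a portable medium that is the property worth keeping, so please confirm it (the module itself is not in the diff) and record the answer. A comment such as `# opinionatedDisk keeps full-disk encryption, see ../../modules/opinionatedDisk.nix` would settle it, if that is the case. The same swap is made in `removable-medium/configuration.nix` above.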
@@ -0,0 +1,53 @@
+{ config, lib, ... }:
+let
+ cfg = config.steveej.holo-zerotier;
+in
+{
+ options.steveej.holo-zerotier = {
+ enable = lib.mkEnableOption "Enable holo-zerotier";
+ autostart = lib.mkOption { default = false; };
+ };
+
+ config = {
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ];
+
+ services.zerotierone = {
+ inherit (cfg) enable;
+ joinNetworks = [
+ # moved to the service below as it's now secret
+ ];
+ };
+
+ systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);
+
+ systemd.services.zerotieroneSecretNetworks = {
+ inherit (cfg) enable;
+ requiredBy = [ "zerotierone.service" ];
+ partOf = [ "zerotierone.service" ];
+
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+
+ script =
+ let
+ secret = config.sops.secrets.zerotieroneNetworks;
+ in
+ ''
+ # include the secret's hash to trigger a restart on change
+ # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+ ${config.systemd.services.zerotierone.preStart}
+
+ rm -rf /var/lib/zerotier-one/networks.d/*.conf
+ for network in `grep -v '#' ${secret.path}`; do
+ touch /var/lib/zerotier-one/networks.d/''${network}.conf
+ done
+ '';
+ };
+
+ sops.secrets.zerotieroneNetworks = {
+ sopsFile = ../../../secrets/work-holo/zerotierone.txt;
+ format = "binary";
+ };
+ };
+}
diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix
new file mode 100644
index 0000000..47ddd8a
--- /dev/null
+++ b/nix/os/snippets/home-manager-with-zsh.nix
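Review bot: `config = { ... }` is not gated on `cfg.enable`, so a host that imports this snippet with `enable = false` still declares `sops.secrets.zerotieroneNetworks` (sops-nix will try to decrypt it there) and still defines `nixpkgs.config.allowUnfreePredicate`, which conflicts with any other module defining that option; wrap it as `config = lib.mkIf cfg.enable { ... };`, after which the two `inherit (cfg) enable;` lines become redundant. In the script, `` for network in `grep -v '#' ${secret.path}` `` drops every line that contains a `#` anywhere and word-splits the rest; `grep -v '^#'` feeding a `while read -r network` loop is the safer shape, and checking `$network` against the expected 16-hex-digit network-ID form before the `touch` keeps a malformed secret from writing outside `networks.d`.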
@@ -0,0 +1,43 @@
+{
+ nodeFlake,
+ repoFlake,
+ repoFlakeInputs',
+ packages',
+ pkgs,
+ ...
+}:
+let
+ # TODO: make this configurable
+ homeUser = "steveej";
+ commonHomeImports = [
+ ../../home-manager/profiles/common.nix
+ ../../home-manager/programs/neovim.nix
+ ../../home-manager/programs/zsh.nix
+ ];
+in
+{
+ imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ];
+
+ # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager
+ # home-manager.extraSpecialArgs = specialArgs;
+ # hence, opt for passing the arguments selectively instead
+ home-manager.extraSpecialArgs = {
+ inherit
+ repoFlake
+ repoFlakeInputs'
+ packages'
+ nodeFlake
+ ;
+ };
+
+ home-manager.useGlobalPkgs = false;
+ home-manager.useUserPackages = true;
+
+ home-manager.users.root = _: { imports = commonHomeImports; };
+
+ home-manager.users."${homeUser}" = _: { imports = commonHomeImports; };
+
+ programs.zsh.enable = true;
+ users.defaultUserShell = pkgs.zsh;
+ environment.pathsToLink = [ "/share/zsh" ];
+}
diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix
new file mode 100644
index 0000000..1774650
--- /dev/null
+++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix
@@ -0,0 +1,58 @@
+# experiment with k3s, nix-snapshotter, and nixos images
+{
+ nodeFlake,
+ pkgs,
+ lib,
+ system,
+ config,
+ ...
+}:
+let
+ cfg = config.steveej.k3s;
+
+in
+# TODO: make this configurable
+{
+ options.steveej.k3s = {
+ enable = lib.mkOption {
+ description = "steveej's k3s distro";
+ type = lib.types.bool;
+ default = true;
+ };
+ };
+
+ # (1) Import nixos module.
+ imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ];
+
+ config = lib.mkIf cfg.enable {
+ # (2) Add overlay.
+ nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ];
+
+ # (3) Enable service.
+ virtualisation.containerd = {
+ enable = true;
+ nixSnapshotterIntegration = true;
+
+ # TODO: understand if this has an influence on the systemd LoadCredential issue
+ # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true;
+ };
+ services.nix-snapshotter = {
+ enable = true;
+ };
+
+ # (4) Add a containerd CLI like nerdctl.
+ environment.systemPackages = [
+ pkgs.nerdctl
+ nodeFlake.inputs.nix-snapshotter.packages.${system}.default
+ ];
+
+ services.k3s = {
+ enable = false;
+ setKubeConfig = true;
+ };
+
+ # home-manager.users."${homeUser}" = _: {
+ # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock";
+ # };
+ };
+}
diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix
new file mode 100644
index 0000000..990477e
--- /dev/null
+++ b/nix/os/snippets/mycelium.nix
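Review bot: `options.steveej.k3s.enable` defaults to `true`, so merely importing this self-described experiment enables containerd with the nix-snapshotter integration and installs `nerdctl`; an opt-in default, `default = false;`, matches how `steveej.holo-zerotier` in this same series uses `lib.mkEnableOption`. The `# TODO: make this configurable` comment sits between `in` and the module body, where it reads as describing the whole module rather than the hard-coded values; move it next to what it refers to. `services.k3s.enable = false;` beside `setKubeConfig = true;` in a file named after k3s deserves a one-line comment saying that only the containerd half is active for now.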
@@ -0,0 +1,32 @@
+{
+ repoFlake,
+ nodeName,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg.autostart = false;
+in
+{
+ imports = [ ];
+
+ sops.secrets.mycelium-key = {
+ format = "binary";
+ sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc";
+ };
+
+ services.mycelium = {
+ enable = true;
+ # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd;
+ keyFile = config.sops.secrets.mycelium-key.path;
+ addHostedPublicNodes = true;
+ peers = [ ];
+
+ # tunName = "mycelium-pub";
+
+ extraArgs = [ ];
+ };
+
+ systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);
+}
diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix
new file mode 100644
index 0000000..b660f1c
--- /dev/null
+++ b/nix/os/snippets/nix-settings-holo-chain.nix
@@ -0,0 +1,16 @@
+_: {
+ nix.settings = {
+ substituters = [
+ "https://holochain-ci.cachix.org"
+ "https://holochain-ci-internal.cachix.org"
+ # "https://cache.holo.host/"
+ ];
+
+ trusted-public-keys = [
+ "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
+ "holochain-ci-internal.cachix.org-1:QvVsSrTiearCjrLTVtNtJOdQCDTseXh7UXUuSMx46NE="
+ "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
+ "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
+ ];
+ };
+}
diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix
new file mode 100644
index 0000000..99d26d4
--- /dev/null
+++ b/nix/os/snippets/nix-settings.nix
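Review bot: `cfg.autostart = false;` is a `let` binding, so unlike `options.steveej.holo-zerotier.autostart` in the sibling snippet it cannot be set by an importing host, and the `lib.mkIf (!cfg.autostart)` guard on `systemd.services.mycelium.wantedBy` is therefore always taken; either expose it as an option or say so, e.g. `# mycelium is never pulled in at boot; start it manually`. `imports = [ ]`, `peers = [ ]` and `extraArgs = [ ]` are empty placeholders that can be dropped or annotated.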
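Review bot: `trusted-public-keys` keeps both `cache.holo.host-1` and `cache.holo.host-2` while the matching substituter is commented out; Nix does not bind trusted keys to a substituter, so any path signed by those keys is accepted from any cache the daemon talks to, including one added ad hoc with `--substituters`. If the cache is retired, drop the two keys together with the substituter; if it is only paused, a comment such as `# keys kept for cache.holo.host; re-enable the substituter above to use it` makes the intent explicit.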
@@ -0,0 +1,37 @@
+{
+ nodeFlake,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ nix.daemonCPUSchedPolicy = "idle";
+ nix.daemonIOSchedClass = "idle";
+ nix.settings.max-jobs = lib.mkDefault "auto";
+ nix.settings.cores = lib.mkDefault 0;
+ nix.settings.sandbox = true;
+ nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ "ca-derivations"
+ "recursive-nix"
+ ];
+
+ nix.settings.system-features = [
+ "recursive-nix"
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
+
+ # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs;
+ nix.registry.nixpkgs.to = {
+ type = "path";
+ path = nodeFlake.inputs.nixpkgs.outPath;
+ inherit (nodeFlake.inputs.nixpkgs) narHash;
+ };
+
+ nix.package = pkgs.nixVersions.latest;
+}
diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix
new file mode 100644
index 0000000..8a99fcb
--- /dev/null
+++ b/nix/os/snippets/obs-studio.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+let
+ # TODO: make configurable
+ homeUser = "steveej";
+in
+{
+ boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
+
+ # Activate kernel modules (choose from built-ins and extra ones)
+ boot.kernelModules = [
+ # Virtual Camera
+ "v4l2loopback"
+ # Virtual Microphone, built-in
+ "snd-aloop"
+ ];
+
+ # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
+ # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
+ # https://github.com/umlaeute/v4l2loopback
+ boot.extraModprobeConfig = ''
+ options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1
+ '';
+
+ security.polkit.enable = true;
+
+ home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; };
+}
diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix
new file mode 100644
index 0000000..709b601
--- /dev/null
+++ b/nix/os/snippets/radicale.nix
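Review bot: `nix.package = pkgs.nixVersions.latest;` together with `experimental-features` enabling `ca-derivations` and `recursive-nix` ties every host to whichever Nix release nixpkgs currently calls latest, so the behaviour of these still-experimental features can change on an ordinary `nixpkgs` bump; a comment recording why each feature is needed, e.g. `# recursive-nix: required by <which build>`, would let the next person prune the list. `nix.settings.sandbox = true;` and the `narHash`-pinned registry entry are good as they are.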
@@ -0,0 +1,33 @@
+{
+ config,
+ pkgs,
+ repoFlakeInputs',
+ ...
+}:
+let
+ # TODO: make configurable
+ homeUser = "steveej";
+in
+{
+ sops.secrets.radicale_htpasswd = {
+ sopsFile = ../../../secrets/desktop/radicale_htpasswd;
+ format = "binary";
+ owner = config.users.users."${homeUser}".name;
+ };
+
+ home-manager.users.${homeUser} = _: {
+ imports = [
+ # TODO: bump these to latest and make it work
+ (
+ args:
+ import ../../home-manager/programs/radicale.nix (
+ args
+ // {
+ osConfig = config;
+ pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages;
+ }
+ )
+ )
+ ];
+ };
+}
diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix
new file mode 100644
index 0000000..df40e2b
--- /dev/null
+++ b/nix/os/snippets/sway-desktop.nix
@@ -0,0 +1,136 @@ +{ + pkgs, + lib, + config, + ... +}: +let + # TODO: make this configurable + homeUser = "steveej"; +in +{ + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + hardware.graphics.enable = true; + + services.gvfs = { + enable = true; + package = lib.mkForce pkgs.gnome.gvfs; + }; + + environment.systemPackages = with pkgs; [ + # provides a default authentification client for policykit + lxqt.lxqt-policykit + ]; + + # required by swaywm + security.polkit.enable = true; + security.pam.services.swaylock = { }; + + # test these on https://mozilla.github.io/webrtc-landing/gum_test.html + xdg.portal = { + enable = true; + # FIXME: `true` breaks xdg-open from alacritty: + # $ xdg-open "https://github.com/" + # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop + xdgOpenUsePortal = false; + + wlr = { + enable = true; + settings = { + screencast = { + chooser_type = "dmenu"; + # display the output as a list in favor of the default mouse selection + chooser_cmd = lib.getExe ( + pkgs.writeShellApplication { + name = "chooser_cmd"; + runtimeInputs = [ + pkgs.sway + pkgs.jq + pkgs.fuzzel + pkgs.gnused + ]; + text = '' + swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' + ''; + } + ); + max_fps = 30; + }; + }; + }; + + # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: + config = { + common = { + default = [ + "wlr" + "gtk" + ]; + }; + }; + + extraPortals = [ + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr + + pkgs.xdg-desktop-portal-gtk + # (pkgs.xdg-desktop-portal-gtk.override (_: { + # buildPortalsInGnome = false; + # })) + ]; + }; + + # rtkit 
is optional but recommended + security.rtkit.enable = true; + services.pipewire = { + audio.enable = true; + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + wireplumber.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + security.pam.services.getty.enableGnomeKeyring = true; + security.pam.services."autovt@tty1".enableGnomeKeyring = true; + services.gnome.gnome-keyring.enable = true; + + # autologin steveej on tty1 + # TODO: make user configurable + systemd.services."autovt@tty1".description = "Autologin at the TTY1"; + systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".serviceConfig = { + ExecStart = [ + "" # override upstream default with an empty ExecStart + "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" + ]; + Restart = "always"; + Type = "idle"; + }; + + programs = + let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in + { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; + + home-manager.users."${homeUser}" = _: { + imports = [ ../../home-manager/profiles/sway-desktop.nix ]; + }; +} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix new file mode 100644 index 0000000..f7c2301 --- /dev/null +++ b/nix/os/snippets/systemd-resolved.nix 
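Review bot: The tty1 autologin hard-codes `steveej` in `--autologin steveej`, in `id --user steveej` and in the comment, while `homeUser` already holds that name at the top of the file; use `${homeUser}` in all three so the `# TODO: make user configurable` becomes a one-line change. Note that `--autologin` on `autovt@tty1` means no password passes through PAM on that console, so `enableGnomeKeyring` on that service has nothing to unlock the keyring with; if the keyring is expected to open at login that needs another mechanism, and a comment either way would save the next reader the experiment. `services.gvfs.package = lib.mkForce pkgs.gnome.gvfs` reaches into the `gnome` scope; in recent nixpkgs I believe `gvfs` is top-level, so check this still evaluates.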
@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+ networking.nameservers = [
+ # https://dnsforge.de/
+ "176.9.93.198"
+ "176.9.1.117"
+
+ # TODO: enable IPv6
+ # "2a01:4f8:151:34aa::198"
+ # "2a01:4f8:141:316d::117"
+ ];
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+
+ # TODO: figure out why "true" doesn't work
+ dnsovertls = "opportunistic";
+
+ fallbackDns = lib.mkForce [ ];
+
+ # TODO: IPv6
+ # extraConfig = ''
+ # DNSStubListenerExtra=[::1]:53
+ # '';
+ };
+}
diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix
new file mode 100644
index 0000000..67db1e8
--- /dev/null
+++ b/nix/os/snippets/timezone.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+ passwords = import ../../variables/passwords.crypt.nix;
+in
+{
+ time.timeZone = lib.mkDefault passwords.timeZone.stefan;
+}
diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix
deleted file mode 100644
index e412c8d..0000000
--- a/nix/overlays/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- overrides = import ./overrides.nix;
- pkgs = import ./pkgs.nix;
- posh = import ./posh.nix;
-}
diff --git a/nix/overlays/overrides.nix b/nix/overlays/overrides.nix
deleted file mode 100644
index 92516fc..0000000
--- a/nix/overlays/overrides.nix
+++ /dev/null
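Review bot: `dnsovertls = "opportunistic"` falls back to plaintext DNS whenever TLS cannot be negotiated and never authenticates the resolver, so it offers no protection against an on-path downgrade; the `# TODO: figure out why "true" doesn't work` is most likely because strict mode needs a name to validate the certificate against, which systemd-resolved takes from the `ip#hostname` form of a `DNS=` entry, e.g. `"176.9.93.198#<dot-server-name>"` (name from the resolver's documentation). With that suffix on both `networking.nameservers` entries, `dnsovertls = "true"` should work and the TODO can go. `dnssec = "true"` and `fallbackDns = lib.mkForce [ ]` are the right complements to keep.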
@@ -1,47 +0,0 @@ -# This overlay is used for overriding upstream packages. - -self: super: - -let - nixpkgs-master = import { inherit (super) config; }; - -in { - inherit nixpkgs-master; - - # alacritty = nixpkgs-master.alacritty; - alacritty = super.stdenv.mkDerivation { - name = "alacritty-custom"; - buildInputs = [ super.makeWrapper ]; - phases = "installPhase"; - installPhase = '' - makeWrapper ${self.nixpkgs-master.alacritty}/bin/alacritty $out/bin/alacritty \ - --set-default WINIT_X11_SCALE_FACTOR 1.4 - ''; - }; - - roxterm = super.stdenv.mkDerivation { - name = "roxterm-custom"; - buildInputs = [ super.makeWrapper ]; - phases = "installPhase"; - installPhase = '' - makeWrapper ${super.roxterm}/bin/roxterm $out/bin/roxterm \ - --add-flags "--separate" - ''; - }; - - # TODO: facetimehd is currfently broken (https://github.com/NixOS/nixpkgs/pull/72804) - facetimehd-firmware = super.hello; - - qtile = self.nixpkgs-master.qtile.overrideAttrs(oldAttrs: { - pythonPath = oldAttrs.pythonPath ++ (with self.python37Packages; [ - psutil - dbus-python - pyxdg - mpd2 - # python-wifi - # iwlib - dateutil - keyring - ]); - }); -} diff --git a/nix/overlays/pkgs.nix b/nix/overlays/pkgs.nix deleted file mode 100644 index b6b57ef..0000000 --- a/nix/overlays/pkgs.nix +++ /dev/null @@ -1,18 +0,0 @@ -# This overlay includes all packages defined by the top-level default.nix. -# The code is copied from the NUR repository [0]. -# -# [0]: https://github.com/nix-community/nur-packages-template/blob/2610a5b60bd926cea3e6395511da8f0d14c613b9/overlay.nix - -self: super: - -let - - isReserved = n: n == "lib" || n == "overlays" || n == "modules"; - nameValuePair = n: v: { name = n; value = v; }; - nurAttrs = import ../pkgs { pkgs = super; }; - -in - builtins.listToAttrs - (map (n: nameValuePair n nurAttrs.${n}) - (builtins.filter (n: !isReserved n) - (builtins.attrNames nurAttrs))) diff --git a/nix/overlays/posh.nix b/nix/overlays/posh.nix deleted file mode 100644 index 6c8905d..0000000 
--- a/nix/overlays/posh.nix +++ /dev/null @@ -1,20 +0,0 @@ -self: super: - -let - nixpkgs-master = import {}; - - inherit (nixpkgs-master) crun; - crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec { - version = "0.10.6"; - src = super.fetchgit { - inherit (crun.src) url; - rev = version; - sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1"; - }; - }); - -in { - inherit (nixpkgs-master) podman conmon slirp4netns; - crun = crun_10_6_0; - posh = self.callPackage ../pkgs/posh.nix {}; -} diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index a98268e..34a6977 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix @@ -1,28 +1,27 @@ -with import {}; - +with import { }; stdenv.mkDerivation rec { - broken = true; + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = '':''; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ -# wrapProgram $out/bin/browserpass-linux64 \ -# --prefix LD_LIBRARY_PATH : "${libPath}" -# - ''; + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; } 
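Review bot: `broken = true;` is a plain derivation attribute, not `meta.broken`, so nixpkgs' broken check never sees it and the package still builds whenever it is referenced; if the intent is to mark it unusable, move it to `meta.broken = true;`, or delete the file, since nothing in this diff references it. `cp -a * $out/bin/` copies every file of the release zip into `bin/`, not only the binary that `patchelf` just touched; listing `browserpass-linux64` explicitly is tidier. The `wrapProgram` block is still commented out, so `libPath` is dead.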
diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix new file mode 100644 index 0000000..93f59c7 --- /dev/null +++ b/nix/pkgs/dcpj4110dw/default.nix 
@@ -0,0 +1,146 @@ +{ + pkgsi686Linux, + stdenv, + fetchurl, + dpkg, + makeWrapper, + coreutils, + ghostscript, + gnugrep, + gnused, + which, + lib, + cups, + a2ps, + gawk, + file, + proot, + bash, +}: +let + model = "dcpj4110dw"; + version = "3.0.1-1"; + src = fetchurl { + url = "https://download.brother.com/welcome/dlf005595/${model}lpr-${version}.i386.deb"; + sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; + }; + reldir = "opt/brother/Printers/${model}/"; +in +rec { + driver = pkgsi686Linux.stdenv.mkDerivation rec { + inherit src version; + name = "${model}drv-${version}"; + + nativeBuildInputs = [ + dpkg + makeWrapper + ]; + + unpackPhase = "dpkg-deb -x $src $out"; + + installPhase = '' + # need to use i686 glibc here, these are 32bit proprietary binaries + patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/${reldir}/lpd/br${model}filter + + mkdir -p $out/lib/cups/filter/ + ln -s $out/${reldir}/lpd/filter${model} $out/lib/cups/filter/brother_lpdwrapper_${model} + + # use proot to bind /opt for the filter + mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} + + cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} + export PATH=\$PATH:${ + lib.makeBinPath [ + gawk + file + a2ps + coreutils + ghostscript + gnugrep + gnused + which + ] + } + exec $out/${reldir}/lpd/.wrapped_filter${model} + EOF + chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} + + cat <<-EOF >$out/${reldir}/lpd/filter${model} + #!${bash}/bin/bash + exec ${proot}/bin/proot \ + -b /nix/store:/nix/store \ + -b $out/opt:/opt \ + -b ${cups}/share:/usr/share/cups \ + $out/${reldir}/lpd/.wrapper_inner_filter${model} + EOF + chmod +x $out/${reldir}/lpd/filter${model} + ''; + + meta = { + description = "Brother ${lib.strings.toUpper model} driver"; + homepage = "http://www.brother.com/"; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + # license = lib.licenses.unfree; + platforms = [ + "x86_64-linux" 
+ "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; + }; + }; + + cupswrapper = stdenv.mkDerivation rec { + inherit version; + + src = fetchurl { + url = "https://download.brother.com/welcome/dlf005597/${model}cupswrapper-${version}.i386.deb"; + sha256 = "sha256-nwpuuXqBrEh5tye14gFLrezktTz6kq7HtnGqdBbgGkk="; + }; + + name = "${model}cupswrapper-${version}"; + + nativeBuildInputs = [ + dpkg + makeWrapper + ]; + buildInputs = [ + cups + ghostscript + a2ps + gawk + ]; + + unpackPhase = "dpkg-deb -x $src $out"; + + installPhase = '' + wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + ] + } + + patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/${reldir}/cupswrapper/brcupsconfpt1 + + mkdir -p $out/share/cups/model + ln -s $out/${reldir}/cupswrapper/brother_${model}_printer_en.ppd $out/share/cups/model/ + ''; + + meta = { + description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; + homepage = "http://www.brother.com/"; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + license = lib.licenses.gpl2; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; + }; + }; +} diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index a4c21e9..78b37a6 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix 
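Review bot: `driver.meta.license` is commented out while `sourceProvenance` says `binaryNativeCode` and the payload is Brother's proprietary `.deb`, so this derivation evaluates without the `allowUnfree` gate; set `license = lib.licenses.unfree;` (the `cupswrapper` derivation carries `gpl2`, which is a separate question). The `proot` wrapper binds `$out/opt` over `/opt` and `${cups}/share` over `/usr/share/cups`; a comment stating what the 32-bit filter expects to find at those two paths would explain why `proot` is needed at all. `.wrapper_inner_filter${model}` is written without a shebang line, unlike `filter${model}` just below it; add `#!${bash}/bin/bash` so it does not rely on the caller's `exec` semantics.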
@@ -1,112 +1,8 @@ { pkgs }: -let - -in rec { - nixpkgs-master = import {}; - - linuxPackages_sgx_540rc3 = let - linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args: - - buildLinux (args // rec { - version = "5.4.0-rc3"; - modDirVersion = version; - - src = fetchurl { - url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz"; - sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20"; - }; - kernelPatches = []; - - extraConfig = '' - INTEL_SGX y - ''; - - extraMeta.branch = "5.4"; - } // (args.argsOverride or {})); - linux_sgx = pkgs.callPackage linux_sgx_pkg {}; - in - pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx); - linuxPackages_sgx_latest = linuxPackages_sgx_540rc3; - - busyboxStatic = pkgs.busybox.override { - enableStatic = true; - extraConfig = '' - CONFIG_STATIC y - CONFIG_INSTALL_APPLET_DONT y - CONFIG_INSTALL_APPLET_SYMLINKS n - ''; +{ + duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; + staruml = pkgs.callPackage ../pkgs/staruml.nix { + inherit (pkgs.gnome2) GConf; + libgcrypt = pkgs.libgcrypt_1_5; }; - dropbearStatic = pkgs.dropbear.override { - enableStatic = true; - }; - - php5 = let - nixpkgsWithPhp5 = pkgs.fetchFromGitHub { - owner = "nixos"; - repo = "nixpkgs-channels"; - rev = "pkgs"; - sha256 = "1qifgc1q2i4g0ivpfjnxp4jl2cc82gfjws08dsllgw7q7kw4b4rb"; - }; - php5 = (pkgs.callPackage "${nixpkgsWithPhp5}/pkgs/development/interpreters/php/default.nix" { - config = (pkgs.lib.attrsets.recursiveUpdate - pkgs.config - { - php = { - imap = false; - openssl = false; - curl = false; - ldap = false; - mcrypt = false; - }; - } - ); - stdenv = pkgs.llvmPackages_6.stdenv; #broken - icu = pkgs.icu60; - }).php56; - in - php5 - .overrideAttrs(attrs: rec { - # See https://secure.php.net/ChangeLog-5.php - version = "5.6.40"; - name = "php-${version}"; - - sha256 = "005s7w167dypl41wlrf51niryvwy1hfv53zxyyr3lm938v9jbl7z"; - src = pkgs.fetchurl { - url = "http://www.php.net/distributions/php-${version}.tar.bz2"; - inherit sha256; - }; - 
- configureFlags = attrs.configureFlags ++ [ - "--without-fpm-systemd" - ]; - - }); - - duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; - mfcl3770cdw = pkgs.callPackage ../pkgs/mfcl3770cdw.nix {}; - staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; }; - - myPython = pkgs.python37Full.withPackages (ps: with ps; [ - pep8 yapf flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - pyopenssl - urllib3 - mistune - - flask - - pyaml - ] ++ [ - pkgs.pypi2nix - pkgs.libffi - ]); } diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index 9aed9df..b961a17 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,7 +1,4 @@ -{ buildGoPackage -, fetchFromGitHub -}: - +{ buildGoPackage, fetchFromGitHub }: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/deps.nix b/nix/pkgs/duplicacy/deps.nix index 5511b2e..8621cb1 100644 --- a/nix/pkgs/duplicacy/deps.nix +++ b/nix/pkgs/duplicacy/deps.nix 
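Review bot: The new attribute set no longer registers `mfcl3770cdw`, yet this same commit keeps maintaining `nix/pkgs/mfcl3770cdw.nix`, and the newly added `nix/pkgs/dcpj4110dw.nix` is not referenced here either; if both are exposed from the flake instead that is fine, but a one-line comment saying where they are wired up would stop the next reader from re-adding them here. Also, relative to `nix/pkgs/default.nix` the paths `../pkgs/duplicacy` and `../pkgs/staruml.nix` point back into the file's own directory, so `./duplicacy` and `./staruml.nix` express the same thing without the detour.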
@@ -1,336 +1,336 @@ # file generated from Gopkg.lock using dep2nix (https://github.com/nixcloud/dep2nix) [ { - goPackagePath = "cloud.google.com/go"; + goPackagePath = "cloud.google.com/go"; fetch = { type = "git"; url = "https://code.googlesource.com/gocloud"; - rev = "2d3a6656c17a60b0815b7e06ab0be04eacb6e613"; + rev = "2d3a6656c17a60b0815b7e06ab0be04eacb6e613"; sha256 = "0fi3qj9fvc4bxbrwa1m5sxsb8yhvawiwigaddvmmizjykxbq5csq"; }; } { - goPackagePath = "github.com/Azure/azure-sdk-for-go"; + goPackagePath = "github.com/Azure/azure-sdk-for-go"; fetch = { type = "git"; url = "https://github.com/Azure/azure-sdk-for-go"; - rev = "b7fadebe0e7f5c5720986080a01495bd8d27be37"; + rev = "b7fadebe0e7f5c5720986080a01495bd8d27be37"; sha256 = "11zcmd17206byxhgz2a75qascilydlzjbz73l2mrqng3yyr20yk1"; }; } { - goPackagePath = "github.com/Azure/go-autorest"; + goPackagePath = "github.com/Azure/go-autorest"; fetch = { type = "git"; url = "https://github.com/Azure/go-autorest"; - rev = "0ae36a9e544696de46fdadb7b0d5fb38af48c063"; + rev = "0ae36a9e544696de46fdadb7b0d5fb38af48c063"; sha256 = "0f2qcv24l9bx3jys2m9ycyy77vqlx7dbfa3frxlk19wnrwiv3p6g"; }; } { - goPackagePath = "github.com/aryann/difflib"; + goPackagePath = "github.com/aryann/difflib"; fetch = { type = "git"; url = "https://github.com/aryann/difflib"; - rev = "e206f873d14a916d3d26c40ab667bca123f365a3"; + rev = "e206f873d14a916d3d26c40ab667bca123f365a3"; sha256 = "00zb9sx6l6b2zq614x45zlyshl20zjhwfj8r5krw4f9y0mx3n2dm"; }; } { - goPackagePath = "github.com/aws/aws-sdk-go"; + goPackagePath = "github.com/aws/aws-sdk-go"; fetch = { type = "git"; url = "https://github.com/aws/aws-sdk-go"; - rev = "a32b1dcd091264b5dee7b386149b6cc3823395c9"; + rev = "a32b1dcd091264b5dee7b386149b6cc3823395c9"; sha256 = "1yicb7l6m4hs3mi724hz74wn8305qvx6g73mjqafaaqvh6dyn86m"; }; } { - goPackagePath = "github.com/bkaradzic/go-lz4"; + goPackagePath = "github.com/bkaradzic/go-lz4"; fetch = { type = "git"; url = "https://github.com/bkaradzic/go-lz4"; - rev = 
"74ddf82598bc4745b965729e9c6a463bedd33049"; + rev = "74ddf82598bc4745b965729e9c6a463bedd33049"; sha256 = "1vdid8v0c2v2qhrg9rzn3l7ya1h34jirrxfnir7gv7w6s4ivdvc1"; }; } { - goPackagePath = "github.com/dgrijalva/jwt-go"; + goPackagePath = "github.com/dgrijalva/jwt-go"; fetch = { type = "git"; url = "https://github.com/dgrijalva/jwt-go"; - rev = "dbeaa9332f19a944acb5736b4456cfcc02140e29"; + rev = "dbeaa9332f19a944acb5736b4456cfcc02140e29"; sha256 = "0zk6l6kzsjdijfn7c4h0aywdjx5j2hjwi67vy1k6wr46hc8ks2hs"; }; } { - goPackagePath = "github.com/gilbertchen/azure-sdk-for-go"; + goPackagePath = "github.com/gilbertchen/azure-sdk-for-go"; fetch = { type = "git"; url = "https://github.com/gilbertchen/azure-sdk-for-go"; - rev = "bbf89bd4d716c184f158d1e1428c2dbef4a18307"; + rev = "bbf89bd4d716c184f158d1e1428c2dbef4a18307"; sha256 = "14563izc2y05k8s20fmhanvjydbcq8k5adp4cgw91d9bs52qivx7"; }; } { - goPackagePath = "github.com/gilbertchen/cli"; + goPackagePath = "github.com/gilbertchen/cli"; fetch = { type = "git"; url = "https://github.com/gilbertchen/cli"; - rev = "1de0a1836ce9c3ae1bf737a0869c4f04f28a7f98"; + rev = "1de0a1836ce9c3ae1bf737a0869c4f04f28a7f98"; sha256 = "00vbyjsn009cqg24sxcizq10rgicnmrv0f8jg3fa1fw6yp5gqdl5"; }; } { - goPackagePath = "github.com/gilbertchen/go-dropbox"; + goPackagePath = "github.com/gilbertchen/go-dropbox"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go-dropbox"; - rev = "90711b603312b1f973f3a5da3793ac4f1e5c2f2a"; + rev = "90711b603312b1f973f3a5da3793ac4f1e5c2f2a"; sha256 = "0y2ydl3mjbkfbqyygrwq7vqig9hjh7cxvzsn2gxc1851haqp4h19"; }; } { - goPackagePath = "github.com/gilbertchen/go-ole"; + goPackagePath = "github.com/gilbertchen/go-ole"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go-ole"; - rev = "0e87ea779d9deb219633b828a023b32e1244dd57"; + rev = "0e87ea779d9deb219633b828a023b32e1244dd57"; sha256 = "1d937b4i9mrwfgs1s17qhbd78dcd97wwm8zsajkarky8d55rz1bw"; }; } { - goPackagePath = "github.com/gilbertchen/go.dbus"; + 
goPackagePath = "github.com/gilbertchen/go.dbus"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go.dbus"; - rev = "9e442e6378618c083fd3b85b703ffd202721fb17"; + rev = "9e442e6378618c083fd3b85b703ffd202721fb17"; sha256 = "0q8ld38gnr4adzw5287lw5f5l14yp8slxsz1za5ryrkprh04bhkv"; }; } { - goPackagePath = "github.com/gilbertchen/goamz"; + goPackagePath = "github.com/gilbertchen/goamz"; fetch = { type = "git"; url = "https://github.com/gilbertchen/goamz"; - rev = "eada9f4e8cc2a45db775dee08a2c37597ce4760a"; + rev = "eada9f4e8cc2a45db775dee08a2c37597ce4760a"; sha256 = "0v6i4jdly06wixmm58ygxh284hnlbfxczvcwxvywiyy9bp5qyaid"; }; } { - goPackagePath = "github.com/gilbertchen/gopass"; + goPackagePath = "github.com/gilbertchen/gopass"; fetch = { type = "git"; url = "https://github.com/gilbertchen/gopass"; - rev = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"; + rev = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"; sha256 = "1jxzyfnqi0h1fzlsvlkn10bncic803bfhslyijcxk55mgh297g45"; }; } { - goPackagePath = "github.com/gilbertchen/keyring"; + goPackagePath = "github.com/gilbertchen/keyring"; fetch = { type = "git"; url = "https://github.com/gilbertchen/keyring"; - rev = "8855f5632086e51468cd7ce91056f8da69687ef6"; + rev = "8855f5632086e51468cd7ce91056f8da69687ef6"; sha256 = "1ja623dqnhkr1cvynrcai10s8kn2aiq53cvd8yxr47bb8i2a2q1m"; }; } { - goPackagePath = "github.com/gilbertchen/xattr"; + goPackagePath = "github.com/gilbertchen/xattr"; fetch = { type = "git"; url = "https://github.com/gilbertchen/xattr"; - rev = "68e7a6806b0137a396d7d05601d7403ae1abac58"; + rev = "68e7a6806b0137a396d7d05601d7403ae1abac58"; sha256 = "120lq8vasc5yh0ajczsdpi8cfzgi4ymrnphgqdfcar3b9rsvx80b"; }; } { - goPackagePath = "github.com/go-ini/ini"; + goPackagePath = "github.com/go-ini/ini"; fetch = { type = "git"; url = "https://github.com/go-ini/ini"; - rev = "32e4c1e6bc4e7d0d8451aa6b75200d19e37a536a"; + rev = "32e4c1e6bc4e7d0d8451aa6b75200d19e37a536a"; sha256 = 
"0mhgxw5q6b0pryhikx3k4wby7g32rwjjljzihi47lwn34kw5y1qn"; }; } { - goPackagePath = "github.com/golang/protobuf"; + goPackagePath = "github.com/golang/protobuf"; fetch = { type = "git"; url = "https://github.com/golang/protobuf"; - rev = "1e59b77b52bf8e4b449a57e6f79f21226d571845"; + rev = "1e59b77b52bf8e4b449a57e6f79f21226d571845"; sha256 = "19bkh81wnp6njg3931wky6hsnnl2d1ig20vfjxpv450sd3k6yys8"; }; } { - goPackagePath = "github.com/googleapis/gax-go"; + goPackagePath = "github.com/googleapis/gax-go"; fetch = { type = "git"; url = "https://github.com/googleapis/gax-go"; - rev = "317e0006254c44a0ac427cc52a0e083ff0b9622f"; + rev = "317e0006254c44a0ac427cc52a0e083ff0b9622f"; sha256 = "0h92x579vbrv2fka8q2ddy1kq6a63qbqa8zc09ygl6skzn9gw1dh"; }; } { - goPackagePath = "github.com/jmespath/go-jmespath"; + goPackagePath = "github.com/jmespath/go-jmespath"; fetch = { type = "git"; url = "https://github.com/jmespath/go-jmespath"; - rev = "0b12d6b5"; + rev = "0b12d6b5"; sha256 = "1vv6hph8j6xgv7gwl9vvhlsaaqsm22sxxqmgmldi4v11783pc1ld"; }; } { - goPackagePath = "github.com/kr/fs"; + goPackagePath = "github.com/kr/fs"; fetch = { type = "git"; url = "https://github.com/kr/fs"; - rev = "2788f0dbd16903de03cb8186e5c7d97b69ad387b"; + rev = "2788f0dbd16903de03cb8186e5c7d97b69ad387b"; sha256 = "1c0fipl4rsh0v5liq1ska1dl83v3llab4k6lm8mvrx9c4dyp71ly"; }; } { - goPackagePath = "github.com/marstr/guid"; + goPackagePath = "github.com/marstr/guid"; fetch = { type = "git"; url = "https://github.com/marstr/guid"; - rev = "8bd9a64bf37eb297b492a4101fb28e80ac0b290f"; + rev = "8bd9a64bf37eb297b492a4101fb28e80ac0b290f"; sha256 = "081qrar6wwpmb2pq3swv4byh73r9riyhl2dwv0902d8jg3kwricm"; }; } { - goPackagePath = "github.com/minio/blake2b-simd"; + goPackagePath = "github.com/minio/blake2b-simd"; fetch = { type = "git"; url = "https://github.com/minio/blake2b-simd"; - rev = "3f5f724cb5b182a5c278d6d3d55b40e7f8c2efb4"; + rev = "3f5f724cb5b182a5c278d6d3d55b40e7f8c2efb4"; sha256 = 
"0b6jbnj62c0gmmfd4zdmh8xbg01p80f13yygir9xprqkzk6fikmd"; }; } { - goPackagePath = "github.com/ncw/swift"; + goPackagePath = "github.com/ncw/swift"; fetch = { type = "git"; url = "https://github.com/ncw/swift"; - rev = "ae9f0ea1605b9aa6434ed5c731ca35d83ba67c55"; + rev = "ae9f0ea1605b9aa6434ed5c731ca35d83ba67c55"; sha256 = "0a0iwynhgxsl3czabl7ajnxpyw6x0dzbiqz6il8aw7kn10ld1rvl"; }; } { - goPackagePath = "github.com/pkg/errors"; + goPackagePath = "github.com/pkg/errors"; fetch = { type = "git"; url = "https://github.com/pkg/errors"; - rev = "645ef00459ed84a119197bfb8d8205042c6df63d"; + rev = "645ef00459ed84a119197bfb8d8205042c6df63d"; sha256 = "001i6n71ghp2l6kdl3qq1v2vmghcz3kicv9a5wgcihrzigm75pp5"; }; } { - goPackagePath = "github.com/pkg/sftp"; + goPackagePath = "github.com/pkg/sftp"; fetch = { type = "git"; url = "https://github.com/pkg/sftp"; - rev = "98203f5a8333288eb3163b7c667d4260fe1333e9"; + rev = "98203f5a8333288eb3163b7c667d4260fe1333e9"; sha256 = "09wxyrhwwh20rzpzb06vsj8k2bmw52cjlx7j4115zhky27528sx9"; }; } { - goPackagePath = "github.com/satori/go.uuid"; + goPackagePath = "github.com/satori/go.uuid"; fetch = { type = "git"; url = "https://github.com/satori/go.uuid"; - rev = "f58768cc1a7a7e77a3bd49e98cdd21419399b6a3"; + rev = "f58768cc1a7a7e77a3bd49e98cdd21419399b6a3"; sha256 = "1j4s5pfg2ldm35y8ls8jah4dya2grfnx2drb4jcbjsyrp4cm5yfb"; }; } { - goPackagePath = "github.com/vaughan0/go-ini"; + goPackagePath = "github.com/vaughan0/go-ini"; fetch = { type = "git"; url = "https://github.com/vaughan0/go-ini"; - rev = "a98ad7ee00ec53921f08832bc06ecf7fd600e6a1"; + rev = "a98ad7ee00ec53921f08832bc06ecf7fd600e6a1"; sha256 = "1l1isi3czis009d9k5awsj4xdxgbxn4n9yqjc1ac7f724x6jacfa"; }; } { - goPackagePath = "golang.org/x/crypto"; + goPackagePath = "golang.org/x/crypto"; fetch = { type = "git"; url = "https://go.googlesource.com/crypto"; - rev = "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94"; + rev = "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94"; sha256 = 
"1mhmr6ljzl3iafsz4qy8vval7rmr828wh59dlqqqjqx6sqmcs1dv"; }; } { - goPackagePath = "golang.org/x/net"; + goPackagePath = "golang.org/x/net"; fetch = { type = "git"; url = "https://go.googlesource.com/net"; - rev = "9dfe39835686865bff950a07b394c12a98ddc811"; + rev = "9dfe39835686865bff950a07b394c12a98ddc811"; sha256 = "0z8mnl4mi88syafrgqys2ak2gg3yrbna25hpz88y3anl8x4jhg1a"; }; } { - goPackagePath = "golang.org/x/oauth2"; + goPackagePath = "golang.org/x/oauth2"; fetch = { type = "git"; url = "https://go.googlesource.com/oauth2"; - rev = "f95fa95eaa936d9d87489b15d1d18b97c1ba9c28"; + rev = "f95fa95eaa936d9d87489b15d1d18b97c1ba9c28"; sha256 = "0p9kis69wvhv8a2qbcjxvn9ggpdh81cbfjpq5pjga7n8k6d065fh"; }; } { - goPackagePath = "golang.org/x/sys"; + goPackagePath = "golang.org/x/sys"; fetch = { type = "git"; url = "https://go.googlesource.com/sys"; - rev = "82aafbf43bf885069dc71b7e7c2f9d7a614d47da"; + rev = "82aafbf43bf885069dc71b7e7c2f9d7a614d47da"; sha256 = "1jvngpvy0q40f7krkgmwf5bbjzhv449297awcr0y78kzn0cyawi2"; }; } { - goPackagePath = "golang.org/x/text"; + goPackagePath = "golang.org/x/text"; fetch = { type = "git"; url = "https://go.googlesource.com/text"; - rev = "88f656faf3f37f690df1a32515b479415e1a6769"; + rev = "88f656faf3f37f690df1a32515b479415e1a6769"; sha256 = "0zakmgg6dlwnkhignwjajn0dckzqq18zxvnmmg0fq6455x7fs673"; }; } { - goPackagePath = "google.golang.org/api"; + goPackagePath = "google.golang.org/api"; fetch = { type = "git"; url = "https://code.googlesource.com/google-api-go-client"; - rev = "17b5f22a248d6d3913171c1a557552ace0d9c806"; + rev = "17b5f22a248d6d3913171c1a557552ace0d9c806"; sha256 = "0gs78qsxfg89kpiiray1x9jiv6bh328jmjkwd3ghnygf3l98kc8c"; }; } { - goPackagePath = "google.golang.org/appengine"; + goPackagePath = "google.golang.org/appengine"; fetch = { type = "git"; url = "https://github.com/golang/appengine"; - rev = "150dc57a1b433e64154302bdc40b6bb8aefa313a"; + rev = "150dc57a1b433e64154302bdc40b6bb8aefa313a"; sha256 = 
"0w3knznv39k8bm85ri62f83czcrxknql7dv6p9hk1a5jx3xljgxq"; }; } { - goPackagePath = "google.golang.org/genproto"; + goPackagePath = "google.golang.org/genproto"; fetch = { type = "git"; url = "https://github.com/google/go-genproto"; - rev = "891aceb7c239e72692819142dfca057bdcbfcb96"; + rev = "891aceb7c239e72692819142dfca057bdcbfcb96"; sha256 = "1axim84fqzsp6iialk6zl4fsbfpx658vssc6ccakn4yy1xc9h854"; }; } { - goPackagePath = "google.golang.org/grpc"; + goPackagePath = "google.golang.org/grpc"; fetch = { type = "git"; url = "https://github.com/grpc/grpc-go"; - rev = "5a9f7b402fe85096d2e1d0383435ee1876e863d0"; + rev = "5a9f7b402fe85096d2e1d0383435ee1876e863d0"; sha256 = "1hlirgvmzb929jpb1dvh930646ih5ffg3b6pmlilqr7ffdkl5z3j"; }; } -] \ No newline at end of file +] diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 72c40b1..045572c 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,4 +1,4 @@ -with import {}; +with import { }; stdenv.mkDerivation { name = "env"; buildInputs = [ @@ -7,6 +7,6 @@ stdenv.mkDerivation { go2nix dep2nix nix-prefetch-github - (callPackage ./default.nix {}) + (callPackage ./default.nix { }) ]; } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix new file mode 100644 index 0000000..9a7b0e5 --- /dev/null +++ b/nix/pkgs/jay.nix @@ -0,0 +1,36 @@ +{ + lib, + src, + rustPlatform, + libinput, + libxkbcommon, + mesa, + pango, + udev, +}: +rustPlatform.buildRustPackage rec { + pname = "jay"; + version = src.rev; + + inherit src; + + cargoLock.lockFile = "${src}/Cargo.lock"; + + buildInputs = [ + libxkbcommon + mesa + pango + udev + libinput + ]; + + RUSTC_BOOTSTRAP = 1; + + meta = with lib; { + description = "A Wayland compositor written in Rust"; + homepage = "https://github.com/mahkoh/jay"; + license = licenses.gpl3; + platforms = platforms.linux; + maintainers = with maintainers; [ dit7ya ]; + }; +} 
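Review bot: `RUSTC_BOOTSTRAP = 1;` in jay.nix carries no explanation; the variable makes a stable rustc accept nightly-only features for every crate compiled in this derivation, so a comment such as `# upstream relies on unstable rustc features; RUSTC_BOOTSTRAP lets the stable compiler accept them` (confirm against upstream's build docs) would record why it is needed. `version = src.rev;` likewise deserves a note that the package version is the input's commit hash, since `src` is supplied by the caller and nothing in this file pins a release.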
diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile
new file mode 100644
index 0000000..97464d1
--- /dev/null
+++ b/nix/pkgs/logseq/Containerfile
@@ -0,0 +1,57 @@
+# NOTE: please keep it in sync with .github pipelines
+# NOTE: during testing make sure to change the branch below
+# NOTE: before running the build-docker GH action edit
+# build-docker.yml and change the release channel from :latest to :testing
+
+# Builder image
+# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder
+FROM clojure:temurin-11-tools-deps-bullseye-slim as builder
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Install reqs
+RUN echo 1
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ curl \
+ ca-certificates \
+ apt-transport-https \
+ gpg \
+ build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \
+ zip
+
+# install NodeJS & yarn
+RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -
+
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn
+
+WORKDIR /data
+
+ENV VERSION=0.10.9
+
+# build Logseq static resources
+RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git .
+
+RUN yarn config set network-timeout 240000 -g && yarn install
+RUN yarn release-electron
+
+RUN mkdir /out
+RUN mv /data/static/out/make/zip /out/${VERSION}.zip
+RUN mv /data/static/out/make/*.AppImage /out/
+
+FROM scratch as artifacts
+COPY --from=builder /out /
+# Logseq-${VERSION}.AppImage
+# RUN mv zip /${VERSION}.zip
+
+# RUN \
+# mkdir -p builds
+# # NOTE: save VERSION file to builds directory
+# cp static/VERSION ./builds/VERSION
+# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage
+# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip
+
+# # Web App Runner image
+# FROM nginx:1.24.0-alpine3.17
+#
+# COPY --from=builder /data/static /usr/share/nginx/html
+#
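Review bot: `RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -` runs a remote script as root inside the build with no integrity check, and together with the unpinned `FROM clojure:temurin-11-tools-deps-bullseye-slim` base (the pinned variant sits commented out just above it) and `git clone -b ${VERSION}` (a tag, which upstream can move) three inputs of this build are unverified, so the produced AppImage is neither reproducible nor attributable. Prefer adding the nodesource apt repository with a downloaded key referenced via `signed-by=` rather than executing the setup script, restore the digest- or version-pinned base image, and check out a specific commit, e.g. `RUN git clone https://github.com/logseq/logseq.git . && git checkout <commit-for-0.10.9>`. The same applies to the yarn key, which `tee /etc/apt/trusted.gpg.d/yarn.gpg` trusts for every apt source rather than only the yarn repository. `RUN echo 1` looks like a leftover cache-buster and `git` is not in the `apt-get install` list, so the clone depends on the base image shipping it; a comment on each would help the next maintainer.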
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md
new file mode 100644
index 0000000..0c596b6
--- /dev/null
+++ b/nix/pkgs/logseq/README.md
@@ -0,0 +1,22 @@
+# build instructions
+
+this is pseudocode that serves as a reminder
+
+1. podman build -f Containerfile -t logseq
+2. CONTAINER_ID=$(podman container create logseq)
+3. podman unshare
+4. podman mount $CONTAINER_ID
+5. copy and upload the AppImage. e.g.
+ ```
+ cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage .
+ exit
+ scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/
+ ```
+6. podman unshare
+7. podman unmount
+
+# resources
+
+- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90
+- https://github.com/logseq/logseq/blob/master/Dockerfile
+- https://github.com/randomwangran/logseq-nix-flake
diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix
new file mode 100644
index 0000000..c1850c1
--- /dev/null
+++ b/nix/pkgs/magmawm.nix
@@ -0,0 +1,47 @@
+{
+ lib,
+ src,
+ craneLib,
+ pkg-config,
+ wayland,
+ libseat,
+ libinput,
+ libxkbcommon,
+ mesa,
+ udev,
+ dbus,
+ libGL,
+}:
+craneLib.buildPackage {
+ inherit src;
+ pname = "magmawm";
+ version = src.rev;
+
+ nativeBuildInputs = [ pkg-config ];
+
+ buildInputs = [
+ wayland
+ udev
+ libxkbcommon
+ libinput
+ dbus
+ libseat
+ mesa
+ ];
+
+ preFixup = ''
+ if [[ -e "$out/bin/magmawm" ]]; then
+ patchelf \
+ --add-needed "${libGL}/lib/libEGL.so.1" \
+ $out/bin/magmawm
+ fi
+ '';
+
+ meta = with lib; {
+ description = "A versatile and customizable Window Manager and Wayland Compositor";
+ homepage = "https://github.com/MagmaWM/MagmaWM";
+ license = licenses.gpl3;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ ];
+ };
+}
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 9fa1c05..142c1c0 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -1,18 +1,18 @@ -{ pkgsi686Linux -, stdenv -, fetchurl -, dpkg -, makeWrapper -, coreutils -, ghostscript -, gnugrep -, gnused -, which -, perl -, lib +{ + pkgsi686Linux, + stdenv, + fetchurl, + dpkg, + makeWrapper, + coreutils, + ghostscript, + gnugrep, + gnused, + which, + perl, + lib, }: - -let +let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { 
@@ -20,37 +20,49 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; - -in rec { +in +rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ dpkg makeWrapper ]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' - dir="$out/${reldir}" - substituteInPlace $dir/lpd/filter_${model} \ - --replace /usr/bin/perl ${perl}/bin/perl \ - --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ - --replace "PRINTER =~" "PRINTER = \"${model}\"; #" - wrapProgram $dir/lpd/filter_${model} \ - --prefix PATH : ${stdenv.lib.makeBinPath [ - coreutils ghostscript gnugrep gnused which - ]} - # need to use i686 glibc here, these are 32bit proprietary binaries - interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 - patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter + dir="$out/${reldir}" + substituteInPlace $dir/lpd/filter_${model} \ + --replace /usr/bin/perl ${perl}/bin/perl \ + --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ + --replace "PRINTER =~" "PRINTER = \"${model}\"; #" + wrapProgram $dir/lpd/filter_${model} \ + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + which + ] + } + # need to use i686 glibc here, these are 32bit proprietary binaries + interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 + patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter ''; meta = { description = "Brother ${lib.strings.toUpper model} driver"; - homepage = http://www.brother.com/; - license = stdenv.lib.licenses.unfree; - platforms = [ "x86_64-linux" "i686-linux" ]; - maintainers = [ stdenv.lib.maintainers.steveej ]; + homepage = "http://www.brother.com/"; + license = lib.licenses.unfree; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; 
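Review bot: The three `substituteInPlace $dir/lpd/filter_${model} --replace ...` calls in driver's installPhase succeed even when a pattern is absent, so an updated `.deb` whose filter script no longer contains `BR_PRT_PATH =~` or `PRINTER =~` would still build and only fail at print time. Current nixpkgs deprecates the plain `--replace` spelling in favour of `--replace-fail`, which turns a missing pattern into a build error; if the nixpkgs in use has it, switch these (and the matching calls in the cupswrapper hunks below, whose block starts outside those hunks) to `--replace-fail`. The `# need to use i686 glibc here` comment could also say why `$NIX_CC`'s dynamic-linker is not used: this derivation builds under the 64-bit `stdenv`, so that value would be the wrong loader for these binaries.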
@@ -58,7 +70,10 @@ in rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ dpkg makeWrapper ]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -70,7 +85,13 @@ in rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + gnugrep + gnused + ] + } mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -79,10 +100,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; - homepage = http://www.brother.com/; - license = stdenv.lib.licenses.gpl2; - platforms = [ "x86_64-linux" "i686-linux" ]; - maintainers = [ stdenv.lib.maintainers.steveej ]; + homepage = "http://www.brother.com/"; + license = lib.licenses.gpl2; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/nomad/default.nix b/nix/pkgs/nomad/default.nix deleted file mode 100644 index 4214ce9..0000000 --- a/nix/pkgs/nomad/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -with import {}; - -stdenv.mkDerivation rec { - name = "nomad"; - version = "0.1.2"; - filename = "nomad_${version}_linux_amd64.zip"; - - src = fetchurl { - url = "https://releases.hashicorp.com/nomad/${version}/$(unknown)"; - sha256 = "0d3r3n1wwlic1kg3hgghds7f3b0qhh97v8xf36mcmsnmn2ngfd9k"; - }; - - unpackPhase = '' - unzip ${src} - ''; - - - buildInputs = [ makeWrapper unzip ]; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 ./nomad - - mkdir -p $out/bin - cp ./nomad $out/bin/nomad -# wrapProgram $out/bin/nomad \ -# --prefix LD_LIBRARY_PATH : "${libPath}" -# - ''; -} 
diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix
index 47bf205..e5ac519 100644
--- a/nix/pkgs/nozbe/default.nix
+++ b/nix/pkgs/nozbe/default.nix
@@ -1,61 +1,60 @@ -with import {}; - +with import { }; stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [ makeWrapper ]; - buildPhase = '':''; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; + ln -sf ../Nozbe $out/bin/ + ''; } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index 488a31e..b7ad5cb 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,8 +1,8 @@ # posh makes use of podman to run an encapsulated shell session { pkgs, ... }: - let - cniConfigDir = let + cniConfigDir = + let loopback = pkgs.writeText "00-loopback.conf" '' { "cniVersion": "0.3.0", @@ -37,7 +37,8 @@ let ] } ''; - in pkgs.runCommand "cniConfig" {} '' + in + pkgs.runCommand "cniConfig" { } '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} @@ -125,16 +126,14 @@ let } } ''; - in - -{ image -, pull ? "always" -, global_args ? "" -, run_args ? "" -, userns ? "keep-id" +{ + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", }: - (pkgs.writeScriptBin "posh" '' #! ${pkgs.bash}/bin/bash source /etc/profile @@ -170,12 +169,16 @@ in --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ --rm -i --network host --pull=''${POSH_PULL} \ $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns="+userns else ""} \ + ${if userns != null then "--userns=" + userns else ""} \ ${run_args} \ ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'') -.overrideAttrs(attrs: attrs // { - passthru = { - shellPath = "/bin/posh"; - }; -}) +'').overrideAttrs + ( + attrs: + attrs + // { + passthru = { + shellPath = "/bin/posh"; + }; + } + ) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 8d456d6..5e50ecf 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -1,12 +1,12 @@ -{ stdenv -, fetchFromGitHub -, autoconf -, automake -, libtool -, gnumake -, gcc +{ + stdenv, + fetchFromGitHub, + autoconf, + automake, + libtool, + gnumake, + gcc, }: - stdenv.mkDerivation rec { name = "slirp4netns-${version}"; version = "v0.2.1"; @@ -25,14 +25,14 @@ stdenv.mkDerivation rec { gnumake gcc ]; - + configurePhase = '' ./autogen.sh ./configure --prefix="" ''; buildPhase = '' - make + make ''; installPhase = '' 
@@ -41,7 +41,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "User-mode networking for unprivileged network namespaces"; - homepage = https://github.com/rootless-containers/slirp4netns; + homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; maintainers = [ maintainers.steveej ]; platforms = platforms.all; diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 7886d1b..35399ad 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix @@ -1,25 +1,51 @@ -{ stdenv, fetchurl, makeWrapper -, dpkg, patchelf -, gtk2, glib, gdk_pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd +{ + stdenv, + fetchurl, + makeWrapper, + dpkg, + patchelf, + gtk2, + glib, + gdk_pixbuf, + alsaLib, + nss, + nspr, + GConf, + cups, + libgcrypt, + dbus, + systemd, }: - let inherit (stdenv) lib; - LD_LIBRARY_PATH = lib.makeLibraryPath - [ glib gtk2 gdk_pixbuf alsaLib nss nspr GConf cups libgcrypt dbus ]; + LD_LIBRARY_PATH = lib.makeLibraryPath [ + glib + gtk2 + gdk_pixbuf + alsaLib + nss + nspr + GConf + cups + libgcrypt + dbus + ]; in stdenv.mkDerivation rec { version = "2.8.1"; name = "staruml-${version}"; src = - if stdenv.system == "i686-linux" then fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } else fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + if stdenv.system == "i686-linux" then + fetchurl { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; buildInputs = [ dpkg ]; 
@@ -50,8 +76,11 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "A sophisticated software modeler"; - homepage = http://staruml.io/; + homepage = "http://staruml.io/"; license = licenses.unfree; - platforms = [ "i686-linux" "x86_64-linux" ]; + platforms = [ + "i686-linux" + "x86_64-linux" + ]; }; } diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index e6bc4a0..ec7b14e 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -2,5 +2,8 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*sha256:([0-9a-z]{52})' -r '$1') -sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} +# sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') + +sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index 8347b45..a085713 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
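Review bot: The new `rg` pattern captures the hash in whichever form nix prints it, including the SRI form shown in the added comment, but SRI base64 can contain `/`, which is the delimiter of `sed -E "s/0{52}/${hash}/"`, so that `sed` will fail with an unterminated-expression error for any such hash; use a delimiter that cannot occur in base64, `sed -E "s|0{52}|${hash}|" "${INFILE}" >"${OUTFILE}"`. The `0{52}` placeholder also still matches only the old 52-character base32 spelling, and the captured value now carries its `sha256:`/`sha256-` prefix, so the placeholder in INFILE has to be written without a prefix for the result to be a valid hash attribute. Finally, `set -xe` on line 2 has no `pipefail`, so when `nix-build` fails or `rg` finds nothing, `hash` is empty and `sed` silently deletes the placeholder; `[[ -n "${hash}" ]] || exit 1` after the assignment would make that visible.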
@@ -1,32 +1,39 @@ -{ system ? builtins.currentSystem -, vmPkgsPath -, buildPkgsPath -, nixosConfigPath +{ + system ? builtins.currentSystem, + vmPkgsPath, + buildPkgsPath, + nixosConfigPath, }: - let - buildPkgs = import buildPkgsPath {}; - vmPkgs'= import vmPkgsPath {}; + vmPkgs' = import vmPkgsPath { }; vmPkgs = vmPkgs' // { runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; }; importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); - - nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; pkgs = vmPkgs; }; - vmConfig = importWithPkgs { path = "${buildPkgsPath}/nixos/modules/virtualisation/qemu-vm.nix"; pkgs = vmPkgs; }; - evalConfig = importWithPkgs { path = "${vmPkgsPath}/nixos/lib/eval-config.nix"; pkgs = null; }; - vmWithBootLoaderConfigMixed = (evalConfig { - modules = [ - nixosConfig - vmConfig - { - virtualisation.useBootLoader = true; - } + nixosConfig = importWithPkgs { + path = "${nixosConfigPath}"; + pkgs = vmPkgs; + }; + vmConfig = importWithPkgs { + path = "${buildPkgsPath}/nixos/modules/virtualisation/qemu-vm.nix"; + pkgs = vmPkgs; + }; + evalConfig = importWithPkgs { + path = "${vmPkgsPath}/nixos/lib/eval-config.nix"; + pkgs = null; + }; - ]; - }).config; -in { + vmWithBootLoaderConfigMixed = + (evalConfig { + modules = [ + nixosConfig + vmConfig + { virtualisation.useBootLoader = true; } + ]; + }).config; +in +{ vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; } diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 520e0c8..3ee6ee0 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm *.qcow2 +rm ./*.qcow2 rm result* set -e 
@@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -./result/bin/run-*-vm +"./result/bin/run-*-vm" diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 874bea1..49dc463 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix +++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,8 +1,4 @@ -{ pkgs, lib, ... }: -let - -in - +{ lib, ... }: { boot.loader.grub = { enable = true; @@ -14,7 +10,8 @@ in boot.loader.efi.canTouchEfiVariables = true; boot.loader.systemd-boot.enable = true; - boot.initrd.luks.devices = [ { + boot.initrd.luks.devices = [ + { name = "crypt"; device = "/dev/disk/uuid/463d886d-7dfe-421b-8cef-f9af3a3fa09d"; preLVM = true; @@ -22,17 +19,23 @@ in } ]; fileSystems."/" = { - label = "root"; + label = "root"; }; fileSystems."/boot" = { - label = "boot"; + label = "boot"; }; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; } diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 0d11067..8e3bdce 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh 
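Review bot: Quoting the glob on the last line breaks the script: `"./result/bin/run-*-vm"` is now looked up as a file literally named `run-*-vm`, so the VM is never launched. Keep the expansion but make it explicit, e.g. `run=(./result/bin/run-*-vm)` followed by `"${run[0]}"` (the script is already bash), which also satisfies the linter that presumably prompted the change. The glob was unquoted on the old side precisely because the launcher's name is generated by the build.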
@@ -1,3 +1,5 @@ +#!/usr/bin/env bash + # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ @@ -24,7 +26,6 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ - /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio diff --git a/nix/tests/buildvmwithbootloader/result b/nix/tests/buildvmwithbootloader/result deleted file mode 120000 index a5fdbfc..0000000 --- a/nix/tests/buildvmwithbootloader/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/xh6p394kh1bncmc3lr6l9fb81284ckhf-nixos-vm \ No newline at end of file diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index d647b3c..fc956b6 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,6 +1,5 @@ -{ lib, config, pkgs, fetchgit, ... }: -{ - boot.consoleLogLevel=6; +_: { + boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; networking.firewall.enable = false; diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index 8eb8229..bd140a9 100644 
--- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix @@ -3,6 +3,7 @@ steveej = { openssh = [ # active, current + "ssh-rsa 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 cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 92f89d2..91d2eb6 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 4a3e8f4..6d441a6 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix @@ -1,11 +1,10 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67"; + ref = "nixos-22.11"; + rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; }; in - { inherit nixpkgs; nixos = nixpkgs // { 
@@ -15,16 +14,16 @@ in "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb"; + rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = "3312e1c3ba80506c435876f016d7b3888f297c4e"; + rev = ''a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "7339784e07217ed0232e08d1ea33b610c94657d8"; + ref = "release-22.11"; + rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index 09f95fd..66e90e3 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -1,11 +1,12 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-20.09"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; + ref = "nixos-22.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; }; in - { inherit nixpkgs; nixos = nixpkgs // { 
@@ -15,16 +16,22 @@ in "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; - ref = "release-20.09"; - rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>"; + ref = "release-22.11"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; }; } diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile new file mode 100644 index 0000000..8afa2ce --- /dev/null +++ b/oci/user-ubuntu/Containerfile 
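Review bot: The formatter rewrote `tr -d '\n'` into `tr -d '` followed by a literal newline plus the indentation and a closing `'` inside an indented string, so the shell command now deletes newlines and spaces rather than only newlines; it still yields a clean hex hash only because neither character occurs in one, and any change to the indentation or to the captured text would silently alter the output. The same rewrite appears in the `nixpkgs.rev` hunk above. Since a `.tmpl.nix` file is not valid Nix until rendered, exclude it from the Nix formatter and restore the explicit single-line form, `rev = "<% git ls-remote … | awk '{ print $1 }' | tr -d '\n' -%>";`.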
@@ -0,0 +1,27 @@ +FROM ubuntu + +ARG USERNAME=user +ARG USER_UID=1000 +ARG USER_GID=$USER_UID + +# Create the user +RUN groupadd --gid $USER_GID $USERNAME \ + && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ + # + # [Optional] Add sudo support. Omit if you don't need to install software after connecting. + && apt-get update \ + && apt-get install -y sudo \ + && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ + && chmod 0440 /etc/sudoers.d/$USERNAME + +# ******************************************************** +# * Anything else you want to do like clean up goes here * +# ******************************************************** + +# [Optional] Set the default user. Omit if you want to keep the default as root. +USER $USERNAME + + +ENV DEBIAN_FRONTEND=noninteractive +RUN sudo apt install -y curl xz-utils +RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh new file mode 100755 index 0000000..6ed8d64 --- /dev/null +++ b/scripts/sway-swapoutputworkspaces.sh 
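Review bot: Both supply-chain inputs of this image are unpinned: `FROM ubuntu` resolves to whatever `latest` is at build time, and the final `RUN` pipes an unversioned installer from `https://install.determinate.systems/nix` straight into `sh`, so two builds of the same Containerfile can yield different toolchains and a changed or compromised upstream is picked up silently. Pin the base image to a tag plus digest (`FROM ubuntu:<tag>@sha256:<digest>`), and download the installer to a file, verify it against a recorded checksum (or use a versioned release URL if the installer publishes one), and execute it only after the check passes. The `NOPASSWD:ALL` sudo rule means the `USER $USERNAME` switch provides no privilege boundary, which is normal for a dev container but deserves a comment stating it is intentional. `ENV DEBIAN_FRONTEND=noninteractive` persists into the running image; a build-time `ARG`, or prefixing the `apt` command with it, keeps runtime behaviour untouched.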
@@ -0,0 +1,41 @@ +#!/usr/bin/env sh + +# Get two outputs, visible workspaces and focused workspace +output1=$(swaymsg -t get_outputs --raw | jq '.[0].name' -r) +output2=$(swaymsg -t get_outputs --raw | jq '.[1].name' -r) +workspace1=$(swaymsg -t get_outputs --raw | jq '.[0].current_workspace' -r) +workspace2=$(swaymsg -t get_outputs --raw | jq '.[1].current_workspace' -r) +workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==true).name') + +# If any of the outputs doesn't have a workspace, do nothing +if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then + exit 0 +else + # If script is provided with `follow` argument, then follow focused workspace + if [ "$1" = "follow" ]; then + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace2" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + fi + # Else focus stays with focused output + else + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace1" + fi + fi +fi diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd new file mode 100644 index 0000000..eba3f98 --- /dev/null +++ b/secrets/desktop/radicale_htpasswd 
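Review bot: The script queries `swaymsg -t get_outputs` four separate times, so an output being plugged or unplugged between the calls can pair `output1` with the `current_workspace` of a different output; capture the JSON once with `outputs=$(swaymsg -t get_outputs --raw)` and run each `jq` filter on `"$outputs"`. The `= null` check also does not cover a failed `swaymsg`, where the variables are empty rather than `null`, so the moves then run with empty names; extending the guard with `[ -z "$output1" ] || [ -z "$output2" ]` handles that. A short header comment describing the two modes (`follow` versus keep focus) would help, since the branches differ only in the order of `swaymsg workspace` calls.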
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEpQSUdkWStSb0Evbklx\nQXdHK3BtMEh3L1Vtc0VlN1paWm1sMkJhaTJJCmd3eTZyRkdMOVQ1MmwxaU1YYXBK\nb0ZKY0tqTCtEUGNHQzFhSXVBOHpUeVUKLS0tIDJtd2wrbFZNanZ6cGYwcjRNdDdN\nbm9adllGcy9GeitiYU53ZUtRaTgvUWsKuDmxV1BJPaiSyfzFmG7kE9K/GxjCfsI/\nejd+DnLe8FdHxyJyyrqShE/CWzw+CKL1Z9dO5SBmrEQXgZu1Zhdysg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVkRhYzVtVVBTcm5abndE\nVEtMODUwNFNaVEtqeVUyVUpuVXBqbDBtL1RZCmYyVUd3N0NBQzBRVWozWVAxczZD\nM1RLbzhYUXVjNm9KdlN4c252YVV6aVkKLS0tIE12WmFtMUxsczFBbEpES0UzZmhl\nRGRyQllzLytja1JpY1RpdXZwSFVwcU0KlNOFmcNo5T7GY6Qma/6w/GRDECR/0XQR\nCDm90Zx4QTDJrjy7ach3poPeHEKmlhW+ZQ4MlB8cuAjsjpVdgzBD3w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcTV6NmoyekZJU3hmNTVB\nSklnWUczaHFtenpWbWNTNFZqNkV5ODFZSkZBCkc4b3BuYzdnUCt0WkgzL0tKM0Vl\ndEZ0MkZkb2p3T245S1dhenQ4MkQ1ME0KLS0tIEdWRll6VEk2SDdERTNjZG1xMmFJ\nRWJJeXJMZkRnYUxhTWltUHVYeUtlZlUKmpWPDHAdSt2fnqLzrOhwQVFWFJi/wSLA\nbRgCQc8lJIRg4nPvwBLLvvl49NCoNCsci//ZHD4RbsjMDhBLpRab1w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-01-24T22:45:02Z", + "mac": 
"ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", + "pgp": [ + { + "created_at": "2025-06-05T09:49:10Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//Y90sdCp0RviD2cAKB1FV+r/kDR/5wMlK5CKljSMr+KpX\nOp4rhWHJ+8im0FbXdEFbCatdgC6gJlwAuZE7OqSofjPoWDUAjS4Mn4HSjHX0rxhx\nSaSsM/6q929WiktwmqCVUuxgs2ZrQraCTg9Cu0gbchYEEIg3ALtaLMMQEBfs7Reb\n6sJYdRGvmJMvw0R1mgSBCpcwX4Q2lO2bFIsfXG13/oVefKKgNDLZ8p5dnrk7OwiL\ntnGh8IBSQTzba2eJdayKGF3mB7pTlCh56yt5Ia37QaJKTrXe+nWBx8HmItlCjrwn\nndRiHUG7+ElC94WxsKVAKqPhsuud8fuRLzcicT/Apd3E1Zy418XHj6qscHn4nYRM\nJeESRBkECrFIlKLjaM6rmL7FZ47RO2tIBdnL7FTT6HxIL7jaBFHdp9DBdpthXUdL\nAhbQg3mT88F2EdgCQCdm1SGiAs3h2/Od0ipIYazlq8XkhsCT8ZCijykxJNTz/2JQ\n0oXAgXRH3yJHcTbAsyrxHv98jHf0qIkLvFaYjigR4Rvv7wEOdhCgXyqCBjOkX6xT\nxqz5bRJ1rgyBT3jyoTtKw56wFWwoOqCAbReFgTtKdoEm+U3Xg+X/FsFiJ2ZrPsz3\nY35v6zsx4oi5Byvf5Jk53BeSKjgbzfu4dKFqNWzEi/UgQwVNgpV5iyhNK2ab01LS\nXAGzbiWT1YbYVLcoK1QW1G+hs4UTUMMyhyPP1fV0kUnxvuhupbvGIepcf4mcvjgs\nQxxNTRLyKt22so06awWrVNc+pltUivW3sFeTDdJBBqc9ILx33pSZiDdt2LTW\n=5gtk\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml new file mode 100644 index 0000000..c2a5987 --- /dev/null +++ b/secrets/holochain-infra/nomad.yaml 
@@ -0,0 +1,41 @@ +holochain-nomad-agent-ca: ENC[AES256_GCM,data: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,iv:jojLi4+X6BVLcBiDTgcrwdh/H73sQW9l1n+SrTa8HEE=,tag:2vRZsuWyR0LMlSmzILflwg==,type:str] +holochain-nomad-cli-cert: ENC[AES256_GCM,data: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,iv:1x4/kBIMbsB87MN+a8keJxJMVZZXRJ9WvozckByPLqU=,tag:l2WBaVhcP591TtEoZmIkUA==,type:str] +holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3bLiyGdWHTtIbUGfp5wQ5p5zTyDBzA1IeWfTBIaM5dLyw7W+95KENaahJph+HrNbvLvBK8CXmTp7bRFJOgXIDV7CkxnTTX46Qptd17F3gY/4/HeMYsGJ7cZYmLYjW2UiyT6NmrivcaPJmECnuPPJV8aN3Kofm2gL9jbw089IiG6yksT1Y+AQUt/UQBzjYGpaYPHYaldgPQkb0+yaSb+DhF8/fr9lNsCyUbtnHFVNfiQj64IDw68jBohIMQzCMd44plJI8dcJNoA0TM=,iv:qShNRSKgqIe03a1K3FqTpDxogf4Uc25UsZXpwd6cHT8=,tag:9zr/wfR4umX6JCMslrjQjA==,type:str] +holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] +holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYStCU2FnN2oxWWU4aWJR + N1NXQW5oRlZCL3BPVDN0d01sTk8wUy9FNTM0CmEvdTJsZDEvWkhvcFdBSHNWMS9O + WDBYQjhzSE9IeTAzczR1eFlnVXUwRU0KLS0tIGtpTG45Qmh1cHc0ZUpGTUQ5NTF4 + OVJwWGR2TkR1VWtHeVp6Wlk4S3I4Q3cKAeQEBdqh8yeD1jSClUaofdqEPz7RNEaP + /Sk5FUTmjC07s2fyORf+03SK43+HbJRNASyC8EtCrqAMcwKFlti1eg== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2025-06-05T09:49:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/7BTbxsFCBhKM6oM1JkRNgR3gHCabXrparjyC3ayfFkFQr + TGWW1S/RkTyAbzMkG6VJmvbd28AqzPUWMBxOHtJB8e/aLJIFchL0pAuSK3w51iGN + Ss20IDUkX8wyljdFSJYhiGF6CNRZGkMAvzghDW0zVHzJlaXlZvAL1sqhOHhykugZ + ++/RZsjnjymVL/chXr/z/VI/6Ovmjjv9mcSG5HvziJfdihZS3pChTbOPCRZhjPzT + Or/AzDBk191cF+PLq7qOSO8dNMoR/mW8gYLLpfi/N3rURpdZWPKsH11hFGo4/Iwx + pNVHER60Q98i8VYXwdvxprOc0TtknPkFRIWA1tvPuMY44992ok7eJITaPpUufB66 + POBoOQzkvjZZIY9sbJK//e3boqvGaUfs0ia+kKSovvGz9d1EefyNEmZfR9kA/Lyt + eGEBlpxwVVA+qGsC/MaCfYKsKRtzUkPshb/vPNV6pfBQ6eTuUdQKSDSIv+PTXoVt + wkIG8HJB3z/L1IlaE4y5o/8anHa/Z3cdI4wzMNoJKCTt49SzAWPONxL/KegWwLYl + KD7RVam47l2Ju4pV8IsYMTjSc2SYyzDxzAJSYNBzYT7Z+U1v08HMJLjH4oDR6mYH + d6kxkSQ77wXAwP9UcMOHbVbTbT+MKqv+UrvWSDMDdZrrymRNfMjlC65KItDBbCXS + XgHkBg6IcSO3VtmH79ceOwkhfNCXwF0rkQzfAn29l/+1MZu22CAxuiW4t0zxN83o + pv3FRQwrbuVQUZNFyy3Iq00mThs3J/Ze0BltrPBSG9mHTE8kHn6sg2uudQr69tU= + =1Ywm + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc new file mode 100644 index 0000000..5592a8f --- /dev/null +++ b/secrets/hstk0/mycelium_priv_key.bin.enc 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MlpwdVpvNFpqQW9GRlJv\nQmtiK05mMkk3ZEZMNzMzNzRGN1NoWjY2VWdjCkdiOEs4bWFzNjRtNmRuZGxjYTlo\nakQ2bFVqTGE4dkZBSitLb0VjME9TaDQKLS0tIHJocmdZNUp6WjNOTTN1d3pxMENV\nNWxYdmp2ODJKbDEydXpJejBHK3M3aW8KpnFNofmSJZN6NDZ8od+RIf3v0Pa+o+Gw\ntAuyC2TuLb5N6RXyRUmnu0eD6bWLE6D7CvpYBy5GEHcKnbAdX07aJw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWpxa0RySm9tNWM2ekNI\nNVNUT3JCSWUwazZoeGhmNldReXRDTnpjT2djCi8wdEdJZHdaRzFyem1BUVJRUVk5\nNEF6Yms4dDgwWWFmQ2J6c3J3eEdIZFUKLS0tIHVFa0lZRWhGV1BHYjRWdHFWTkJZ\nRFJ5VUpINHdEeXYwdHliWG1ZN0J5bTQKLFZuFWgC9KE3WVbQYqxveFmzMHPE9yvB\n6odS9oKWt2v+5q1K9Bw1Q9MYv9cqPZrnfwJbjXZwLitVXlnlFMnA+g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-17T14:49:38Z", + "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", + "pgp": [ + { + "created_at": "2025-06-05T09:49:12Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//fvT0XVvugLgN6/0PduDRIl8MiaAG38eUeEWwIafDkeuN\nuoC7SUZF+xGgmcDD0hUC30Vt/vH3O8s3eOYxvAbt5NMOCI826u2wX85LEW3YvHpT\nbGdSejUMTB9tAQkFa2q9D6ZwzgJxfrxUXoXmXJA9zxEIJ2J5KPDv/Bwy2hczsJNB\nbCzY32OjrdGUhFqRsCFZN7OHkMN6+j0riUHdGMSa3efyR0Ow7LJc/e7pQBZVagVE\nFD6w5erZUzqeRtKCTBJstuALqSseeSpQ0vV/N9ZvhlaZGsaq62+qxR+B+a7gRPJc\nr7Jsd8vYuAytSckll7PnWmZgjk3cT8fXWDWzVUHl4rORtUJgeyNxEz1976Hzrbap\nZWEJeBx3Q3U9QlUncxblraViYM+NLxgbwqx4v2AktS7Dua04AImM6itXEodDVGoG\nH4A/UtRSSoIpcuDyyrqaTfeeoMwnRfJj9O0kT2DYT5G5oBjS5/IXjIDeFYj6fvp7\nsRCnY4Lt0sijH7hQcijfSjMeXdByf4FGhe1goR1dU/COljOZ4hkfgj7lGm6BtQCa\nOG+z5kI/PUzOhzb5PKxuSm4e+QNBFnRK83SWW/P8W3y3AAVtyzIpfdw/9n04wSAK\niVnhiqA3Rp3BzC7hRCpOerag4LEWKMJUxhyn3QOHGuYWFJmdxYFafovhGY/Ms8LS\nXAFS6/No9TYKa4QrFj0iw3/Kx9X6NpdnscnxJ4YelW5+3mjJNGLEfwvVdtXbrpNW\ntmlfYCj3Kg7FP3SWGCz368CU9gjGjfBOVIi+BEJ1a7Nity3fJO3aENhNjkhO\n=REjF\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml new file mode 100644 index 0000000..c5aa7b5 --- /dev/null +++ b/secrets/hstk0/secrets.yaml 
@@ -0,0 +1,46 @@ +tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFFBNWJkS3NpWlkrQXZu + dlJHNnlRUXhQOTNEazd6ZDh3dEZ0REtMQUc0CnVhcElHR1JMaG4zWjh0WER5c2tk + OXhuVU5lSTJRdmdlM3p1UStyVUtqdDAKLS0tIDdLT0RubGZPT1F1NWg1SnoxV05z + N2tyUlJwcmdHL2NldmFzR3VWcE5yRkkKzORrAR7iCVY0ifCE/guH5/qTPujU4MAe + tfHCW4j8gdbTDUlwN8fTQC8D2ILp/4ikaGcg76vTDekb8mHVM4nNpw== + -----END AGE ENCRYPTED FILE----- + - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc1VvYi9kaDA1d2NlcGZJ + RjMvSFZ0b2VCSDc3aXJXY0pTY1VGQnlUZ0IwCit2bVBhejl2VFFBRmUxZVVReXBT + Um1kek1xWTZoMkd0blJ1MnFGdndqMDAKLS0tIDY2QW5uaXl4dHZUb0txZk1lRjVt + RE41R3JJOFpudGtNUDA4bnlEekt3NEEKOrnajH190HxAa+VuAScwWM4BOZvP2Amz + OYH7v+CXvp+74NqX/CT8/2EI1mGayrmEhpl5/iiUilBy0AUjwHQ6xA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-08T16:59:30Z" + mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] + pgp: + - created_at: "2025-06-05T09:49:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ//cOnKq/AUiMJI3gdGqxCA6kLTIjXfPJz8SceFo7QClpdL + XwJYlsvUJSLBLHhb5f1gADRtVAiGGTb80wGw1CGIHykS3+H4WwqdZCWbffg1lQ4v + QrBtZ+RTHNBWekYbyLH89E3bkM5e6DJWo2zjUzpELw9shpr23Bd9C3nLBRSGxhtj + C59HjEpcY+K4aInn1sD7/ocEuQwib+B2a8mMv0fhsrSnkDg2U9R984UbwPfH7c1b + 6XHWJe926aOv9tme0M0gZRKoDd4PWW55ZWpM+uqwi0A+elSNcwq08XdfFvSWXvua + 
DbFAyX/1TGYzcTuatqFuDdp1HvcdK8CxIziQWlwTjA/MCu3300bcdSm8J6G94yoy + EYQWHyore/5ztBFAd7QkuFLwDdQq9A7OSW89FWsEJtExC13Oyo1puqePoGKe8hI/ + +EWvWzZaYsuZhm0sqdhVhfy0jXGrmqjsHkfUD8+/kurl/U+ZhuMHykp0nGcz+xw1 + Aum60NTpl3/PFsxHsXdtRfJCMPNXtLbYvYUb/UUztU09sfcl1uN/eoEljGJDKSZW + TVHxFT1d5KbTQOnfrSlheqA6zJEGdaHRWmGOb6GbW/yMeX496qcAAHt90tkC0XrG + 1Sn/HXjX5ICH0gVjvDi4m/Yw2zaw/wGkaKWPGBdyUUkIYG33bCzJqYd7HtG6FPfS + XAEUgwFsnCWamLyfqUd3iuFLxOYL3IcoQdhkoKBa0Zo5Wjq4qPZWxG8smpwQ5IxL + +l4TGjTydE787lk29+Zi5tk3MGMsPSvUL1ev9o5ZnaUStY/NwdKrOE5wMY5y + =25kh + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml new file mode 100644 index 0000000..e1f528d --- /dev/null +++ b/secrets/router0-dmz0/secrets.yaml 
@@ -0,0 +1,63 @@ +#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] +#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] +#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] +ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] +ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] +ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] +#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] +#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] 
+#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] +wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] +wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] +wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNzRJeDlFdHhYSlRFWjJ4 + 
dXZtN21CRllTSitTZ2h2VnBNV2l2Wk5hVFNRCjhvVDFBR0ZYc3pkT0ZOMmVNMkRj + MGk5RXJ6UExmTUxoMml1bFgxLytUZjQKLS0tIFhrYS9xYzhHc0NTbHVpNEJEMU5U + UElCL0JIdWxkQ3oyZWJTUTRsYUxJdkkKobP1eWNWnvFCOY9AQRNhGjg9EzAX1MjP + QxhTNYs94CPFLeVsMghSw1v5rHLoXdyQnHc6LJ/rer6qLoSq//mv0A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1R1g5OHEyUVFzclNwYXFN + K3N1R2xoYjdyYzF3Y0NNUXNCemJ5Y05uSEJ3CkVNdXNudk13VnlXNGR0MWt2Vm5P + UHI0ZUlVemkyNGJFeklaTmhlRm5KU0EKLS0tIHQyckt0RWNtVDA1aXVLNlVyUklQ + REhSYTUzeCtoUmJhWW5oZlZkVDM0N3cKid4XtaA3rjY89HOcRdv2xivlJAabjj7u + ES/s4YtRx/S1TIaAXlMmtQe1llKv0OIaioFvtgKnkrlpf7+tROZT7Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-05T09:44:59Z" + mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] + pgp: + - created_at: "2025-06-05T09:49:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/9Hx9PkWEL0en32Ji+fk4kCcXwToFf6EOe06bNit/8r5Qw + C3ixd+uOykhbwN77yssvB8uZ52A7NTSdf6iV5E7M+nFx4+mLYMW+mZekF82ICyjW + SW4b0HsI8WwVYn7EWb3BiNa2D3ku1XXqkmaMLtEb8N+LTXW3jCq/gC1xuB6Msdny + egz7l7KemiWcOPxXZmh9INKxpEYziXCnkq7p9T+04noi6Yz9hPWBzBRBOw88AfrP + eyFzFIbWPsNpsRhVzRlWNmu4Sx0NtqNy2zHk2wkcndJaldk5EEFO2c4szofuQV0o + lmssfVH+BGwtEUs/37igSxeHwnYxEEhEof3B8qnXReUsqcrLqpvQIgleQgUg4T3s + SCbA9dCSTBfos+rVM1764B6lw5ISOj2JxJyoV5itXu1LNK45fpsT2YgRXOoaziHK + hn4WOsVnRuaadHrd2ULA/0qXlWE+QscetZzrKCIZsuqHCqNumjhNhtIlOlKLFv4U + GVMyalRmSJTCVI5EfewyHzMJpGa+OVtfEoUgM2xm1Jd34dEjjHjyynyqOj0ybB0+ + CgC8IGcWpCQZwijITMMZ/bPyet68nVrApy44pniTENcXN1byQECUuZV3Z+BTWNZg + VOuOPmiTQf26qjQ8I4fEUuRgPpC1Wze4MiDyXkX2jtgU5nbLxAhZLln4z9JA1FfS + XAGEKaPlu9x0WB9vSu3ArEERIw/rmu5Ux23Gzev4IFhzJ21Jzp4tpjZhGQvAIafQ + 
fStDytk2DOS71x7Z8MzqE10BQJ0oB37donhAxqAgOCpOnAtK1a/IOkT1m9IZ + =xkVg + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml new file mode 100644 index 0000000..6939402 --- /dev/null +++ b/secrets/router0-hosthatch/secrets.yaml 
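Review bot: `ssh_host_ed25519_key_pub`, `ssh_host_rsa_key_pub`, `wg0-publickey` and `wg1-publickey` are encrypted like the private halves, which gains no confidentiality for values that are public by design but prevents other hosts' configurations (e.g. `known_hosts` or WireGuard peer entries) from referencing them without decrypting this file, and makes key rotation invisible in review. The file already declares `unencrypted_suffix: _unencrypted`, so if hiding the host identities is not a goal, renaming these entries with that suffix (and updating the consuming module) would leave them readable while the `*_key`, `*-privatekey` and `*-psk` values stay protected.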
@@ -0,0 +1,53 @@ +#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] +wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] +wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bW12THJKV1B1Zkw2RG1H + YnpPZE9UTDVFSFZtWDRTWkd2c2pRaHdmRHdvCngyNDlmVSs0Zm5yYkFLbFFFZ2xR + M1FnYWx6UmZIQ0xZcnVtdVhmR1REL3MKLS0tIFA5TTYxSXhFN3JzRUd2UkJnV0tE + dHFiZFZIdkRtUzBSNTIzUWNIb3h4TTAKYThgfHX91UXq27b2U/wtrCyZY8484Yga + 
Ic7FhMQMEgRVC58q6xLOglCmM11USL3YeyOYEFeoLnsvecgobft3Aw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdGZhTThjd290dUM4ME11 + Y2Q3dy9sNks2OFpUNXdQZmdEUFFuVGZRZzFzClhyU0ZxY1hvUkxaa3BLajJGOHlr + M05XQTZtNGlhZ1VaeTN1ZlAwVjZVNW8KLS0tIHk1WUt2UENZaHRaSVhoanY1WEdp + YzZpeDBrM05oRXFjM2E2dTRoZmF3R2sKr9kID48vUng7tbIoc50kzB3X8SM+vIvK + GQi0dHVaYIvrIkdDm7utuqPRFTwOrxb+Fii0HVBKGzeOLTfckqfOnA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-09T14:08:09Z" + mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] + pgp: + - created_at: "2025-06-05T09:49:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfARAAosMhFMHsZ2uXt0AVKf+tbGxyr3oZte7uX45SDv+mWkpa + kGBQiiY2tLU2+GqTnec9MRx5D12r6kBuVjW3UG2FCIhONLMFk+3L80lHEZLYNVID + Og30hKqEGSRrJasnVgQPAo7SXfyfFKGflZyQV56P4jAphWCwSvkFywcXlP9ZZKA6 + SmMZrdQeylM9Qp9/B2DtoVLVv6beeSqV6gu8KBN8qSXky+MTOHadfNePNnyvl0EV + kH9SeH1ch+XbEqHhEMm/EB+RXZSBgXv0yVhHBhtr3sx06o3Jpbw7mDMEscNl76xx + QQtzR4OsBp/VKQEJde3OYUOvKzNyYk1yB5Oocrb+shAjHXrF73Yt0yeq1LiTWYA4 + BLQWzeraCoo14m8tMD9nKo4tEurTBFWOmSITTu85V+kzJ6FRc/F3i2OjB94DUBsM + VNsldqQhc4mDioVywBQ1MaA9phWHTUHprJPflByQmP3jj2bjbure1UHOFVqqzW0W + zAp5yFCJXfUJap6MPKl9ZR5zCTZmpiChJxkipwpmNSQh589uiJrCzgwJ/VQC/yHq + a56PGW6eANzjGC3CkWzEBDELjYsXhxV4jbc6Qfh0owcbWDNe2xV6u6Mp+9DvfJQx + iz06fQaN4YQP8xhfLSBg/utc+H7U8dkd1jr3/GYr4PAf17FNQA4VkF5XhxDkT6zS + XAEFECB086pVQFehiL3SpvoTJUdkJdLySQ3qVYmldA/mQXlg3SEDhGHtJlgkx+US + v0BYfCrlnygbXyuPcKKwN54K8H/uL8OAB90Vq0FFeaVbVE1zn5MJx5wQaxL7 + =v2Ad + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml new file mode 100644 index 0000000..9a2ca9f --- /dev/null +++ b/secrets/router0-ifog/secrets.yaml 
@@ -0,0 +1,55 @@ +#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] +age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] +#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] +wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] +wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRHh0S0o2RWh2azFpL0k3 + b3dPNjJmbzZwclkxVkxDdkJ6NWpTRGxycFZVCmtkNWVRZldKUXVTTFA4LzRxZita + QmNJV00wYVBOUGdlOEViVjRqRjFSSE0KLS0tIGtSYzMrQTFUREQ3all3N3VHTXZ1 + M251bnVseUdqcUFwek9SZ1FEbk9XWEEKs7g7qxFzmr5I56jPiLH2K06a4lZ59pxy + qQCXK3AIZZtz8ibLfgo058Om/36SIX7rddOVxab7QnagGwdKF4d6EQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdjE0YUlKNW1WeHJ5YWZl + aGk3N250MHlHRTNaZDN4OExjVmRoaVhReFE0CmRTeDZleHR1RzZBMWJXV2U5YU1L + MklidG5lcm1sWlZIbDV2YzlmU1ZQNEkKLS0tIFZNL2o5RlpRdlhxMnhSV3p1Ukg5 + ZHJyalhzSWJhUk96TkxuM09aUWcwMjAKu6pzq11IDeOLR9C4GEf5VyLk6WJHxxAl + X1JUdl7IFfGLSpGfFRmFN6HJxtiC1IGkEYinCfFWPR6ogx9dTp5H0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T17:23:41Z" + mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] + pgp: + - created_at: "2025-06-05T09:49:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ//fh09erpIbQiOxllj9U47PNkGNHQHiw1mrECpdjXUwVxz + 2KLJ2Sg0KLDcU5tDmr8s4Agm7pKluncJ9xPSNs1RriP6pZ/uJQrX4nc3tSRktgPv + haHBrwVSX+E1WDcxk9mpbS1jfpE2YsgtjLRMsHgequ2zf0JhSJiJJnI7IR3eur2Q + qewY3MfBE3jMGZoqt5r5P0pTFwZZhsdNlSc4UpYxNWKw+mCZd6jL9J1c9l/LkIZc + rn9hxqGTlouRw7pRrCD8HPD3g27PFcWfqRO18CBM+tHlj62q8PTZX+IfkLh7VbCG + Py1ByglXYvfT6y8NgFPjzaIl+ZLMcPuHkMW2sdOFGQ1L2+W3GaVaD0TFYlFUT1dD + 
A47/8yFFXYD/4MzcZK7W2fHdzQt1qtACoAPxgiM38uon237gNOSbuSmamfR66rI2 + L6+v7jlkt364Yt9D0bQCqNJQ6uhtFykaLqN6mLoj1IeoP9yQGaEni2pJzDfW4QYd + EiwigSxviiDnGRGaithMMexrLzcf7UhEZJgGrq+D3d2xPN4mJ9irT9MheFYwYLW4 + M/yDnA50GvwxHA7IzrR1fxneO6P44zi82stX+agFTmbiBKw2aelGJM+wwzCEVGfR + /ksU6xhLbL7aMZLBXkZ1ZV9tf0t5EbizapqNdILxSMgaKfGegJGZHLuvukv55ODS + XAFXaECdhLj92gxmtVAf9Ct/17J7fkD+qLHHmrVBTHJWZ40zDeA+7sw7LUeE0sPl + 0z3QLEk+szBOyo/07ZIVC9xA292Rt5VQJrMSTOIGcGw4g0m1nOzTtT3Q5DLL + =aStS + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml new file mode 100644 index 0000000..d01380b --- /dev/null +++ b/secrets/servers/dyndns.yaml 
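Review bot: The `passwords-root`, `wg0-*` and `wg1-*` values in this file are byte-identical (same `data`, `iv` and `tag`) to the corresponding entries in `secrets/router0-hosthatch/secrets.yaml` added by this same diff, which under AES-256-GCM can only happen if both files were encrypted under the same SOPS data key with the same plaintext. That means the two routers share a root password and the same WireGuard private keys and PSKs, and, because the data key is shared, whoever holds either host's age identity (`age1v458…` for hosthatch, `age1dktk…` for ifog) can decrypt everything in the other file too, including the `age-key` entry that exists only here, so the per-host recipient split provides no isolation. Generate distinct WireGuard keys and root credentials per router, then re-encrypt this file under a fresh data key with `sops rotate -i secrets/router0-ifog/secrets.yaml` so that the hosthatch identity can no longer unwrap it; the hosthatch file needs the same treatment.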
@@ -0,0 +1,47 @@ +dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] +dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTE1ZQXpZR2JWNXZyZG10 + NHhwbTZQZEVKQURZOS9BZ1BBbVgwdHpWMUNvCm9RNU1nbk1uT2VLTkVtSkFIQ3lh + OUZQSjZsK1Zvb3ZWVzZoTmVRQXpselkKLS0tIDJlanZpanZ5bDF2TUFLWWxSbytz + cEdYRnBHOERkWjZiWUFVQnZ0VU5EZEEKJD9EdW3iNVs9BdflLBsYgqRAQuJsWkVM + 7OdYSnB+aEULLRYcTpbCH/AJ3U5TDGFemj2ec9nq0H2qgUBCNOvicQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSUxNQ1ZoeVBsR2VTRjNS + a3BJZ0pxU0JSYkgxWjNTdk01UzJ2SUJrUW1nCnczNGxBNVhBY2hLZ2c0UjludlBD + bGl1UFY4Ti9OSnIzK0hRb2dmdUY0T3MKLS0tIE5FT1BDYmsxRThhVXo0SVFjYlZi + TzVhN01zNTZkYk1jL1VYS2YwTkJIejgKLD9zpgrTV8ViOaV+WdXIdZXrd4eyRV20 + iNq3B+DF8Xzpu/cQJ2Id6ZXvuBNPVDvSn8N79FmO+Ad2a5XZl80Png== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-14T20:50:30Z" + mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] + pgp: + - created_at: "2025-06-05T09:49:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/9EgxX9o0GjO+n1fnAEeYYkhHyx3ITJKT2XQIwMSbAukhA + PgNSmojyAr2FUuScDZ4cZh4ACj4itPFVT1kDNEDyHZaaWmqcDIrx0SKgtUymDAiA + hXnB9IqzPJVqodo6+Eav+p6JEB3IoENQ6p/9BLN0o8P2RDYiKRV6i1pSQfDvHzfs + 
EnsQYHpDBNHSo/L+WwvsVmq60tmywBy7SF35B86JQPfbgYEVr0bxEHCkzfGAdilY + fYY92QH3YoXvc4mE4mF7BnWjOpyHsQ/UKSUrl2223r+dPSGthrGfvCOnpE4CN12o + 5yZ7T7oXZlIgvwNUn3BjQm/KXSYmLVhe1KWmkXA23wZ7NlmGL3WKLj++8P1GjpM9 + TGBHp96CBAl5NsC3tTovqtDLdsEV66nGXnVaF0e1avaeyt9396PCVw9GiEl/phH2 + Mw8UBwgBxJ1jx6WB+tnUdBXvlJRc4/ZLpfxTyUxAkYxDfYfiZ/Wago+sZZc1XBGR + 5BlHsGm4Fsu1DaQt3IrBcvzrladwtFaYv7OcwQccQRHmQ5jXh4qo2HE0qHUSK/PD + Rpjw9D1DhDjolfMVSJID0GgFyjEeya9MaKvzTTkBW0u5Hn7HayzePE7GfDrzDwJg + Ef5DcH+b1YOjtxoaU9dxcPMT0QHGK6f3CO7K+q6EzxMMo7Wx41Vv5K4KGBj3vjDS + XAGUt9b+GwugiS1A6bHnssDH0JVsHc2aitz5Q8N0l3h3J9d6DxVGew6S9+4pkq0B + gB9uwzJWME6Sgpa6xx2a2krlIlbUX9ehfmYB2LIvpp5U25nw13YVwTUjH5Yj + =hMaH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml new file mode 100644 index 0000000..2596180 --- /dev/null +++ b/secrets/shared-users.yaml 
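Review bot: The two map keys put the protected hostnames (`www.stefanjunker.de`, `mailserver.svc.stefanjunker.de`) in the clear, because SOPS never encrypts YAML keys; if the hostnames are themselves sensitive, move them into values (e.g. a per-entry map with `host:` and `token:`) or into one encrypted blob. Note also that AES-GCM does not pad, so the 16-character `data` payloads reveal that both secrets are exactly 12 bytes long, which is fine for provider-issued tokens but on the short side if these are self-chosen passwords. A one-line header comment such as `# keys are plaintext; only the token values are encrypted` would make the first point explicit for the next editor.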
@@ -0,0 +1,111 @@ +#ENC[AES256_GCM,data:I4vX/lS1zWiEBbp9wA==,iv:P3tlp4VmVKasE434JuWZsg9H7t5PpP1FxUxPygahtDs=,tag:knVhCKkx25QJfTH/tcx2Ow==,type:comment] +#ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] +sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] +#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] +#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] +sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] +sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] +#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] +sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] +#ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment] +sharedUsers-elias: 
ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] +sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArejJMdC9Xb1EvMlkvUk9Y + MW5LcnhTdktHVlNoMFpYWG0xUkRjZm1GbVVZCjJaNEN5ZHFSeC9YNVBmM0QxM3VK + c1NJRVlzWDQ0QS9XZFpWeEJwTTV2Q2sKLS0tIEcwZ1JjeHhNdXFId2YwQXMyMk52 + NVMzL2U0eUdISlQrLzYvSTlKQkUzancK2dmrpC6+Bl7DrHtx5mvF+c4BRv0HPzjU + aT6GbjP3uZ0/jrRM1REqfLQe0v/AP9yMIenZNLdkfoSELtXpHIIsNQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKalYrWUlmN1d5WXpDOEtM + Qmd0SXZMdXpJdVdtcW5lcHZoT3hTMGhTZldFCm5XcEJ4WWgrbW9YQ0lrRzFOYndZ + VE1QTzlMUmdEZkRzakRUOHVrcWZ0dWMKLS0tIHVyeEVtekRnTDY2c25idUpTMXhH + ak1jbnQ0dFBFM3c5TVJvcDlkR1VjcTAKUeMBhu4ZFBYLW9jB63JErQwCsAV3YCKG + kxJTfdaoS3X2QWGIp6s+oE/YYCikKiOR6UxoHoBBgklP8tOXG03cPg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSGpDSGZQVUExL2tXbFQ2 + MldVZGFQNlVULy9BVUYxVXlseTlKL0RhU1F3CnVSUXdoczRjYWJCMnpyWldUMU9R + blJwVXIwdmFRd1JlSURQTEZkTmRkSFkKLS0tIE9VcXRVZytWUTBUV1gzdytrbTla + MjBvNXdWU3Q5ZENraWIrYmlZUmNqRU0KfDDVeBKs9gm1oBufKfSvkNSbdlyjQt3q + is+5wfSgiV7vzvdh7MWqQhyYI3U+JJB2sq2dy8m65GLT5XMJdqm80w== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SGJ0bTRXN2RSeEprZGtO + NTI5YXRhV3VXWHpsekNWY0N2Rm90WmpVM0JrCmw2dkczbDNwOHViM1B2eVNmMGRS + R2QvMEZIOXhXS2t2RGRDTU9yK3ZJV1EKLS0tIFNwMFJmWFFJMjFPNDVEbk5naGR5 + Q0txMjlPNStWY0RqcEZTS2VBbEF0NWsKS2nLfY2AcTmI3Jkd+xtEw+LCJ0RCXSfW + 9L0EO9VuoMcEXUtPmMBVWnfFRS9e7MuYrrFy66tNO29+088bYGOXvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNnhSai9KMjh1RC83UjBm + K2dPZisvcTA3a0JqNzVwWWJkWmp4Mkt5bFE4Ck91TnpJR1dGcnNzNFk0bWJkZENB + elp5NWpGY2F4K052MXZaTzluUkc1NEkKLS0tIFBvbHBZNWlqNitDbmFwbWt4Y2o4 + OVdhWGJQb0hIYXJkbXNGVUlEanJPclEKkX9L1XTFP8euXXcBESc4vGZycYGRTj2e + 9xQW8ABndvyvz9hWXvjD8US9A26nxDyCAoFYluF/dvpt3M4gg4hhBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1U4MWNwYVA1WU51cXlJ + SVNkeTBPaTVJWjFKRFZDRWx4a08venB2MmhrCnJzRzFTR1YxS0hSQmp3T29IcUJW + YWVRQkpIRWsxL1FqaElZNEdDcXpxRUEKLS0tIDljL0FZN3VraE42SXg3V0o4cGFl + eDVCaXE5bGRTcW8yN3hpL3FiaHZaYXMK682pq4hOUq29PXvPyrgWlZnxmXlNLXIX + lP4zA+nOCeTn6Mj4ffCr1uwz6Z+KraNzr8cWne5XRod56E+/uYNddQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU0EvNmlJaFViNnFrNlJJ + Y1lRajh4cWVnUVRrcDV4QlZITGpqUERLZ2k0CnlOUVhPL2xMdGtMMHo5cExKVEFX + cWlQZGZ0ODRremRINGlFcU5tMUNmZkEKLS0tIHhhU0tHL3NFM1o0Wkw0aE9EanJB + eFAydDVGOTN0b2ZrMHYyMkR0SElHZncKx5oAailIVsgXi1ajrgkYkBIr8AJQtEj8 + YOBoaXBGppSUygMxWHSt4vzdtEBYcC9xaZ7zAKVYQbOODAlSRd58rw== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY1UwdUsvai8rRnd3bzAx + SUhKZ0RHWW1wWXpadWhQOHVYTGRoYXBsbDNJClRjaE5Vai8rbENBaEt2ZE5JNVZL + aUs4ZHVQL3JxTWhibVBmNnVicmM2SjgKLS0tIGkra2kybjRORmlzbUFYcG9zSTVU + MzJrSGdPaldlakloeU1HVHFSdWlUWFkKq2oHlI3o7cIb0NEtOu3q5n9t9jYQmQNe + gfUnJ0BxkE43otBEWU7ZqRsVvsXfJYreq1IRNz4KyLEi0/taTe4QyA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-05T09:27:48Z" + mac: ENC[AES256_GCM,data:XXj7KCnNkL0nX3aVz+20aNhOESyfX2O4fKVKyAA0lOwNLHyMb1K0dXyctUVofLd5YvWA2cRFBm33vodlkYeS3wXDhYapeUGI9RJ9CLgFpNS1J6OPureTfW3/a25XSKj7vVnLn9Ng+LVI94MriQlmjg7lCBdat0sBRKEVYktuQEM=,iv:1ptZZ9QjHhhbLn7qp1MDJMlgxrOxzQZqwR64bEM36dg=,tag:25lCi/KmRAUGx8QHRmlohw==,type:str] + pgp: + - created_at: "2025-06-05T09:49:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/9ENt3lsKgc/XZJYMGHKhQa/kRJT7y12VfhvySitKBGOtr + 5eGQTwUo/4WXBwUb3fPDGC/4Y9MIVuARQzSgzULLy3HG5ESkx6UpOjz38NA6OQSb + fTB+ljVzLgxk5uxB3q3/TUp3nK3PFPlpHpBf/9oIMgGDdoRBqCJWjGQIDaVb1tba + I8l05XsjKv69a/Qo6OXhrScfU83dh136D5yrX65z53MlaVIbH7K4tKxQVLIBkbS7 + iW4uCZfL0GpG3AAEFQj8KXKbPb5ptAxsE7zNX+wml17o42Vzfu3Mtf5xY0zxpttu + oJYZHTq9MxaEMFKHE34QTARMTFeb8MgA+19Cc0V0rKa6ZoB+jKiwyIN+Hg5wiodD + xMT8dqYPnN7cEqB8mPQPojcra3yE8UAiQppAebLxFUXTFIi7H1ZyYR9DmpHJ7b+j + y2ao79gyzDa79PSE3Z3AITnUw+aVrdo+Fv/8tvjAa3VEtz/vVPmYHL1CuLd1huiC + ZwxWUoEcCOqjMq8vUkVb3MsU9+N/Unq+r+5hCwUPDzKfHhZgiyTR8fQLzyROol57 + +tS8OXeE6nbKYVIjGqIjkj+q22RThtMVRIzbouK+ByfhTbI5j8FMgGWapgrG92CL + e3TTINTKNDNH9wbtDlz2N+ywdMv33RuIjCHifnLIYloivt20YIeJeKphZN5F1tjS + XAG/8Ir5mJsgenNWB5kxR755VO556zu5jSvaBqoAltmPutmN4Uig8zKfT4Li9NfP + OHpqyIcg/DN5Un16BS8dxhmJYuG8PZTIE/gKjnDJlwVntsiaoxde3hO/mo8T + =JIPa + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.10.2 
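Review bot: This file is encrypted to every host recipient that appears elsewhere in the diff (`age1qju6…`, `age18dmq…`, `age10xwq…`, `age1dktk…`, `age1v458…`) as well as the personal keys, so a compromise of any single machine, including the rented VPS routers, yields the `sharedUsers-*` entries for root, steveej, elias and justyna for all hosts at once. That blast radius is inherent to a shared-users design but should be stated in the file's leading comment, e.g. `# NOTE: decryptable by every host key; keep only hashed credentials here and rotate all of them if any host is compromised`; if the values are password hashes, splitting them into per-host files would also give each host its own salt. `sharedSshKeys-steveej` presumably holds SSH public keys, which gain nothing from encryption and could carry the `_unencrypted` suffix to keep this file's churn and reviewability down.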
diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml new file mode 100644 index 0000000..9c563eb --- /dev/null +++ b/secrets/sj-srv1/secrets.yaml 
@@ -0,0 +1,48 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bjVmWnlmMSsvSlR3N1Js + ODhHc0RzRHFxK2xmbkM3ZFYyZHFOMkEzcFdrCnVVRGNIc3lLWUNPL0owUGZSZVpv + UjJOc1V1djRBUHA4cG83OEVWci9EbTgKLS0tIFFnV2srUGJ0UWlYMlJRdkc3citK + VUVuZkZPUW52ZjhBUXVzTmVINUkrL00K2I8yT9TQAHRnHpAVF2BvldPPXXnkzovu + 5E0+aVGLn59/LwUNKzDaEy+WHkpNvRID3fXWYLK1Uyl8YxuqfRrj6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ2JYaXhMcHhmc3F4dnBF + NWl5ditHeTBrcGJFTGUyM3NKUFNza0RYWFJjCkdkNDdTYmV1b3NNOXNWM3NIMGhB + bi9BVGFqOVgyb2F5dDF1bzI0eDh3VkUKLS0tIHZud2pYNzh5K1BhUHdaSU5jNC9S + ay9vd0dGYXpUUWFEbEtTK245UFV2V00KPXPEAhhL54Hz7m3YSk88hZtPm2WUrY7C + k7fC78uLtALlwnORr6aqj/1+sODaLF1ER/UXfYOGCiIcCZu85C46JQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-19T20:25:37Z" + mac: 
ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] + pgp: + - created_at: "2025-06-05T09:49:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfARAAmxdorYO1KLI5NpkQ8GF744tb7Pa37zTQ84At57905S8p + kBFKZW6OXEVFZaog5qQAGv8c4/hjWhRkFsGRlZlda7dUD/LomUG7bUSpZ2tXsbTp + tKvX0GFaqgehYI1UuRNcN0W54jeUq0+W5fqsOaQEwnt6x5qQSk2C8m63q8x0zRcf + fDGwXtGuChyqjUus7qBnLiacnq+XObPOEP5cE46y1Zgl7HjGkfv7dCWekgs1Aq4T + W6D1Hz/33vrudbwMhvcqqHVyL3JPtTVhNrip3Z+DCh7KGq54PmXzKwyIM4eK5OFA + es1SNhVplkX7NQv6539ifWv1ZYA2RMyOheK421yrRKqPyV9faq7kJ9ShRsGViUye + V7OXdlVIHWAYl1WWmIHJWoZ8v+MI44w31J3wBNlY6QsLpR+6T5t6y7j25p2Af1/Q + Mc7htobx2J4DwRZoVGewLYBRQPIoz4qLbKln/m/igsWqn1K/i6AUzRd91qXGII+v + 2cDNDLG5QspwXS02N143/gvk/9f2PZhONmoDGsdvqsTyhoQ4YAWEqCXtx4kqcBE2 + KptK/Ox5A9Z7+UkhE+5nJz5pDOQfCG8kCk8xp5qqwwttyDm1Y9iD+mhwNPCHoBhp + GI+WjJ9lD6KSx2vdMXUkgzma5y2SSQSxRAF8uscqCYjv6glX8tfET9gBW65jrW3S + XAFHYiaOZIDpI5g4XILPNbLIwyrngd+/sOb4aQa3/M4ztRGs7VuUpsiBjecsnamU + qx6qvkSh73AwE3MGrUbzyyCl06gwh/nYgV97NN+PXTkFtd0kr65VfX1W2RrJ + =n6yr + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml new file mode 100644 index 0000000..a3d5191 --- /dev/null +++ b/secrets/sj-vps-htz0/secrets.yaml 
@@ -0,0 +1,51 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] +wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] +wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] +wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTjc1QUtRSWRwaGdOdE83 + WWxsVWpWMXZ2cjZ0RzBiMUVSUVp2dmRKb0c0ClRURUZmWXdHdkR3eVF0Y1ZqYWFR + b253TVhRQSswZGVCSjZoNFVldGhPaFkKLS0tIFJRcno4V0RNSlNoUFc4TzRpL2pG + eEpxZXdNTVBxd1FETWlxdGpZQ3BRdU0KJqQLuwyf8V7bPDLMvuryFrYTZoCmxUlR + mzvYKGQTFNaTcY8fvsSiYxTxXx+WXMLXtz0o2y5fX/1Rz4AW7hW0yg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURk5aMnE4THNVVW0rSVRC + Z09lbUdzeHZlOEdmYUE3Qy9BckVNUGc2Sng0CnZRM3VTRXdKbXBDQlBxenFXa1FB + 
SXBwK0pvQjg5Z1R4djU1NjE5dUI1VEkKLS0tIFV1U2FpWGFFYk9pcVFFTHdrMzdM + RDM0OEFIUWh4SU5LRzJRSUlwcm5BeU0KA2RW/rYniJbIqRRiQfzE+ZZp+DgNODDg + +5xYpgegsBoBwcIkFemYwVXxKy4pzF57FR3oaf/0Gi1imXiKSAPdVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-13T17:03:01Z" + mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + pgp: + - created_at: "2025-06-05T09:49:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfARAApmxc/Ubnhh5F2uwxquqpWb/BBH57dS6+qZJ9KdGMcR86 + engG3qbFHZWK2yzCKXh9Sqs7o2Tw80HWSjzgI1+r7YBp6e0FNwaIRCsuxOzlNtKT + M8yVrtkRxoDJ2OnfaarKubpzGR69Zt9Zcvw3Zy8xDyuoDgAuh09q3n3ctVYeAkuV + E6xNSwAv9kPuOGUvjh+XAfB5ZUpOymmOBfKPoT1mdgZ0Q8Ye3oH27oGjfSfyMavB + BKJn8dQXDvTo/mX+7o7e7TPt9NstLoxmMctaE3MIyBX07nunFrdCSooODY7GqV6X + 5q0IyLI5Sy+hqetWRhLZxeF9nyxRhd3FohII8osf/l9WeqPZ6R5BcDJpsHmlOOEl + EOea4gRPWY8x0jJ3jZ6cVyVNINg8TOe2d5BIE6+INaoT2VpVowIPOI91i/0xNVuq + lWrzYJyDxk/7e4XId3GlM/SuEpjnL5cPQMmQRKqZ1lykwhF0ADQZgqzKp28sW1L3 + baq4hk1Gi19SRqaR2FnCioc7Ybxi6VJ6fesLGGGDvK8RAVCY+J1c1q6nUqazEqj2 + S2288c+mLpMyGlPHIaI3Qdyg8Fb27054EzGve2u/MmQpATAMj9hny65qVqcIsx7K + LQHBbdweDyHOZylO5ApGE9uf+0Q2zZjtX2LXN2S9wc8o2KMOfFYHkNEVjwqD4bLS + XAED066xz2GnHM1VdzaXPDw5Jokpp9wma2j9KxeOy0jOW+HNpO2bth3vhTsUwAcj + Dlq1UbIyf+4+My0LKopdCW5SJ8lhyysk4dMISu3m8XP0PVgJY7PzSC8/haty + =ykfJ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc new file mode 100644 index 0000000..d3ad822 --- /dev/null +++ b/secrets/steveej-x13s/mycelium_priv_key.bin.enc 
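Review bot: `passwords-root` here carries the same `data`/`iv`/`tag` as `passwords-root` in `secrets/sj-srv1/secrets.yaml` from this diff, and the leading encrypted comment matches as well, so one file was derived from the other under the same SOPS data key and the two hosts share a root password. Both files also list the same host recipient `age18dmqd7r…`, so there is no isolation between the machines at either the data-key or the recipient layer. If the hosts are meant to be distinct, give each its own age identity and root password and re-key with `sops rotate -i`; if one has simply replaced the other, drop the stale file rather than carrying the duplicated secret forward.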
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocVpZSUxWK25CaC9PYVJY\nK1U2TXo1TWJlRDhJZTI4ZFRLeHE5ODNMZndJCmpmT0p3b294bWs5UE44ZG45TXdD\nbzM1V3ByQkxIQWFacTgwaWozRkZFaHcKLS0tIG90VXdaSXF6NjBnSHEzdTd4d0M1\nTnpiYkNjVTlKQjFKQ1hNYVBIbUp2a0kKsneBNjaJjULUgZ+E5wiPvtpBR22tCtAy\notjS/WOiOvslYRT7H/N6I11rvlTnwZi/orBcMmE18GEfNVRzLUTReA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDl1cmt0eTQzNm96M2Z3\nQnNNeGpITzJOb0t5QS9DMGZNNHJ4YmZZV2pvCkhESmMvTndnS3ZoWHIwRnlXdStQ\nNUlsMnRnMmlWNW51Lzk3L3d4SmNDR0UKLS0tIDU0VXdxK3ptQ3JSdUdPS3g1M09r\nQVFrTXFkUSs5MFluVHlmbVpOQWlDYXcKFXtj/r11QoHMDbELo9oHVxwGDneZ2cyz\nQBLMhlZWX5uMqgLes5tLXW1r5xondqbGblEWYMcjj0lzZq+Jml9DoA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-04-19T19:07:46Z", + "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", + "pgp": [ + { + "created_at": "2025-06-05T09:49:11Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//QX8Tebm/qWToFViEiMlleF3Xqp5xno3NkrJSc5Bc4MF7\nG/qeh6cEii+m+SzQW+M8S0YDQmxqL9ddJqmrNmFBSMauqBjX99G/7COgCsQwtjYu\n2G/dclkBAE/jrdsw1uEnGQwIWxKcTPFx2x7qCDtXKIvikLbbclyBuo14+lp8SmW/\nTA8hBtisngwz8gH23zgly8NEZBRo8m/szjsiNd2NAujPni3pFQe/9NQgwH63oLkO\nbVlg3yRhaNJdB4e/rzBjMysEXW8vNakfpmw+SfP49aRBHAlj7keMajjBllKO0CRe\nLeqQsU+WogbCUjvPdrazeW8Nv1fN5iz/wXX6ZjI+EqyEywODKDquO9+HipyJcvs4\nlqH5TgkFh1M1eTD8M/Al2511gLKrt0pAbx3x8ldOVZyKd06NAakKXvVVEdDkiSeQ\nSSFvko9aG+qf87iC3gIt+L9KpA8WsA66f8gIP3wQgcr0CqPxZe/zVn6OE2V5vKc6\noIGZ9kwdVW3EB9EKEoYghG8F/32nhOIZ0MUfefJo4BQ9paqUSbcfAqb5QfnRWEZl\nVRSPXqTLNErZp8V1NWmS/ycoz54EaJsHDHKjpmoKo0G07wOb4jxefs9S+mQNVBu7\nX0jnEDjCtWGFiFAXyZ+FVh2mRuRRP6AlrvaPxDbT4v2SNljL4A2r1QEuChxDPyjS\nXAH90Blsv0wX6whS26rXosFNxisgR08NDpbaIzEjTtJKVidfOHWjZyXcuSzUeL9E\ni0zzTY1hR5bc+86KDljO7+AvoEguibUbQiItjECltYs4t2+97pmjqyZnMCX3\n=fYod\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml new file mode 100644 index 0000000..c7566c5 --- /dev/null +++ b/secrets/steveej-x13s/secrets.yaml 
@@ -0,0 +1,46 @@ +builder-private-key: ENC[AES256_GCM,data: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,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] +sops: + age: + - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMHdBc2dlNHNMRGNMVjQx + aEk0eFpEZVppMHpCQTJsM0JDNGJIOXdXODNrCmhqTnFCNTM3QWZjQm40YzVTS2pB + V29VY2RhcmN1RGR6bEhVU2FmakVFWUkKLS0tIG1GbENQdWF1S2pHWWtRZnRLL1dC + bXJGVTB1WmRJMVd4TFdtcXZxWnJTVHMKeLAbvyypDNUddigWYxmLSaqBK4jNpQyo + oGX/UnFchExIYIqsuasHEUbUsTOJmMj6JJYIb4reSNCUKfLpF81ONg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbEM3UDV5WU14RE1wZW5x + NFJDbklaeFNjem1oN3Znc3hVVG9PMEJPemlJCjY2aDFiS1d1bzIvSUFJOW42ZnRj + L3o5Tkx6TVFLRldMQzM3TXlJRnhYR3cKLS0tIFZPckwwZ3RXY0w2NXVSK1NMamJB + MFM1dUY2cWFWc3pJNlhNekovUEgwTG8K7XAKzsKqoUinTiGX9zgRtkLo8OD2WPfx + /jH6IECHhOjMLWOowEzyCcUd1Tmi44FzBytVRYUGfxlLESQmEydHzg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-01T16:50:35Z" + mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] + pgp: + - created_at: "2025-06-05T09:49:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw+OdhfgD3wfAQ/9HkWJKy3V5aXqDRgS9O6vFq/AVtCSc5RzBB8SgrKxiSgy + UIGXX6y2k+Iw5sWMwyFanu2Wf+4/36N2HcGlIEDrJG/XvSrBVAteN1dcwYkY1r38 + L8PDrSdP9zBPqnq+R3+Tzp2L0djNA7MYgRD9gm78kRwW7TTSKID5QWhhkQ0X1xuN + mCIeUKVjPQhjJWkV3687QIzyrMGFUwxDz5DbG5lYdAZZXxYmLJpS+Gi88mMfF+bc + ShYLrH6JHYf1zLV0vrHHRUb8C8Nb6eOLX4PKIOC9agMlDdYdi1uH5zSqaxJhWT3j + 
7N1APdt2YhODU/P9r+5JtfKML/nAWAlH+ztJy5h5f4uwb0qjlZsEAGEr3VDklC/R + 0Hqos1UQgWPX6KuMTKrtBZbuMg/kvaCjeqYGohhBWdMUOrf0F2uo/z2nUso9mRLF + 0whLeFtMnSdlX2IZG7meyUdD7IVGAbONRLGDAFP7607Bdufn2HXOenXRTebSa4Ei + whaaSVMa7nY57oFIBPW4Itwa6BSslx7PRaZv3ug52m85JZZ++PgBUUcwlz393GTX + Gr3EVKOaZIeeF3BMGApiungfI2sywbcTkUUgX5ULHSuFHNC/zVTOfTeVoTOvScJK + awyceOLGvtl7YuBJTUq2PoSID/RWJ6mj7l88jU3jIXXLmhXMUpCoQl04xJGshtbS + XgFvlmAIic7NjKtNL7lzVm9il+jTe8uqXcxqcgDGNbUdlzPxXfRs3wPoNUW9OOto + Bp8CFmVsnpSy14ss6Rj+qRfvSbZr/R9G/WJXDo5XphPBJJCad8smwGBK2tatwbc= + =O4hn + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt new file mode 100644 index 0000000..2e5522a --- /dev/null +++ b/secrets/work-holo/zerotierone.txt 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZFlVdXhuOW5zZ0FFVS82\nUDM3TVUzUEh5STFMNHlyZGdtNlRManNoOUFjCmxuMERXVUNmdFBxT1F2YUVPa0Ny\ndDBURUZ3dUlVOFF4V3YvMDlHVEZlRU0KLS0tIDRTV0QwL3F4a1VMMnM1TUxPTWIv\nNHVETVZxdTEyM3NrMDN0eDBucVZjTWMKQi66m7gORsxbCUCiIc509a9npsAyExdO\nbHymSiGR9sOsjIse213YL8jmQd+FcUbQ0u5v88IVsNBusOMHLet4kA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZUw1TWR3TVdDQ1hsNWhJ\nek5VVGZYb1NJdk81QmdlZFhwV0w0U0E0aG13CjhTVlIzTWg2K1N1SDhOOGFGdnp4\nSVJHL2tVOE9qNG9jUnkvbFZCVnpDYWcKLS0tIG9wb050NS9wNjhSYnIrVExJNzdP\ncWRCK1JyY01adm1SL25MZjJoVml5VjQKdOgbB+SpvreR6Lc970nIQjBQgCv7ngsl\ndYBnu0TgwgbTPibFaAdV+ndFUy27bbwBvGyPCiuKAZx0T44BZIcSrg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2025-06-05T09:49:11Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ/+MEjuddwMdAVWyoXEJJt/YW0sleAVJzvh5XDgg9fQ9nXB\nJaNlt2yWmaa894zh5JYrnkHp17d756lJQz/PgMukUt2xzO5UfjPlZRUaZLRirhpr\nJbv9+A5M52SHuCSG9qH2GYQXzd+5M0CEztMAyX3PMbcW4fNtagnfD54jW4LXt+om\nlIYIHPp5Mpl0/8EdcBMm6HPIKCGm44g7ghENlfPDfDvGH0TQF57hQUyB6h14uU4u\n/ffLgTK8y87tFblaN/Bbv+/3D+PcVNoqblD5fXgXW0LZOnG9BWM6v1tlJ78s0hP+\n81DXuumKNvoxkgsQdZiADMTCC8EDKVwz7mUaCs7j6TOG9t2Nu870mxfuBiIUUwRm\nANnHqgYVLuhgAZnmdrSX1UeN1jaccOTQCsFweyr8/0lL/H+83uRjMLWMNCMtw4Mj\nF17+Tig6lYevF0IXmPvKeyWxuxr2TMBg1Bg7QDfwWpfhT2u3Fqj1W0qQnUNxXHRT\n9mxOEPvxJCE2RkeHFsFQE4vT7cMLoaw9vrWfPKKTJeCir+24QngFmRSS1zxQtkop\nNiNXy4focN4bnZdWirJRsu7z5vLXXbMdWvUQ379DqZy6uepTm5l/gG6h+RciJ9Ux\nKJu+WzLniU092ArWRgcnNnyMvmBmP2iSnpMsLliWwzNLcVxU8F/KByHNbXTCsZ/S\nXAF9rWs6+VmhEqBqtuNWmACdtTjHBQAk+FPTAr/7qIERhCynnh7I3RDssV34HSdH\n7edAn78hfYd+WPpwCMJvrN3puppj7QNhSc9sYSiKgyaGr52DvMVkNu91gkbO\n=FVew\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile new file mode 100644 index 0000000..c15ed68 --- /dev/null +++ b/services/home-ch/router-family.lan/Justfile @@ -0,0 +1,12 @@ +_run_ssh_cmd cmd: + ssh root@router-family.lan "{{ cmd }}" + +post-setup: + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" + just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" + just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" + # multiuser SFTP + just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" + just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" 
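Review bot: `_run_ssh_cmd` wraps `{{ cmd }}` in double quotes, so the command text is expanded by the local shell before ssh sends it and then parsed a second time by the remote root shell; any `$`, backtick or `"` in cmd would be interpreted locally rather than on the router. The fixed opkg strings in `post-setup` are unaffected, but since this helper is the only path commands take to the router it is worth hardening it: `ssh root@router-family.lan {{ quote(cmd) }}` keeps the string literal locally while the remote shell still runs it. The same helper shape appears in the router-wan.dmz Justfile added in this commit. A recipe comment such as `# runs cmd verbatim as root on the router; callers supply the complete remote shell command` would also make the trust boundary explicit.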
diff --git a/services/home-ch/router-family.lan/mlsia.qrcode.png.secret b/services/home-ch/router-family.lan/mlsia.qrcode.png.secret
new file mode 100644
index 0000000..4c771ef
Binary files /dev/null and b/services/home-ch/router-family.lan/mlsia.qrcode.png.secret differ
diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile
new file mode 100644
index 0000000..6f818a8
--- /dev/null
+++ b/services/home-ch/router-wan.dmz/Justfile
@@ -0,0 +1,9 @@
+_run_ssh_cmd cmd:
+ ssh root@router-wan.dmz "{{ cmd }}"
+
+post-setup:
+ just -v _run_ssh_cmd "opkg update"
+ just -v _run_ssh_cmd "opkg install luci-ssl"
+ just -v _run_ssh_cmd "opkg install luci-app-mwan3"
+ # multiuser SFTP
+ just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/services/home-ch/router-wan.lan/Justfile b/services/home-ch/router-wan.lan/Justfile
deleted file mode 100644
index 8792f32..0000000
--- a/services/home-ch/router-wan.lan/Justfile
+++ /dev/null
@@ -1,9 +0,0 @@
-_run_ssh_cmd cmd:
- ssh root@router-wan.lan "{{cmd}}"
-
-post-setup:
- just -v _run_ssh_cmd "opkg update"
- just -v _run_ssh_cmd "opkg install luci-ssl"
- just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
- just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils"
- just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index b8ce6da..0000000
--- a/shell.nix
+++ /dev/null
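Review bot: The `# multiuser SFTP` comment in `post-setup` sits above the `uhttpd restart` line, but no openssh or sftp package is installed anywhere in this recipe, so it reads as a leftover from the router-family.lan Justfile where the same comment precedes `opkg install openssh-server openssh-sftp-server`. Either drop the comment or, if SFTP is actually intended on this router, add the matching install line before the restart so the comment describes real behaviour. Relative to the deleted router-wan.lan Justfile the samba and block-mount installs are gone; that looks intentional for a WAN/DMZ role, but a one-line comment at the top of the file stating what this router is meant to run would save the next reader the comparison.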
@@ -1,33 +0,0 @@
-{ ... }:
-
-let
- channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/dbacfa172f9a6399f180bcd0aef7998fdec0d55a.tar.gz);
- channels-nixos-stable = import channels-nixos-stable-path { overlays = builtins.attrValues (import ./nix/overlays); };
-
-in
-with channels-nixos-stable;
-stdenv.mkDerivation {
- name = "infra-env";
- buildInputs = [
- (with import (channels-nixos-stable-path+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ])
- just
- git-crypt
- vcsh
- gnupg
- git
-
- vncdo
- tesseract
- imagemagick
-
- esh
-
- xorg.xwininfo
- nmap
- sysstat
- lshw
- ];
-
- # Set Environment Variables
- RUST_BACKTRACE = 1;
-}