diff --git a/.envrc b/.envrc
index d8f5b3d..90160da 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,5 @@
-use_flake . --impure
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
+ source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
+fi
+
+use flake .#develop
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index 9587742..fd34c43 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 92102e5..8c927b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,8 @@
 .env
 **/result
 .direnv/
+
+# nixago: ignore-linked-files
+/treefmt.toml
+
+/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index efb4d91..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-stages:
- - build
-
-build:
- stage: build
- tags:
- - nix
- script:
- # Test the nix-shell
- - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
index 00c147f..9e709f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,49 +1,122 @@ -# This example uses YAML anchors which allows reuse of multiple keys +# This example uses YAML anchors which allows reuse of multiple keys # without having to repeat yourself. # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # for a more complex example. +# use `ssh-keyscan | ssh-to-age` to get the age key for a remote machine +# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *sj-vps-htz0 - - *srv0-dmz0 - - *elias-e525 - - *justyna-p300 + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s + - *elias-e525 + - *justyna-p300 + + - *srv0-dmz0 + - *router0-dmz0 + + - *sj-vps-htz0 + - *sj-srv1 + - *hstk0 + - *router0-ifog + - *router0-hosthatch - path_regex: ^secrets/steveej-t14/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 + - pgp: + - *steveej + age: + - *steveej-t14 + - path_regex: ^secrets/desktop/.+$ + key_groups: + - pgp: + - 
*steveej + age: + - *steveej-t14 + - *steveej-x13s - path_regex: ^secrets/servers/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^secrets/holochain-infra/.+$ key_groups: - - pgp: - - *steveej - age: - - *srv0-dmz0 \ No newline at end of file + - pgp: + - *steveej + age: + - *srv0-dmz0 + - path_regex: ^secrets/router0-dmz0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-dmz0 + - path_regex: ^secrets/router0-ifog/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-ifog + - path_regex: ^secrets/router0-hosthatch/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-hosthatch + - path_regex: ^secrets/sj-vps-htz0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - path_regex: ^secrets/sj-srv1/.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-srv1 + - path_regex: ^secrets/hstk0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *hstk0 + - path_regex: ^secrets/steveej-x13s/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s + - path_regex: ^secrets/work-holo/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json index df4ca93..660429d 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
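Review bot: The new `&sj-srv1` anchor carries exactly the same age recipient as `&sj-vps-htz0` (`age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`), so the separate `^secrets/sj-srv1/.+$` and `^secrets/sj-vps-htz0/.+$` rules give no isolation — whichever host holds that private key can decrypt both trees. If the two names are one machine, a comment next to the anchor saying so would stop a later reader from assuming per-host scoping; if they are separate hosts, derive a distinct key for the second one (the `ssh-keyscan | ssh-to-age` comment added here is the right procedure, though it is missing the host argument, e.g. `ssh-keyscan <hostname> | ssh-to-age`). The `updatekeys` comment has its closing paren before the search path, so as written grep reads stdin and the loop iterates over the literal word `secrets`; it should read `for file in $(grep -lr "sops:" secrets); do sops updatekeys -y "$file"; done`. The Justfile `update-sops-keys` recipe added in this commit copies the same misplaced paren and needs the same fix.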
@@ -1,6 +1,20 @@
 {
- "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix",
- "[nix]": {
- "editor.defaultFormatter": "kamadorueda.alejandra"
- },
+ "editor.defaultFormatter": "ibecker.treefmt-vscode",
+ "editor.formatOnSave": true,
+ "nix.enableLanguageServer": true,
+ "nix.serverPath": "nil",
+ "nix.serverSettings": {
+ // settings for 'nil' LSP
+ "nil": {
+ "autoArchive": true,
+ "diagnostics": {
+ "ignored": ["unused_binding", "unused_with"]
+ },
+ "formatting": {
+ "command": ["treefmt", "--stdin", ".nil.nix"]
+ }
+ }
+ },
+ "treefmt.command": "treefmt",
+ "treefmt.config": ""
 }
diff --git a/Justfile b/Justfile
index e9cbfd7..414e736 100755
--- a/Justfile
+++ b/Justfile
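Review bot: `"nil": { "autoArchive": true }` lets the language server fetch the flake's inputs on its own as a side effect of opening a `.nix` file — as I read nil's option this runs `nix flake archive`, i.e. network access and downloads triggered by the editor rather than by an explicit command. If that is intended, a comment next to it such as `// autoArchive: nil fetches flake inputs (network) when a file is opened` makes the cost visible; otherwise set it to `false`. `"treefmt.config": ""` is indistinguishable from an unfinished placeholder; if the empty value means "discover the config in the workspace", say so in a comment, or drop the key.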
@@ -1,308 +1,321 @@ -_DEFAULT_VERSION_TMPL: - echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" +# _DEFAULT_VERSION_TMPL: +# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + nix flake update _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) + echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --on {{device}} {{rebuildargs}} + #!/usr/bin/env bash + set -ex + nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} # Rebuild this device's NixOS rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --sudo {{rebuildargs}} + nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} # Re-render the versions of a remote device and rebuild its environment update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{devicename}} - nix flake update - ) + ( + set -xe + cd nix/os/devices/{{ devicename }} + nix flake update + ) - just -v rebuild-remote-device {{devicename}} {{rebuildargs}} + just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} - git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" + git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" # Re-render the versions of the current device and rebuild its environment -update-this-device rebuild-mode='switch': - #!/usr/bin/env bash - set -e +update-this-device rebuild-mode='switch' +moreargs='': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + ( + set -xe + cd nix/os/devices/$(hostname -s) + nix flake update + ) - just -v rebuild-this-device {{rebuild-mode}} + just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + git commit -v nix/os/devices/$(hostname 
-s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{device}} - trap "set +e; just -v disk-umount {{device}}" EXIT - just -v disk-install {{device}} + just -v disk-mount {{ device }} + trap "set +e; just -v disk-umount {{ device }}" EXIT + just -v disk-install {{ device }} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{dir}} + dir={{ dir }} - template={{dir}}/versions.tmpl.nix - outfile={{dir}}/versions.nix + template={{ dir }}/versions.tmpl.nix + outfile={{ dir }}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log - just -v rebuild-disk {{dir}} || { - echo ERROR: Update of {{dir}} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log + just -v rebuild-disk {{ dir }} || { + echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. 
un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{dir}} + just -v _device diskPrepare {{ dir }} disk-relabel dir previous: - just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} + just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{dir}} + just -v _device diskMount {{ dir }} + # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{dir}} + just -v _device diskUmount {{ dir }} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{dir}} - + just -v _device diskInstall {{ dir }} verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \ - \ - just _verify-n-unlock {{sshserver}} {{attempts}} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ 
sshserver }} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ + \ + just _verify-n-unlock {{ sshserver }} {{ attempts }} _verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function send_and_expect() { - local send="${1:?need something to send}" - local 
expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - for i in `seq 1 {{attempts}}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + for i in `seq 1 {{ attempts }}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{attempts}} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{ attempts }} times. Giving up... 
+ exit 1 _get_pass_entry path key: - pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g' + pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - {{cmds}} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + {{ cmds }} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card: - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. - # - set -xe - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') +switch-gpg-card key-id="6EEFA706CB17E89B": + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. 
+ # + set -xe + if [[ -n "{{key-id}}" ]]; then + KEY_ID="{{key-id}}" + else + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') + fi - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status # Connect to `remote` UUID, and turn it into a short name uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + #!/usr/bin/env bash + set -e -o pipefail + ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! nix-shell --pure + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! nix-shell -i zsh + #! 
nix-shell --pure - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? 
-ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi - sleep 5 - done + sleep 5 + done cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ + nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ + +update-sops-keys: + for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done + +deploy-router0-dmz0: + NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 + +ttyusb: + screen -fa /dev/ttyUSB0 115200 diff --git a/README.md b/README.md index 8184c89..5d32951 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # steveej's infra + This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). @@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
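Review bot: `deploy-router0-dmz0` passes `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no` to a root `nixos-rebuild switch --target-host`, which turns off host authentication for the deployment, so any machine answering at 192.168.20.1 is accepted as the router and receives the new system closure and the root session. Keep checking on and pin the router's key instead, e.g. `NIX_SSHOPTS="-o StrictHostKeyChecking=accept-new" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1`, which records the key on first contact and rejects a changed key afterwards (a reinstall that rotates the key is handled with `ssh-keygen -R`). Separately, `_DEFAULT_VERSION_TMPL` is commented out at the top of the hunk while `update-disk` still runs `template="$(just _DEFAULT_VERSION_TMPL)"` under `set -e`, so the no-template fallback now aborts instead of supplying a template; either restore the recipe or remove the fallback. `switch-gpg-card`'s new `key-id` default leaves the `gpg --card-status` branch reachable only when an empty string is passed explicitly, which is fine but worth a one-line comment on the recipe.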
@@ -37,42 +38,48 @@ In the unlikely case that you actually read this and have any questions please d - [x] steveej-t14 - [x] contabo vps - [x] sj-pve0 -- [ ] use an existing secret management framework -- [ ] adapt (or abandon?) _just_ recipes - - [ ] `rebuild-this-device` - - [ ] `update-this-device` - - [ ] `rebuild-remote-device` - - [ ] `update-remote-device` +- [x] use an existing secret management framework +- [x] adapt (or abandon?) _just_ recipes + + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` + + evaluate, and understand a path to using these tools in a pull-based fashion: - evaluate, and understand a path to using these tools in a pull-based fashion: - [x] [colmena](https://github.com/zhaofengli/colmena) - * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs -- [ ] 🚧 find a better alternative for the qtile-desktop - current issues: - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop +- [x] 🚧 find a better alternative for the qtile-desktop + current issues: + + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + + evaluate: + + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ - evaluate: - - [ ] 🚧 gnome3 + pop-shell - - [ ] leftwm + eww (+ wayland?) 
- [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle *\_archived* +- [ ] Recycle _\_archived_ - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started - ## Bugs + - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage -*(These are reminders for my future self)* + +_(These are reminders for my future self)_ ``` just --list @@ -81,15 +88,17 @@ just --list ## Bootstrap ### A new machine -* ensure the dotfiles repo has a branch with the new machine's hostname -* boot with an install media and go through setup +- ensure the dotfiles repo has a branch with the new machine's hostname + +- boot with an install media and go through setup #### Post-Install Setup -* `chmod --recursive g-rwx,o-rwx ~/.gnupg` -* `gpg2 --edit-card; fetch` -* clone password-manager and infra repositories -* gpg2: ultimately trust my own key + +- `chmod --recursive g-rwx,o-rwx ~/.gnupg` +- `gpg2 --edit-card; fetch` +- clone password-manager and infra repositories +- gpg2: ultimately trust my own key ## Swapping out a disk 
@@ -98,10 +107,18 @@ just --list 3. replace the driveId in the device's hw.nix 4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group -## Backup - -### Copy existing subvolumes to new backup target +## Rebuilding an offline system ``` -`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/ +( +sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot +sleep 5 + +sudo mkdir -p /mnt/root +sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos +sudo mount /dev/sdb2 /mnt/root/boot +sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home + +sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password +) ``` diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix deleted file mode 100644 index 65e6c09..0000000 --- a/_archive/environments/dev/cross.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -import /home/steveej/src/github/NixOS/nixpkgs/default.nix { - crossSystem = rec { - config = "armv7l-unknown-linux-gnueabi"; - bigEndian = false; - arch = "arm"; - float = "hard"; - fpu = "vfpv3-d16"; - withTLS = true; - libc = "glibc"; - platform = { - name = "armv7l-hf-multiplatform"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. - kernelHeadersBaseConfig = "multi_v7_defconfig"; - kernelBaseConfig = "multi_v7_defconfig"; - kernelArch = "arm"; - kernelDTB = true; - kernelAutoModules = false; - kernelExtraConfig = '' - NAMESPACES y - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - OVERLAY_FS y - FUSE_FS y - ''; - kernelTarget = "zImage"; - uboot = null; - }; - openssl.system = "linux-generic32"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - }; -} -# pkgs.config = { -# packageOverrides = super: let self = super.pkgs; in { -# linux_4_0 = super.linux_3_18.override { -# kernelPatches = super.linux_3_18.kernelPatches ++ [ -# # we'll also add one of our own patches -# { patch = ./dts.patch; name = "dts-fix"; } -# ]; -# -# # add "CONFIG_PPP_FILTER y" option to the set of kernel options -# extraConfig = '' -# HAVE_IMX_ANATOP y -# HAVE_IMX_GPC y -# HAVE_IMX_MMDC y -# HAVE_IMX_SRC y -# SOC_IMX6 y -# SOC_IMX6Q y -# SOC_IMX6SL y -# PCI_IMX6 y -# ARM_IMX6Q_CPUFREQ y -# IMX_WEIM y -# AHCI_IMX y -# SERIAL_IMX y -# SERIAL_IMX_CONSOLE y -# I2C_IMX y -# SPI_IMX y -# PINCTRL_IMX y -# PINCTRL_IMX6Q y -# PINCTRL_IMX6SL y -# POWER_RESET_IMX y -# IMX_THERMAL y -# IMX2_WDT y -# IMX_IPUV3_CORE y -# DRM_IMX y -# DRM_IMX_FB_HELPER y -# DRM_IMX_PARALLEL_DISPLAY y -# DRM_IMX_TVE y -# DRM_IMX_LDB y -# DRM_IMX_IPUV3 y -# DRM_IMX_HDMI y -# MMC_SDHCI_ESDHC_IMX y -# IMX_SDMA y -# PWM_IMX y -# DEBUG_IMX6Q_UART y -# -# PPP_FILTER y -# ''; -# }; -# }; -# }; - 
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix
deleted file mode 100644
index c92aa9d..0000000
--- a/_archive/environments/dev/go/default.nix
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, - pkgs ? gitpkgs, - name ? "generic", - version, - extraBuildInputs ? [], - extraShellHook ? "", -}: let - go = builtins.getAttr "go_${version}" pkgs; - commonVimRC = '' - let g:tagbar_type_go = { - \ 'ctagstype' : 'go', - \ 'kinds' : [ - \ 'p:package', - \ 'i:imports:1', - \ 'c:constants', - \ 'v:variables', - \ 't:types', - \ 'n:interfaces', - \ 'w:fields', - \ 'e:embedded', - \ 'm:methods', - \ 'r:constructor', - \ 'f:functions' - \ ], - \ 'sro' : '.', - \ 'kind2scope' : { - \ 't' : 'ctype', - \ 'n' : 'ntype' - \ }, - \ 'scope2kind' : { - \ 'ctype' : 't', - \ 'ntype' : 'n' - \ }, - \ 'ctagsbin' : 'gotags', - \ 'ctagsargs' : '-sort -silent' - \ } - - " vim-go { - let g:go_highlight_functions = 1 - let g:go_highlight_methods = 1 - let g:go_highlight_structs = 1 - let g:go_highlight_interfaces = 1 - let g:go_highlight_operators = 1 - let g:go_highlight_build_constraints = 1 - let g:go_fmt_command = 'gofmt' - let g:go_fmt_options= '-s' - let g:go_def_mode = 'godef' - let g:go_def_reuse_buffer = 0 - - au FileType go nmap gds (go-def-split) - au FileType go nmap gdv (go-def-vertical) - au FileType go nmap gdt (go-def-tab) - au FileType go nmap gi (go-imports) - " } - ''; - buildInputs = with pkgs; [ - glibc.out - glibc.static - - go - gotools - #gotools.bin - #gocode.bin - #godef godef.bin - godep - #godep.bin - gox.bin - #ginkgo ginkgo.bin - #gomega - # ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) - # ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) - ]; -in - pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = extraBuildInputs ++ buildInputs; - shellHook = '' - goname=${go.version}_$name - # FIXME: setPS1 $goname - export GOROOT=${go}/share/go - export GOPATH="$HOME/.gopath_$goname" - export PATH="$HOME/.gopath_$goname/bin:$PATH" - unset name - unset SSL_CERT_FILE - - ${extraShellHook} - ''; - } 
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix
deleted file mode 100644
index 1bbc4dc..0000000
--- a/_archive/environments/dev/go/neovim-go.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args
- // {
- additionalRC =
- commonRC
- + ''
- " deoplete {
- let g:deoplete#enable_at_startup = 1
- let g:deoplete#enable_smart_case = 1
- " }
- '';
- additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"];
- })
diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix
deleted file mode 100644
index fc4a298..0000000
--- a/_archive/environments/dev/pandoc.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
- pkgs ? gitpkgs,
- name ? "generic",
- version ? "Stable",
- extraBuildInputs ? [],
-}: let
- commonVimRC = "";
-in
- pkgs.stdenv.mkDerivation {
- inherit name;
- buildInputs = with pkgs;
- [
- (import ./vim-pandoc.nix {
- pkgs = gitpkgs;
- commonRC = commonVimRC;
- })
- pandoc
- texlive.combined.scheme-medium
- python27Packages.pandocfilters
- python27Packages.htmltreediff
- python27Packages.html5lib
- python27Packages.dbus-python
- ]
- ++ extraBuildInputs;
- shellHook = ''
- pandocname=pandoc_${pkgs.pandoc.version}
- setPS1 $pandocname
- unset name
- '';
- }
diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix
deleted file mode 100644
index aa01935..0000000
--- a/_archive/environments/dev/rkt.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
- mkGoEnv ? import ./go.nix,
- rktPath,
-}: let
- rktBasebuildInputs = with pkgs; [
- glibc.out
- glibc.static
- autoreconfHook
- gnupg1
- squashfsTools
- cpio
- tree
- intltool
- libtool
- pkgconfig
- libgcrypt
- gperf
- libcap
- libseccomp
- libzip
- eject
- iptables
- bc
- acl
- trousers
- systemd
- ];
- extraShellHook = ''
- TARGET=$GOPATH/src/github.com/coreos/rkt
- if [[ -e ${rktPath}/rkt/rkt.go ]]; then
- pushd ${rktPath}
- else
- echo rktPath must be run the rkt repository clone, but got '${rktPath}'
- exit 1
- fi
- if ! [[ -e $TARGET/rkt/rkt.go ]]; then
- mkdir -p $TARGET
- echo $PWD
- sudo -E mount -o bind $PWD $TARGET
- fi
- pushd $TARGET
- '';
-in {
- go15 = mkGoEnv {
- inherit pkgs;
-
- name = "rktGo15";
- version = "1_5";
- extraBuildInputs = rktBasebuildInputs;
- inherit extraShellHook;
- };
-
- go16 = mkGoEnv {
- inherit pkgs;
-
- name = "rktGo16";
- version = "1_6";
- extraBuildInputs = rktBasebuildInputs;
- inherit extraShellHook;
- };
-
- go17 = mkGoEnv {
- inherit pkgs;
-
- name = "rktGo17";
- version = "1_7";
- extraBuildInputs = rktBasebuildInputs;
- inherit extraShellHook;
- };
-}
diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc
deleted file mode 100644
index 051d09d..0000000
--- a/_archive/environments/dev/rust/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-eval "$(lorri direnv)"
diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix
deleted file mode 100644
index 11caffa..0000000
--- a/_archive/environments/dev/rust/default.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
- pkgs ? gitpkgs,
- name ? "generic",
- version ? "Stable",
- extraBuildInputs ? [],
-}: let
- rustPackages = builtins.getAttr "rust${version}" pkgs;
- rustc = rustPackages.rustc;
- rustShellHook = {
- rustc,
- name,
- }: ''
- rustname=rust_${rustc.version}_${name}
- setPS1 $rustname
- unset name
- '';
- commonVimRC = "";
-in
- pkgs.stdenv.mkDerivation {
- inherit name;
- buildInputs = with rustPackages;
- [
- (import ./vim-rust.nix {
- pkgs = gitpkgs;
- commonRC = commonVimRC;
- inherit rustc;
- racerd = pkgs.rustracerd;
- })
- rustc
- cargo
- ]
- ++ [pkgs.rustfmt]
- ++ extraBuildInputs;
- shellHook = rustShellHook {
- inherit name;
- inherit rustc;
- };
- }
diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix
deleted file mode 100644
index 6eacc45..0000000
--- a/_archive/environments/dev/vim-go.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{commonRC, ...} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-go";
- additionalRC =
- commonRC
- + ''
- " Disable AutoComplPop.
- let g:acp_enableAtStartup = 0
- " Use neocomplete.
- let g:neocomplete#enable_at_startup = 1
- " Use smartcase.
- let g:neocomplete#enable_smart_case = 1
- if !exists('g:neocomplete#sources#omni#input_patterns')
- let g:neocomplete#sources#omni#input_patterns = {}
- endif
- '';
- additionalPlugins = ["neocomplete" "vim-go"];
- })
diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix
deleted file mode 100644
index 7fc03f2..0000000
--- a/_archive/environments/dev/vim-pandoc.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{commonRC, ...} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-pandoc";
- additionalRC =
- commonRC
- + ''
- set statusline+=%#warningmsg#
- set statusline+=%{SyntasticStatuslineFlag()}
- set statusline+=%*
-
- let g:syntastic_always_populate_loc_list = 1
- let g:syntastic_auto_loc_list = 1
- let g:syntastic_check_on_open = 1
- let g:syntastic_check_on_wq = 0
- '';
- additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
- })
diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix
deleted file mode 100644
index 56e3c7d..0000000
--- a/_archive/environments/dev/vim-rust.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- commonRC,
- rustc,
- racerd,
- ...
-} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-rust";
- additionalRC =
- commonRC
- + ''
- set statusline+=%#warningmsg#
- set statusline+=%{SyntasticStatuslineFlag()}
- set statusline+=%*
-
- let g:syntastic_always_populate_loc_list = 1
- let g:syntastic_auto_loc_list = 1
- let g:syntastic_check_on_open = 1
- let g:syntastic_check_on_wq = 0
-
- " tagbar
- let g:tagbar_type_rust = {
- \ 'ctagstype' : 'rust',
- \ 'kinds' : [
- \'T:types,type definitions',
- \'f:functions,function definitions',
- \'g:enum,enumeration names',
- \'s:structure names',
- \'m:modules,module names',
- \'c:consts,static constants',
- \'t:traits,traits',
- \'i:impls,trait implementations',
- \]
- \}
-
- let g:syntastic_rust_checkers = ["rustc"]
-
- "rustfmt
- let g:rustfmt_autosave = 1
-
- let g:ycm_auto_trigger = 1
- let g:ycm_rust_src_path = '${rustc.src}/src'
- let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
-
- '';
- additionalPlugins = ["rust-vim"];
- })
diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix
deleted file mode 100644
index 074469e..0000000
--- a/_archive/environments/fhs/android.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{pkgs ? import {}}:
-(pkgs.buildFHSUserEnv {
- name = "devfhs";
- multiPkgs = pkgs: (with pkgs; [
- android-udev-rules
- sudo
- gawk
- bzip2
- file
- gcc
- getopt
- git
- gnumake
- ncurses
- openssl
- patch
- perl
- pkgconfig
- python
- openssh
- subversion
- unzip
- wget
- which
- vim
- zlib
- libusb
- libusb1
- systemd
- strace
- swt
- xorg.libXtst
- glib
- gtk2
- gnome.gtk
- ]);
- profile = ''
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
- '';
- runScript = "bash";
-})
-.env
diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix
deleted file mode 100644
index da08700..0000000
--- a/_archive/environments/fhs/vscode.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{pkgs ? import {}}:
-(pkgs.buildFHSUserEnv {
- name = "everydayFHS";
- targetPkgs = pkgs: (with pkgs; [
- which
- gitFull
- zsh
- file
- direnv
-
- xdg_utils
- xsel
-
- vscode
-
- # vscode live share
- gnome3.gcr
- libgnome_keyring3
- liburcu
- libunwind
- lttng-ust
- curl
- openssl
- libkrb5
- libuuid
- icu
- zlib
- libsecret
- ]);
- multiPkgs = pkgs: (with pkgs; []);
- profile = ''
- export SHELL=/bin/zsh
- '';
- # FIXME runScript = "$SHELL";
-})
-.env
diff --git a/default.nix b/default.nix
index 75e1dbb..6aba02e 100644
--- a/default.nix
+++ b/default.nix
@@ -4,6 +4,9 @@
 # Having pkgs default to is fine though, and it lets you use short
 # commands such as:
 # nix-build -A mypackage
-{pkgs ? import {}}: {
- pkgs = import ./nix/pkgs {inherit pkgs;};
+{
+ pkgs ? import { },
+}:
+{
+ pkgs = import ./nix/pkgs { inherit pkgs; };
 }
diff --git a/flake-sandbox/flake.lock b/flake-sandbox/flake.lock
deleted file mode 100644
index b600a49..0000000
--- a/flake-sandbox/flake.lock
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1681091990, - "narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake-sandbox/flake.nix b/flake-sandbox/flake.nix deleted file mode 100644 index 112447e..0000000 --- a/flake-sandbox/flake.nix +++ /dev/null 
@@ -1,142 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
- };
- outputs = {
- self,
- nixpkgs,
- }: let
- system = "x86_64-linux";
- pkgs = import nixpkgs {inherit system;};
- in {
- devShells."${system}".default = pkgs.mkShell {
- packages = with pkgs;
- with pkgs.gnome; [
- hexchat
- audacity
- proot
- yubikey-manager-qt
- cheese
- remmina
- exiv2
- wireshark-qt
- seahorse
- kotatogram-desktop
- usbutils
- networkmanagerapplet
- sshfs-fuse
- pavucontrol
- libwebcam
- just
- eog
- git-crypt
- espanso
- unetbootin
- vcsh
- skypeforlinux
- du-dust
- bind
- teamviewer
- gparted
- neovim
- inkscape
- rustdesk
- gnome-themes-extra
- pass
- xdg-user-dirs
- cbatticon
- yubikey-personalization-gui
- zoom
- signal-desktop
- xorg.xbacklight
- vscode
- ripgrep
- lightdm
- nixpkgs-fmt
- git-lfs
- qtpass
- gimp
- lxappearance
- flameshot
- thunderbird
- fprintd
- chromium
- evtest
- alejandra
- vlc
- pastebinit
- evolution
- zbar
- libreoffice
- brave
- pidgin
- direnv
- xorg.xhost
- lorri
- firefox
- logseq
- x11_ssh_askpass
- xsel
- feh
- htop
- openvpn
- syncthing
- ncdu
- rofi-pass
- testdisk
- vanilla-dmz
- wireguard-tools
- xarchive
- gnome-icon-theme
- wget
- nix-index
- mr
- passff-host
- browserpass
- xorg.xcursorthemes
- gitRepo
- gitSVN
- androidenv.androidPkgs_9_0.platform-tools
-
- # introduces python
- (qtile.passthru.unwrapped.overrideAttrs (oldAttrs: {
- propagatedBuildInputs =
- []
- # ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs
- # ++ (with pkgs.python3Packages; [
- # # python-wifi
- # # iwlib
- # keyring
- # ])
- ;
-
- makeWrapperArgs =
- oldAttrs.makeWrapperArgs
- ++ [
- "--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}"
- ];
- }))
-
- # gi-docgen
- # yelp-tools
- # scons
- # autorandr
- # arandr
- # meson
- # mercurial
- # unrar-wrapper
- # orca
- # radicale
- # criu
- # gnome-music
- # gnome-browser-connector
- # radicale
- # hplip
- # qtile
- # gtk-doc
- # asciidoc
- # meson
- ];
- };
- };
-}
diff --git a/flake.lock b/flake.lock index 69f97f8..595341f 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "aphorme_launcher": { "flake": false, "locked": { - "lastModified": 1683977169, - "narHash": "sha256-juRiokIk5x+eGJm+QuCdFPUjEggDmscpy2Ip7pU9KI4=", + "lastModified": 1719922896, + "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", "owner": "Iaphetes", "repo": "aphorme_launcher", - "rev": "211bc27de061b61e3119a7966cff09f4b8c3a1fe", + "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", "type": "github" }, "original": { @@ -21,17 +21,18 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "stable": "stable" }, "locked": { - "lastModified": 1688224393, - "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", + "lastModified": 1731527002, + "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", "owner": "zhaofengli", "repo": "colmena", - "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", + "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", "type": "github" }, "original": { @@ -41,20 +42,12 @@ } }, "crane": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, "locked": { - "lastModified": 1688690832, - "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=", + "lastModified": 1733286231, + "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", "owner": "ipetkov", "repo": "crane", - "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3", + "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", "type": "github" }, "original": { 
@@ -63,6 +56,27 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", + "owner": "numtide", + "repo": "devshell", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -71,11 +85,11 @@ ] }, "locked": { - "lastModified": 1687747614, - "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=", + "lastModified": 1727359191, + "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", "owner": "nix-community", "repo": "disko", - "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95", + "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", "type": "github" }, "original": { @@ -85,6 +99,23 @@ "type": "github" } }, + "espanso": { + "flake": false, + "locked": { + "lastModified": 1711840403, + "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", + "owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + }, + "original": { + "owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -93,11 +124,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1688624761, - "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=", + "lastModified": 1733380458, + "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", "owner": "nix-community", "repo": "fenix", - "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541", + "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", "type": "github" }, "original": { 
@@ -125,11 +156,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -140,11 +171,11 @@ }, "flake-compat_3": { "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", "owner": "nix-community", "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", "type": "github" }, "original": { @@ -153,16 +184,30 @@ "type": "github" } }, + "flake-compat_4": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { 
@@ -179,11 +224,11 @@ ] }, "locked": { - "lastModified": 1687762428, - "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", "type": "github" }, "original": { @@ -201,11 +246,53 @@ ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { 
@@ -229,16 +316,34 @@ "type": "github" } }, + "flake-utils_10": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -248,15 +353,12 @@ } }, "flake-utils_3": { - "inputs": { - "systems": "systems_2" - }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", "type": "github" }, "original": { 
@@ -267,11 +369,92 @@ }, "flake-utils_4": { "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_9": { + "inputs": { + "systems": 
"systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -282,11 +465,11 @@ }, "get-flake": { "locked": { - "lastModified": 1673819588, - "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=", + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", "owner": "ursi", "repo": "get-flake", - "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", "type": "github" }, "original": { 
@@ -295,14 +478,115 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "nixvim", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixvim", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733175814, + "narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bf23fe41082aa0289c209169302afd3397092f22", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "ixx": { + "inputs": { + "flake-utils": [ + "nixvim", + "nuschtosSearch", + "flake-utils" + ], + "nixpkgs": [ + "nixvim", + "nuschtosSearch", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729958008, + "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", + "owner": "NuschtOS", + "repo": "ixx", + "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "ref": "v0.0.6", + "repo": "ixx", + "type": "github" + } + }, "jay": { "flake": false, "locked": { - "lastModified": 
1683988763, - "narHash": "sha256-vaHNBwCIMNf/rnnievmxhF5wxci0Rbu2IUXiUxxKF74=", + "lastModified": 1732789238, + "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", "owner": "mahkoh", "repo": "jay", - "rev": "80dc8770c51c0409a32b212499e0803dd585cab1", + "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", "type": "github" }, "original": { @@ -313,15 +597,15 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_8", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1688299754, - "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=", + "lastModified": 1733055216, + "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "6107c923522c233458760d0c7f31ad71bf1d2146", + "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", "type": "github" }, "original": { 
@@ -330,33 +614,40 @@ "type": "github" } }, - "magmawm": { - "flake": false, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1687543996, - "narHash": "sha256-S8vRKXCHF7OHestoGNe6fqqxJIc8slhaOFjvGS3oflc=", - "owner": "MagmaWM", - "repo": "MagmaWM", - "rev": "c16fa624b2c86328081a1647f483273e131df29d", + "lastModified": 1733105089, + "narHash": "sha256-Qs3YmoLYUJ8g4RkFj2rMrzrP91e4ShAioC9s+vG6ENM=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "c6b65d946097baf3915dd51373251de98199280d", "type": "github" }, "original": { - "owner": "MagmaWM", - "repo": "MagmaWM", + "owner": "lnl7", + "repo": "nix-darwin", "type": "github" } }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs" + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": "nixpkgs_4", + "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1688608231, - "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=", + "lastModified": 1732631228, + "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d", + "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", "type": "github" }, "original": { 
@@ -365,19 +656,206 @@ "type": "github" } }, - "nixos-2305": { + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1687938137, - "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5", + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731952509, + "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1740852064, + "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "rev": "1b34da949d188b205b4132c2b726415fa19d5086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "type": "github" + } + }, + "nix4vscode": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "rust-overlay": "rust-overlay", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1733089477, + "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", + "owner": "nix-community", + "repo": 
"nix4vscode", + "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix4vscode", + "type": "github" + } + }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": 
"d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", + "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", "type": "github" } }, @@ -385,19 +863,19 @@ "inputs": { "disko": "disko", "flake-parts": "flake-parts_2", - "nixos-2305": "nixos-2305", "nixos-images": "nixos-images", + "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ], "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1687941964, - "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=", + "lastModified": 1733093391, + "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df", + "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", "type": "github" }, "original": { @@ -409,9 +887,9 @@ }, "nixos-images": { "inputs": { - "nixos-2305": [ + "nixos-stable": [ "nixos-anywhere", - "nixos-2305" + "nixos-stable" ], "nixos-unstable": [ "nixos-anywhere", @@ -419,11 +897,11 @@ ] }, "locked": { - "lastModified": 1686819168, - "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=", + "lastModified": 1727367213, + "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", "owner": "nix-community", "repo": "nixos-images", - "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37", + "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", "type": "github" }, "original": { 
@@ -432,18 +910,34 @@ "type": "github" } }, - "nixpkgs": { + "nixos-stable": { "locked": { - "lastModified": 1688607075, - "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { "owner": "NixOS", - "ref": "master", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1740547748, + "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3a05eebede89661660945da1f151959900903b6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -464,47 +958,57 @@ "type": "github" } }, - "nixpkgs-2305": { + "nixpkgs-2411": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1733261153, + "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-gimp": { + "locked": { + "lastModified": 1735507908, + "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", + "owner": "jtojnar", + "repo": "nixpkgs", + "rev": "771cf18187fefcfaababd35834917c621447fee8", + "type": "github" + }, + "original": { + "owner": "jtojnar", + "ref": "gimp-meson", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", - "type": "github" + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" }, "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" } }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1688259758, - "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "lastModified": 1733015484, + "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "rev": 
"0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "type": "github" }, "original": { @@ -513,29 +1017,13 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1688256355, - "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690179384, - "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", + "lastModified": 1739446958, + "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", + "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", "type": "github" }, "original": { @@ -545,18 +1033,18 @@ "type": "github" } }, - "nixpkgs-unstable-small": { + "nixpkgs-vscodium": { "locked": { - "lastModified": 1691472822, - "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=", + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -566,14 +1054,14 @@ "flake-compat": "flake-compat_3", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1688653033, - "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=", + "lastModified": 1733388169, + "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "bc84572c913933dbb49df2746dc8669f562da454", + "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", "type": "github" }, "original": { @@ -584,11 +1072,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1688590700, - "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "lastModified": 1722421184, + "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", "type": "github" }, "original": { 
@@ -598,14 +1086,135 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1722415718, + "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1732238832, + "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "devshell": "devshell", + "flake-compat": "flake-compat_4", + "flake-parts": "flake-parts_4", + "git-hooks": "git-hooks", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixpkgs": [ + "nixpkgs" + ], + "nuschtosSearch": "nuschtosSearch", + "treefmt-nix": "treefmt-nix_3" + }, + "locked": { + "lastModified": 1733355056, + "narHash": "sha256-EOldkOLdgUVIa8ZJiHkqjD6yaW+AZiZwd94aBqfZERY=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "277dbeb607210f6a6db656ac7eee9eef3143070c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nur": { + "inputs": { + "flake-parts": "flake-parts_5", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_4" + }, + "locked": { + "lastModified": 1737225765, + "narHash": 
"sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", + "owner": "nix-community", + "repo": "NUR", + "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils_9", + "ixx": "ixx", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733006402, + "narHash": "sha256-BC1CecAQISV5Q4LZK72Gx0+faemOwaChiD9rMVfDPoA=", + "owner": "NuschtOS", + "repo": "search", + "rev": "16307548b7a1247291c84ae6a12c0aacb07dfba2", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, "ofi-pass": { "flake": false, "locked": { - "lastModified": 1687009458, - "narHash": "sha256-SgndtGEd3zDztqLJYSdun6IbOqgXsvw0Q8flicPHonY=", + "lastModified": 1723412133, + "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", "owner": "sereinity", "repo": "ofi-pass", - "rev": "e99b15857438bbb6013f7f65513c13ea3f5ebdfa", + "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", "type": "github" }, "original": { 
@@ -614,6 +1223,40 @@ "type": "github" } }, + "openvscode-server": { + "flake": false, + "locked": { + "lastModified": 1714076069, + "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", + "owner": "gitpod-io", + "repo": "openvscode-server", + "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", + "type": "github" + }, + "original": { + "owner": "gitpod-io", + "ref": "openvscode-server-v1.88.1", + "repo": "openvscode-server", + "type": "github" + } + }, + "prs": { + "flake": false, + "locked": { + "lastModified": 1719086486, + "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", + "owner": "timvisee", + "repo": "prs", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", + "type": "gitlab" + }, + "original": { + "owner": "timvisee", + "repo": "prs", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", + "type": "gitlab" + } + }, "root": { "inputs": { "aphorme_launcher": "aphorme_launcher", 
@@ -623,35 +1266,63 @@ "nixos-anywhere", "disko" ], + "espanso": "espanso", "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", - "magmawm": "magmawm", + "nix-vscode-extensions": "nix-vscode-extensions", + "nix4vscode": "nix4vscode", + "nixago": "nixago", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ - "nixpkgs-2305" + "nixpkgs-2411" ], "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2305": "nixpkgs-2305", + "nixpkgs-2411": "nixpkgs-2411", + "nixpkgs-gimp": "nixpkgs-gimp", "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-unstable-small": "nixpkgs-unstable-small", + "nixpkgs-vscodium": "nixpkgs-vscodium", "nixpkgs-wayland": "nixpkgs-wayland", + "nixvim": "nixvim", + "nur": "nur", "ofi-pass": "ofi-pass", - "salut": "salut", + "openvscode-server": "openvscode-server", + "prs": "prs", + "radicalePkgs": [ + "nixpkgs-2211" + ], + "rperf": "rperf", "sops-nix": "sops-nix", "srvos": "srvos", + "treefmt-nix": "treefmt-nix_5", "yofi": "yofi" } }, + "rperf": { + "flake": false, + "locked": { + "lastModified": 1712257145, + "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", + "owner": "steveej-forks", + "repo": "rperf", + "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "repo": "rperf", + "type": "github" + } + }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1688576197, - "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=", + "lastModified": 1733330394, + "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "aa91eda9028758839487ad0f0eb120944a549ff3", + "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", "type": "github" }, "original": { 
@@ -663,21 +1334,14 @@ }, "rust-overlay": { "inputs": { - "flake-utils": [ - "crane", - "flake-utils" - ], - "nixpkgs": [ - "crane", - "nixpkgs" - ] + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1688351637, - "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "lastModified": 1722565199, + "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", "type": "github" }, "original": { @@ -686,35 +1350,18 @@ "type": "github" } }, - "salut": { - "flake": false, - "locked": { - "lastModified": 1671283721, - "narHash": "sha256-W0lhhImSXtYJDeMbxyEioYu/Bh7ZclwR1/5DzNbxM8o=", - "owner": "snakedye", - "repo": "salut", - "rev": "aa57c4d190812908a9c32cd49cff14390c6dfdcb", - "type": "gitlab" - }, - "original": { - "owner": "snakedye", - "repo": "salut", - "type": "gitlab" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1688268466, - "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { @@ -730,11 +1377,11 @@ ] }, "locked": { - "lastModified": 1688619474, - "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=", + "lastModified": 1733365027, + "narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", "owner": "numtide", "repo": "srvos", - "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a", + "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", "type": "github" }, "original": { 
@@ -745,16 +1392,16 @@ }, "stable": { "locked": { - "lastModified": 1669735802, - "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "lastModified": 1730883749, + "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -789,6 +1436,51 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -797,11 +1489,95 @@ ] }, "locked": { - "lastModified": 1687940979, - "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=", + "lastModified": 1727252110, + "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "0a4f06c27610a99080b69433873885df82003aae", + "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723303070, + "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "14c092e0326de759e16b37535161b3cb9770cea3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732894027, + "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_4": { + "inputs": { + "nixpkgs": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_5": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738953846, + "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": 
"4f09b473c936d41582dd744e19f34ec27592c5fd", "type": "github" }, "original": { @@ -812,17 +1588,17 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_10", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1678976029, - "narHash": "sha256-AZ2+FQtVwUFgv4kiZqMKmiXS2qygMktDE185O19BXiM=", + "lastModified": 1725018627, + "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", "owner": "l4l", "repo": "yofi", - "rev": "811a4358913aed527348f9584d6c0767983299bb", + "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7d7f0cd..832b535 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,23 +1,36 @@ # flake.nix { inputs = { + # TODO: where has this been used? + # dotfiles = { + # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; + # flake = false; + # }; + # flake and infra basics nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; + radicalePkgs.follows = "nixpkgs-2211"; + nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs.follows = "nixpkgs-2305"; + nixpkgs.follows = "nixpkgs-2411"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-anywhere.url = github:numtide/nixos-anywhere/main; + nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; disko.follows = "nixos-anywhere/disko"; nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; + nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; + nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; + + # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` + openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; + openvscode-server.flake = false; + colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; @@ -28,14 +41,13 @@ url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - crane = { - url = "github:ipetkov/crane"; + crane.url = "github:ipetkov/crane"; + + sops-nix = { + url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix.url = "github:Mic92/sops-nix"; - sops-nix.inputs.nixpkgs.follows = "nixpkgs"; - # applications aphorme_launcher = { url = "github:Iaphetes/aphorme_launcher/main"; 
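Review bot: The `openvscode-server` input is pinned to the tag `openvscode-server-v1.88.1` while the comment above it says it must stay in sync with `vscodium --version` from `nixpkgs-vscodium`, yet `nixpkgs-vscodium` points at the moving branch `nixos-unstable`, so a later `nix flake update` advances vscodium and silently breaks the pairing. Git tags are also mutable upstream, unlike the commit pins used for `prs` and `espanso` further down this file; the lock's `narHash` protects the currently locked state, but re-resolution after an update does not. I would pin by revision as the other non-flake inputs do and state the checkable requirement in the comment, e.g. `# keep in sync: vscodium in nixpkgs-vscodium must report 1.88.1 (openvscode-server-v1.88.1); re-pin both together`. The `inputs` attribute set opened here continues past this hunk.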
@@ -58,130 +70,359 @@ flake = false; }; - magmawm = { - url = "github:MagmaWM/MagmaWM"; + prs = { + # url = "gitlab:timvisee/prs/v0.5.2"; + url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; flake = false; }; - salut = { - url = "gitlab:snakedye/salut"; + rperf = { + url = "github:steveej-forks/rperf"; flake = false; }; + + # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; + + espanso = { + flake = false; + url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; + }; + + nix4vscode = { + url = "github:nix-community/nix4vscode"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; + nixvim = { + # TODO: pin to nixos-24.11 once available + url = "github:nix-community/nixvim"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + treefmt-nix = { + url = "github:numtide/treefmt-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixago = { + url = "github:jmgilman/nixago"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nur = { + url = "github:nix-community/NUR"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; }; - outputs = inputs @ { - self, - flake-parts, - nixpkgs, - ... - }: let - inherit (nixpkgs) lib; + outputs = + inputs@{ + self, + flake-parts, + nixpkgs, + ... 
+ }: + let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake {inherit inputs;} - ({withSystem, ...}: { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { - meta.nixpkgs = import inputs.nixpkgs.outPath { - system = builtins.elemAt systems 0; - }; - } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - (builtins.map (nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - }) [ - "sj-vps-htz0" - "steveej-t14" - "srv0-dmz0" - "elias-e525" - "justyna-p300" - ]); - - # this makes nixos-anywhere work - flake.nixosConfigurations = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - - inherit systems; - - perSystem = { - inputs', - system, - config, - lib, - pkgs, - ... - }: rec { - imports = [ - ./nix/modules/flake-parts/perSystem/default.nix - ]; - - packages = let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; - - craneLib = - inputs.crane.lib.${system}.overrideToolchain - inputs'.fenix.packages.stable.toolchain; - - craneLibOfiPass = - inputs.crane.lib.${system}.overrideToolchain + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake { inherit inputs; } ( + { withSystem, ... 
}: + { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } + builtins.map + ( + nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); + } + ) + [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" + + "sj-srv1" + ] ); - in { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - # broken as of 2023-04-27 because it doesn't load without a config - # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; - # yofi = inputs'.yofi.packages.default; - # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; + flake.lib = { + inherit withSystem; + }; - inherit (inputs'.colmena.packages) colmena; + # this makes nixos-anywhere work + flake.nixosConfigurations = + let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; + in + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; - # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { - # src = inputs.jay; - # rustPlatform = pkgs.makeRustPlatform { - # cargo = inputs'.fenix.packages.stable.toolchain; - # rustc = inputs'.fenix.packages.stable.toolchain; - # }; - # }; + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host 
root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; - # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { - # inherit craneLib; - # src = inputs.magmawm; - # }; - - salut = craneLib.buildPackage { - src = inputs.salut; - nativeBuildInputs = [ - pkgs.pkg-config - ]; - buildInputs = [ - pkgs.libxkbcommon - pkgs.fontconfig - ]; + steveej-x13s_cross = + (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = + (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; }; - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - }; + inherit systems; - formatter = pkgs.alejandra; - devShells.default = import ./nix/devShells.nix { - inherit inputs' pkgs; - packages' = packages; - }; - }; - }); + perSystem = + { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: + { + imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; + + packages = + let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; + + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; + + craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; + + _prsPackage = + { + lib, + rustPlatform, + installShellFiles, + pkg-config, + python3, + glib, + gpgme, + gtk3, + stdenv, + cargoHash ? 
"sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", + src, + version, + makeWrapper, + skim, + }: + + rustPlatform.buildRustPackage rec { + pname = "prs"; + + inherit src version cargoHash; + + nativeBuildInputs = [ + gpgme + installShellFiles + pkg-config + python3 + makeWrapper + ]; + + cargoBuildFlags = [ + "--no-default-features" + "--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp" + ]; + + buildInputs = [ + glib + gpgme + gtk3 + ]; + + postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + + postFixup = '' + wrapProgram $out/bin/prs \ + --prefix PATH : ${lib.makeBinPath [ skim ]} + ''; + + meta = with lib; { + description = "Secure, fast & convenient password manager CLI using GPG and git to sync"; + homepage = "https://gitlab.com/timvisee/prs"; + changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md"; + license = with licenses; [ + lgpl3Only # lib + gpl3Only # everything else + ]; + maintainers = with maintainers; [ dotlambda ]; + mainProgram = "prs"; + }; + }; + + local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' + set -x + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=0 \ + # --x-unscale=3 \ + --verbose + ''; + in + { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; + + inherit (inputs'.colmena.packages) colmena; + + prs = pkgs.callPackage _prsPackage { + src = inputs.prs; + version = inputs.prs.shortRev; + cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8="; + }; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 
wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" + + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ pkgs.pkg-config ]; + buildInputs = [ ]; + }; + + inherit local-xwayland; + + inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; + + }; + + formatter = + let + settingsNix = { + projectRootFile = ".git/config"; + + package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; + + programs = { + nixfmt.enable = true; + deadnix.enable = true; + statix.enable = true; + + shfmt.enable = true; + shellcheck.enable = true; + + prettier.enable = true; + just = { + enable = true; + includes = [ + "*/Justfile" + "Justfile" + ]; + }; + } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; + + settings = { + global.excludes = [ + "LICENSE" + "secrets/" + ".git-crypt/" + + # unsupported extensions + "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" + ]; + + formatter = { + deadnix = { + priority = 1; + options = [ "--no-underscore" ]; + }; + + nixfmt = { + priority = 2; + }; + + statix = { + priority = 3; + }; + + prettier = { + options = [ + "--tab-width" + "2" + ]; + includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; + }; + }; + }; + }; + eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; + in + eval.config.build.wrapper.overrideAttrs (_: { + passthru = { + inherit (eval.config) package settings; + }; + 
}); + + devShells = + let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; + }; + in + all + // { + default = all.develop; + }; + }; + } + ); } diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw new file mode 100644 index 0000000..ea5b5b8 Binary files /dev/null and b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw differ diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh index 6cfab1a..1025cb4 100755 --- a/nix/container-images/build.sh +++ b/nix/container-images/build.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -xe -[ ! -z "$NAME" ] +[ -n "$NAME" ] nix-build . --show-trace -A "$NAME" -docker image rm "$NAME":latest --force +docker image rm "$NAME":latest --force docker load -i result diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 7dcab2a..67f516d 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix @@ -1,6 +1,10 @@ -{pkgs ? import {}}: let - baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; -in rec { +{ + pkgs ? import { }, +}: +let + baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; +in +rec { base = pkgs.dockerTools.buildImage rec { name = "base"; 
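Review bot: In `local-xwayland` the commented-out `# --x-unscale=3 \` sits between two backslash-continued argument lines; with bash the continuation before it joins `--x-display=0` with the comment, and the trailing `\` inside a comment does not continue the line, so `--verbose` is never passed to `wayland-proxy-virtwl` and is instead executed as its own command after the proxy exits, failing with command-not-found. Move the disabled flag out of the continuation, e.g. `--x-display=0 \` / `--verbose` / `# --x-unscale=3`, or drop it; `ledger-live-desktop-wrapped` only avoids the same trap because its comments come after the `&`. Separately, in `formatter` the `programs` set already contains `shellcheck.enable = true;` unconditionally, so the `// pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }` merge is a no-op and shellcheck stays enabled on riscv64-linux; keep only one of the two, inside the conditional if the exclusion is intended. The `inputs` set this hunk begins in is opened in an earlier hunk.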
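Review bot: `[ -n "$NAME" ]` relies on `set -e` to abort when `NAME` is unset, so a caller who forgets it gets a bare non-zero exit with only the xtrace line as explanation; `: "${NAME:?NAME must be set to the image attribute to build}"` gives the same guard with a message and still works if `-e` is ever dropped. On the following lines `docker image rm "$NAME":latest --force` runs before `docker load -i result`; if that image has never been loaded on this machine, I believe `docker image rm` still exits non-zero for a missing image, which under `set -e` aborts the very first build — `|| true` on that line, or a preceding `docker image inspect "$NAME":latest >/dev/null 2>&1 &&` guard, would let a fresh checkout succeed.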
@@ -21,59 +25,70 @@ in rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [procps zsh coreutils neovim]; + contents = with pkgs; [ + procps + zsh + coreutils + neovim + ]; - config = {Cmd = ["/bin/zsh"];}; + config = { + Cmd = [ "/bin/zsh" ]; + }; }; - s3ql = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ + --log none \ + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi + + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ - --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket - - # FIXME: touch .isbucket after mount - ''; - in + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [pkgs.s3ql pkgs.fuse]; + contents = [ + pkgs.s3ql + 
pkgs.fuse + ]; runAsRoot = '' #!${pkgs.stdenv.shell} 
@@ -84,57 +99,58 @@ in rec { ''; config = { - Env = - baseEnv - ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [entrypoint]; + Env = baseEnv ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = {}; - "/etc/s3ql/authinfo2" = {}; - "/buckets" = {}; - "/tmp" = {}; + "/var/cache/s3ql" = { }; + "/etc/s3ql/authinfo2" = { }; + "/buckets" = { }; + "/tmp" = { }; }; }; }; - syncthing = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; - Cmd = [entrypoint]; - Volumes = {"/data" = {};}; + Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; + Cmd = [ entrypoint ]; + Volumes = { + "/data" = { }; + }; }; }; } 
diff --git a/nix/default.nix b/nix/default.nix index 888a4e9..f8947e0 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,26 +1,34 @@ -{versionsPath}: let +{ versionsPath }: +let channelVersions = import versionsPath; - mkChannelSource = name: let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = + name: + let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" (builtins.map - (elemName: let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = - if builtins.hasAttr "suffix" elem - then elem.suffix - else ""; - in - builtins.concatStringsSep "=" [elemName elemPath] + suffix) - (builtins.attrNames channelVersions)); - pkgs = import (mkChannelSource "nixpkgs") {}; -in { + nixPath = builtins.concatStringsSep ":" ( + builtins.map ( + elemName: + let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; + in + builtins.concatStringsSep "=" [ + elemName + elemPath + ] + + suffix + ) (builtins.attrNames channelVersions) + ); + pkgs = import (mkChannelSource "nixpkgs") { }; +in +{ inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index 34dfceb..aa4eda5 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix 
@@ -1,105 +1,103 @@ { + self, + self', inputs', - packages', pkgs, }: -pkgs.stdenv.mkDerivation { - name = "infra-env"; - buildInputs = - [ - (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};}; - with config.system.build; [ - nixos-generate-config - nixos-install - nixos-enter - manual.manpages - ]) - ] - ++ (with pkgs; [ - inputs'.colmena.packages.colmena +{ + install = pkgs.mkShell { + name = "infra-install"; + packages = with pkgs; [ nixos-install-tools + inputs'.disko.packages.disko + just + git + git-crypt + gnupg + ]; + }; + + develop = pkgs.mkShell { + name = "infra-develop"; + inputsFrom = [ self'.devShells.install ]; + packages = with pkgs; [ + self'.formatter # .package + inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere nurl - - just - git-crypt vcsh - gnupg - git ripgrep - lm_sensors - pass - prs - fuzzel - wofi + # pass age age-plugin-yubikey ssh-to-age yubico-piv-tool inputs'.sops-nix.packages.default sops + nil + nix-index apacheHttpd - vncdo - tesseract - imagemagick + # vncdo + # tesseract + # imagemagick - nmap - sysstat - lshw - xxHash - linssid - wavemon - wirelesstools + # lm_sensors - zathura - xorg.xwininfo - glxinfo - autorandr - arandr - playerctl - x11docker - fwupd + # nmap + # sysstat + # lshw + # xxHash + # linssid + # wavemon + # wirelesstools - ntfy + # zathura + # xorg.xwininfo + # glxinfo + # autorandr + # arandr + # playerctl + # x11docker + # fwupd - hedgedoc-cli + # ntfy + # hedgedoc-cli xwayland - (banana-accounting.overrideDerivation (attrs: - with inputs'.nixpkgs-2211.legacyPackages; { - # dontWrapGApps = true; + pulsemixer - srcs = builtins.fetchurl { - # hosted via https://web3.storage - url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; + (pkgs.writeShellScriptBin "rflk" '' + exec nix run nixpkgs#$@ + '') - sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; - }; + 
(pkgs.writeShellScriptBin "r11" '' + exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ + '') - # nativeBuildInputs = - # attrs.nativeBuildInputs - # ++ [ - # qt5.qtbase - # qt5.wrapQtAppsHook - # ]; + jq + yq + wireguard-tools - # buildInputs = - # attrs.buildInputs - # ++ [ - # qt5.qtwayland - # ]; + screen - # preFixup = - # (attrs.preFixup or "") - # + '' - # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") - # ''; - })) - ]); + inputs'.nixpkgs-unstable.legacyPackages.kanidm + ]; - # Set Environment Variables - RUST_BACKTRACE = 1; + # Set Environment Variables + RUST_BACKTRACE = 1; + + KANIDM_URL = + self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; + + shellHook = builtins.concatStringsSep "\n" [ + # (self.inputs.nixago.lib.${pkgs.system}.make { + # data = self'.formatter.settings; + # output = "treefmt.toml"; + # format = "toml"; + # }).shellHook + ]; + }; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index d30e7a7..921c4dc 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
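Review bot: Both new wrapper scripts in the `develop` shell expand `$@` unquoted, so an argument containing spaces or glob characters is re-split by the shell before `exec`. For `r11` the fix is `exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" "$@"`; for `rflk`, `nixpkgs#$@` only makes sense with a single argument, so either quote it as `exec nix run "nixpkgs#$1"` or pass the remainder explicitly with `exec nix run "nixpkgs#$1" -- "''${@:2}"` (note the `''${` escape inside the Nix indented string). The `shellHook` is `concatStringsSep "\n" [ ]` with only commented-out content, which evaluates to an empty string; either drop it or leave a one-line comment saying the nixago hook is intentionally disabled. `KANIDM_URL` forces evaluation of the full `sj-srv1` NixOS configuration every time the shell is entered, which is worth a comment if it is intentional.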
@@ -1,71 +1,89 @@ { pkgs, + lib, config, # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, - packages', repoFlake, - # repoFlakeInputs', ... -}: let - pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; - pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; - pkgsUnstableSmallRepo = repoFlake.nixpkgs-unstable-small.${pkgs.system}.legacyPackages; -in { +}: +let + pkgsUnstable = + pkgs.pkgsUnstable + or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); +in +{ imports = [ ../profiles/common.nix - ../profiles/dotfiles.nix + # ../profiles/dotfiles.nix # FIXME: fix homeshick when no WAN connection is available # ../programs/homeshick.nix # ../profiles/gnome-desktop.nix - ../profiles/sway-desktop.nix # ../profiles/experimental-desktop.nix ../programs/redshift.nix - ../programs/gpg-agent.nix - # ../programs/espanso.nix + ../programs/gpg-agent.nix + ../programs/pass.nix + + ../programs/espanso.nix ../programs/firefox.nix ../programs/chromium.nix ../programs/libreoffice.nix ../programs/neovim.nix - ../programs/pass.nix ../programs/vscode - - # TODO: bump these to 23.05 and make it work - (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;})) - # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) + { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; - - nixpkgs.config.permittedInsecurePackages = [ + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" ]; + nixpkgs.config.allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + 
nixpkgs.config.permittedInsecurePackages = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + nixpkgs.config.allowUnfree = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + # nixpkgs.config.allowUnfreePredicate = pkg: + # builtins.elem (lib.getName pkg) [ + # "smartgithg" + # "electron-27.3.11" + # ]; + home.packages = - [] - ++ (with pkgs; [ + (with pkgs; [ # Authentication - cacert - fprintd - openssl - mkpasswd + # cacert + # fprintd + # openssl + # mkpasswd # Nix package related tools patchelf - nix-index + # nix-index nix-prefetch-scripts - # nix-prefetch-github + nix-tree # Version Control Systems gitFull - pijul # gitless gitRepo git-lfs @@ -87,14 +105,13 @@ in { # Password Management gnupg - # yubikey-manager - yubikey-manager-qt + yubikey-manager yubikey-personalization yubikey-personalization-gui # gnome.gnome-keyring gcr - gnome.seahorse + seahorse # Language Support hunspellDicts.en-us 
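Review bot: `nixpkgs.config.allowUnfree = [ "electron-28.3.3" "electron-27.3.11" ];` assigns a list to an option nixpkgs treats as a boolean, so depending on how home-manager merges this block with the `allowUnfree = true;` in common.nix it is either an evaluation type error or silently overridden; the commented-out `allowUnfreePredicate` directly below is the intended form, and the list line should be removed. The `allowInsecurePredicate` above compares `lib.getName pkg` — which strips the version — against versioned strings, so it can never match; compare the full name instead, `builtins.elem pkg.name [ "electron-28.3.3" "electron-27.3.11" ]`. Since a custom `allowInsecurePredicate` replaces the default `permittedInsecurePackages` lookup rather than adding to it, the list below it is not consulted either while the predicate is set. A short comment naming which package needs these end-of-life electron builds and when the allowance can be dropped would keep it from outliving its reason; the same getName/version mismatch appears in the common.nix hunk.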
@@ -102,124 +119,59 @@ in { # Messaging/Communication # pidgin - hexchat - schildichat-desktop + # hexchat + pkgsUnstable.element-desktop aspellDicts.en aspellDicts.de # skypeforlinux # pkgsUnstable.jitsi-meet-electron - thunderbird - evolution # gnome4.glib_networking + thunderbird-128 + # betterbird # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop - tdesktop - (let - version = "6.20.0-beta.1"; - in - pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: { - inherit version; - src = builtins.fetchurl { - url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; - sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; - }; - preFixup = - old.preFixup - + '' - gappsWrapperArgs+=( - --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - ) - ''; - })) - - # --add-flags "--enable-features=UseOzonePlatform" - # --add-flags "--ozone-platform=wayland" - (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { - nativeBuildInputs = - old.nativeBuildInputs - ++ [ - pkgs.wrapGAppsHook - ]; - - preFixup = - (old.preFixup or "") - + '' - gappsWrapperArgs+=( - --add-flags "--enable-features=UseOzonePlatform" - --add-flags "--ozone-platform=wayland" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - ) - ''; - })) - - #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: { - # nativeBuildInputs = old.nativeBuildInputs ++ [ - # pkgs.wrapGAppsHook - # ]; - # - # preFixup = (old.preFixup or "") + '' - # gappsWrapperArgs+=( - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}" - # 
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - thunderbird - # gnome.cheese - discord + pkgsUnstable.tdesktop + pkgsUnstable.signal-desktop-source # Virtualization - # virtmanager + virt-manager # Remote Control Tools remmina - freerdp - teamviewer - rustdesk + # freerdp # Audio/Video Players - ffmpeg + # ffmpeg vlc - audacity - spotify + # v4l-utils + # audacity + # spotify yt-dlp (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam + libcamera + snapshot # Network Tools - openvpn tcpdump iftop iperf bind socat - # 2019-03-05: broken on 19.03 linssid - iptraf-ng - ipmitool + nethogs - iptables - nftables - wireshark - wireguard-tools - - # Code Editors - xclip - xsel + # Code Editing and Programming + # TODO(remove or use): pkgsUnstable.lapce + # TODO(remve or use): pkgsUnstable.helix # Image/Graphic/Design Tools - gnome.eog - gimp - imagemagick - exiv2 - graphviz - inkscape - qrencode - zbar - feh + eog + # gimp + # imagemagick + # exiv2 + # graphviz + # inkscape + # qrencode # TODO: remove or move these: Modelling Tools # plantuml 
@@ -230,55 +182,46 @@ in { # astah-community # Misc Development Tools - qrcode - jq - cdrtools + # qrcode + # jq + # cdrtools # Document Processing and Management - gnome.nautilus - xfce.thunar + nautilus pcmanfm # mendeley evince - pkgsUnstableSmall.logseq + xournalpp # File Synchronzation maestral - maestral-gui rsync # Filesystem Tools - ntfs3g - ddrescue - ncdu - unetbootin - hdparm - testdisk + # ntfs3g + # ddrescue + # ncdu + # hdparm # binwalk - gptfdisk - gparted - smartmontools - - ## Android - androidenv.androidPkgs_9_0.platform-tools + # gptfdisk + # gparted + # smartmontools ## Python - packages'.myPython + # packages'.myPython # Misc Desktop Tools - ltunify + # ltunify # dex - xorg.xbacklight coreutils lsof - xdotool - xdg_utils + xdg-utils xdg-user-dirs dconf picocom glib.dev # contains gdbus tool alacritty - wally-cli + # wally-cli man-pages # Screen recording 
@@ -288,29 +231,45 @@ in { # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle - # obs-studio # shotcut # openshot-qt # introduces python: screenkey - pkgsUnstableSmall.ledger-live-desktop + # avidemux # broken + # handbrake + + # snes9x + # snes9x-gtk + # this is a displaymanager! + # libretro.snes9x2010 + # retroarchFull + + # pkgs.logseq-bin + pkgs.logseq + # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) + ]) + ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + pkgsUnstable.ledger-live-desktop + + # unsupported on aarch64-linux + pkgs.androidenv.androidPkgs_9_0.platform-tools + pkgs.teamviewer + pkgs.discord + pkgsUnstable.session-desktop + pkgsUnstable.rustdesk ]); systemd.user.startServices = true; + services.syncthing.enable = true; services.udiskie = { enable = true; - automount = true; + automount = false; notify = true; }; - # FIXME: doesn't work as the service can't seem to control its started PID - services.dropbox = { - enable = false; - path = "${config.home.homeDirectory}/Dropbox-Hm"; - }; - # TODO: uncomment this when it's in stable home-manger # programs.joshuto = { # enable = true; diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 12e1948..5eaebd1 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix @@ -1,13 +1,8 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { - home.packages = - [] - ++ (with pkgs; [ - gnome.gnome-tweaks - gnome.gnome-keyring - gnome.seahorse - ]); + home.packages = with pkgs; [ + gnome.gnome-tweaks + gnome.gnome-keyring + gnome.seahorse + ]; } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index faac0d5..d6296a2 100644 
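Review bot: The new platform gate uses `pkgs.stdenv.targetPlatform.isAarch64`, but `targetPlatform` describes what a compiler emits code for; the machine being configured is `hostPlatform`. The two coincide in a native build, so this is a point of style rather than a behaviour change, but `lib.lists.optionals (!pkgs.stdenv.hostPlatform.isAarch64) [` is the conventional predicate and avoids confusion in any future cross setup. The comment `# this is a displaymanager!` beside the commented-out `libretro.snes9x2010` reads like a stray note; if it is meant as a warning about that package, say which one it refers to.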
--- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,8 +1,5 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
@@ -16,89 +13,87 @@ ../programs/pass.nix ]; - home.packages = - [] - ++ (with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + home.packages = with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Version Control Systems - gitless + # Version Control Systems + gitless - # Process/System Administration - htop - gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Password Management - gnome.gnome-keyring - gnome.seahorse + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Remote Control Tools - remmina - freerdp + # Remote Control Tools + remmina + freerdp - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # samba - iptables - nftables - wireshark + # samba + iptables + nftables + wireshark - # Code Editors - xclip - xsel + # Code Editors + xclip + xsel - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Misc Development Tools - qrcode - jq - cdrtools + # Misc Development Tools + qrcode + jq + cdrtools - # Document Processing and Management - zathura + # Document Processing and Management + zathura - # File Synchronzation - rsync + # File Synchronzation + rsync - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - packages'.myPython + packages'.myPython - # Virtualization - virtmanager - ]); + # Virtualization + virtmanager + ]; } 
diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix deleted file mode 100644 index 4566af7..0000000 --- a/nix/home-manager/configuration/text-minimal.nix +++ /dev/null @@ -1,12 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../profiles/common.nix - ../programs/neovim.nix - ]; - - home.packages = with pkgs; [ - iperf3 - inetutils - speedtest-cli - ]; -} diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index b731c1d..7436034 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,14 +1,19 @@ -{}: let -in { - mkSimpleTrayService = {execStart}: { - Unit = { - Description = ""; - After = ["graphical-session-pre.target"]; - PartOf = ["graphical-session.target"]; +_: { + mkSimpleTrayService = + { execStart }: + { + Unit = { + Description = ""; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = execStart; + }; }; - - Install = {WantedBy = ["graphical-session.target"];}; - - Service = {ExecStart = execStart;}; - }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 20a17e3..77f6e57 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
@@ -1,22 +1,38 @@ -{pkgs, ...}: { +{ pkgs, lib, ... }: +{ + home.stateVersion = lib.mkDefault "23.11"; + # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - imports = [ - ../programs/zsh.nix - ]; - + # TODO: move this to an OS snippet? nixpkgs.config = { allowBroken = false; allowUnfree = true; + allowUnsupportedSystem = true; - permittedInsecurePackages = []; + allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "electron-32.3.3" + "electron" + ]; + + permittedInsecurePackages = [ + "electron-32.3.3" + "electron" + ]; + + allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "obsidian" + "vivaldi" + "aspell-dict-en-science" + ]; }; - nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"]; - nix.settings.sandbox = "relaxed"; - home.keyboard = { layout = "us"; variant = "altgr-intl"; 
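Review bot: `allowInsecurePredicate` here compares `lib.getName pkg` — the pname with the version stripped — against `"electron-32.3.3"` and `"electron"`; the first entry can never match, and the bare `"electron"` matches every electron derivation regardless of version, so any insecure electron from any channel is accepted without a warning. If the intent is to pin one version, compare the full name, `builtins.elem pkg.name [ "electron-32.3.3" ]`, and drop `"electron"` from both this list and `permittedInsecurePackages`. `allowUnfreePredicate` is redundant while `allowUnfree = true;` is set in the same block, since the predicate is only consulted when `allowUnfree` is false. A comment recording which package pulls in the insecure electron and when the exception can be removed would help the next reader; `allowUnsupportedSystem = true;` also deserves a one-line reason.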
@@ -30,53 +46,52 @@ xdg.enable = true; programs.direnv.enable = true; - services.lorri.enable = true; - home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1"; # Don't create .pyc files. home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = - [] - ++ (with pkgs; [ - htop - vcsh + home.packages = with pkgs; [ + coreutils - # Authentication - cacert - openssl - mkpasswd + vcsh - just - ripgrep - du-dust + htop + iperf3 + nethogs - elfutils - exfat - file - tree - pwgen - proot + # Authentication + cacert + openssl + mkpasswd - parted - pv - tmux - wget - curl + just + ripgrep + du-dust - # git helpers - git-crypt - gitFull - pastebinit - gist - mr + elfutils + exfat + file + tree + pwgen + proot - usbutils - pciutils - ]); + parted + pv + tmux + wget + curl - home.stateVersion = "22.05"; + # git helpers + git-crypt + gitFull + pastebinit + gist + mr + + usbutils + pciutils + ]; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 95b5248..a7bddd9 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,10 +1,4 @@ -{ - pkgs, - config, - ... -}: let - vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; -in { +_: { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 84d629f..2a866f2 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
@@ -3,38 +3,40 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: let +}: +let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in - pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) +pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - '' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi +'' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index 96daa60..d57a051 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -1,16 +1,6 @@ +{ packages', ... }: { - pkgs, - config, - lib, - nodeFlake, - packages', - ... -}: let - pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index 5ad7113..5051205 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -1,13 +1,6 @@ +{ pkgs, ... }: { - pkgs, - config, - lib, - ... -}: let -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; services = { gnome-keyring.enable = false; 
@@ -23,86 +16,85 @@ in { # Hidden=true # ''; - services.gpg-agent.pinentryFlavor = "gnome3"; + services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; - dconf.settings = let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = + let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = - builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") - ( - (builtins.length manualKeybindings) - + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( + (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = i: - if i < 10 - then i - else if i == 10 - then 0 - else throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = + i: + if i < 10 then + i + else if i == 10 then + 0 + else + throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = ["l"]; + screensaver = [ "l" ]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList - (i: { + "org/gnome/shell/keybindings" = builtins.listToAttrs 
( + (builtins.genList (i: { name = "switch-to-application-${toString (i + 1)}"; - value = []; - }) - numWorkspaces) ++ [ + value = [ ]; + }) numWorkspaces) + ++ [ { name = "toggle-overview"; - value = []; + value = [ ]; } - ]); + ] + ); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList - (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( + builtins.genList (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ - "${toString (mapToNumber (i + 1))}" - ]; - }) - numWorkspaces); + value = [ "${toString (mapToNumber (i + 1))}" ]; + }) numWorkspaces + ); } - // builtins.listToAttrs (builtins.genList - (i: { + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) - (builtins.length manualKeybindings)) - // builtins.listToAttrs (builtins.genList - (i: { + }) (builtins.length manualKeybindings) + ) + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) - numWorkspaces); + }) numWorkspaces + ); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index 68f21c7..fc52ec6 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
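Review bot: `throw "i exceeds 10: ${i}"` in `mapToNumber` interpolates an integer into a string, which Nix rejects with a coercion error, so the intended message is never shown if the branch is ever reached; change it to `throw "i exceeds 10: ${toString i}"`. The rest of the hunk is reformatting plus the `pinentryPackage` migration and looks correct.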
@@ -1,28 +1,22 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let -in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel fi - '' - }; + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi + ''}; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index da12f62..84d9c21 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,14 @@ -{ - pkgs, - config, - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs, ... }: +let audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [pulseaudio findutils gnugrep] + lib.makeBinPath [ + pulseaudio + findutils + gnugrep + ] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
@@ -33,7 +33,7 @@ terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH set -xe @@ -56,7 +56,7 @@ ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH revert() { ${dpmsScript} default @@ -251,7 +251,8 @@ def print_new_window(window): print("new window: ", window) ''; -in { +in +{ services = { gnome-keyring.enable = true; blueman-applet.enable = true; @@ -286,7 +287,7 @@ in { networkmanagerapplet gnome-icon-theme gnome.gnome-themes-extra - gnome.adwaita-icon-theme + adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index 9640e4a..c6b1e1f 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,57 +1,64 @@ +/* + TODO: create helper scripts for sharing of a screen portion + ``` + + # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. + swaymsg create_output + + # find the name and the workspace number + swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' + + swaymsg output HEADLESS-1 mode 1920@108060Hz + + # mirror the headless workspace on the current one + nix run nixpkgs\#wl-mirror -- HEADLESS-1 + + # shift windows to the workspace and switch the focus to it +*/ { pkgs, config, lib, - packages', + # packages', ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in { +in +{ imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix - ../programs/salut.nix ]; - # TODO: autostart - # environment.loginShellInit = '' - # if [[ "$(tty)" == /dev/tty1 ]]; then - # echo starting sway.. - # exec sway - # fi - # ''; - - services = { - # TODO: doesn't work with 2 screens - # flameshot.enable = true; + services.dunst = { + enable = true; }; - services.gpg-agent.pinentryFlavor = "gnome3"; + services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; home.packages = [ pkgs.swayidle pkgs.swaylock ## themes - pkgs.gnome.adwaita-icon-theme + pkgs.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.gnome-icon-theme ## fonts + # pkgs.nerd-fonts # TODO: reinstall selected ones pkgs.dejavu_fonts # just a basic good fond pkgs.font-awesome_5 # needed by i3status-rust - pkgs.nerdfonts pkgs.font-awesome pkgs.roboto pkgs.ttf_bitstream_vera pkgs.noto-fonts - pkgs.noto-fonts-cjk pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-emoji 
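Review bot: The new header comment opens a ``` fence but never closes it, and its last bullet `# shift windows to the workspace and switch the focus to it` stops before giving the command, so the note reads as unfinished. The mode string `swaymsg output HEADLESS-1 mode 1920@108060Hz` also looks mangled — presumably `1920x1080@60Hz` — and is worth correcting since the comment is meant to be copy-pasted. The `lockCmd`, `displayOffCmd` and `displayOnCmd` bindings are context here, but a one-line comment on why `swaylock -efF` is used would help the next reader.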
@@ -66,115 +73,146 @@ in { pkgs.dina-font pkgs.monoid pkgs.hermit - # found on colemickens' repo + ### found on colemickens' repo pkgs.gelasio # metric-compatible with Georgia pkgs.powerline-symbols pkgs.iosevka-comfy.comfy-fixed - # experimental stuff + ## experimental stuff pkgs.fuzzel ]; + # TODO: configure kanshi to always set the 5K resolution + # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" + # Make: Philips Consumer Electronics Company + # Model: PHL 499P9 + # Serial: AU02419010010 + # Physical size: 1190x340 mm + # Enabled: yes + # Modes: + # 3840x1080 px, 59.967999 Hz (preferred) + # 5120x1440 px, 59.977001 Hz (current) + wayland.windowManager.sway = { enable = true; - systemdIntegration = true; - # systemd.enable = true; + systemd.enable = true; xwayland = false; - config = let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in { - inherit modifier; - bars = []; + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) + left + right + up + down + ; + in + { + inherit modifier; + bars = [ ]; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - "type:touchpad" = { - natural_scroll = "enabled"; + # alternatively run this command + # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" + # and then switch to a different VT 
(alt+ctrl+f2) and back + "1386:914:Wacom_Intuos_Pro_S_Pen" = { + tool_mode = "* relative"; + }; }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + # TODO: i've been hitting this one accidentally way too often. find a better place. 
+ # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + '' + ); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + '' + ); + } + ]; + + colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = 
"workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.border = 4; - }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 6c4d820..2f0d2ee 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,19 +1,14 @@ { pkgs, - config, lib, repoFlake, - nodeFlake, ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let - nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; - nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; - - wayprompt = nixpkgs-wayland'.wayprompt; -in { +in +{ fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; 
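Review bot: The second `startup` entry is a `pkgs.writeShellScript` still named `"ensure-graphical-session"` although it restarts `swayidle`; the name ends up in the store path and in any failure output, so renaming it `"ensure-swayidle"` makes logs readable and stops the two scripts being mistaken for each other. The `--locked` audio bindings are carried over unchanged, but anything bound with `--locked` runs while the screen is locked, so a one-line comment that the locked set is deliberately limited to play/pause and mute would document the intent. `window.titlebar = false;` is a behaviour change buried in a mostly reformatting hunk and deserves a mention in the commit message or a comment; the enclosing `config` attrset and the `services.swayidle` block that follows continue outside the hunk.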
@@ -29,45 +24,57 @@ in { systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = ["graphical-session-pre.target"]; + Requires = [ "graphical-session-pre.target" ]; }; }; - home.packages = with pkgs; [ - # required by network-manager-applet - pkgs.networkmanagerapplet + home.packages = + with pkgs; + [ + # required by network-manager-applet + networkmanagerapplet - wlr-randr - wayout - wl-clipboard - wmctrl + wlr-randr + wayout + wl-clipboard + wmctrl - wayprompt - nixpkgs-wayland'.shotman + nixpkgs-wayland'.shotman - # identifies key input syms - wev + # identifies key input syms + wev - # TODO: whwat's this for? - # wltype + # TODO: whwat's this for? + # wltype - pavucontrol - playerctl - pasystray - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland + qt5.qtwayland + qt6.qtwayland + # libsForQt5.qt5.qtwayland + # libsForQt6.qt6.qtwayland - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - ]; + # audio + playerctl + helvum + pasystray + sonusmix + pwvucontrol + + # probably required by flameshot + # xdg-desktop-portal xdg-desktop-portal-wlr + # grim + + waypipe + ] + ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) + # TODO: broken on aarch64 + [ ] + ); home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; NIXOS_OZONE_WL = "1"; MOZ_ENABLE_WAYLAND = "1"; + WLR_NO_HARDWARE_CURSORS = "1"; }; home.pointerCursor = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index dda9b61..aa3f531 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
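Review bot: `++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) [ ])` appends an empty list on every platform, so the TODO it carries is dead code; either drop the whole `++` clause or put the actually broken package names in the list so the guard has something to protect. `WLR_NO_HARDWARE_CURSORS = "1"` is added without a note on which host or GPU needs the software-cursor fallback; a comment such as `# TODO(review): record which machine needs this so it can be removed later` would keep the variable from outliving its reason.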
@@ -1,59 +1,81 @@ { name, lib, + pkgs, ... -}: let - extensions = - [ - #undetectable adblocker - {id = "gcfcpohokifjldeandkfjoboemihipmb";} +}: +let + extensions = + [ + #undetectable adblocker + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } - # ublock origin - {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} + # ublock origin + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } - # # YT ad block - # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} + # # YT ad block + # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} - # # Adblock Plus - # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} + # # Adblock Plus + # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} - # Cookie Notice Blocker - {id = "odhmfmnoejhihkmfebnolljiibpnednn";} - # i don't care about cookies - {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} + # Cookie Notice Blocker + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } + # i don't care about cookies + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } - # NopeCHA - {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} + # NopeCHA + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } - # h264ify - {id = "aleakchihdccplidncghkekgioiakgal";} + # h264ify + { id = "aleakchihdccplidncghkekgioiakgal"; } - # clippy - # {id = "honbeilkanbghjimjoniipnnehlmhggk"} + # clippy + # {id = "honbeilkanbghjimjoniipnnehlmhggk"} - { - id = "dcpihecpambacapedldabdbpakmachpb"; - updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; - } + { + id = "dcpihecpambacapedldabdbpakmachpb"; + updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; + } - # cookie autodelete - {id = "fhcgjolkccmbidfldomjliifgaodjagh";} - ] - ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ - # Vimium C - {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} - ]); + # cookie autodelete + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } -in { + # unhook + { id = "khncfooichmfjbepaaaebmommgaepoid"; } + ] + ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != 
null) [ + # polkadotjs + { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } + + # rabby wallet + { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } + + # phantom wallet + { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } + + # Vimium C + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + + # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report + # always right + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } + + # shazam music + { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } + ]); +in +{ programs.chromium = { enable = true; inherit extensions; + # TODO: extensions currently don't work with ungoogled-chromium + package = pkgs.chromium; }; programs.brave = { - enable = true; + # TODO: enable this on aarch64-linux + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; - - programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 7497432..8297183 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix 
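Review bot: The `dcpihecpambacapedldabdbpakmachpb` entry keeps an `updateUrl` on a mutable `master` branch of a third-party GitHub repository, so the extension code installed is whatever that branch's `updates.xml` points to at update time with no pin to a specific version, and the same profile now also receives three wallet extensions (polkadotjs, rabby, phantom) whose trust assumptions differ from the ad-blockers next to them; a comment recording why this update channel is accepted, or a pin to a tagged release if the repository offers one, would make the risk explicit in the file. `enable = true && !pkgs.stdenv.targetPlatform.isAarch64;` reads oddly because the `true &&` is redundant; `enable = !pkgs.stdenv.targetPlatform.isAarch64;` says the same thing. The `programs.browserpass` block is removed without replacement; if that is intentional, the commit message should say so.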
@@ -1,65 +1,82 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { services.espanso = { - # package = pkgs.espanso.overrideAttrs(_: { - # # src = - # }) - enable = true; - settings = { - matches = let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + package = pkgs.espanso-wayland; + # package = pkgs.espanso-wayland.overrideAttrs (_: { + # src = repoFlake.inputs.espanso; - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + # cargoLock = { + # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; + # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; + # outputHashes = { + # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; + # }; + # }; + # }); - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - ]; + enable = false; + configs = { + default = { + # backend = "Inject"; + # backend = "Clipboard"; + }; }; + matches = + let + playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ 
+ { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime + + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() + + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; + }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index b008242..51c7a93 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
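Review bot: `enable = false;` turns the whole espanso module off while the commit rewrites its configuration in detail, so a reader cannot tell whether the matches are broken, waiting on the commented-out `overrideAttrs` source override, or simply unwanted; a comment next to it such as `# disabled: <reason>` would settle that. `:dunno` and `:shrug` now carry identical `replace` strings as two separate matches; espanso accepts a `triggers` list on a single match, which avoids the duplicate. The `playerctl` helper and the python `:vpos` script both hard-code the `/run/user/$uid/bus` session bus path, which is a reasonable default but will fail silently under a different `DBUS_SESSION_BUS_ADDRESS`; a short comment stating that assumption would help the next person debugging an empty expansion.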
@@ -1,6 +1,417 @@ -{pkgs, ...}: { - # programs.librewolf = {enable = true;}; - programs.firefox = {enable = true;}; +{ + repoFlake, + pkgs, + config, + lib, + ... +}: +let + # Search extension names with below command: + # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY + ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ + ublock-origin - home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; + # bypass-paywalls-clean (can't use, was creating popups) + consent-o-matic + terms-of-service-didnt-read + + auto-tab-discard + + # redirector # For nixos wiki + # darkreader + + facebook-container + control-panel-for-twitter + # containerise + facebook-tracking-removal + vimium + cookie-autodelete + auto-tab-discard + istilldontcareaboutcookies + + youtube-recommended-videos + + display-_anchors + ]; + + customAddons = [ + + ]; + + search = { + force = true; + default = "DuckDuckGo"; + privateDefault = "DuckDuckGo"; + }; + + mkProfile = + override: + lib.recursiveUpdate { + extensions = ryceeAddons ++ customAddons; + inherit search; + + settings = { + # automatically enable extensions + "extensions.autoDisableScopes" = 0; + + "middlemouse.paste" = false; + + "browser.download.useDownloadDir" = false; + "browser.tabs.insertAfterCurrent" = true; + "browser.tabs.warnOnClose" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.quitShortcut.disabled" = false; + + # restore the previous session automatically + "browser.startup.page" = 3; + "browser.sessionstore.resume_from_crash" = true; + "browser.sessionstore.restore_pinned_tabs_on_demand" = true; + "browser.sessionstore.restore_on_demand" = true; + + "browser.urlbar.suggest.bookmark" = true; + "browser.urlbar.suggest.engines" = true; + "browser.urlbar.suggest.history" = true; + "browser.urlbar.suggest.openpage" = true; + 
"browser.urlbar.suggest.topsites" = false; + "browser.urlbar.trimHttps" = true; + + "sidebar.position_start" = false; + "findbar.highlightAll" = true; + + "browser.tabs.hoverPreview.enabled" = true; + + # Disable fx accounts + "identity.fxaccounts.enabled" = false; + # Disable "save password" prompt + "signon.rememberSignons" = false; + # Harden + "privacy.trackingprotection.enabled" = true; + "dom.security.https_only_mode" = true; + + # Disable irritating first-run stuff + "browser.disableResetPrompt" = true; + "browser.download.panel.shown" = true; + "browser.feeds.showFirstRunUI" = false; + "browser.messaging-system.whatsNewPanel.enabled" = false; + "browser.rights.3.shown" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.shell.defaultBrowserCheckCount" = 1; + "browser.startup.homepage_override.mstone" = "ignore"; + "browser.uitour.enabled" = false; + "startup.homepage_override_url" = ""; + "trailhead.firstrun.didSeeAboutWelcome" = true; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.bookmarks.addedImportButton" = true; + + # Disable "Save to Pocket" or Pocket entirely + "extensions.pocket.enabled" = false; + + # Disable telemetry + "toolkit.telemetry.enabled" = false; + "toolkit.telemetry.unified" = false; + "toolkit.telemetry.archive.enabled" = false; + "datareporting.healthreport.uploadEnabled" = false; + "app.shield.optoutstudies.enabled" = false; + "browser.discovery.enabled" = false; + "browser.newtabpage.activity-stream.feeds.telemetry" = false; + "browser.newtabpage.activity-stream.telemetry" = false; + "browser.ping-centre.telemetry" = false; + "datareporting.healthreport.service.enabled" = false; + "datareporting.policy.dataSubmissionEnabled" = false; + "datareporting.sessions.current.clean" = true; + "devtools.onboarding.telemetry.logged" = false; + "toolkit.telemetry.bhrPing.enabled" = false; + "toolkit.telemetry.firstShutdownPing.enabled" = false; + "toolkit.telemetry.hybridContent.enabled" = false; + 
"toolkit.telemetry.newProfilePing.enabled" = false; + "toolkit.telemetry.prompted" = 2; + "toolkit.telemetry.rejected" = true; + "toolkit.telemetry.reportingpolicy.firstRun" = false; + "toolkit.telemetry.server" = ""; + "toolkit.telemetry.shutdownPingSender.enabled" = false; + "toolkit.telemetry.unifiedIsOptIn" = false; + "toolkit.telemetry.updatePing.enabled" = false; + + # Disable any feeds on the new tab page + "browser.newtabpage.activity-stream.showTopSites" = false; + "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; + "browser.newtabpage.activity-stream.discoverystream.enabled" = false; + "browser.newtabpage.activity-stream.feeds.topsites" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; + "browser.newtabpage.blocked" = lib.genAttrs [ + # Youtube + "26UbzFJ7qT9/4DhodHKA1Q==" + # Facebook + "4gPpjkxgZzXPVtuEoAL9Ig==" + # Wikipedia + "eV8/WsSLxHadrTL1gAxhug==" + # Reddit + "gLv0ja2RYVgxKdp0I5qwvA==" + # Amazon + "K00ILysCaEq8+bEqV/3nuw==" + # Twitter + "T9nJot5PurhJSy8n038xGA==" + ] (_: 1); + "browser.topsites.blockedSponsors" = [ + "adidas" + "temuaffiliateprogram.pxf" + "s.click.aliexpress" + ]; + + # enable userChrome + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "devtools.chrome.enabled" = true; + "devtools.debugger.remote-enabled" = true; + + # disable translations for some languages + "browser.translations.neverTranslateLanguages" = [ + "en" + "de" + ]; + "browser.translations.automaticallyPopup" = false; + + # enable pipewire (and libcamera) sources + "media.webrtc.camera.allow-pipewire" = true; + }; + + userChrome = + let + name = override.color or colors.grey; + value = colorValues."${name}".normal; + valueBright = colorValues."${name}".highlight; + valueDark = colorValues."${name}".inactive; + in + '' + @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed 
once */ + + #nav-bar { + background-color: ${value} !important; + color: black !important; + } + + /* don't show close button on background tabs */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { + display: none !important; + } + + /* show close button on hover */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { + display: -moz-inline-box !important; + } + + + /* default */ + #TabsToolbar { + background: ${valueDark} !important; + } + + /* default tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { + background: ${value} !important; + opacity: 0.8 + } + + /* selected tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { + background: ${valueBright} !important; + box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); + } + + /* hovered tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { + background: ${valueBright} !important; + } + + /* unloaded/pending tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { + background: ${valueDark} !important; + } + ''; + + # /* new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { + # background: unset !important; + # } + + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { + # /* background: var(--default_tabs_bg_newtab) !important; + # } + + # /* hovered new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { + # background: var(--default_tabs_bg_newtab_hovered) !important; + # } + + } (builtins.removeAttrs override [ "color" ]); + + # TODO: insert the id automatically + mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; + + colors = builtins.mapAttrs (name: _: name) colorValues; + + colorValues = { + blue = { + normal = "#49b1fc"; + highlight = "#05a9fc"; # Brighter blue + inactive = "#1f81c6"; # Darker 
blue + }; + green = { + normal = "#51cd00"; + highlight = "#5ae200"; # Brighter green + inactive = "#45ad00"; # Darker green + }; + orange = { + normal = "#ff9800"; + highlight = "#ffb74d"; # Brighter orange + inactive = "#c76a00"; # Darker orange + }; + red = { + normal = "#f6685e"; + highlight = "#ff4336"; # Brighter red + inactive = "#aa463f"; # Darker red + }; + yellow = { + normal = "#fced4b"; + highlight = "#fce705"; # Brighter yellow + inactive = "#dbbe00"; # Darker yellow + }; + purple = { + normal = "#9c27b0"; + highlight = "#ab47bc"; # Brighter purple + inactive = "#7b1fa2"; # Darker purple + }; + pink = { + normal = "#e91e63"; + highlight = "#ff6090"; # Brighter pink + inactive = "#c2185b"; # Darker pink + }; + brown = { + normal = "#795548"; + highlight = "#a88b6f"; # Brighter brown + inactive = "#4e3b30"; # Darker brown + }; + grey = { + normal = "#9e9e9e"; + highlight = "#bdbdbd"; # Brighter grey + inactive = "#757575"; # Darker grey + }; + teal = { + normal = "#009688"; + highlight = "#26c6da"; # Brighter teal + inactive = "#00796b"; # Darker teal + }; + }; + +in +{ + nixpkgs.overlays = [ + repoFlake.inputs.nur.overlays.default + ]; + + nixpkgs.config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "youtube-recommended-videos" + ]; + + programs.librewolf = { + enable = false; + }; + programs.firefox = { + enable = true; + package = pkgs.firefox-esr; + + profiles = mkProfiles { + "personal" = mkProfile { + id = 0; + isDefault = true; + color = colors.blue; + }; + "comms" = mkProfile { + id = 1; + color = colors.blue; + }; + "admin" = mkProfile { + id = 2; + color = colors.blue; + }; + "infra" = mkProfile { + id = 3; + color = colors.blue; + }; + "finance" = mkProfile { + id = 4; + color = colors.yellow; + }; + "business-admin" = mkProfile { + id = 5; + color = colors.teal; + }; + "business-comms" = mkProfile { + id = 6; + color = colors.teal; + }; + "business-dev" = mkProfile { + id = 7; + color = colors.teal; + }; + "holo-dev" = 
mkProfile { + id = 8; + color = colors.green; + }; + "holo-infra" = mkProfile { + id = 9; + color = colors.green; + }; + "holo-comms" = mkProfile { + id = 10; + color = colors.green; + }; + "justyna" = mkProfile { + id = 11; + color = colors.pink; + }; + "justyna-office" = mkProfile { + id = 12; + color = colors.pink; + }; + }; + + }; + + # create one desktop entry for each profile + xdg.desktopEntries = lib.mapAttrs' ( + k: _v: + lib.nameValuePair "firefox-profile-${k}" { + categories = [ + "Network" + "WebBrowser" + ]; + exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; + genericName = "Web Browser"; + icon = + builtins.replaceStrings [ ".desktop" ] [ "" ] + config.programs.firefox.package.desktopItem.name; + mimeType = [ + "text/html" + "text/xml" + "application/xhtml+xml" + "application/vnd.mozilla.xul+xml" + "x-scheme-handler/http" + "x-scheme-handler/https" + ]; + name = "Firefox: ${k}"; + startupNotify = true; + settings.StartupWMClass = + # To group windows of different profiles. + # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. + #if profile.name == "default" + #then "firefox" + #else "firefox-${profile.name}"; + "firefox"; + terminal = false; + type = "Application"; + } + ) config.programs.firefox.profiles; } diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index 79ce675..b81c150 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix 
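Review bot: `"devtools.debugger.remote-enabled" = true;` together with `"devtools.chrome.enabled" = true;` sit under the `# enable userChrome` comment, but userChrome.css only needs `toolkit.legacyUserProfileCustomizations.stylesheets`; the two devtools prefs switch on the Browser Toolbox and remote debugging for every profile, which is more attack surface than the comment justifies, so either drop them or comment them separately, e.g. `# Browser Toolbox, used to develop the userChrome below; not required for the CSS to apply`. `"extensions.autoDisableScopes" = 0;` likewise does more than "automatically enable extensions": it also stops Firefox from asking before enabling add-ons found in any install scope, so the comment should state that sideloaded add-ons are accepted on purpose. Smaller points: `auto-tab-discard` appears twice in `ryceeAddons`, and `mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;` is the identity and can be written `mkProfiles = lib.id;` until the TODO about ids is implemented. The `xdg.desktopEntries` block passes `${k}` unquoted into `exec`, which is fine for the current hyphenated names but would break on a profile name containing spaces.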
@@ -1,20 +1,17 @@ -{lib, pkgs, config, ...}: { - home.packages = [ - pkgs.gcr - ] ++ - (if config.services.gpg-agent.pinentryFlavor == "gtk2" then [pkgs.pinentry-gtk2] - else if config.services.gpg-agent.pinentryFlavor == "gnome3" then [pkgs.pinentry-gnome] - else []) - ; +{ lib, pkgs, osConfig, ... }: +{ + home.packages = [ pkgs.gcr ]; programs.gpg.enable = true; services.gpg-agent = { enable = true; - enableScDaemon = true; + enableScDaemon = !osConfig.services.pcscd.enable; enableSshSupport = true; grabKeyboardAndMouse = true; - pinentryFlavor = lib.mkDefault "gtk2"; - extraConfig = ""; + pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; + extraConfig = '' + no-allow-external-cache + ''; defaultCacheTtl = 0; maxCacheTtl = 0; diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index cbd4964..4ba0dfe 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
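Review bot: `enableScDaemon = !osConfig.services.pcscd.enable;` disables scdaemon entirely whenever pcscd is enabled on the host; if the intent was to have scdaemon reach the card through pcscd instead of its internal CCID driver, that is a different knob (`disable-ccid` in scdaemon's own configuration) and this line removes smartcard support rather than redirecting it, so a comment stating the intended behaviour would resolve the ambiguity. The new `no-allow-external-cache` line is a good hardening step alongside the zero cache TTLs below it but has no explanation; suggested: `# do not let pinentry offer to store passphrases in an external cache such as a keyring`. `pkgs.gcr` stays installed although the default pinentry moved to `pkgs.pinentry-gtk2`; if it only served the gnome3 flavour it can go. The `services.gpg-agent` attrset continues outside the hunk.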
@@ -1,32 +1,25 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let - # TODO: clean up the impurity in here -in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - '' - }; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + ''}; ''; nixpkgs.config = { - packageOverrides = pkgs: - with pkgs; { + packageOverrides = + pkgs: with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index f5921e2..2091dc8 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,3 +1,8 @@ -{pkgs, ...}: { - home.packages = with pkgs; [libreoffice-fresh]; +{ pkgs, nodeFlake, ... }: + +let + pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; +in +{ + home.packages = [ pkgsStable.libreoffice ]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index e169eea..d5f60dc 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
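Review bot: The reindented activation script still runs `source ${pkgs.homeshick}/homeshick.sh`, and the `packageOverrides` below obtains `pkgs.homeshick` via `builtins.fetchGit` with `ref = "master"`, so unless a `rev` is pinned past the end of this hunk the script executed at every activation is whatever upstream master contains at evaluation time; the removed `# TODO: clean up the impurity in here` comment was the only mention of that, and it should come back (or better, a `rev` with a comment) rather than disappear with the reformat. The `fetchGit` attrset continues outside the hunk.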
@@ -1,131 +1,161 @@ +{ repoFlake, pkgs, ... }: { - pkgs, - lib, - ... -}: let -in { - # FIXME: this doesn't work - home.sessionVariables.EDITOR = "nvim"; + imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; - programs.neovim = { + programs.nixvim = { enable = true; + defaultEditor = true; + vimdiffAlias = true; + vimAlias = true; - extraPython3Packages = ps: with ps; []; + extraPython3Packages = ps: with ps; [ ]; - extraConfig = builtins.readFile ./neovim/vimrc; + # extraConfigVim = builtins.readFile ./neovim/vimrc; - plugins = with pkgs; - [ - # yaml-folds - { - plugin = vimUtils.buildVimPlugin { - name = "vim-yaml-folds"; - src = fetchFromGitHub { - owner = "pedrohdz"; - repo = "vim-yaml-folds"; - rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - }; - buildInputs = [zip vim]; - }; - } + clipboard = { + register = "unnamedplus"; + providers.wl-copy.enable = true; + }; - { - plugin = vimUtils.buildVimPlugin { - name = "vim-yaml"; - src = fetchFromGitHub { - owner = "stephpy"; - repo = "vim-yaml"; - rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - }; - }; - } + plugins = { + airline = { + enable = true; + settings = { + powerline_fonts = 1; + skip_empty_sections = 1; + theme = "papercolor"; + }; + }; + fugitive.enable = true; + gitblame.enable = true; + lsp = { + enable = true; + }; - # broken 2021-06-08 - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-markdown-toc"; - # src = fetchFromGitHub { - # owner = "mzlogin"; - # repo = "vim-markdown-toc"; - # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638"; - # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz"; - # }; - # }; - # } + nix.enable = true; - # broken 2021-06-08 - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-perl"; - # src = fetchFromGitHub { - # owner = "vim-perl"; - # repo = "vim-perl"; - # rev = 
"f330b5d474c44e6cfae22ba50868093dea3e9adb"; - # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr"; - # }; - # }; - # } + # TODO: enable in next release + # numbertoggle.enable = true; - { - plugin = vimUtils.buildVimPlugin { - name = "git-blame"; - src = fetchFromGitHub { - "owner" = "zivyangll"; - "repo" = "git-blame.vim"; - "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - }; - }; - } - ] - ++ (with pkgs.vimPlugins; [ - delimitMate - vim-airline - vim-airline-themes - ctrlp - vim-css-color - rainbow_parentheses - vim-colorschemes - vim-colorstepper - vim-signify - fugitive - vim-indent-guides - UltiSnips - fzfWrapper + # successfor to ctrlp and fzf + telescope.enable = true; - ncm2 - ncm2-bufword - ncm2-path - ncm2-tmux - ncm2-ultisnips - nvim-yarp + todo-comments.enable = true; - LanguageClient-neovim + toggleterm.enable = true; - Improved-AnsiEsc - tabular + treesitter = { + enable = true; - # Nix - vim-addon-nix - tlib - vim-addon-vim2nix + grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ + bash + json + lua + make + markdown + nix + regex + toml + vim + vimdoc + xml + yaml + ]; + }; - # LaTeX - vim-latex-live-preview - vimtex + treesitter-context.enable = true; + treesitter-refactor.enable = true; - # YAML - vim-yaml + # This plugin trims trailing whitespace and lines. 
+ trim.enable = true; + }; - # markdown - vim-markdown - vim-markdown-toc + # plugins = with pkgs; + # [ + # # yaml-folds + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml-folds"; + # src = fetchFromGitHub { + # owner = "pedrohdz"; + # repo = "vim-yaml-folds"; + # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + # }; + # buildInputs = [zip vim]; + # }; + # } - # misc syntax support - vim-bazel - maktaba - ]); + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml"; + # src = fetchFromGitHub { + # owner = "stephpy"; + # repo = "vim-yaml"; + # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + # }; + # }; + # } + + # { + # plugin = vimUtils.buildVimPlugin { + # name = "git-blame"; + # src = fetchFromGitHub { + # "owner" = "zivyangll"; + # "repo" = "git-blame.vim"; + # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + # }; + # }; + # } + # ] + # ++ (with pkgs.vimPlugins; [ + # delimitMate + # vim-airline + # vim-airline-themes + # ctrlp + # vim-css-color + # rainbow_parentheses + # vim-colorschemes + # vim-colorstepper + # vim-signify + # fugitive + # vim-indent-guides + # UltiSnips + # fzfWrapper + + # ncm2 + # ncm2-bufword + # ncm2-path + # ncm2-tmux + # ncm2-ultisnips + # nvim-yarp + + # LanguageClient-neovim + + # Improved-AnsiEsc + # tabular + + # # Nix + # vim-addon-nix + # tlib + # vim-addon-vim2nix + + # # LaTeX + # vim-latex-live-preview + # vimtex + + # # YAML + # vim-yaml + + # # markdown + # vim-markdown + # vim-markdown-toc + + # # misc syntax support + # vim-bazel + # maktaba + # ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index c002c2b..f3cb42b 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc 
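Review bot: The roughly one hundred commented-out `# plugins = with pkgs; [ ... ]` lines at the end of the new file are dead code: the old list, including its pinned `rev`/`sha256` pairs, stays in git history, and `programs.nixvim.plugins` above is now the only place that matters, so I would delete the block rather than carry it as comments. The comment `# successfor to ctrlp and fzf` above `telescope.enable = true;` should read `# successor to ctrlp and fzf`. `# extraConfigVim = builtins.readFile ./neovim/vimrc;` is commented out while `neovim/vimrc` is still edited in this same commit, so a one-line comment stating whether that file is still consumed anywhere would help.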
@@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = { \ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } -let g:ctrlp_max_files=0 -let g:ctrlp_max_depth=1000 +"let g:ctrlp_max_files=0 +"let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix new file mode 100644 index 0000000..d99747d --- /dev/null +++ b/nix/home-manager/programs/obs-studio.nix @@ -0,0 +1,25 @@ +{ pkgs, lib, ... }: +{ + programs.obs-studio = { + enable = true; + plugins = + builtins.map + ( + plugin: + (plugin.overrideAttrs (attrs: { + meta = lib.mkMerge [ + { inherit (attrs) meta; } + { meta.platforms = [ pkgs.stdenv.system ]; } + ]; + })) + ) + ( + with pkgs.obs-studio-plugins; + [ + # wlrobs + obs-backgroundremoval + obs-pipewire-audio-capture + ] + ); + }; +} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix new file mode 100644 index 0000000..4b01360 --- /dev/null +++ b/nix/home-manager/programs/openvscode-server.nix 
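Review bot: In the new obs-studio.nix, `meta = lib.mkMerge [ { inherit (attrs) meta; } { meta.platforms = [ pkgs.stdenv.system ]; } ]` inside `overrideAttrs` looks wrong on two counts: `lib.mkMerge` produces a module-system marker (`_type = "merge"`) that only the module evaluator resolves, whereas `overrideAttrs` passes the value straight through to `mkDerivation`; and both list elements wrap their value in another `meta` attribute, so even a resolved merge would yield `meta.meta.platforms`, not `meta.platforms`. The plain attribute-set update expresses what the code appears to intend: `meta = attrs.meta // { platforms = [ pkgs.stdenv.system ]; };`. I have not evaluated this, so if the current form builds for you, a comment explaining why would be worth adding.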
@@ -0,0 +1,37 @@ +{ pkgs, repoFlake, ... }: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ + home.packages = [ + pkgs.nil + pkgs.nixd + pkgs.nixfmt-rfc-style + + # TODO: automate linking this + # 1. get the commit with: `codium --version` + # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` + # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ + + /* + e.g.: + ``` + ( + set -e + export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') + ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" + ) + ``` + */ + + (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { + src = repoFlake.inputs.openvscode-server; + version = "1.94.2"; + yarnCache = attrs.yarnCache.overrideAttrs (_: { + outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; + }); + })) + + pkgs.waypipe + ]; +} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 2be5230..056d08d 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
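Review bot: In the `openvscode-server.overrideAttrs` block, `version = "1.94.2"` and the yarnCache `outputHash` are hard-coded beside a `src` that comes from the `repoFlake.inputs.openvscode-server` flake input, so bumping the input leaves a stale version string silently and the fixed-output hash only fails at build time. A comment tying the three together would prevent that, e.g. `# version and yarnCache.outputHash must be updated together with the openvscode-server flake input`. The long comment above also hard-codes the commit `c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc` in step 2 while the shell snippet below derives it from `codium --version`; keeping only the derived form leaves one less thing to rot.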
@@ -1,17 +1,16 @@ -{pkgs, ...}: { +{ repoFlake, pkgs, ... }: +{ # required by pass-otp - home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; - home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; - - programs.browserpass.enable = true; + # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; + # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + # programs.browserpass.enable = true; home.packages = with pkgs; [ - gnupg - pass + gnupg - # broken on wayland - # rofi-pass + # broken on wayland + # rofi-pass - prs + repoFlake.packages.${pkgs.system}.prs ]; } diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index a8e4eef..be31268 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -4,7 +4,8 @@ pkgs, osConfig, ... -}: let +}: +let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
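Review bot: The `# required by pass-otp` comment now heads two commented-out `home.sessionVariables.PASSWORD_STORE_*` lines and `# programs.browserpass.enable = true;`, and `pass` itself is dropped from `home.packages`, so the comment describes nothing that is active. Either remove the three dead lines together with their comment, or reword it to say why they are kept, e.g. `# pass-otp wiring, disabled while pass is not installed` (adjust to the actual reason). The same applies to the retained `# broken on wayland` / `# rofi-pass` pair, which the hunk re-indents but keeps.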
@@ -38,50 +39,51 @@ # pkgs.libxcrypt ]; - propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; + propagatedBuildInputs = [ + libdecsync + pkgs.python3Packages.setuptools + ]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = - old.propagatedBuildInputs - ++ [radicale-storage-decsync]; + propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; }); - mkRadicaleService = { - suffix, - port, - }: let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = + { suffix, port }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} - ''; - in { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; }; - Install.WantedBy = ["default.target"]; }; - }; in - builtins.foldl' (sum: cur: lib.recursiveUpdate sum 
(mkRadicaleService cur)) {} [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } - ] +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 0946b2e..9e45594 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,21 +1,26 @@ -{ - pkgs, - config, - ... -}: let +_: +let passwords = import ../../variables/passwords.crypt.nix; -in { +in +{ services.gammastep = { enable = true; + provider = "manual"; + enableVerboseLogging = true; inherit (passwords.location.stefan) longitude latitude; temperature = { - day = 6700; + # day = 6700; + day = 3000; night = 3000; }; tray = true; settings = { + general = { + adjustment-method = "wayland"; + }; gammastep = { - brightness-day = 1.0; + # brightness-day = 1.0; + brightness-day = 0.5; brightness-night = 0.5; }; }; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 1d39b5e..415e3be 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -1,20 +1,11 @@ -{ - pkgs, - config, - lib, - packages', - ... -}: +{ pkgs, packages', ... }: # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done - let - inherit (import ../lib.nix {}) mkSimpleTrayService; + inherit (import ../lib.nix { }) mkSimpleTrayService; in { - home.packages = [ - packages'.salut - ]; + home.packages = [ packages'.salut ]; xdg.configFile."salut/config.ini" = { enable = true; 
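Review bot: The storage paths in `mkRadicaleService` move from `${config.xdg.dataHome}/radicale-${suffix}` and `${config.xdg.dataHome}/decsync-${suffix}` to `${config.xdg.dataHome}/radicale/radicale-${suffix}` and `${config.xdg.dataHome}/decsync/decsync-${suffix}`, but nothing in the hunk migrates the existing directories, so both `radicale-personal` and `radicale-family` would start against empty collections on the next activation unless the data was moved by hand. A comment recording that manual move, or an activation step that relocates the old directory when the new one is absent, would make the change safe to reapply on another machine. The enclosing `let` begins before the hunk.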
@@ -36,7 +27,5 @@ in onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { - execStart = "${packages'.salut}/bin/salut"; - }; + systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 1e9cacd..df72028 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
@@ -1,482 +1,134 @@ -{pkgs, ...}: let - packagedExtensions = with pkgs.vscode-extensions; [ - # bbenoist.Nix - ms-vscode-remote.remote-ssh - - vscodevim.vim - ]; - - marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - # { - # name = "vim"; - # publisher = "vscodevim"; - # version = "1.17.1"; - # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; - # } - # { - # name = "remote-ssh-edit"; - # publisher = "ms-vscode-remote"; - # version = "0.56.0"; - # sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r"; - # } - { - name = "Theme-NaturalContrast-With-HC"; - publisher = "74th"; - version = "1.0.0"; - sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm"; - } - { - name = "markdown-toc"; - publisher = "AlanWalk"; - version = "1.5.6"; - sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5"; - } - { - name = "Paper-tmTheme"; - publisher = "DiryoX"; - version = "0.4.0"; - sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0"; - } - { - name = "Monokai-Polished"; - publisher = "Mit"; - version = "0.3.1"; - sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1"; - } - { - name = "dot"; - publisher = "Stephanvs"; - version = "0.0.1"; - sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf"; - } - { - name = "rust-snippets"; - publisher = "ZakCodes"; - version = "0.0.1"; - sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2"; - } - { - name = "better-comments"; - publisher = "aaron-bond"; - version = "2.1.0"; - sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp"; - } - { - name = "vscode-icalendar"; - publisher = "af4jm"; - version = "1.0.1"; - sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79"; - } - { - name = "hugofy"; - publisher = "akmittal"; - version = "0.1.1"; - sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg"; - } - { - name = "asciidoctor-vscode"; - publisher = "asciidoctor"; - version = "2.8.4"; - sha256 = 
"0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad"; - } - { - name = "markdown-preview-github-styles"; - publisher = "bierner"; - version = "0.1.6"; - sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw"; - } - { - name = "made-of-code"; - publisher = "brian-yu"; - version = "0.0.5"; - sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965"; - } - { - name = "better-toml"; - publisher = "bungcip"; - version = "0.3.2"; - sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3"; - } - { - name = "tabulous"; - publisher = "bwildeman"; - version = "1.2.0"; - sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9"; - } - { - name = "bracket-pair-colorizer"; - publisher = "CoenraadS"; - version = "1.0.61"; - sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652"; - } - { - name = "mustache"; - publisher = "dawhite"; - version = "1.1.1"; - sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y"; - } - { - name = "vscode-nomnoml"; - publisher = "doctorrustynelson"; - version = "0.3.0"; - sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43"; - } - { - name = "gitlens"; - publisher = "eamodio"; - version = "11.0.5"; - sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88"; - } - { - name = "monokai-light"; - publisher = "ethansugar"; - version = "0.2.1"; - sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0"; - } - { - name = "Theme-Monokai-Contrast"; - publisher = "gerane"; - version = "0.0.5"; - sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm"; - } - { - name = "Theme-snappy-light"; - publisher = "gerane"; - version = "0.0.5"; - sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w"; - } - { - name = "vscode-pull-request-github"; - publisher = "GitHub"; - version = "0.21.3"; - sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0"; - } - { - name = "go"; - publisher = "golang"; - version = "0.19.0"; - sha256 = 
"1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98"; - } - { - name = "terraform"; - publisher = "hashicorp"; - version = "2.3.0"; - sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq"; - } - { - name = "bonsai"; - publisher = "hawkeyegold"; - version = "1.4.0"; - sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89"; - } - { - name = "live-html-previewer"; - publisher = "hdg"; - version = "0.3.0"; - sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p"; - } - { - name = "yuml"; - publisher = "JaimeOlivares"; - version = "3.5.1"; - sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0"; - } - { - name = "latex-workshop"; - publisher = "James-Yu"; - version = "8.14.0"; - sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi"; - } - { - name = "plantuml"; - publisher = "jebbs"; - version = "2.13.16"; - sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si"; - } - { - name = "tasks-chooser"; - publisher = "jeremyfa"; - version = "0.3.0"; - sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi"; - } - { - name = "asciidoctor-vscode"; - publisher = "joaompinto"; - version = "2.8.0"; - sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x"; - } - { - name = "contrast-theme"; - publisher = "johndugan"; - version = "1.1.10"; - sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw"; - } - { - name = "theme-dark-plus-contrast"; - publisher = "k3a"; - version = "0.1.101"; - sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419"; - } - { - name = "vscode-gist"; - publisher = "kenhowardpdx"; - version = "3.0.3"; - sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw"; - } - { - name = "quick-open"; - publisher = "leizongmin"; - version = "1.1.0"; - sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp"; - } - { - name = "rainbow-csv"; - publisher = "mechatroner"; - version = "1.7.1"; - sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw"; - } - { - 
name = "openapi-lint"; - publisher = "mermade"; - version = "1.2.0"; - sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49"; - } - { - name = "swagger-doc-viewer"; - publisher = "mimarec"; - version = "1.0.4"; - sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx"; - } - { - name = "vscode-clang"; - publisher = "mitaki28"; - version = "0.2.3"; - sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr"; - } - { - name = "prettify-json"; - publisher = "mohsen1"; - version = "0.0.3"; - sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn"; - } - { - name = "vscode-docker"; - publisher = "ms-azuretools"; - version = "1.8.1"; - sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8"; - } - { - name = "python"; - publisher = "ms-python"; - version = "2020.11.371526539"; - sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3"; - } - { - name = "jupyter"; - publisher = "ms-toolsai"; - version = "2020.11.372831992"; - sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658"; - } - # fails to download C/C++ tools - # { - # name = "cpptools"; - # publisher = "ms-vscode"; - # version = "1.1.2"; - # sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg"; - # } - { - name = "vscode-quick-open-create"; - publisher = "nocksock"; - version = "0.6.0"; - sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j"; - } - { - name = "indent-rainbow"; - publisher = "oderwat"; - version = "7.4.0"; - sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p"; - } - { - name = "phantypist"; - publisher = "paulofallon"; - version = "1.0.3"; - sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62"; - } - { - name = "swaggitor"; - publisher = "qnsolutions"; - version = "0.1.1"; - sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1"; - } - { - name = "vscode-yaml"; - publisher = "redhat"; - version = "0.13.0"; - sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig"; - } - { - name = 
"papercolor-vscode"; - publisher = "rozbo"; - version = "0.4.0"; - sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm"; - } - { - name = "iferrblocks"; - publisher = "rstuven"; - version = "1.1.1"; - sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw"; - } - { - name = "rust"; - publisher = "rust-lang"; - version = "0.7.8"; - sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3"; - } - { - name = "bracket-jumper"; - publisher = "sashaweiss"; - version = "1.1.8"; - sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs"; - } - { - name = "just"; - publisher = "skellock"; - version = "2.0.0"; - sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl"; - } - { - name = "line-endings"; - publisher = "steditor"; - version = "1.0.3"; - sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7"; - } - { - name = "code-spell-checker"; - publisher = "streetsidesoftware"; - version = "1.10.0"; - sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; - } - { - name = "code-spell-checker-german"; - publisher = "streetsidesoftware"; - version = "0.1.8"; - sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; - } - { - name = "code-spell-checker-german"; - publisher = "streetsidesoftware"; - version = "0.1.8"; - sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; - } - { - name = "code-spell-checker"; - publisher = "streetsidesoftware"; - version = "1.10.0"; - sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; - } - { - name = "vscode-open-in-github"; - publisher = "sysoev"; - version = "1.14.0"; - sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp"; - } - { - name = "html-preview-vscode"; - publisher = "tht13"; - version = "0.2.5"; - sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v"; - } - { - name = "scrolloff"; - publisher = "tickleforce"; - version = "0.0.4"; - sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq"; - } - { - name = 
"shellcheck"; - publisher = "timonwong"; - version = "0.12.1"; - sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2"; - } - { - name = "sort-lines"; - publisher = "Tyriar"; - version = "1.9.0"; - sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl"; - } - # slow and currently not needed - # { - # name = "vscode-lldb"; - # publisher = "vadimcn"; - # version = "1.6.0"; - # sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi"; - # } - # { - # name = "vim"; - # publisher = "vscodevim"; - # version = "1.17.1"; - # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; - # } - { - name = "prettify-selected-json"; - publisher = "vthiery"; - version = "1.0.3"; - sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb"; - } - { - name = "debug"; - publisher = "webfreak"; - version = "0.25.0"; - sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1"; - } - { - name = "clang-format"; - publisher = "xaver"; - version = "1.9.0"; - sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b"; - } - { - name = "vscode-capnp"; - publisher = "xmonader"; - version = "1.0.0"; - sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc"; - } - { - name = "plsql-language"; - publisher = "xyz"; - version = "1.8.2"; - sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr"; - } - { - name = "markdown-pdf"; - publisher = "yzane"; - version = "1.4.4"; - sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf"; - } - { - name = "vscode-proto3"; - publisher = "zxh404"; - version = "0.5.2"; - sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf"; - } - ]; -in { +{ + config, + pkgs, + repoFlake, + lib, + ... 
+}: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ programs.vscode = { enable = true; - package = pkgs.vscodium; + package = pkgsVscodium.vscodium; extensions = - [] ++ packagedExtensions - # ++ marketPlaceExtensions - ; + with pkgsVscodium.vscode-extensions; + [ + eamodio.gitlens + mkhl.direnv + tomoki1207.pdf + vscodevim.vim + + # bbenoist.nix + jnoortheen.nix-ide + + ms-vscode.theme-tomorrowkit + nonylene.dark-molokai-theme + + ms-python.vscode-pylance + + # TODO: these are not in nixpkgs + + # fredwangwang.vscode-hcl-format + # hashicorp.hcl + # mindaro-dev.file-downloader + # ms-vscode.remote-explorer + + # TODO: not compatible with vscodium + # ms-vscode-remote.remote-ssh + ] + ++ ( + let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in + with extensions.vscode-marketplace; + with extensions.vscode-marketplace-release; + [ + + serayuzgur.crates + rust-lang.rust-analyzer + swellaby.vscode-rust-test-adapter + + tamasfe.even-better-toml + golang.go + jeff-hykin.better-go-syntax + blueglassblock.better-json5 + nefrob.vscode-just-syntax + # fabianlauer.vs-code-xml-format + + bierner.emojisense + ] + ) + ++ ( + let + nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' + vscode_version = "${config.programs.vscode.package.version}" + + [[extensions]] + publisher_name = "FelixZeller" + extension_name = "markdown-oxide" + + [[extensions]] + publisher_name = "ibecker" + extension_name = "treefmt-vscode" + + [[extensions]] + publisher_name = "AntiAntiSepticeye" + extension_name = "vscode-color-picker" + + # [[extensions]] + # publisher_name = "nefrob" + # extension_name = "vscode-just-syntax" + + [[extensions]] + publisher_name = "fabianlauer" + extension_name = "vs-code-xml-format" + ''; + + nix4vscodeNix = + pkgs.runCommand "nix4vscode.nix" + { + # nix4vscode needs internet access + __noChroot = true; + requiredSystemFeatures = [ "recursive-nix" ]; + buildInputs = [ + 
pkgs.nix + pkgs.cacert + (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) + # pkgs.strace + ]; + # outputHashAlgo = "sha256"; + # outputHashMode = "recursive"; + # outputHash = lib.fakeSha256; + } + '' + # set -x + # export RUST_BACKTRACE=full + # export RUST_LOG=trace + export HOME=$(mktemp -d) + # strace -ffZyyY + nix4vscode ${nix4vscodeToml} > $out + ''; + nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ + "override" + "overrideDerivation" + ]; + nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( + _: v: builtins.head (builtins.attrValues v) + ) nix4vscodeExtensions; + in + nix4vscodeExtensions' + ); + mutableExtensionsDir = true; }; - home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; + home.packages = [ + pkgs.nil + pkgs.nixfmt-rfc-style + ]; } # TODO: automate -# rustup install stable -# rustup component add rust-analysis --toolchain stable -# rustup component add rust-src --toolchain stable -# rustup component add rls --toolchain stable ### original list: # 74th.Theme-NaturalContrast-With-HC # AlanWalk.markdown-toc @@ -550,4 +202,3 @@ in { # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 - diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css index 60eff50..664a47f 100644 --- a/nix/home-manager/programs/waybar.css +++ b/nix/home-manager/programs/waybar.css @@ -1,6 +1,5 @@ - #custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; } diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index 05392c5..a559dfc 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -1,9 +1,5 @@ +{ pkgs, repoFlake, ... }: { - pkgs, - config, - repoFlake, - ... -}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 
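Review bot: `nix4vscodeNix` is built with `__noChroot = true`, `requiredSystemFeatures = [ "recursive-nix" ]` and `pkgs.cacert`, while the `outputHashAlgo`/`outputHashMode`/`outputHash` lines are commented out, so it is a network-accessing, unsandboxed derivation whose output — a Nix expression that is then `callPackage`d to fetch marketplace extensions — is neither pinned nor content-addressed: whatever the marketplace serves at build time is what gets installed, and nothing in the repository records it. From a supply-chain standpoint I would either restore the fixed-output attributes with the real hash, which pins the generated expression, or run nix4vscode out of band and commit the generated `nix4vscode.nix` so extension versions and hashes show up in diffs; either choice deserves a comment, since `__noChroot` also requires `sandbox = relaxed` on the building host. Separately, `mutableExtensionsDir = true;` lets the editor install and update extensions outside Nix, which undercuts the pinning done above; if that is intentional, a one-line comment saying so would help. The second hunk on this line (`@@ -550,4 +202,3 @@`) only drops a trailing blank line.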
@@ -12,17 +8,18 @@ programs.waybar = { enable = true; - package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = - pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" - + pkgs.lib.readFile ./waybar.css; + package = + repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { layer = "top"; position = "bottom"; height = 30; - output = ["*"]; + output = + # hide the bar on HEADDLESS displays as i use them only for screensharing + (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 724051b..333d3d7 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -3,27 +3,29 @@ lib, pkgs, ... -}: let - just-plugin = let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: +let + just-plugin = + let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -35,7 +37,8 @@ chmod --recursive a-w $out ''; }; -in { +in +{ programs.zsh = { enable = true; 
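Review bot: In the new `output` value, the comment `# hide the bar on HEADDLESS displays as i use them only for screensharing` misspells `HEADLESS`, and the `99` in `builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99` is an unexplained magic number; a comment such as `# exclude HEADLESS-0 .. HEADLESS-98 (virtual outputs used only for screen sharing)` states the intent. Separately, the re-flowed `style =` line reads the base stylesheet from `${pkgs.waybar.src}` while `package` comes from `repoFlake.inputs.nixpkgs-wayland`, so the CSS and the binary may belong to different waybar versions — probably harmless, but worth either a comment or reading the stylesheet from the selected package's `src`. The `mainBar` attribute set continues past the hunk.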
@@ -46,60 +49,64 @@ in { # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in '' - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + initExtra = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - # Automatic rehash - zstyle ':completion:*' rehash true + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Automatic rehash + zstyle ':completion:*' rehash true - # don't cd into directories when executed - unsetopt AUTO_CD + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - export NIX_PATH="nixpkgs=${pkgs.path}" + ${ + if builtins.hasAttr "homeshick" pkgs then + '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else + "" + } - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + # don't cd into directories when executed + unsetopt AUTO_CD - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" + + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} + + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { - # will source zsh-autosuggestions.plugin.zsh name = "zsh-autosuggestions"; - src = pkgs.fetchFromGitHub { - owner = "zsh-users"; - repo = "zsh-autosuggestions"; - rev = "v0.6.3"; - sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c"; - }; + src = pkgs.zsh-autosuggestions; } { name = "enhancd"; @@ -107,8 +114,8 @@ in { src = pkgs.fetchFromGitHub { owner = "b4b4r07"; repo = "enhancd"; - rev = "v2.2.4"; - sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp"; + rev = "v2.5.1"; + sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; }; } { @@ -127,7 +134,10 @@ in { oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = ["git" "sudo"]; + plugins = [ + "git" + "sudo" + ]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index ee885cf..136a5a1 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,7 +1,8 @@ -{lib, ...}: { +{ lib, ... }: +{ options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = {}; + default = { }; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index a752173..da1e42a 100644 --- a/nix/modules/flake-parts/perSystem/default.nix 
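Review bot: The two guards added at the top of `initExtra` test the same condition twice — `test ! -n "$TMPDIR" -a -z "$TMPDIR"` is `-z "$TMPDIR"` ANDed with itself — which hides the actual intent, presumably to drop a variable that is exported but empty so that tools fall back to their default temp directory instead of an empty path. A comment plus the plain form says it directly: `# an exported-but-empty TMPDIR/TMP is worse than none: unset it so callers use their default`, `[ -z "$TMPDIR" ] && unset TMPDIR`, `[ -z "$TMP" ] && unset TMP`. The rest of the hunk is a re-indent of existing prompt and plugin setup and is fine; the `initExtra` string continues and closes within this hunk, but the enclosing `programs.zsh` attrset runs past it.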
+++ b/nix/modules/flake-parts/perSystem/default.nix @@ -1,38 +1,37 @@ +{ pkgs, ... }: { - inputs', - system, - config, - lib, - pkgs, - ... -}: { packages = { - myPython = pkgs.python310.withPackages (ps: + myPython = pkgs.python310.withPackages ( + ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [pkgs.pypi2nix pkgs.libffi]); + pyaml + requests + ] + ++ [ + pkgs.pypi2nix + pkgs.libffi + ] + ); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index 332fc55..0d14a2f 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,14 +1,12 @@ - # WARN: this file will get overwritten by $ cachix use -{ pkgs, lib, ... }: - +{ lib, ... }: let folder = ./cachix; - toImport = name: value: folder + ("/" + name); + toImport = name: _value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in { +in +{ inherit imports; - nix.settings.substituters = ["https://cache.nixos.org/"]; + nix.settings.substituters = [ "https://cache.nixos.org/" ]; } - diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index e370450..1c0cca7 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -1,12 +1,8 @@ - { nix = { - settings.substituters = [ - "https://nixpkgs-wayland.cachix.org" - ]; + settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; }; } - 
diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix deleted file mode 100644 index d1ff1f0..0000000 --- a/nix/os/containers/backup-target.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - hostAddress, - localAddress, - containerBackupCfg, - sshPort ? containerBackupCfg.portInt, - autoStart ? false, -}: { - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? - - imports = [../profiles/containers/configuration.nix]; - - networking.firewall.enable = false; - - services.ddclientovh = { - enable = true; - domain = containerBackupCfg.addr; - }; - - services.openssh.enable = true; - - users.extraUsers."${containerBackupCfg.user}" = { - uid = 2000; - group = containerBackupCfg.group; - shell = pkgs.bashInteractive; - home = "/${containerBackupCfg.targetPath}"; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp" - ]; - - packages = with pkgs; [btrfs-progs]; - - isSystemUser = true; - }; - - security.sudo = { - enable = true; - extraRules = [ - { - users = ["bkp"]; - commands = [ - { - command = "/etc/profiles/per-user/bkp/bin/btrfs"; - options = ["NOPASSWD"]; - } - { - command = "/run/current-system/sw/bin/readlink"; - options = ["NOPASSWD"]; - } - { - command = "/run/current-system/sw/bin/test"; - options = ["NOPASSWD"]; - } - ]; - } - ]; - }; - }; - - inherit autoStart; - - bindMounts = { - "/${containerBackupCfg.targetPath}" = { - hostPath = 
"/var/lib/container-volumes/backup-target"; - isReadOnly = false; - }; - }; - - extraFlags = ["--resolv-conf=bind-host"]; - - privateNetwork = true; - forwardPorts = [ - { - # ssh - containerPort = 22; - hostPort = sshPort; - protocol = "tcp"; - } - ]; - - inherit hostAddress localAddress; -} diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 864aa20..2c2c171 100644 --- a/nix/os/containers/backup.nix +++ b/nix/os/containers/backup.nix 
@@ -5,88 +5,107 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: let +}: +let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in { - config = {pkgs, ...}: { - system.stateVersion = "20.03"; # Did you read the comment? +in +{ + config = + { pkgs, ... }: + { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - environment.systemPackages = with pkgs; [btrfs-progs btrbk]; + environment.systemPackages = with pkgs; [ + btrfs-progs + btrbk + ]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = {Type = "oneshot";}; + serviceConfig = { + Type = "oneshot"; + }; - after = ["bkp-run.service"]; + after = [ "bkp-run.service" ]; - requires = ["bkp-run.service"]; + requires = [ "bkp-run.service" ]; - path = with pkgs; [utillinux]; - script = '' - set -x - true - ''; - }; - - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; - - serviceConfig = {Type = "oneshot";}; - - partOf = ["bkp-sync.service"]; - - path = with pkgs; [btrfs-progs btrbk coreutils]; - - script = let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + 
elem + "\n") "" - subvolumes} + path = with pkgs; [ utillinux ]; + script = '' + set -x + true ''; - in '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail + }; - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = ["timer.target" "multi-user.target"]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ "bkp-sync.service" ]; + + path = with pkgs; [ + btrfs-progs + btrbk + coreutils + ]; + + script = + let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} + ''; + in + '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail + + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ + "timer.target" + "multi-user.target" + ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; + }; }; }; - }; inherit autoStart; 
@@ -114,10 +133,10 @@ in { } ]; - extraFlags = ["--resolv-conf=bind-host"]; + extraFlags = [ "--resolv-conf=bind-host" ]; privateNetwork = true; - forwardPorts = []; + forwardPorts = [ ]; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 79c6e55..0be078c 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -1,203 +1,211 @@ { - repoFlake, + specialArgs, + hostBridge, hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: { - config = { - pkgs, - config, - lib, - ... - }: { - system.stateVersion = "21.11"; # Did you read the comment? +}: +{ + inherit specialArgs; + config = + { + pkgs, + config, + repoFlake, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; - - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; - - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - services.ddclient-hetzner = { - enable = false; - zone = "stefanjunker.de"; - domains = [ - "mailserver.svc.stefanjunker.de" + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix ]; - passwordFile = config.sops.secrets.hetznerDnsApiToken.path; - }; - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = 
config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - modules = [pkgs.dovecot_pigeonhole]; - protocols = ["sieve"]; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes + # TODO: switch to something other than ddclient as it's no longer maintained - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + modules = [ 
pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + protocol imap { + mail_max_userip_connections = 64 + } ''; - in '' - getmail --idle=INBOX --rcfile=${rc} - ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + 
serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = + let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + 
[retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; }; - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [pkgs.getmail6]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - 
}; - }; - inherit autoStart; bindMounts = { @@ -211,8 +219,6 @@ }; }; - # extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { @@ -230,5 +236,5 @@ } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index ffb595a..f519b36 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
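Review bot: `system.stateVersion` moves from "21.11" to "22.05" on a container whose maildir and dovecot state persist through `bindMounts`; stateVersion is meant to stay at the release the system was first installed with, since NixOS keys stateful defaults off it, so this bump should be reverted unless the container was recreated from scratch. The new `networking.firewall.allowedTCPPorts = [ imapsPort sievePort ];` opens ManageSieve (4190) next to IMAPS, and with the container now attached to `hostBridge` (last hunk) these listeners are presumably reachable from the bridge segment rather than only through the host's `forwardPorts` — confirm dovecot enforces TLS on the sieve listener before it is exposed that way. The removed `services.ddclient-hetzner` block was the only visible reader of `hetznerDnsApiToken`, which still sits encrypted in `mailserver_secrets.yaml`; drop it from the file (and rotate it) if nothing consumes it any more. The container's `config` function closes inside this hunk, but the enclosing container attrset continues past it.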
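Review bot: `inherit hostBridge hostAddress localAddress;` switches the container to bridged networking while the `forwardPorts` list above is kept unchanged; per the NixOS container option descriptions `hostAddress` is not used once `hostBridge` is set, and `localAddress` then has to carry a prefix length to reach the rest of the segment, so callers passing a bare address will get a /32. A comment at this line would save the next reader that lookup, e.g. `# with hostBridge set, localAddress must include its netmask; hostAddress is ignored`. Whether the retained `forwardPorts` NAT rules still take effect in bridged mode is not visible here and should be checked on the host.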
@@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn - R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 - dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj - bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl - T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2023-07-02T20:30:30Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds - 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf - SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb - 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc - Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc - RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx - 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 - uGcEfsNiUXPngkNrh/Nvhh9w - =yHDZ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock new file mode 100644 index 0000000..0a7597d --- /dev/null +++ b/nix/os/containers/mycelium/flake.lock 
@@ -0,0 +1,124 @@
+{
+ "nodes": {
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nix-snapshotter",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1704152458,
+ "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "nix-snapshotter": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1723875769,
+ "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
+ "owner": "pdtpartners",
+ "repo": "nix-snapshotter",
+ "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
+ "type": "github"
+ },
+ "original": {
+ "owner": "pdtpartners",
+ "repo": "nix-snapshotter",
+ "type": "github"
+ }
+ },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1728781282,
+ "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1728867876,
+ "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1728897630,
+ "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nix-snapshotter": "nix-snapshotter",
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix
new file mode 100644
index 0000000..1527acf
--- /dev/null
+++ b/nix/os/containers/mycelium/flake.nix
@@ -0,0 +1,371 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nix-snapshotter = { + url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + outputs = + { self, nixpkgs, ... }: + let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in + { + nixosConfigurations.default = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + + specialArgs = { }; + + modules = [ + ( + { + config, + modulesPath, + pkgs, + lib, + ... + }: + { + nixpkgs.overlays = [ + (_final: _previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; + + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # 
withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; + + imports = [ (modulesPath + "/profiles/minimal.nix") ]; + system.stateVersion = "24.11"; + + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; + + services.nscd.enable = false; + system.nssModules = lib.mkForce [ ]; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; + + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; + + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; + + boot.kernelParams = [ "systemd.log_level=debug" ]; + + # services.udev.enable = false; + + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + + systemd.mounts = lib.mkForce [ ]; + fileSystems = lib.mkForce { }; + + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + + systemd.services.testing-credentials = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.coreutils ]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + cd $STATE_DIRECTORY + pwd + env + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + }; + }; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off + ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" + ''; + }; + }; + } + ) + ]; + }; + packages = forAllSystems ( + system: + let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; + + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [ 9651 ]; + udp = [ + 9650 + 9651 + ]; + }; + + inherit (config) + entrypoint + # port + + args + # nodePort + + ; + + pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; + + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [ entrypoint ]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; + }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in + { + k8s = + let + pod = pkgs.writeText "${name}-pod.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = { + inherit name; + }; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + } + ); + + service = pkgs.writeText "${name}-service.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = { + inherit name; + }; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } + ]; + }; + } + ); + in + pkgs.runCommand "declarative-k8s" { } '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; + + inherit image; + + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + --cgroup-manager cgroupfs \ + --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; + + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; + + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + } + ); + }; +} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 72aaab8..921662f 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
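Review bot: The `start` script runs the container with `nerdctl run --privileged` while the NixOS config inside it forces `systemd.services.mycelium.serviceConfig.User = "root"` with `DynamicUser` disabled and `networking.firewall.enable = false`; a root service in a privileged container is effectively root on the host, so the key file mounted from `$PWD/key.bin.crypt` and the rest of the host are exposed by whatever ends up in `ExecStart`. Given the commented-out hardening and the `ls $CREDENTIALS_DIRECTORY` loop standing in for the real command, this reads as a debugging harness; I would mark it as such above `start`, e.g. `# DEBUG ONLY: --privileged and a root service — drop both (and re-enable DynamicUser) before any real deployment`, so it is not reused as a template. In `stop`, the pattern `(/var/lib/container|/tmp/initial)[^ ]+` also matches any mount under `/var/lib/containerd*`, not just container rootfs mounts, so the `umount -l` sweep is wider than the comment-free script suggests; anchoring it to the intended prefix (e.g. `/var/lib/containerd/io.containerd.snapshotter` or `/var/lib/container-`) or documenting that it is deliberate would help, though I cannot tell from here which mounts are meant.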
@@ -1,31 +1,81 @@ { + specialArgs, + hostBridge, hostAddress, localAddress, syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, + smbTcpPort ? 445, autoStart ? false, -}: { - config = { - config, - pkgs, - ... - }: { - system.stateVersion = "20.05"; # Did you read the comment? +}: +{ + inherit specialArgs; + config = + { ... }: + { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; + + services.samba = { + enable = true; + securityType = "user"; + openFirewall = true; + settings = { + global = { + "workgroup" = "DMZ"; + "server string" = "syncthing"; + "netbios name" = "syncthing"; + "security" = "user"; + #"use sendfile" = "yes"; + #"max protocol" = "smb2"; + # note: localhost is the ipv6 localhost ::1 + "hosts allow" = "192.168.23. 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "scan-stefan" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + + "scan-justyna" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + }; + }; + + + # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative + # sops.secrets.smbpasswd = { + # }; + # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; }; - }; inherit autoStart; @@ -36,8 +86,6 @@ }; }; - extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { @@ -55,7 +103,12 @@ hostPort = syncthingLocalAnnouncePort; protocol = "udp"; } + { + containerPort = 445; + hostPort = smbTcpPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index d3600a3..6389cc5 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
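Review bot: The Samba ACL in `services.samba.settings.global` uses `"hosts deny" = "0.0.0.0/0"`, an IPv4-only pattern; Samba evaluates `hosts allow` first, then `hosts deny`, and permits anything matching neither, so an IPv6 peer that is not in `hosts allow` appears to fall through to allowed — use `"hosts deny" = "ALL";` so the default is deny for every address family. This matters more now that the `@@ -55,7 +103,12 @@` hunk forwards host port `smbTcpPort` (default 445) into the container. The `TODO` about `smbpasswd` also means no Samba user is provisioned yet: with `security = user`, `map to guest = bad user` and `guest ok = no` on both shares, nothing can authenticate until passwords are set, so the shares are effectively unreachable until that is resolved; saying so in the comment (`# NOTE: no Samba users exist yet — shares are inaccessible until smbpasswd is provisioned`) would save the next reader a debugging session.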
@@ -1,212 +1,426 @@ { - repoFlake, + specialArgs, + hostBridge, hostAddress, localAddress, - httpPort ? 80, - httpsPort ? 443, + httpPort, + httpsPort, + forgejoSshPort, autoStart ? false, -}: { - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? +}: +let + domain = "www.stefanjunker.de"; +in +{ + inherit specialArgs; + config = + { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: + let + nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; + in + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" + ]; - repoFlake.inputs.sops-nix.nixosModules.sops - ]; + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - networking.firewall.enable = false; + ../profiles/containers/configuration.nix - services.ddclientovh = { - enable = true; - domain = "www.stefanjunker.de"; - }; + repoFlake.inputs.sops-nix.nixosModules.sops + ]; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; + sops.defaultSopsFile = ./webserver_secrets.yaml; - services.caddy = { - enable = true; - virtualHosts."${config.services.ddclientovh.domain}" = { - extraConfig = let - port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; - path = "${config.services.authelia.instances.default.settings.server.path}"; - in '' - redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain} + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; - respond "Hi!" 
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; + + services.caddy = { + enable = true; + logFormat = '' + level ERROR ''; - }; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} - virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; + file_server /*/* { + browse + root /var/www/stefanjunker.de/htdocs/caddy + pass_thru + } - virtualHosts."authelia.${config.services.ddclientovh.domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${config.services.ddclientovh.domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${config.services.ddclientovh.domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + # respond "Hi" + # respond (not /*/*) "Hi" + ''; }; - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy 
http://[::1]:3000 + ''; }; - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = let - baseDir = "/var/lib/authelia-default"; - in { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; }; - storage = { - local.path = "${baseDir}/authelia.sqlite"; + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; }; - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; }; - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http 
{ + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; }; }; - }; - users.groups.lldap = {}; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + allowEmailRegister = false; + email = false; - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; + oauth2 = + let + originURL = config.services.kanidm.serverSettings.origin; + in + { + providerName = "kanidm (${originURL})"; - settings = { - verbose = true; + authorizationURL = "${originURL}/ui/oauth2"; + tokenURL = "${originURL}/oauth2/token"; + userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - ldap_base_dn = 
"dc=stefanjunker,dc=de"; - http_url = "https://lldap.${config.services.ddclientovh.domain}"; + scope = "openid email profile"; + # rolesClaim = "roles"; + # accessRole = "role/hedgedoc"; - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "displayname"; + userProfileEmailAttr = "email"; - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; + clientID = "hedgedoc"; + # set via the `environmentFile` + # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; }; - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; }; - }; - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - }; + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = + let + baseDir = "/var/lib/authelia-default"; + in + { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = 
config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = { }; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". 
+ # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + sops.secrets.FORGEJO_JWT_SECRET = { }; + sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; + sops.secrets.FORGEJO_SECRET_KEY = { }; + + services.forgejo = { + enable = true; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; + settings = { + service.DISABLE_REGISTRATION = true; + server.HTTP_ADDR = "127.0.0.1"; + server.START_SSH_SERVER = true; + server.SSH_PORT = forgejoSshPort; + server.ROOT_URL = "https://forgejo.${domain}"; + server.HTTP_PORT = 3001; + + # TODO: how do i get a 3072 length SSH key with the yubikey? + "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = [ "kanidm.service" ]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + 
}; + }; + systemd.services.kanidm-tls-update = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + { + enable = true; + requiredBy = [ "kanidm.service" ]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = + let + tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; + in + '' + set -xe + + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain + + chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} + chmod 400 tls.{key,chain} + + # create the kanidm directory in case it's missing + if [[ ! -d ${tlsDir} ]]; then + mkdir -p ${tlsDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} + chmod 700 ${tlsDir} + fi + + mv tls.key ${config.services.kanidm.serverSettings.tls_key} + mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} + + if [[ ! 
-d ${dbDir} ]]; then + mkdir -p ${dbDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} + chmod 700 ${dbDir} + fi + ''; + }; + + systemd.services.kanidm.serviceConfig = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; + { + # ExecStartPre = '' + # mkdir -p ${dbDir} + # ''; + BindPaths = [ + dbDir + # stateDir + ]; + }; + + services.kanidm = + let + dataDir = "/var/lib/kanidm"; + in + { + package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + + enablePam = false; + enableClient = false; + + enableServer = true; + serverSettings = { + role = "WriteReplica"; + log_level = "debug"; + + domain = "kanidm.${domain}"; + origin = "https://kanidm.${domain}"; + + + bindaddress = "127.0.0.1:8444"; + + # don't expose ldap + # ldapbindaddress = "[::1]:6636"; + + tls_key = "${dataDir}/tls/tls.key"; + tls_chain = "${dataDir}/tls/tls.chain"; + + online_backup = { + schedule = "00 06 * * *"; + }; + }; + }; + }; inherit autoStart; @@ -239,10 +453,17 @@ hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; isReadOnly = false; }; - }; - # extraFlags = ["--resolv-conf=bind-host"]; - # networking.useHostResolvConf = true; + "/var/lib/forgejo" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; + isReadOnly = false; + }; + + "/var/lib/kanidm" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; + isReadOnly = false; + }; + }; privateNetwork = true; forwardPorts = [ @@ -258,7 +479,14 @@ hostPort = httpsPort; protocol = "tcp"; } + + { + # forgejo ssh + containerPort = forgejoSshPort; + hostPort = forgejoSshPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } 
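Review bot: In `systemd.services.kanidm-tls-update`, `cat ... > tls.key` writes the private key into the unit's working directory (no `WorkingDirectory` is set, so presumably `/`) with the default umask before the later `chmod 400`, leaving a window where the key file is readable by other users; add `umask 077` right after `set -xe` (or write with `install -m 400 -o USER -g GROUP` directly into `${tlsDir}`) so the file is never created world-readable. The `TODO` about kanidm serving an expired certificate is consistent with this oneshot only replacing files: nothing restarts or reloads kanidm after a `PathChanged` trigger, so appending `systemctl try-restart kanidm.service` to the script (or declaring kanidm `PartOf` the update unit) is worth trying, assuming kanidm reads its TLS files only at startup. Separately, `sops.secrets.FORGEJO_JWT_SECRET`, `FORGEJO_INTERNAL_TOKEN` and `FORGEJO_SECRET_KEY` are declared as `{ }` with no `owner`, unlike every other secret in this file, so they default to root-only; if the forgejo module reads them as its service user (which I cannot confirm from here), `owner = config.services.forgejo.user;` is needed.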
diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml index 29bb119..62dc6e8 100644 --- a/nix/os/containers/webserver_secrets.yaml +++ b/nix/os/containers/webserver_secrets.yaml 
@@ -1,41 +1,45 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str] +hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_environmentFile: 
ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] +#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] +FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] +FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] +FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh - U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh - YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP - eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc - KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T11:48:04Z" - mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str] - pgp: - - created_at: "2023-07-09T17:51:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-16T12:28:51Z" + mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD - gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO - 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ - XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w 
- YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku - bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI - F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i - g+ZF+9NNqOTKsBzEnuGsZRnI - =iXfo - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index bc8e0ad..02b0212 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,20 +1,25 @@ { dir, - pkgs ? import {}, - ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, + pkgs ? import { }, + ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -} @ args: let - rebuildargsSudo = ["switch" "boot"]; - rebuild = { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +}@args: +let + rebuildargsSudo = [ + "switch" + "boot" + ]; + rebuild = + { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe 
@@ -30,25 +35,24 @@ ${ if - (builtins.elem rebuildarg rebuildargsSudo) - && (builtins.match ".*--target-host.*" moreargs) == null - then "sudo -E \\" - else "" + (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null + then + "sudo -E \\" + else + "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in { - recipes = - { - rebuild = - rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; - } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; +in +{ + recipes = { + rebuild = rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; } - // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f62c6a9..f639344 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
@@ -3,40 +3,29 @@ ownLib, dir, gitRoot, - diskId ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .diskId, + diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, previousDiskId ? "", ... -}: let +}: +let mntRootVol = "/mnt/${diskId}-root"; -in rec { +in +rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ - ownLib.disk.rootFsDevice diskId - } ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -73,9 +62,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)? " choice + read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -122,15 +109,11 @@ in rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ - ownLib.disk.lvmPv diskId encrypted - } + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -154,9 +137,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)?" choice + read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -187,13 +168,9 @@ in rec { if test "${previousDiskId}"; then - ${ - pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } - '' - } + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index 4d8c1d1..6698046 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { - boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; +{ lib, ... }: +{ + boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index 8974207..ea92869 100644 
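Review bot: Forcing `boot.loader.grub.efiSupport = false` in elias-e525/boot.nix replaces the previous removable-EFI install with a legacy BIOS GRUB install, and because configuration.nix starts importing `./boot.nix` in the very next hunk, this forced setting takes effect on the next switch rather than staying dormant as before. Whether the firmware on elias-e525 can boot in legacy mode and whether its disk layout has a BIOS boot partition or usable MBR gap is not visible here; confirm both before deploying, since a wrong guess leaves a remote host unbootable. `boot.loader.efi.canTouchEfiVariables = lib.mkForce false` is redundant once EFI support is off, but harmless; a one-line comment such as `# firmware boots legacy/CSM only; GRUB goes to the MBR` would record why the mode was changed.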
--- a/nix/os/devices/elias-e525/configuration.nix +++ b/nix/os/devices/elias-e525/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix @@ -9,5 +10,6 @@ ./hw.nix ./pkg.nix ./user.nix + ./boot.nix ]; } diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index c169019..ba02693 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -3,20 +3,20 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { - deployment.targetHost = "192.168.15.198"; + deployment.targetHost = "elias-e525.lan"; deployment.replaceUnknownProfiles = false; # deployment.allowLocalDeployment = true; diff --git a/nix/os/devices/elias-e525/flake.lock b/nix/os/devices/elias-e525/flake.lock index dc66cc4..9616d4f 100644 --- a/nix/os/devices/elias-e525/flake.lock +++ b/nix/os/devices/elias-e525/flake.lock 
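Review bot: Switching `deployment.targetHost` from the fixed IP to `elias-e525.lan` makes the deploy depend on whatever resolves that name on the deployer's network and changes the name SSH matches against known_hosts, so the first deploy after this change will either prompt for a new host key or fail non-interactively. Because colmena pushes a root-level system closure to whatever answers at that name, pin the host key under the new name on the deploying machine (for example a `programs.ssh.knownHosts."elias-e525.lan"` entry, or the existing IP entry duplicated for the hostname) instead of accepting it on first use. The old IP-keyed known_hosts entry can be dropped once the pinned one is in place.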
@@ -7,32 +7,32 @@ ] }, "locked": { - "lastModified": 1687871164, - "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "lastModified": 1703113038, + "narHash": "sha256-oxkyzjpD+mNT7arzU/zHrkNHLuY9tKwmnD2MNaZiSDw=", "owner": "nix-community", "repo": "home-manager", - "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "rev": "0c2353d5d930c3d93724df6858aef064a31b3c00", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1688868408, - "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", + "lastModified": 1703068421, + "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "510d721ce097150ae3b80f84b04b13b039186571", + "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index 81d8a95..d5bd2c5 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix @@ -1,10 +1,10 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.05"; + url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix index 269281c..23d4edb 100644 --- a/nix/os/devices/elias-e525/hw.nix +++ b/nix/os/devices/elias-e525/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; 
diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index e119032..57d813e 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -1,8 +1,5 @@ -{ - pkgs, - lib, - ... -}: let +{ pkgs, lib, ... }: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -22,26 +19,27 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index 6763062..d2a3efe 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,10 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let -in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -38,11 +33,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 196c96a..c4690cf 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -1,12 +1,9 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 6c1aaaf..43334ed 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,5 +1,4 @@ -{...}: let -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index 6650ad9..aacf501 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix 
@@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index abe1717..548caec 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix @@ -1,12 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -21,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 98f59ba..958608a 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix 
@@ -1,9 +1 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; -in {} +_: { } diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index c207b8c..a8891e3 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,5 +1,4 @@ -{...}: let -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index 6650ad9..aacf501 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix @@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 54da0ba..652347f 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,13 +1,8 @@ -{ - pkgs, - lib, - config, - utils, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. 
@@ -22,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index d7dc0dc..47efa02 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -1,12 +1,4 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { +_: { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix 
@@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/hstk0/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/hstk0/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md new file mode 100644 index 0000000..60ee180 --- /dev/null +++ b/nix/os/devices/hstk0/README.md @@ -0,0 +1,6 @@ +## bootstrapping + +``` +# TODO: generate an SSH host-key and deploy it via --extra-files +nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 +``` diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix new file mode 100644 index 0000000..32fad43 --- /dev/null +++ b/nix/os/devices/hstk0/configuration.nix 
@@ -0,0 +1,146 @@ +{ + repoFlake, + pkgs, + lib, + nodeFlake, + nodeName, + system, + ... +}: +{ + disabledModules = [ ]; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.sops-nix.nixosModules.sops + + nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder + { + roles.nix-remote-builder.schedulerPublicKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" + + # TODO: make this a reference to the private key's secret + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" + ]; + } + + ../../snippets/nix-settings.nix + { nix.settings.sandbox = lib.mkForce "relaxed"; } + + ../../snippets/mycelium.nix + + # user config + ../../profiles/common/user.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + ../../snippets/home-manager-with-zsh.nix + # { + # home-manager.users.steveej = {pkgs, ...}: { + # imports = [ + # ../../../home-manager/programs/pass.nix + # ../../../home-manager/programs/openvscode-server.nix + # ]; + # }; + # } + ]; + + services.openssh = { + enable = true; + openFirewall = true; + settings.PermitRootLogin = "yes"; + extraConfig = '' + StreamLocalBindUnlink yes + ''; + }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + + nat.enable = true; + firewall.enable = true; + + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; + }; + + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; + }; + }; + }; + }; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm 
= { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; + + system.stateVersion = "24.05"; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.includeDefaultModules = true; + boot.initrd.kernelModules = [ + "dm-raid" + "dm-integrity" + "xhci_pci_renesas" + ]; + + hardware.enableRedistributableFirmware = true; + + virtualisation.libvirtd.enable = true; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix new file mode 100644 index 0000000..62e6cc1 --- /dev/null +++ b/nix/os/devices/hstk0/default.nix @@ -0,0 +1,37 @@ +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: +let + system = "x86_64-linux"; +in +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit + repoFlake + nodeName + nodeFlake + system + ; + packages' = repoFlake.packages.${system}; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = "185.130.224.33"; + deployment.replaceUnknownProfiles = false; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/hstk0/flake.lock new file mode 100644 index 0000000..8389a6a --- /dev/null +++ b/nix/os/devices/hstk0/flake.lock 
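Review bot: `settings.PermitRootLogin = "yes"` in the services.openssh block of hstk0/configuration.nix also permits root password logins, which is broader than the key-based root access that nixos-anywhere and the nix-remote-builder role need; `settings.PermitRootLogin = "prohibit-password";` plus `settings.PasswordAuthentication = false;` keeps the same workflow key-only. Nothing in this file turns password authentication off and only the srvos remote-builder role is imported, so I would not rely on another module doing it. In the same file `nix.settings.sandbox = lib.mkForce "relaxed"` lets any derivation marked `__noChroot` run outside the build sandbox on a machine that accepts builds from the listed scheduler keys; if one package needs this, a comment naming it would help, otherwise drop the override. The 5201 tcp/udp firewall openings look like iperf3 test ports; if they are bring-up leftovers, remove them or comment why they stay open.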
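Review bot: `deployment.targetHost = "185.130.224.33"` in hstk0/default.nix does not match the bootstrap address `root@185.130.227.252` in the hstk0 README added by the same commit; one of the two is presumably stale, and since colmena pushes a root-level closure over SSH a wrong target is worth catching before the first deploy. If both are intentional (rescue-system address for nixos-anywhere versus final address), a comment on targetHost such as `# final address; README uses the rescue-system address for the initial install` would settle it. The README's TODO about shipping a generated SSH host key via `--extra-files` applies to this entry as well: until that is done the host key behind this IP changes on every reinstall and the deploy is effectively trust-on-first-use.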
@@ -0,0 +1,124 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1719401812,
+ "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "get-flake": {
+ "locked": {
+ "lastModified": 1714237590,
+ "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=",
+ "owner": "ursi",
+ "repo": "get-flake",
+ "rev": "a6c57417d1b857b8be53aba4095869a0f438c502",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ursi",
+ "repo": "get-flake",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1718530513,
+ "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "release-24.05",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1719253556,
+ "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1719254875,
+ "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "get-flake": "get-flake",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "srvos": "srvos"
+ }
+ },
+ "srvos": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1719189969,
+ "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=",
+ "owner": "numtide",
+ "repo": "srvos",
+ "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "srvos",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix
new file mode 100644
index 0000000..6c9b22f
--- /dev/null
+++ b/nix/os/devices/hstk0/flake.nix
@@ -0,0 +1,52 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ get-flake.url = "github:ursi/get-flake";
+
+ home-manager.url = "github:nix-community/home-manager/release-24.05";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # outputs = _: {};
+
+ outputs =
+ {
+ self,
+ get-flake,
+ nixpkgs,
+ ...
+ }:
+ let
+ system = "x86_64-linux";
+ nodeName = "hostkey-0";
+
+ mkNixosConfiguration =
+ {
+ extraModules ? [ ],
+ ...
+ }@attrs:
+ nixpkgs.lib.nixosSystem (
+ nixpkgs.lib.attrsets.recursiveUpdate attrs {
+ specialArgs = {
+ nodeFlake = self;
+ repoFlake = get-flake ../../../..;
+ inherit nodeName;
+ };
+
+ modules = [ ./configuration.nix ] ++ extraModules;
+ }
+ );
+ in
+ {
+ nixosConfigurations = {
+ native = mkNixosConfiguration { inherit system; };
+ };
+ };
+}
diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json
index 3723c24..a0204bc 100644
--- a/nix/os/devices/hydra.json
+++ b/nix/os/devices/hydra.json
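Review bot: `nodeName = "hostkey-0"` in the new flake.nix does not match the name this node goes by elsewhere in the commit (the `hstk0` device directory and the `&hstk0` anchor in .sops.yaml), and the configuration.nix it loads sets `networking.hostName = nodeName`, so the `native` nixosConfiguration built from this flake ends up with a different hostname than a colmena deployment, which passes its own `nodeName` through default.nix. If the hive names the node `hstk0`, `nodeName = "hstk0";` keeps the two entry points in agreement; otherwise a comment explaining why the standalone build uses a different name would save the next reader the same question. Separately, `mkNixosConfiguration` forwards the whole `attrs` set, `extraModules` included, into `nixpkgs.lib.nixosSystem` via `recursiveUpdate` while also splicing `extraModules` into `modules`; I believe `eval-config.nix` accepts an `extraModules` argument of its own, so stripping it with `builtins.removeAttrs attrs [ "extraModules" ]` before the call would avoid passing the same modules in twice.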
@@ -1,16 +1,24 @@
 {
- "enabled": 1,
- "hidden": false,
- "description": "Jobsets",
- "nixexprinput": "src",
- "nixexprpath": "default.nix",
- "checkinterval": 300,
- "schedulingshares": 100,
- "enableemail": false,
- "emailoverride": "",
- "keepnr": 3,
- "inputs": {
- "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
- "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
+ "enabled": 1,
+ "hidden": false,
+ "description": "Jobsets",
+ "nixexprinput": "src",
+ "nixexprpath": "default.nix",
+ "checkinterval": 300,
+ "schedulingshares": 100,
+ "enableemail": false,
+ "emailoverride": "",
+ "keepnr": 3,
+ "inputs": {
+ "src": {
+ "type": "git",
+ "value": "git://github.com/shlevy/declarative-hydra-example.git",
+ "emailresponsible": false
+ },
+ "nixpkgs": {
+ "type": "git",
+ "value": "git://github.com/NixOS/nixpkgs.git release-16.03",
+ "emailresponsible": false
 }
+ }
 }
diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix
index 85006ed..9d6bbe7 100644
--- a/nix/os/devices/justyna-p300/boot.nix
+++ b/nix/os/devices/justyna-p300/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 boot.loader.grub.efiSupport = lib.mkForce false;
diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix
index f2cb3f7..e636106 100644
--- a/nix/os/devices/justyna-p300/configuration.nix
+++ b/nix/os/devices/justyna-p300/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix
index 907e60b..427ce7e 100644
--- a/nix/os/devices/justyna-p300/default.nix
+++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 3e68abe..9b8b8ed 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = github:nix-community/disko; + inputs.disko.url = "github:nix-community/disko"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index 0924dd2..b68e082 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix @@ -1,12 +1,6 @@ +{ nodeFlake, ... }: { - repoFlake, - nodeFlake, - lib, - ... -}: { - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - ]; + imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -20,7 +14,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "root"; @@ -30,14 +24,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; 
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index 2b9ebf0..d23cfb0 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,7 +3,8 @@ lib, packages', ... -}: let +}: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -23,15 +24,19 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce (with packages'; [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ]); + services.printing.drivers = lib.mkForce ( + with packages'; + [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ] + ); services.printing.extraConf = '' LogLevel debug @@ -39,29 +44,29 @@ in { home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = - lib.attrsets.recursiveUpdate (homeEnv { - layout = "de"; - options = []; - variant = ""; - }) { - services.syncthing.enable = true; - services.syncthing.tray = true; + lib.attrsets.recursiveUpdate + (homeEnv { + layout = "de"; + options = [ ]; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ - session-desktop - ]; - }; + home.packages = with pkgs; [ session-desktop ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 44c3db9..82a7b02 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix 
@@ -1,11 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -39,11 +36,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 6d86c59..c4690cf 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/router0-dmz0/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix new file mode 100644 index 0000000..07c6b1c --- /dev/null +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -0,0 +1,1298 @@ +# TODO: don't pull in bluez (or any bluetooth components) +{ + repoFlake, + pkgs, + lib, + config, + nodeFlake, + nodeName, + localDomainName, + system, + ... +}: +let + inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; + + vlanRangeStart = builtins.head vlanRange; + vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); + vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); + vlanRangeWith0 = [ 0 ] ++ vlanRange; + + mkVlanIpv4HostAddr = + { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." [ + "192" + "168" + (toString (vlanid + offset)) + "${toString host}${lib.strings.optionalString cidr "/24"}" + ]; + + defaultVlan = { + name = "${localDomainName}"; + packet_priority = 0; + }; + + vlans = { + "2".name = "dmz"; + "2".packet_priority = -5; + + "3".name = "iot"; + "3".packet_priority = -5; + + "4".name = "office"; + "4".packet_priority = -10; + + "5".name = "guests"; + "5".packet_priority = 10; + }; + + vlansByName = lib.attrsets.mapAttrs' ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name ( + attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + } + ) + ) vlans; + + getVlanDomain = + { vlanid }: + if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; + + bridgeInterfaceName = "br-lan"; + mkInterfaceName = + { vlanid }: + if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; + + dmzExposedHost = "sj-srv1"; + dmzExposedHostDomain = "dmz.internal"; + dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; + dmzExposedHostIpv4 = mkVlanIpv4HostAddr { + vlanid = vlansByName.dmz.id; + host = 99; + cidr = false; + }; + + dmzExposedHostMACaddr = + repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in +{ + imports = [ + nixos-sbc.nixosModules.default + nixos-sbc.nixosModules.boards.bananapi.bpir3 + { + sbc.version = "0.2"; + sbc.bootstrap.rootFilesystem = "btrfs"; + sbc.wireless.wifi.acceptRegulatoryResponsibility = true; + } + + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + ../../snippets/nix-settings.nix + + nixos-nftables-firewall.nixosModules.default + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.secrets.passwords-root.neededForUsers = true; + + # sops.secrets.wlan0_saePasswordsFile = {}; + sops.secrets.wlan0_wpaPskFile = { }; + } + ]; + + # sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = 
"/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = false; + + # these will be configured via nftables + nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. + # https://github.com/thelegy/nixos-nftables-firewall/tree/main + + # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) + nftables = { + enable = true; + + stopRuleset = ""; + chains = { + prerouting = { + "exposeHost" = { + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; + }; + }; + }; + + firewall = { + enable = true; + snippets.nnf-common.enable = true; + # included in the above + # snippets.nnf-conntrack.enable = true; + zones = + { + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; + wan.interfaces = [ + "wan" + "lan0" + ]; + vpn.interfaces = [ + "wg0" + "wg1" + "wg2" + ]; + } + // + # generate a zone for each vlan + lib.attrsets.mapAttrs (_key: value: { + interfaces = [ (mkInterfaceName 
{ vlanid = value.id; }) ]; + }) vlansByName; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" + + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ + "fw" + "lan" + ]; + verdict = "accept"; + }; + + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-wan-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-vpn-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "vpn" ]; + masquerade = false; + verdict = "accept"; + }; + }; + }; + }; + }; + + 
sops.secrets.wg0-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg0-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + + # TODO: this shouldn't be necessary _at all_ + systemd.services.sfp-quirk = { + enable = true; + wantedBy = [ + "network.target" + "multi-user.target" + ]; + + requires = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + after = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + path = [ + pkgs.ethtool + pkgs.iproute2 + pkgs.coreutils + ]; + + script = '' + set -xeE + + ip l set dev lan4 down + ip l set dev eth1 down + + sleep 0.5 + + ethtool -s lan4 duplex full autoneg off + ethtool -s eth1 duplex full autoneg off + + sleep 0.5 + + ip l set dev lan4 up + ip l set dev eth1 up + + echo quirk applied, fingers crossed. + ''; + }; + + systemd.network = { + wait-online.anyInterface = true; + config.networkConfig = { + IPv4Forwarding = true; + IPv6Forwarding = true; + }; + links = { + # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
+ # "00-eth1" = { + # enable = true; + # matchConfig.Name = "eth1"; + # linkConfig = { + # # BitsPerSecond = "2500M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + # "00-lan4" = { + # enable = true; + # matchConfig.Name = "lan4@eth0"; + # linkConfig = { + # # BitsPerSecond = "1000M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + }; + netdevs = + let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; + + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + in + { + # Create the bridge interface + "20-${bridgeInterfaceName}" = { + netdevConfig = { + Kind = "bridge"; + Name = bridgeInterfaceName; + }; + + extraConfig = '' + [Bridge] + STP=yes + VLANFiltering=yes + VLANProtocol=802.1q + DefaultPVID=0 + ''; + }; + + wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 100; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. 
+ # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg0Endpoint; + } + ]; + }; + + wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + FirewallMark = 101; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg1Endpoint; + } + ]; + }; + + wg2 = { + enable = true; + netdevConfig = { + Name = "wg2"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 102; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. + # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-hosthatch_wg0Endpoint; + } + ]; + }; + } + # generate the vlan devices. 
these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + "20-${mkInterfaceName { inherit vlanid; }}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName { inherit vlanid; }}"; + }; + vlanConfig.Id = vlanid; + }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); + networks = + let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; + }; + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; + + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit + + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in + { + # places options here that should always exist + "lo" = { + matchConfig.Name = "lo"; + + # these are roughly equivalent to: + # ip rule add fwmark 100 priority 0 table 100 + # ip rule add fwmark 100 priority 1 prohibit + # ip rule add fwmark 101 priority 0 table 101 + # ip rule add fwmark 101 priority 1 prohibit + routingPolicyRules = [ + { + FirewallMark = 100; + Priority = 30000; + Table = 100; + } + { + FirewallMark = 100; + Priority = 30001; + Table = 100; + Type = "prohibit"; + } + { + FirewallMark = 101; + Priority = 30000; + Table = 101; + } + { + FirewallMark = 101; + Priority = 30001; + Table = 101; + Type = "prohibit"; + } + { + FirewallMark = 102; + Priority = 
30000; + Table = 102; + } + { + FirewallMark = 102; + Priority = 30001; + Table = 102; + Type = "prohibit"; + } + ]; + }; + # use lan0 as secondary WAN interface + "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "lan0"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 2000; + }; + + # similar to + # ip route add default via 172.16.0.1 table 101 + routes = [ + { + Gateway = "_dhcp4"; + Table = 101; + } + ]; + }; + "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "wan"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 1000; + }; + + # similar to + # ip route add default via 192.168.0.1 table 100 + routes = [ + { + Gateway = "_dhcp4"; + Table = 100; + } + { + Gateway = "_dhcp4"; + Table = 102; + } + ]; + }; + + # Connect the bridge ports to the bridge + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + } + ]; + }; + + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + } + ]; + }; + + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = "${toString 
vlanRangeStart}-${toString vlanRangeEnd}"; + } + ]; + }; + "30-lan4" = { + matchConfig.Name = "lan4"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + } + ]; + }; + "30-eth1" = { + matchConfig.Name = "eth1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + } + ]; + }; + # Configure the bridge for its desired function + "40-${bridgeInterfaceName}" = { + matchConfig.Name = bridgeInterfaceName; + bridgeConfig = { }; + address = [ + (mkVlanIpv4HostAddr { + vlanid = 0; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + } + ]; + + vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + }; + + "50-wg0" = { + enable = true; + matchConfig.Name = "wg0"; + address = [ "10.0.0.1/31" ]; + + routes = [ + # { + # # test the set uprouting to a specific IP + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.0 1"; + # } + ]; + }; + "50-wg1" = { + enable = true; + matchConfig.Name = "wg1"; + address = [ "10.0.0.3/31" ]; + routes = [ + # { + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.2 1"; + # } + ]; + }; + + "50-wg2" = { + enable = true; + matchConfig.Name = "wg2"; + address = [ "10.0.1.1/31" ]; + + routes = [ + # TODO: add a 
testing route here + ]; + }; + } + # configuration for the hostapd dynamic interfaces + # * netdev type vlan + # * host address for vlan + # * vlan config for wlan interface + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + + # the client shouldn't be allowed to send us RAs, that would be weird. + IPv6AcceptRA = false; + + DHCPPrefixDelegation = true; + IPv6SendRA = true; + }; + + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; + }; + + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + VLAN = vlanid; + } + ]; + }; + + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + } + ]; + }; + + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + } + ) + ( + 
builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); + }; + + # wireless access point + services.hostapd = { + enable = true; + # package = nodeFlake.packages.${system}.hostapd_patched; + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. + # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection + + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; + + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. + acs_exclude_dfs = 0; + }; + + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" + + "40-INTOLERANT" + + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; + + wifi5 = { + enable = false; + require = false; + }; + + wifi6 = { + enable = false; + require = false; + }; + + networks = { + wlan0 = + let + iface = "wlan0"; + in + { + ssid = "mlsia"; + bssid = mkBssid 0; + + # enables debug logging + logLevel = 0; + + authentication.mode = "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; + + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + logger_syslog = lib.mkForce 0; + + # bridge 
= bridgeInterfaceName; + + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; + + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ + + vlan_file = + let + generated = builtins.map ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) vlanRange; + + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; + + wpa_key_mgmt = lib.mkForce ( + builtins.concatStringsSep " " [ + "WPA-PSK" + + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" + + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ] + ); + + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; + + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks. 
+ # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; + + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; + + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; + + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; + + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; + + skip_inactivity_poll = 1; + + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
+ multicast_to_unicast = 0; + }; + }; + }; + }; + }; + }; + + services.resolved.enable = false; + + services.dnsmasq = { + enable = true; + settings = { + domain-needed = true; + bogus-priv = true; + no-resolv = true; + localise-queries = true; + + proxy-dnssec = true; + conntrack = true; + + # enable for debugging + # log-debug = true; + # log-queries = true; + + # disable negative caching + no-negcache = true; + local-ttl = 0; + dhcp-ttl = 0; + + # v6 config + enable-ra = true; + + dhcp-range = + let + mkDhcpRange = + { tag, vlanid }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map ( + vlanid: + mkDhcpRange { + tag = mkInterfaceName { inherit vlanid; }; + inherit vlanid; + } + ) vlanRangeWith0; + + dhcp-host = builtins.concatStringsSep "," [ + dmzExposedHostMACaddr + dmzExposedHostIpv4 + dmzExposedHostFQDN + ]; + + expand-hosts = true; + + # don't use /etc/hosts as this would advertise ${nodeName} as localhost + no-hosts = true; + + server = [ + # upstream DNS servers + + # https://dnsforge.de/ + "176.9.93.198" + "176.9.1.117" + "2a01:4f8:151:34aa::198" + "2a01:4f8:141:316d::117" + + # https://dismail.de/info.html#dns + "116.203.32.217" + "2a01:4f8:1c1b:44aa::1" + "159.69.114.157" + "2a01:4f8:c17:739a::2" + ]; + + domain = + [ "/${getVlanDomain { vlanid = 0; }}/,local" ] + ++ builtins.map ( + vlanid: + "${getVlanDomain { inherit vlanid; }},${ + mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + } + },local" + ) vlanRangeWith0; + + # TODO: compare this to using `interface-name` + dynamic-host = builtins.map ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain { inherit vlanid; }}" + "0.0.0.1" + (mkInterfaceName { 
inherit vlanid; }) + ] + ) vlanRangeWith0; + + dhcp-option-force = builtins.map ( + vlanid: + "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" + ) vlanRangeWith0; + + # auth-server = [ + # (builtins.concatStringsSep "," [ + # "www.stefanjunker.de" + # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) + # # (mkInterfaceName { vlanid = vlansByName.office.id; }) + # ]) + # ]; + + cname = [ + "mailserver.svc.stefanjunker.de,${dmzExposedHost}" + "www.stefanjunker.de,${dmzExposedHost}" + "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" + "jitsi.www.stefanjunker.de,${dmzExposedHost}" + "lldap.www.stefanjunker.de,${dmzExposedHost}" + "forgejo.www.stefanjunker.de,${dmzExposedHost}" + "kanidm.www.stefanjunker.de,${dmzExposedHost}" + ]; + }; + }; + + system.stateVersion = "24.11"; + + # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; + + environment.systemPackages = [ + pkgs.ethtool + pkgs.vim + pkgs.iperf3 + + pkgs.wireguard-tools + pkgs.tshark + pkgs.tmux + + (pkgs.writeShellScriptBin "dbg-ip" '' + echo links: + ip -br -c l + echo + echo addresses: + ip -br -c a + echo + echo vlans: + bridge -c vlan + '') + + (pkgs.writeShellScriptBin "dbg-dnsmasq" '' + # get the rendered in-use config + pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat + '') + ]; +} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix new file mode 100644 index 0000000..a0520dc --- /dev/null +++ b/nix/os/devices/router0-dmz0/default.nix 
@@ -0,0 +1,41 @@
+{
+ system ? "aarch64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ localDomainName ? "internal",
+ ...
+}:
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+
+ inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
+
+ inherit localDomainName;
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.${localDomainName}";
+ deployment.replaceUnknownProfiles = true;
+
+ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock
new file mode 100644
index 0000000..8f55026
--- /dev/null
+++ b/nix/os/devices/router0-dmz0/flake.lock
@@ -0,0 +1,224 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "owner": "nix-community", + "repo": "disko", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "owner": "ursi", + "repo": "get-flake", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "hostapd": { + "flake": false, + "locked": { + "lastModified": 1738518662, + "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", + "ref": "refs/heads/main", + "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", + "revCount": 20282, + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + }, + "original": { + 
"type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixos-sbc": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738254353, + "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", + "owner": "nakato", + "repo": "nixos-sbc", + "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", + "type": "github" + }, + "original": { + "owner": "nakato", + "repo": "nixos-sbc", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "openwrt": { + "flake": false, + "locked": { + "lastModified": 1691699580, + "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", + "ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "revCount": 58166, + "type": "git", + "url": "https://github.com/openwrt/openwrt.git" + }, + "original": { + 
"ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "type": "git", + "url": "https://github.com/openwrt/openwrt.git" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": "home-manager", + "hostapd": "hostapd", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixos-sbc": "nixos-sbc", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "openwrt": "openwrt", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738198321, + "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", + "owner": "numtide", + "repo": "srvos", + "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix new file mode 100644 index 0000000..d56e72a --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.nix 
@@ -0,0 +1,107 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + get-flake.url = "github:ursi/get-flake"; + + home-manager.url = "github:nix-community/home-manager/release-24.11"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-sbc.url = "github:nakato/nixos-sbc" + # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" + # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" + # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" + # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" + # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" + ; + nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; + nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; + + hostapd.url = "git://w1.fi/hostap.git?branch=main"; + hostapd.flake = false; + + openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9"; + openwrt.flake = false; + + # TODO: would be nice if this worked but it throws an error when using the input as a patch: + # error: flake input has unsupported input type 'file' + # hostapd_patch_vlan_no_bridge = { + # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; + # flake = false; + # }; + + # repoFlake.url = "path:../../../.."; + }; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; + + mkNixosConfiguration = + { + extraModules ? [ ], + ... 
+ }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; + + repoFlake = get-flake ../../../..; + # repoFlake = get-flake ./.; + # repoFlake = self.inputs.repoFlake; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = [ + ./configuration.nix + + # flake registry + { + nixpkgs.overlays = builtins.attrValues self.overlays; + nix.registry.nixpkgs.flake = nixpkgs; + } + ] ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + + overlays.default = _final: previous: { + hostapd = previous.hostapd.overrideDerivation (attrs: { + patches = attrs.patches ++ [ + "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" + ]; + }); + }; + }; +} diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix new file mode 100644 index 0000000..af02b3d --- /dev/null +++ b/nix/os/devices/router0-hosthatch/configuration.nix 
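Review bot: `hostapd.url = "git://w1.fi/hostap.git?branch=main";` in the inputs block fetches the hostapd source over the unauthenticated git:// transport from a floating branch, so every `nix flake update` re-resolves it with no transport-level integrity and the lock's narHash only protects whatever was fetched at that moment. Prefer an authenticated transport and an explicit revision, e.g. `hostapd.url = "git+https://w1.fi/hostap.git?ref=main&rev=c12fc97e3b59742e0c5743fceae6a87a8b13a576";` (the rev recorded in this commit's flake.lock), mirroring how the `openwrt` input just below is pinned, assuming the upstream serves the repository over https. As a point of style, `previous.hostapd.overrideDerivation` in `overlays.default` could be `overrideAttrs`, which is the form nixpkgs recommends for extending `patches`.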
@@ -0,0 +1,337 @@ +{ + repoFlake, + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + variables, + ... +}: +{ + system.stateVersion = "24.05"; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + nodeFlake.inputs.srvos.nixosModules.mixins-terminfo + + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../profiles/common/user.nix + + nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + # sops.age.keyFile = "/etc/age.key"; + # sops.age.sshKeyPaths = []; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.secrets.passwords-root.neededForUsers = true; + } + + # TODO: extract this into single-disk VM BIOS module + { + boot.loader.systemd-boot.enable = false; + boot.loader.grub.efiSupport = false; + + # forcing seems required or else there's an error about duplicated devices + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; + + disko.devices.disk.vda = { + device = "/dev/vda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; # Override existing partition + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + "/nix" = { + mountOptions = [ "noatime" ]; + mountpoint = "/nix"; + }; + "/boot" = { + mountpoint = "/boot"; + }; + }; + }; + }; + }; + }; + }; + + boot.initrd.kernelModules = [ + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + + "virtio_blk" + "virtio_ring" + "ata_piix" + "pata_acpi" + "ata_generic" + ]; + } + ]; + + # 
sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + usePredictableInterfaceNames = false; + + interfaces.eth0.ipv4.addresses = [ + { + address = variables.ipv4; + prefixLength = variables.ipv4length; + } + ]; + defaultGateway = { + interface = "eth0"; + address = variables.ipv4gateway; + }; + nameservers = [ variables.ipv4dns ]; + + # these will be configured via nftables + nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. 
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main + + nftables = { + enable = true; + + firewall = { + enable = true; + snippets.nnf-common.enable = true; + + zones.wan = { + interfaces = [ "eth0" ]; + }; + + zones.vpn = { + interfaces = [ + "wg0" + "wg1" + ]; + }; + + rules = { + to-fw = { + from = "all"; + to = [ "fw" ]; + verdict = "drop"; + + allowedTCPPorts = [ + 22 + 5201 + ]; + allowedUDPPorts = [ + 22 + 5201 + config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort + config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort + ]; + }; + + vpn-to-wan-nat = { + from = [ "vpn" ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + }; + }; + }; + }; + + sops.secrets.wg0-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg0-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + + systemd.network.enable = true; + systemd.network.netdevs.wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51820; + # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + AllowedIPs = [ + "10.0.1.1/32" + "192.168.0.0/16" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; + }; + } + ]; + }; + systemd.network.netdevs.wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51821; + # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + }; + wireguardPeers = [ + { + 
wireguardPeerConfig = { + AllowedIPs = [ + "10.0.1.3/31" + "192.168.0.0/16" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; + }; + } + ]; + }; + systemd.network.networks.wg0 = { + enable = true; + matchConfig.Name = "wg0"; + address = [ "10.0.1.0/31" ]; + + routes = [ + { + routeConfig = { + Destination = "192.168.0.0/16"; + MultiPathRoute = "10.0.1.1 1"; + }; + } + ]; + }; + systemd.network.networks.wg1 = { + enable = true; + matchConfig.Name = "wg1"; + address = [ "10.0.1.2/31" ]; + + routes = [ + { + routeConfig = { + Destination = "192.168.0.0/16"; + MultiPathRoute = "10.0.1.3 1"; + }; + } + ]; + }; + + environment.systemPackages = [ + pkgs.ethtool + pkgs.neovim + pkgs.tmux + + pkgs.wireguard-tools + pkgs.tshark + + (pkgs.writeShellScriptBin "dbg-ip" '' + echo links: + ip -br -c l + echo + echo addresses: + ip -br -c a + echo + echo vlans: + bridge -c vlan + '') + + (pkgs.writeShellScriptBin "dbg-dnsmasq" '' + # get the rendered in-use config + pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat + '') + ]; +} diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix new file mode 100644 index 0000000..fd2c485 --- /dev/null +++ b/nix/os/devices/router0-hosthatch/default.nix 
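Review bot: `services.openssh.settings.PermitRootLogin = "yes";` together with `users.commonUsers.rootPasswordFile` and `enableNonRoot = false` allows password-based root login over SSH, and the `to-fw` rule further down opens tcp/22 with `from = "all"`, which includes the `wan` zone on eth0. Unless password login is needed for recovery, restrict it to keys: `services.openssh.settings.PermitRootLogin = "prohibit-password";`, `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;`. The `allowedUDPPorts` list also contains 22, which sshd does not use; dropping it keeps the ruleset minimal. The same applies verbatim to nix/os/devices/router0-ifog/configuration.nix in this commit.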
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/flake.lock
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-hosthatch/flake.nix 
@@ -0,0 +1,19 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ home-manager.url = "github:nix-community/home-manager/release-24.05";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: { };
+}
diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix
new file mode 100644
index 0000000..38c17df
Binary files /dev/null and b/nix/os/devices/router0-hosthatch/variables.crypt.nix differ
diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix
new file mode 100644
index 0000000..9bc91ee
--- /dev/null
+++ b/nix/os/devices/router0-ifog/configuration.nix
@@ -0,0 +1,337 @@ +{ + repoFlake, + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + variables, + ... +}: +{ + system.stateVersion = "23.11"; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + nodeFlake.inputs.srvos.nixosModules.mixins-terminfo + + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../profiles/common/user.nix + + nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + # sops.age.keyFile = "/etc/age.key"; + # sops.age.sshKeyPaths = []; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.secrets.passwords-root.neededForUsers = true; + } + + # TODO: extract this into single-disk VM BIOS module + { + boot.loader.systemd-boot.enable = false; + boot.loader.grub.efiSupport = false; + + # forcing seems required or else there's an error about duplicated devices + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; + + disko.devices.disk.vda = { + device = "/dev/vda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; # Override existing partition + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + "/nix" = { + mountOptions = [ "noatime" ]; + mountpoint = "/nix"; + }; + "/boot" = { + mountpoint = "/boot"; + }; + }; + }; + }; + }; + }; + }; + + boot.initrd.kernelModules = [ + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + + "virtio_blk" + "virtio_ring" + "ata_piix" + "pata_acpi" + "ata_generic" + ]; + } + ]; + + # 
sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + usePredictableInterfaceNames = false; + + interfaces.eth0.ipv4.addresses = [ + { + address = variables.ipv4; + prefixLength = variables.ipv4length; + } + ]; + defaultGateway = { + interface = "eth0"; + address = variables.ipv4gateway; + }; + nameservers = [ variables.ipv4dns ]; + + # these will be configured via nftables + nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. 
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main + + nftables = { + enable = true; + + firewall = { + enable = true; + snippets.nnf-common.enable = true; + + zones.wan = { + interfaces = [ "eth0" ]; + }; + + zones.vpn = { + interfaces = [ + "wg0" + "wg1" + ]; + }; + + rules = { + to-fw = { + from = "all"; + to = [ "fw" ]; + verdict = "drop"; + + allowedTCPPorts = [ + 22 + 5201 + ]; + allowedUDPPorts = [ + 22 + 5201 + config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort + config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort + ]; + }; + + vpn-to-wan-nat = { + from = [ "vpn" ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + }; + }; + }; + }; + + sops.secrets.wg0-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg0-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + + systemd.network.enable = true; + systemd.network.netdevs.wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51820; + # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + AllowedIPs = [ + "10.0.0.1/32" + "192.168.0.0/16" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; + }; + } + ]; + }; + systemd.network.netdevs.wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51821; + # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + }; + wireguardPeers = [ + { + 
wireguardPeerConfig = { + AllowedIPs = [ + "10.0.0.3/31" + "192.168.0.0/16" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; + }; + } + ]; + }; + systemd.network.networks.wg0 = { + enable = true; + matchConfig.Name = "wg0"; + address = [ "10.0.0.0/31" ]; + + routes = [ + { + routeConfig = { + Destination = "192.168.0.0/16"; + MultiPathRoute = "10.0.0.1 1"; + }; + } + ]; + }; + systemd.network.networks.wg1 = { + enable = true; + matchConfig.Name = "wg1"; + address = [ "10.0.0.2/31" ]; + + routes = [ + { + routeConfig = { + Destination = "192.168.0.0/16"; + MultiPathRoute = "10.0.0.3 1"; + }; + } + ]; + }; + + environment.systemPackages = [ + pkgs.ethtool + pkgs.neovim + pkgs.tmux + + pkgs.wireguard-tools + pkgs.tshark + + (pkgs.writeShellScriptBin "dbg-ip" '' + echo links: + ip -br -c l + echo + echo addresses: + ip -br -c a + echo + echo vlans: + bridge -c vlan + '') + + (pkgs.writeShellScriptBin "dbg-dnsmasq" '' + # get the rendered in-use config + pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat + '') + ]; +} diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix new file mode 100644 index 0000000..fd2c485 --- /dev/null +++ b/nix/os/devices/router0-ifog/default.nix 
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-ifog/flake.lock
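Review bot: `variables = import ./variables.crypt.nix;` on the `let` line means any evaluation of this node on a checkout where git-crypt is still locked fails with a Nix parse error on ciphertext instead of a readable message, and `deployment.targetHost = variables.ipv4` makes the deploy target depend on that file as well. A comment on that line, `# git-crypt encrypted; evaluation needs an unlocked checkout`, would spare the next reader a confusing failure. Note also that `deployment.replaceUnknownProfiles = true` here differs from `false` on the sj-srv1 node added in this same commit; if the difference is deliberate, a short comment saying why would help.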
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-ifog/flake.nix @@ -0,0 +1,19 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; + nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} 
diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix
new file mode 100644
index 0000000..1dec120
Binary files /dev/null and b/nix/os/devices/router0-ifog/variables.crypt.nix differ
diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md
new file mode 100644
index 0000000..394da55
--- /dev/null
+++ b/nix/os/devices/sj-srv1/README.md
@@ -0,0 +1 @@
+## bootstrapping
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
new file mode 100644
index 0000000..5184bd1
--- /dev/null
+++ b/nix/os/devices/sj-srv1/configuration.nix
@@ -0,0 +1,23 @@
+{ nodeName, config, ... }:
+{
+ disabledModules = [ ];
+ imports = [
+ ../../profiles/common/configuration.nix
+ {
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ sops.secrets.passwords-root = {
+ sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
+ }
+
+ ./system.nix
+ ./hw.nix
+ ];
+}
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
new file mode 100644
index 0000000..6ec896d
--- /dev/null
+++ b/nix/os/devices/sj-srv1/default.nix
@@ -0,0 +1,28 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ system = "x86_64-linux";
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.dmz.internal";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+ };
+}
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
new file mode 100644
index 0000000..05230e2
--- /dev/null
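Review bot: The inline module holding `users.commonUsers` and `sops.secrets.passwords-root` is repeated verbatim in the sj-vps-htz0/configuration.nix hunk of this same commit; since both are keyed on `${nodeName}`, it belongs in one shared snippet (next to `../../snippets/systemd-resolved.nix`) so the `neededForUsers = true` detail cannot drift between nodes. `disabledModules = [ ]` is a no-op and can be dropped.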
+++ b/nix/os/devices/sj-srv1/flake.lock 
@@ -0,0 +1,100 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747020534, + "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1746957726, + "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-kanidm": { + "locked": { + "lastModified": 1729071019, + "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", + "owner": "steveej-forks", + "repo": "nixpkgs", + "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "kanidm", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1747142919, + "narHash": "sha256-84jJ5uDXws7EYch+4fxmfoCCTWRWZCXCCVM0Dh65ZH8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "60bdd7db9e890967224c2244be45beecd7d6e448", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1747114929, + "narHash": "sha256-GnQGiZiOnGfxM9oVhgqOJk0Qv1aZ11p5Aloac2tdoKY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "fab95ba4b9523f310644e6e6087c0014535c8e02", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": 
"nixpkgs", + "nixpkgs-kanidm": "nixpkgs-kanidm", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix new file mode 100644 index 0000000..213d325 --- /dev/null +++ b/nix/os/devices/sj-srv1/flake.nix @@ -0,0 +1,14 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix new file mode 100644 index 0000000..ca9158b --- /dev/null +++ b/nix/os/devices/sj-srv1/hw.nix @@ -0,0 +1,55 @@ +_: +let + stage1Modules = [ + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + + "virtio_blk" + "virtio_ring" + "ata_piix" + "pata_acpi" + "ata_generic" + + "aesni_intel" + "kvm_amd" + "nvme" + "nvme_core" + + "thunderbolt" + "e1000e" + + "usbcore" + "xhci_hcd" + "usbnet" + "snd_usb_audio" + "usbhid" + "snd_usbmidi_lib" + "cdc_mbim" + "cdc_ncm" + "usb_storage" + "cdc_wdm" + "uvcvideo" + "btusb" + "xhci_pci" + "cdc_ether" + "uas" + ]; +in +{ + imports = [ + ../../modules/opinionatedDisk.nix + ]; + hardware.opinionatedDisk = { + enable = true; + encrypted = false; + diskId = "virtio-virtio-paeNi8Fof9Oe"; + earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; + }; + + boot.initrd.kernelModules = stage1Modules; +} diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix new file mode 100644 index 0000000..c5e4c43 --- /dev/null +++ b/nix/os/devices/sj-srv1/system.nix 
@@ -0,0 +1,220 @@
+{
+ pkgs,
+ lib,
+ config,
+ repoFlake,
+ nodeFlake,
+ nodeName,
+ ...
+}:
+let
+ hostBridgeAddress = "192.168.101.1";
+in
+{
+ imports = [
+ ../../snippets/systemd-resolved.nix
+ {
+ # make sure it uses the DNS that comes in via DHCP
+ networking.nameservers = lib.mkForce [ ];
+ services.resolved.enable = true;
+
+ # provide DNS to the containers
+ services.resolved.extraConfig = ''
+ DNSStubListenerExtra=${hostBridgeAddress}
+ '';
+ networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];
+ networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];
+ }
+ ];
+
+ programs.wireshark.enable = true;
+ environment.systemPackages = [ pkgs.dnsutils ];
+
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+ networking.nftables.flushRuleset = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "br0" ];
+ externalInterface = "dmz0";
+ };
+
+ networking.bridges = {
+ br0 = {
+ interfaces = [ ];
+ };
+ };
+ networking.interfaces = {
+ br0 = {
+ ipv4.addresses = [
+ {
+ address = hostBridgeAddress;
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+
+ systemd.network.netdevs."10-dmz0" = {
+ enable = true;
+ netdevConfig = {
+ Name = "dmz0";
+ Kind = "macvlan";
+ MACAddress = "1c:69:7a:07:08:6f";
+ };
+
+ macvlanConfig = {
+ Mode = "bridge";
+ };
+ };
+
+ systemd.network.networks."20-eth0" = {
+ enable = true;
+ matchConfig.Name = "eth0";
+
+ linkConfig.RequiredForOnline = "carrier";
+ networkConfig.LinkLocalAddressing = "no";
+
+ # TODO: i'm not sure if and if so why this is required
+ macvlan = [ "dmz0" ];
+
+ DHCP = "no";
+ };
+
+ systemd.network.networks."30-dmz0" = {
+ enable = true;
+ matchConfig.Name = "dmz0";
+ DHCP = "yes";
+
+ dhcpV4Config.UseDNS = true;
+ dhcpV6Config.UseDNS = true;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.ip_forward" = 1;
+ };
+
+ # virtualization
+ virtualisation = {
+ docker.enable = false;
+ };
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+ # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
+ services.restic.backups.${nodeName} =
+ let
+ btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+ in
+ {
+ initialize = true;
+ repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
+
+ paths = [ "/backup" ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 2"
+ ];
+
+ timerConfig = {
+ OnCalendar = lib.mkDefault "daily";
+ Persistent = true;
+ };
+
+ passwordFile = config.sops.secrets.restic-password.path;
+
+ backupPrepareCommand = ''
+ ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
+ '';
+ backupCleanupCommand = ''
+ ${btrfs} su delete /backup/container-volumes
+ '';
+ };
+
+ containers = {
+ mailserver = import ../../containers/mailserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.10/24";
+
+ imapsPort = 993;
+ sievePort = 4190;
+ };
+
+ webserver = import ../../containers/webserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.11/24";
+
+ httpPort = 80;
+ httpsPort = 443;
+ forgejoSshPort = 2222;
+ };
+
+ syncthing = import ../../containers/syncthing.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress =
hostBridgeAddress; + localAddress = "192.168.101.12/24"; + + syncthingPort = 22000; + }; + }; + + virtualisation.libvirtd = { + enable = true; + onShutdown = "shutdown"; + parallelShutdown = 3; + }; + + # VM storage + # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D"; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index 28a63fb..0f9e008 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -1,12 +1,25 @@ -{...}: { - disabledModules = []; +{ nodeName, config, ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; + } ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix - ./pkg.nix ./boot.nix ]; } 
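Review bot: `"net.ipv6.ip_forward" = 1;` in `boot.kernel.sysctl` names a key the kernel does not have; IPv6 forwarding is `net.ipv6.conf.all.forwarding` (plus `net.ipv6.conf.default.forwarding` for interfaces created later), so the line only produces a sysctl error at boot and the containers behind br0 get no IPv6 forwarding from it (`networking.nat.enable` covers the IPv4 side, as far as I recall). Change it to `"net.ipv6.conf.all.forwarding" = 1;`. Separately, `backupPrepareCommand` is not idempotent: if a run is interrupted before `backupCleanupCommand`, the leftover read-only snapshot makes every following `btrfs su snapshot` fail until someone deletes it by hand, so prefix it with `${btrfs} su delete /backup/container-volumes 2>/dev/null || true`. Also `programs.wireshark.enable = true` installs a capability-wrapped dumpcap for the wireshark group on a host that runs the mail and web containers; if only occasional capture is needed, `pkgs.tshark` in `environment.systemPackages` avoids the wrapper.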
diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 12e0271..7683a53 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock index 7bca561..56c2d36 100644 --- a/nix/os/devices/sj-vps-htz0/flake.lock +++ b/nix/os/devices/sj-vps-htz0/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1687871164, - "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "lastModified": 1700392168, + "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", "owner": "nix-community", "repo": "home-manager", - "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688868408, - "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", + "lastModified": 1700501263, + "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "510d721ce097150ae3b80f84b04b13b039186571", + "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", "type": "github" }, "original": { 
@@ -39,11 +39,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688925019, - "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=", + "lastModified": 1700758842, + "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea", + "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688891216, - "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=", + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", "type": "github" }, "original": { diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index c315b8e..f8ca24f 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 7566a02..080bb40 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -14,7 +15,8 @@ "pata_acpi" "ata_generic" ]; -in { +in +{ hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/pkg.nix b/nix/os/devices/sj-vps-htz0/pkg.nix deleted file mode 100644 index 11d8bad..0000000 --- a/nix/os/devices/sj-vps-htz0/pkg.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; - }; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; - extraPackages = [ - # required by vscode's remote-ssh plugin - pkgs.nodejs - - # allow clipboard exchanges - pkgs.xsel - pkgs.xclip - ]; - }; -} diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index afba434..7380a35 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,10 +1,15 @@ { pkgs, - lib, config, - repoFlake, + nodeName, ... -}: { +}: +let + wireguardPort = 51820; +in +{ + imports = [ ../../snippets/systemd-resolved.nix ]; + networking.firewall.enable = true; networking.nftables.enable = true; @@ -12,6 +17,8 @@ # iperf3 5201 ]; + networking.firewall.allowedUDPPorts = [ wireguardPort ]; + networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; @@ -20,14 +27,14 @@ networking.interfaces.eth0 = { mtu = 1400; - useDHCP = false; + useDHCP = true; ipv4.addresses = [ { "address" = "167.233.1.14"; "prefixLength" = 29; } ]; - ipv6.addresses = []; + ipv6.addresses = [ ]; }; networking.defaultGateway = { @@ -40,21 +47,12 @@ interface = "eth0"; }; - networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; - - services.resolved = { - enable = true; - dnssec = "true"; - domains = ["~."]; - fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; - extraConfig = '' - DNSOverTLS=yes - ''; - }; - networking.nat = { enable = true; - internalInterfaces = ["ve-*"]; + internalInterfaces = [ + "ve-*" + "wg*" + ]; externalInterface = "eth0"; }; 
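Review bot: In the `@@ -40,21 +47,12 @@` hunk the explicit `services.resolved` block with `dnssec = "true"` and `DNSOverTLS=yes` is removed in favour of `../../snippets/systemd-resolved.nix` (imported in the first hunk), whose contents are not part of this diff; unless that snippet sets the same options this is a silent downgrade from validated, encrypted DNS to plaintext resolver traffic on a public VPS, so please confirm or keep `services.resolved.extraConfig = ''DNSOverTLS=yes'';` here. In the `@@ -20,14 +27,14 @@` hunk, `useDHCP = true` on eth0 now coexists with the static `ipv4.addresses` and the static `networking.defaultGateway` that remain, so the interface may end up with both a leased and a static address and two default routes; a comment beside `useDHCP` stating what the lease is expected to supply would make the intent reviewable.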
@@ -64,49 +62,41 @@ meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340; ''; + sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + + networking.wireguard.enable = true; + networking.wireguard.interfaces.wg0 = { + # eth0 MTU (1400) - 80 + mtu = 1320; + ips = [ "192.168.99.1/31" ]; + listenPort = wireguardPort; + privateKeyFile = config.sops.secrets.wg0-private.path; + peers = [ + { + allowedIPs = [ "192.168.99.2/32" ]; + publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; + presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; + } + ]; + }; + # virtualization - virtualisation = {docker.enable = false;}; + virtualisation = { + docker.enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; - containers = { - mailserver = import ../../containers/mailserver.nix { - inherit repoFlake; + containers = { }; - autoStart = true; - - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - - imapsPort = 993; - sievePort = 4190; - }; - - webserver = - import ../../containers/webserver.nix - { - inherit repoFlake; - - autoStart = true; - - hostAddress = "192.168.100.12"; - localAddress = "192.168.100.13"; - - httpPort = 80; - httpsPort = 443; - }; - - syncthing = import ../../containers/syncthing.nix { - autoStart = true; - - hostAddress = "192.168.100.14"; - localAddress = "192.168.100.15"; - - syncthingPort = 22000; - }; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; }; # This value determines the NixOS release from which the default diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md index 92893b6..c76c8a0 100644 --- a/nix/os/devices/srv0-dmz0/README.md +++ b/nix/os/devices/srv0-dmz0/README.md 
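Review bot: The single `peers` entry carries no identification beyond the name of its secret, `wg0-psk-steveej-psk`, so a later key rotation has to guess whose key it is; add `# peer: <client name>` above `allowedIPs`. Because `"wg*"` was added to `networking.nat.internalInterfaces` in the previous hunk, this peer receives masqueraded egress through eth0, i.e. the VPS acts as a full exit node for that key; if that is the intent a one-line comment at `listenPort` saying so is enough, otherwise restrict forwarding from wg0 in the firewall. The `# eth0 MTU (1400) - 80` note assumes an IPv6 outer header (the IPv4 overhead is 60), so 1320 is conservative either way; stating that in the comment would stop someone "correcting" it later.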
@@ -1,7 +1,6 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life ``` - diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index 66e15d5..5514edf 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix @@ -1,14 +1,14 @@ { modulesPath, repoFlake, - packages', - pkgs, config, ... -}: let - disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051"; -in { - disabledModules = []; +}: +let + disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; +in +{ + disabledModules = [ ]; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +23,7 @@ in { ]; ## bare-metal machines - srvos.boot.consoles = ["tty0"]; + srvos.boot.consoles = [ "tty0" ]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; @@ -39,7 +39,7 @@ in { start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "ESP"; @@ -60,14 +60,14 @@ in { bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; @@ -109,7 +109,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; 
@@ -119,95 +119,11 @@ in { # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = {automatic = true;}; - - containers = { + nix.gc = { + automatic = true; }; - sops.secrets.holochain-nomad-agent-ca = { - sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - owner = config.users.extraUsers.nomad.name; - group = config.users.groups.nomad.name; - }; - sops.secrets.holochain-global-nomad-client-cert = { - sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - owner = config.users.extraUsers.nomad.name; - group = config.users.groups.nomad.name; - }; - sops.secrets.holochain-global-client-nomad-key = { - sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - owner = config.users.extraUsers.nomad.name; - group = config.users.groups.nomad.name; - }; - - services.nomad = { - enable = true; - package = packages'.nomad; - enableDocker = false; - dropPrivileges = false; - - extraPackages = [ - pkgs.coreutils - pkgs.nix - pkgs.bash - pkgs.gitFull - pkgs.cacert - ]; - - settings = { - server.enabled = false; - - client = { - enabled = true; - server_join = { - retry_join = [ - "infra.holochain.org" - ]; - retry_interval = "60s"; - }; - - node_class = "testing"; - - meta = { - inherit (pkgs.targetPlatform) system; - - features = builtins.concatStringsSep "," [ - "poc-1" - "poc-2" - "ipv4-nat" - "nix" - "nixos" - "holoport" - ]; - - machine_type = "baremetal"; - }; - }; - - tls = { - http = true; - rpc = true; - ca_file = config.sops.secrets.holochain-nomad-agent-ca.path; - cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path; - key_file = config.sops.secrets.holochain-global-client-nomad-key.path; - - verify_server_hostname = true; - verify_https_client = true; - }; - - plugin.raw_exec.config.enabled = true; - }; - }; - - users.extraUsers.nomad.isNormalUser = true; - users.extraUsers.nomad.isSystemUser = false; - users.extraUsers.nomad.group = "nomad"; - users.extraUsers.nomad.home = config.services.nomad.settings.data_dir; - 
users.extraUsers.nomad.createHome = true; - users.groups.nomad.members = ["nomad"]; - - systemd.services.nomad.serviceConfig.User = "nomad"; - systemd.services.nomad.serviceConfig.Group = "nomad"; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions @@ -215,5 +131,5 @@ in { # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? + system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 5c0b7bb..3af624b 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock index 38508fd..4e1a641 100644 --- a/nix/os/devices/srv0-dmz0/flake.lock +++ b/nix/os/devices/srv0-dmz0/flake.lock 
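Review bot: The three `sops.secrets.holochain-*` declarations are removed here, but nothing in this commit touches `secrets/holochain-infra/nomad.yaml` or whatever `.sops.yaml` rule covers it, so the nomad CA, client certificate and client key stay in the repository encrypted to every recipient of that rule. If this node was the last consumer, delete the file and its rule; if not, at least re-encrypt it to the remaining consumers. The `nomad` user and its home under `services.nomad.settings.data_dir` will also linger on the already-deployed host after the switch, so a one-off cleanup step is worth a note in this device's README.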
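Review bot: `system.stateVersion` is bumped from `"23.05"` to `"23.11"` directly under the comment that says to leave it at the first-install value; on an already-installed system this silently changes defaults for stateful services. The changed `disk` id in the first hunk of this file suggests the machine was reinstalled onto a new SSD, in which case the bump is right, but that reasoning belongs next to the value, e.g. `# reinstalled on the new SSD, hence 23.11`.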
@@ -7,43 +7,43 @@ ] }, "locked": { - "lastModified": 1687871164, - "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "lastModified": 1716736833, + "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", "owner": "nix-community", "repo": "home-manager", - "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-24.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1688668881, - "narHash": "sha256-q5QIxsX5UR+P2uq8RyaJA/GI5z3yZiKl3Q35gVyr9UM=", + "lastModified": 1717242134, + "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0ffe9cc640d092e6abd8c0adec483acfd2ed7cda", + "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688640665, - "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", + "lastModified": 1717216113, + "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", + "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", "type": "github" }, "original": { diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index c315b8e..2f27989 100644 
--- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -1,12 +1,12 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.05"; + url = "github:nix-community/home-manager/release-24.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index fe0b621..9ddbde9 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +_: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index 8815036..a89e29a 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -17,7 +18,8 @@ "xhci_hcd" "xhci_pci" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index b6c8038..607e7f3 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,16 +1,8 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -20,7 +12,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index e677958..84bb74d 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,11 +1,4 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { +_: { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -37,7 +30,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; 
@@ -45,14 +38,20 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; networking.useHostResolvConf = false; - services.resolved = {enable = true;}; + services.resolved = { + enable = true; + }; - containers = {}; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index bb546e6..1bc2086 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,7 +4,8 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 511138c..5817e21 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,7 +6,8 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index a15e1aa..d009275 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 6d8eadd..76ab1b9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index 73d39d9..efe0db2 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,11 +1,7 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: let -in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = {}; + users.groups.sgx = { }; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index 2b72309..e37d392 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -14,7 +11,7 @@ in { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = ["sgx"]; + extraGroups = [ "sgx" ]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/steveej-pa600/boot.nix +++ b/nix/os/devices/steveej-pa600/boot.nix 
@@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 37f4c61..68ad190 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index a563c1a..651a6e2 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -7,7 +8,8 @@ "xhci_pci" "hxci_hcd" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 1db742a..360c17b 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,11 +1,8 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 02256d8..2a4551a 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix 
@@ -1,11 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -20,7 +14,11 @@ in { services.printing = { enable = true; - drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + drivers = with pkgs; [ + hplip + mfcl3770cdw.driver + mfcl3770cdw.cupswrapper + ]; }; services.fprintd.enable = true; @@ -29,9 +27,9 @@ in { sudo.fprintAuth = true; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index 4b85fea..bb94098 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index ce6b116..e7d4567 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix 
@@ -4,9 +4,12 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 96f7be3..08f1a43 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index b32a198..9682eb6 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 14df96a..4af1def 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 4329e5c..7f69ec0 100644 
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,3 @@ -{...}: { +_: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index d49dbd3..861a9ea 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,11 +1,8 @@ -{...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index 408b2a9..c42f909 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index 5bad73f..d409681 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index f8759b8..3771f25 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,35 +2,33 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = '' - 9c34c8adba80180608794cce600b10183b048942''; + rev = ''9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index a0fa34a..92abc4a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index 281d09e..d3ff0b5 100644 
--- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -1,8 +1,5 @@ +{ lib, pkgs, ... }: { - lib, - pkgs, - ... -}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 8d578b7..f5ccca0 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,5 +1,13 @@ -{...}: { +{ ... }: +{ imports = [ + ../../snippets/home-manager-with-zsh.nix + ../../snippets/nix-settings-holo-chain.nix + # TODO: double-check whether this works at all after the most recent changes + # ../../snippets/radicale.nix + ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix + ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/opinionatedDisk.nix 
@@ -10,6 +18,60 @@ ./pkg.nix ./user.nix ./boot.nix - ./secrets.nix + + # samba seerver + (_: { + # networking.firewall.enable = lib.mkForce false; + services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + networking.firewall.allowedTCPPorts = [ + 5357 # wsdd + ]; + networking.firewall.allowedUDPPorts = [ + 3702 # wsdd + ]; + services.samba = { + enable = true; + + securityType = "user"; + + extraConfig = '' + workgroup = ARBEITSGRUPPE + server string = steveej-t14 + netbios name = steveej-t14 + security = user + + # use sendfile = yes + + # for executables on windows + acl allow execute always = True + + # legacy windows quirks + max protocol = NT1 + min protocol = NT1 + ntlm auth = yes + + # client max protocol = SMB1 + # client min protocol = NT1 + + # note: localhost is the ipv6 localhost ::1 + hosts allow = 192.168. 127.0.0.1 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + shares = { + voodoo = { + path = "/home/steveej/Desktop/voodoo"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + # "force user" = "steveej"; + # "force group" = "users"; + }; + }; + }; + }) ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index 739065b..d7e6d28 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix 
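Review bot: The `extraConfig` of the new inline samba module pins `min protocol = NT1`, `max protocol = NT1` and `ntlm auth = yes`, so the `voodoo` share is only ever served over SMB1 with NTLMv1 — no signing or encryption and LAN-relayable credentials — and the `hosts allow = 192.168.` line narrows but does not remove that exposure; current Windows 10 builds ship with SMB1 disabled, so the `# legacy windows quirks` block probably does not even achieve its goal. Suggest dropping `max protocol`, and using `min protocol = SMB2` and `ntlm auth = ntlmv2-only` (Samba's default), with a comment on `acl allow execute always = True` saying which Windows executables need it. The hunk only opens the wsdd ports 5357/3702; samba's own 139/445 are not opened here nor in the interface-scoped lists in system.nix, so the share is unreachable unless `services.samba.openFirewall = true;` (or an explicit port) is added — if that is intentional, say so in a comment. The commented-out `# networking.firewall.enable = lib.mkForce false;` references `lib`, which the `_:` module header does not bind, so it cannot be re-enabled by uncommenting; remove it rather than keep dead config.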
@@ -3,35 +3,25 @@ repoFlake, repoFlakeWithSystem, nodeFlake, -}: let + ... +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - overlays = [ - (final: prev: { - # FIXME: why are these not effective in for the configuration.nix below? - xdg-desktop-portal-wlr' = repoFlake.inputs.nixpkgs-wayland.packages.${system}.xdg-desktop-portal-wlr; - xdg-desktop-portal-wlr-gtk' = repoFlake.inputs.nixpkgs-wayland.packages.${system}.xdg-desktop-portal-wlr-gtk; - }) - ]; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager - ]; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock index 1941acf..5960780 100644 --- a/nix/os/devices/steveej-t14/flake.lock +++ b/nix/os/devices/steveej-t14/flake.lock 
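Review bot: `nodeFlake.inputs.home-manager.nixosModules.home-manager` is dropped from `imports`, yet `pkg.nix` in this same commit still sets `home-manager.users.root` and `home-manager.users.steveej`; those options only resolve if the newly imported `../../snippets/home-manager-with-zsh.nix` (not in this diff) imports the home-manager module itself, otherwise evaluation fails on an undefined option. A one-line comment next to the shortened `imports`, e.g. `# home-manager module is pulled in via snippets/home-manager-with-zsh.nix`, would make that dependency visible to the next reader.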
@@ -7,16 +7,16 @@ ] }, "locked": { - "lastModified": 1687871164, - "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "lastModified": 1705273357, + "narHash": "sha256-JAlkxgJbWh7+auiT0rJL3IUXXtkULRqygfxQA6mvLgc=", "owner": "nix-community", "repo": "home-manager", - "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "rev": "924d91e1e4c802fd8e60279a022dbae5acb36f2d", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -39,11 +39,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1691421349, - "narHash": "sha256-RRJyX0CUrs4uW4gMhd/X4rcDG8PTgaaCQM5rXEJOx6g=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "011567f35433879aae5024fc6ec53f2a0568a6c4", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { @@ -53,13 +53,29 @@ "type": "github" } }, - "nixpkgs-master": { + "nixpkgs-2311": { "locked": { - "lastModified": 1691518494, - "narHash": "sha256-Xa77u1HcXQ3p+v+8EoHi5ZgHnh8uNcQkEIoNF5xGSVU=", + "lastModified": 1705183652, + "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c9a4aa0cd93d9c73a50015d9df19ee65e5f793f8", + "rev": "428544ae95eec077c7f823b422afae5f174dee4b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1705325703, + "narHash": "sha256-ckwq5uZTOg79p6j9Op4tuKUiEIf0gaLskMS5g43MfVI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7081bd488c8fd2a1ac54fda9676e22e6f8fb581f", "type": "github" }, "original": { 
@@ -71,11 +87,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691368598, - "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=", + "lastModified": 1705133751, + "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5a8e9243812ba528000995b294292d3b5e120947", + "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", "type": "github" }, "original": { @@ -87,11 +103,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1691472822, - "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=", + "lastModified": 1705249824, + "narHash": "sha256-ZLPa6YWHeX+/yzaxU7uMWq9eMMncffrzkgOXe6AODMU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff", + "rev": "0c741cd9fbdc435b7ca88e17efc371b48e7c23b8", "type": "github" }, "original": { @@ -105,10 +121,11 @@ "inputs": { "home-manager": "home-manager", "nixpkgs": [ - "nixpkgs-2305" + "nixpkgs-2311" ], "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2305": "nixpkgs-2305", + "nixpkgs-2311": "nixpkgs-2311", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable-small": "nixpkgs-unstable-small" diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index 4786ee1..504ce45 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix 
@@ -1,16 +1,16 @@ { inputs.nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; + inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - inputs.nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - inputs.nixpkgs.follows = "nixpkgs-2305"; + inputs.nixpkgs.follows = "nixpkgs-2311"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.05"; + url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 9f7d778..0fa593a 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
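Review bot: The `inputs.nixpkgs-unstable-small.url` input is removed here, but the accompanying flake.lock hunk (`@@ -105,10 +121,11 @@`) still lists `"nixpkgs-unstable-small": "nixpkgs-unstable-small"` among the root inputs and even bumps its revision, so the lock no longer matches flake.nix and the next `nix flake lock` will rewrite it. Re-run the lock update after removing the input and commit the result, or keep the input if something still references it.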
@@ -1,5 +1,130 @@ -{...}: let - stage1Modules = [ +_: { + # TASK: new device + hardware.opinionatedDisk = { + enable = true; + encrypted = true; + diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; + earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; + }; + + # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; + + # see https://linrunner.de/tlp/ + services.tlp = { + enable = false; + settings = { + CPU_DRIVER_OPMODE_ON_AC = "active"; + CPU_DRIVER_OPMODE_ON_BAT = "passive"; + + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + + CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; + CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; + + CPU_BOOST_ON_AC = "0"; + CPU_BOOST_ON_BAT = "0"; + + RADEON_DPM_PERF_LEVEL_ON_AC = "low"; + RADEON_DPM_PERF_LEVEL_ON_BAT = "low"; + RADEON_POWER_PROFILE_ON_AC = "low"; + RADEON_POWER_PROFILE_ON_BAT = "low"; + RADEON_DPM_STATE_ON_AC = "battery"; + RADEON_DPM_STATE_ON_BAT = "battery"; + + # SOUND_POWER_SAVE_ON_AC="1"; + SOUND_POWER_SAVE_ON_BAT = "1"; + + PLATFORM_PROFILE_ON_AC = "performance"; + PLATFORM_PROFILE_ON_BAT = "low-power"; + + RUNTIME_PM_ON_AC = "on"; + RUNTIME_PM_ON_BAT = "auto"; + + PCIE_ASPM_ON_AC = "default"; + PCIE_ASPM_ON_BAT = "powersupersave"; + + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + + WOL_DISABLE = "Y"; + # WIFI_PWR_ON_AC="on"; + # WIFI_PWR_ON_BAT = "on"; + DEVICES_TO_DISABLE_ON_STARTUP = "wwan"; + # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; + # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; + # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; + + SATA_LINKPWR_ON_AC = "max_performance"; + SATA_LINKPWR_ON_BAT = "min_power"; + }; + }; + + # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable + services.thinkfan = { + enable = false; + levels = [ + # ["level auto" 0 60] + [ + 0 + 0 + 60 + ] + [ + 1 + 60 + 65 + ] + [ + 1 
+ 65 + 75 + ] + [ + 2 + 75 + 78 + ] + [ + 3 + 78 + 80 + ] + [ + 4 + 80 + 82 + ] + [ + 5 + 82 + 84 + ] + [ + 6 + 84 + 86 + ] + [ + 7 + 86 + 88 + ] + [ + "level full-speed" + 88 + 999 + ] + ]; + + extraArgs = [ + "-b-3" + "-s1" + ]; + }; + + hardware.enableRedistributableFirmware = true; + boot.initrd.kernelModules = [ "aesni_intel" "kvm_amd" "nvme" 
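Review bot: `earlyDiskIdOverride` is set to a USB device id while `diskId` is the internal NVMe, with no comment explaining the split, and the connection to the `usbcore`/`usb_storage`/`uas`/`xhci_*` modules that the second hunk (`@@ -7,80 +132,12 @@`) adds to `boot.initrd.kernelModules` is left implicit. Suggest a comment above the option such as `# early boot device is the removable USB stick; the initrd module list below includes the USB stack so stage 1 can find it` — hedged, since `earlyDiskIdOverride` is an option of the project's opinionatedDisk module whose semantics are not visible here. Both `services.tlp` and `services.thinkfan` are added fully configured but with `enable = false`, so roughly a hundred lines are inert; a one-line comment on each `enable = false` stating why they are disabled would stop the next reader from assuming they are active. The commented-out `# boot.loader.grub.device = lib.mkForce ...` references `lib`, which the `_:` header no longer binds.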
@@ -7,80 +132,12 @@ "thunderbolt" "e1000e" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "xhci_pci" + "uas" ]; -in { - # TASK: new device - hardware.opinionatedDisk = { - enable = true; - encrypted = true; - diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; - }; - - # see https://linrunner.de/tlp/ - services.tlp = { - enable = true; - settings = { - # CPU_SCALING_GOVERNOR_ON_AC = "schedutil"; - CPU_SCALING_GOVERNOR_ON_BAT = "schedutil"; - - # CPU_ENERGY_PERF_POLICY_ON_AC="balance_power"; - CPU_ENERGY_PERF_POLICY_ON_BAT="power"; - - # SCHED_POWERSAVE_ON_AC="1"; - SCHED_POWERSAVE_ON_BAT="1"; - - CPU_BOOST_ON_AC="0"; - CPU_BOOST_ON_BAT="0"; - - # RADEON_DPM_PERF_LEVEL_ON_AC="auto"; - RADEON_DPM_PERF_LEVEL_ON_BAT="low"; - # RADEON_DPM_STATE_ON_AC="balanced"; - RADEON_DPM_STATE_ON_BAT="battery"; - - # SOUND_POWER_SAVE_ON_AC="1"; - SOUND_POWER_SAVE_ON_BAT="1"; - - # # PLATFORM_PROFILE_ON_AC="low-power"; - # # PLATFORM_PROFILE_ON_BAT="low-power"; - # PLATFORM_PROFILE_ON_AC="balanced"; - PLATFORM_PROFILE_ON_BAT="low-power"; - - # RUNTIME_PM_ON_AC = "auto"; - RUNTIME_PM_ON_BAT = "auto"; - - # PCIE_ASPM_ON_AC="default"; - PCIE_ASPM_ON_BAT="powersave"; - - START_CHARGE_THRESH_BAT0 = "75"; - STOP_CHARGE_THRESH_BAT0 = "80"; - - WOL_DISABLE="Y"; - # WIFI_PWR_ON_AC="on"; - WIFI_PWR_ON_BAT="on"; - DEVICES_TO_DISABLE_ON_STARTUP="wwan"; - # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; - # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; - # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; - }; - }; - - services.thinkfan = { - enable = true; - levels = [ - [0 0 55] - [1 55 65] - [1 65 75] - [2 75 78] - [3 78 80] - [4 80 82] - [5 82 84] - [6 84 86] - [7 86 88] - ["level full-speed" 88 999] - ]; - }; - - - # boot.initrd.availableKernelModules = stage1Modules; - boot.initrd.kernelModules = stage1Modules; } diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 95dc2d4..4e53eaf 100644 --- a/nix/os/devices/steveej-t14/pkg.nix 
+++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,11 +1,9 @@ +{ pkgs, ... }: { - pkgs, - lib, - repoFlake, - nodeFlake, - ... -}: { + system.stateVersion = "23.05"; + home-manager.users.root = _: { home.stateVersion = "22.05"; }; home-manager.users.steveej = _: { + home.stateVersion = "22.05"; imports = [ ../../../home-manager/configuration/graphical-fullblown.nix @@ -16,11 +14,9 @@ }) ]; - home.sessionVariables = { - }; + home.sessionVariables = { }; - home.packages = with pkgs; [ - ]; + home.packages = with pkgs; [ ]; }; # TODO: fix the following errors with regreet 
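Review bot: `home-manager.users.root = _: { home.stateVersion = "22.05"; };` declares a home-manager profile for root that contains nothing but a state version, which activates a per-user home-manager generation for root on every rebuild; if the only purpose is to silence a missing-stateVersion assertion from a shared snippet, a comment saying so (`# only here to satisfy the stateVersion assertion for root`) would make that clear, and if root needs no profile the line can go. The rest of the hunk (moving `system.stateVersion` up, collapsing empty `sessionVariables`/`packages`) is fine.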
@@ -34,26 +30,28 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + services.greetd = + let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in + { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + }; }; }; - }; environment.etc."greetd/environments".text = '' sway 
@@ -102,42 +100,4 @@ # # }; # # }; # }; - - security.pam.services.getty.enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # rtkit is optional but recommended - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = {}; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - extraPortals = [ - pkgs.xdg-desktop-portal-wlr - pkgs.xdg-desktop-portal-gtk - - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - - system.stateVersion = "23.05"; } diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix deleted file mode 100644 index a97d67d..0000000 --- a/nix/os/devices/steveej-t14/secrets.nix +++ /dev/null @@ -1,7 +0,0 @@ -{config, ...}: { - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd; - format = "binary"; - owner = config.users.users.steveej.name; - }; -} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 9ced0b4..db19a3b 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix 
@@ -2,43 +2,11 @@ pkgs, lib, config, - nodeName, repoFlake, ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; -in { - nix.settings = { - substituters = [ - "https://holochain-ci.cachix.org" - "https://cache.holo.host/" - ]; - trusted-public-keys = [ - "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" - "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" - "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" - ]; - - extra-experimental-features = ["impure-derivations"]; - system-features = ["recursive-nix" "big-parallel"]; - }; - - networking.extraHosts = '' - ''; - - networking.bridges."virbr1".interfaces = []; - networking.interfaces."virbr1".ipv4.addresses = [ - { - address = "10.254.254.254"; - prefixLength = 24; - } - ]; - - networking.firewall.enable = true; - services.openssh.openFirewall = false; - - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."eth+".allowedTCPPorts = [ +}: +let + localTcpPorts = [ 22 # syncthing 
@@ -47,11 +15,67 @@ in { # iperf3 5201 ]; - networking.firewall.interfaces."eth+".allowedUDPPorts = [ + + localUdpPorts = [ # syncthing 22000 21027 ]; +in +{ + nix.settings = { + substituters = [ ]; + trusted-public-keys = [ ]; + }; + + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "x86_64-linux"; + maxJobs = 32; + speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; + } + + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "aarch64-linux"; + maxJobs = 32; + speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; + } + ]; + + networking.networkmanager.enable = true; + + networking.extraHosts = ''''; + + networking.bridges."virbr1".interfaces = [ ]; + networking.interfaces."virbr1".ipv4.addresses = [ + { + address = "10.254.254.254"; + prefixLength = 24; + } + ]; + + # needed to make wireguard managed by networkmanager route all traffic through it + networking.firewall.checkReversePath = false; + + networking.firewall.enable = true; + services.openssh.openFirewall = false; + + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts; + networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts; + networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts; + networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts; networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; 
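Review bot: `networking.firewall.checkReversePath = false` disables reverse-path filtering on every interface, while the stated reason (a NetworkManager-managed WireGuard tunnel routing all traffic) is normally satisfied by the option's `"loose"` mode, which keeps basic anti-spoofing; suggest `networking.firewall.checkReversePath = "loose";` and re-test the tunnel. The same hunk now applies `localTcpPorts` (including 22) and `localUdpPorts` to `wlan+`, so SSH and syncthing become reachable on whatever wireless network the laptop joins despite `services.openssh.openFirewall = false` — a comment stating that this is intended for the wireless case would help. `nix.settings.substituters = [ ]` and `trusted-public-keys = [ ]` presumably only replace the removed Holo caches; if they are rendered into nix.conf as an empty `substituters =` line they would also drop the built-in cache.nixos.org default (hedged, depends on the NixOS module's rendering), so either delete the two lines or document that this is deliberate. The two `nix.buildMachines` entries obtain `supportedFeatures` by evaluating `repoFlake.nixosConfigurations.*.config` — one of them this host's own configuration — just to read a list, which the existing `# TODO: make this a reference` already hints at; a literal list would avoid evaluating full system closures.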
@@ -66,7 +90,9 @@ in { # virtualization virtualisation = { - libvirtd = {enable = true;}; + libvirtd = { + enable = true; + }; virtualbox.host = { enable = false; @@ -84,52 +110,11 @@ in { # client min protocol = NT1 ''; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - time.timeZone = lib.mkForce passwords.timeZone.stefan; + services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; hardware.ledger.enable = true; - services.zerotierone = { - enable = true; - joinNetworks = [ - # moved to the service below as it's now secret - ]; - }; - - systemd.services.zerotieroneSecretNetworks = { - enable = true; - requiredBy = ["zerotierone.service"]; - partOf = ["zerotierone.service"]; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - - script = let - secret = config.sops.secrets.zerotieroneNetworks; - in '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - ${config.systemd.services.zerotierone.preStart} - - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; - }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../../secrets/zerotierone.txt; - format = "binary"; - }; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index ece9cec..dacf1f4 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
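Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` registers aarch64 user-mode emulation with the kernel and, as far as I know, also advertises `aarch64-linux` to Nix as a locally buildable platform, so aarch64 derivations may be built under slow emulation locally instead of being dispatched to the `aarch64-linux` entry added to `nix.buildMachines` earlier in this file. If the remote builder is the intended path, a comment such as `# emulation kept for local image builds; remote builder handles bulk aarch64 work` would state why both are wanted, or the emulation could be dropped. The zerotier service and its `sops.secrets.zerotieroneNetworks` definition are removed here while `../../../../secrets/zerotierone.txt` is not touched in the visible part of this diff, so that encrypted file may now be orphaned — worth checking.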
@@ -1,19 +1,16 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { - users.extraUsers.steveej2 = mkUser { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ + users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = ["steveej"]; + nix.settings.trusted-users = [ "steveej" ]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 06cc7d1..76a34c8 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,13 +1,11 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../common/passwords.crypt.nix; -in { +in +{ # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; 
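Review bot: `hashedPasswordFile` now points at `config.sops.secrets.sharedUsers-steveej.path`; the switch from `passwordFile` looks like the upstream NixOS option rename, and both expect the file to hold a crypt(3)-style hash rather than a plaintext password, so a comment such as `# must contain a password hash (mkpasswd output), not the plaintext` next to it would stop a later edit from substituting a plaintext secret. The user defined here is `steveej2`, but the secret, the authorized keys and the `nix.settings.trusted-users` entry all name `steveej`; if sharing credentials between the two accounts is intended, a one-line comment should say so, since `trusted-users` grants full control over the Nix daemon.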
@@ -19,22 +17,18 @@ in { ''; nixpkgs.config = { - packageOverrides = super: let - self = super.pkgs; - in { + packageOverrides = super: { linux_4_1 = super.linux_4_1.override { - kernelPatches = - super.linux_4_1.kernelPatches - ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } - ]; + kernelPatches = super.linux_4_1.kernelPatches ++ [ + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } + ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' BTRFS_FS y @@ -279,7 +273,10 @@ in { uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = ["wheel" "libvirtd"]; + extraGroups = [ + "wheel" + "libvirtd" + ]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index a325b30..1d3e463 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,17 +1,13 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +{ ... }: { - config, - lib, - pkgs, - ... -}: { - imports = []; + imports = [ ]; - boot.initrd.availableKernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; hardware.enableAllFirmware = true; 
@@ -24,5 +20,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = []; + swapDevices = [ ]; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix new file mode 100644 index 0000000..39e93de --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
@@ -0,0 +1,176 @@ +{ + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + system, + ... +}: +{ + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + }; + + systemd.services.bluetooth-mac = { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? + ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + + imports = [ + nodeFlake.inputs.nixos-x13s.nixosModules.default + + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../snippets/nix-settings.nix + ../../profiles/common/user.nix + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix + ]; + + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.sshfs + pkgs.util-linux + 
pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt + ]; + + system.stateVersion = "23.11"; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ ]; + + # TODO: currently unsupported + services.gammastep.enable = lib.mkForce false; + # programs.chromium.enable = lib.mkForce false; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ "wwan" ]; + + initrd.kernelModules = [ + "uas" + "usb_storage" + + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_combo" + "phy_qcom_snps_femto_v2" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "xhci-pci-renesas" + + "msm" + ]; + + initrd.extraFiles = { + "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = + nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + }; + }; + + hardware.firmware = [ + pkgs.linux-firmware + nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware" + ]; + + hardware.enableAllFirmware = true; + + # see 
https://linrunner.de/tlp/ + services.tlp = { + enable = true; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix new file mode 100644 index 0000000..2ba48d2 --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -0,0 +1,36 @@ +{ + system ? "aarch64-linux", + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + localDomainName ? "internal", + ... +}: +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit + repoFlake + nodeName + nodeFlake + system + ; + packages' = repoFlake.packages.${system}; + nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + + inherit localDomainName; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = "${nodeName}.${localDomainName}"; + deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + }; +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix new file mode 100644 index 0000000..2eb097a --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix 
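Review bot: In the `bluetooth-mac` wait loop the line `echo sleep 1` only prints the word "sleep", so the `while ! (journalctl -b0 | grep ...)` loop spins without pausing and re-runs `journalctl` as fast as it can until the firmware message appears; it should read `sleep 1`. The same loop is duplicated verbatim in `nix/os/devices/steveej-x13s/configuration.nix` in this diff, so fix both or factor the service into a shared snippet. Separately, `services.openssh.settings.PermitRootLogin = "yes"` together with `services.openssh.openFirewall = true` permits password login as root from any interface; `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps key-based root login for deployment while closing the password path.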
@@ -0,0 +1,73 @@ +{ + disko.devices = { + disk = { + voyager-gtx = { + type = "disk"; + device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-usb-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock new file mode 100644 index 0000000..dcc457f --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
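Review bot: `allowDiscards = true;` on the LUKS container passes TRIM through to the device, which exposes which blocks are unused and so leaks filesystem layout through the encryption; that is a common and defensible trade-off for flash media, but it deserves a comment stating it, e.g. `# TRIM through LUKS reveals free-space layout; accepted for flash longevity`. The same setting appears in `nix/os/devices/steveej-x13s/disko.nix` in this diff. The commented-out `keyFile = "/tmp/secret.key"` and `additionalKeyFiles` lines are carried over from the disko example; if interactive passphrase entry is the intended mode, replacing them with a single `# interactive passphrase entry; no key file` comment avoids suggesting a key file under /tmp as an option.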
@@ -0,0 +1,194 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", + "owner": "nix-community", + "repo": "disko", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705659542, + "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "mobile-nixos": { + "flake": false, + "locked": { + "lastModified": 1705008488, + "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", + "owner": "NixOS", + "repo": "mobile-nixos", + "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "mobile-nixos", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts", + 
"nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706097550, + "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", + "ref": "refs/heads/main", + "rev": "732a0f1549996740bdb06989599a5f0653de5056", + "revCount": 6, + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1706022028, + "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "15ff1758e7816331033baa14eebbea68626128f3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": 
"home-manager", + "mobile-nixos": "mobile-nixos", + "nixos-x13s": "nixos-x13s", + "nixpkgs": "nixpkgs", + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-unstable-small": "nixpkgs-unstable-small" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix new file mode 100644 index 0000000..043907d --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -0,0 +1,87 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; + + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in + { + lib = { + mkNixosConfiguration = + { + nodeName, + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; + + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = extraModules; + } + ); + }; + + nixosConfigurations = + let + nodeName = "steveej-x13s-rmvbl"; + in + { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { users.commonUsers.installPassword = "install"; } + ]; + }; + + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/steveej-x13s/.gitignore @@ -0,0 +1 @@ +result 
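Review bot: The `native` configuration sets `users.commonUsers.installPassword = "install";` while the imported `./configuration.nix` enables sshd with `PermitRootLogin = "yes"` and `openFirewall = true`, so if `installPassword` is applied to root or to a wheel user (the `users.commonUsers` module is not visible here) a freshly installed system accepts a well-known password over SSH until it is changed; a comment on that line should state when the password is expected to be rotated, or the option should be confined to the installer step. `disko` is declared with only `disko.inputs.nixpkgs.follows = "nixpkgs"` and no `url`, so it is resolved through the flake registry (`"type": "indirect"` in the accompanying flake.lock); adding `disko.url = "github:nix-community/disko";` makes the input source independent of the registry contents at lock time.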
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix new file mode 100644 index 0000000..d5c9475 --- /dev/null +++ b/nix/os/devices/steveej-x13s/configuration.nix 
@@ -0,0 +1,287 @@ +{ + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + system, + ... +}: +{ + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + kernel = "jhovold"; + }; + + services.illum.enable = true; + + # printint and autodiscovery of printers + services.printing.enable = true; + services.printing.drivers = [ pkgs.hplip ]; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + hardware.sane.enable = true; # enables support for SANE scanners + + systemd.services.bluetooth-x13s-mac = lib.mkForce { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? 
+ ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + + imports = [ + nodeFlake.inputs.nixos-x13s.nixosModules.default + + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../profiles/common/user.nix + + ../../snippets/nix-settings.nix + ../../snippets/nix-settings-holo-chain.nix + ../../snippets/mycelium.nix + + nodeFlake.inputs.extra-container.nixosModules.default + { + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + # externalInterface = "enu1u1u2"; + # Lazy IPv6 connectivity for the container + # enableIPv6 = true; + }; + } + + # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv + # make: *** [Makefile:53: v4l2loopback.ko] Error 2 + # ../../snippets/obs-studio.nix + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + + sops.secrets.builder-private-key = { }; + nix.distributedBuilds = true; + nix.buildMachines = [ + # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' + { + hostName = "buildbot-nix-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ "x86_64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 16; + } + + { + hostName = "aarch64-linux-builder-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + 
protocol = "ssh-ng"; + systems = [ "aarch64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 8; + } + + { + hostName = "x64-linux-dev-01.dev.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ + # "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 0; + } + ]; + } + + { + # yubikey / smartcard. only set to `true` for `ykman piv` commands. + services.pcscd.enable = false; + } + + # TODO: create syncthing os snippet + ( + let + tcp = [ 22000 ]; + udp = [ + 22000 + 21027 + ]; + in + { + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."en+".allowedTCPPorts = tcp; + networking.firewall.interfaces."en+".allowedUDPPorts = udp; + networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; + networking.firewall.interfaces."wl+".allowedUDPPorts = udp; + + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + } + ) + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix + + ../../snippets/holo-zerotier.nix + + # ../../snippets/k3s-w-nix-snapshotter.nix + ]; + + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.sshfs + pkgs.util-linux + pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt + ]; + + system.stateVersion = "23.11"; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + home.sessionVariables = { }; + + home.packages = with 
pkgs; [ ]; + + # TODO(upstream): currently unsupported on x13s + services.gammastep.enable = true; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.configurationLimit = 5; + + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ + "wwan" + # "qcom_soundwire" + # "snd_soc_qcom_sdw" + # "snd_soc_sc8280xp" + ]; + }; + + # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' + hardware.firmware = lib.mkBefore [ + (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + '') + ]; + + # see https://linrunner.de/tlp/ + # TODO: find an equivalent to tlp that supports this machine + services.tlp = { + enable = false; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + hardware.ledger.enable = true; + + virtualisation.containers.enable = true; + virtualisation.podman.enable = true; + + steveej.holo-zerotier = { + enable = true; + autostart = false; + }; + + services.udev.packages = [ pkgs.android-udev-rules ]; + programs.adb.enable = true; + + nix.settings.sandbox = lib.mkForce "relaxed"; + + systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = "${pkgs.libcamera}/libexec/libcamera"; +} 
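Review bot: `services.openssh.settings.PermitRootLogin = "yes";` combined with `services.openssh.openFirewall = true;` enables password authentication for root on every interface; `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps key-based root login for colmena deployment and closes the password path. `nix.settings.sandbox = lib.mkForce "relaxed";` lets derivations opt out of the build sandbox; a comment naming the derivation that needs it would document the exception and make it revertible later. The hint `# test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=...'` has no host between `@` and `?`; writing it as `ssh-ng://nix-remote-builder@<hostName>?ssh-key=/run/secrets/builder-private-key` makes it copy-pasteable. The third `nix.buildMachines` entry has `maxJobs = 0;` and a commented-out system, so it is effectively disabled; if that is temporary, a TODO saying why would help.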
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix new file mode 100644 index 0000000..bb170b2 --- /dev/null +++ b/nix/os/devices/steveej-x13s/default.nix @@ -0,0 +1,36 @@ +{ + system ? "aarch64-linux", + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + localDomainName ? "internal", + ... +}: +{ + meta.nodeSpecialArgs.${nodeName} = { + inherit + repoFlake + nodeName + nodeFlake + system + ; + packages' = repoFlake.packages.${system}; + nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + + inherit localDomainName; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + + ${nodeName} = { + deployment.targetHost = "${nodeName}.${localDomainName}"; + deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ ./configuration.nix ]; + }; +} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix new file mode 100644 index 0000000..40b2118 --- /dev/null +++ b/nix/os/devices/steveej-x13s/disko.nix 
@@ -0,0 +1,74 @@ +{ + disko.devices = { + disk = { + x13s-nvme = { + type = "disk"; + device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; + # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-nvme-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock new file mode 100644 index 0000000..8ee318a --- /dev/null +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -0,0 +1,466 @@ +{ + "nodes": { + "ath11k-firmware": { + "flake": false, + "locked": { + "lastModified": 1741293326, + "narHash": "sha256-Ew0d2h1pHqJB8SC0pEYezU5lMknvlcYazVVYCtjW3OY=", + "ref": "refs/heads/main", + "rev": "bc6359cb7ad38b7bc4de6580b7a3c70851c0cafb", + "revCount": 173, + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + }, + "original": { + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + } + }, + "crane": { + "locked": { + "lastModified": 1742317686, + "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745812220, + "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", + "owner": "nix-community", + "repo": "disko", + "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "extra-container": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734542275, + "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "repo": "extra-container", + "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + 
"flake-compat_2": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "revCount": 69, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-snapshotter", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": 
"numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "get-flake": { + "inputs": { + "flake-compat": "flake-compat" + }, + "locked": { + "lastModified": 1745945175, + "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", + "owner": "ursi", + "repo": "get-flake", + "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737233786, + "narHash": "sha256-WO6owkCecetn7bbu/ofy8aftO3rPCHUeq5GlVLsfS4M=", + "owner": "steveej-forks", + "repo": "home-manager", + "rev": "40ecdf4fc8bb698b8cbdb2ddb0ed5b1868e43c1a", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "linux-jhovold": { + "flake": false, + "locked": { + "lastModified": 1745847827, + "narHash": "sha256-ewM7Rpd6On6ys3OkcWOtR7TNWSRZRLZpRP7L9syhn6s=", + "owner": "jhovold", + "repo": "linux", + "rev": "1786db28b335abb5a0fa1e8a27e9950a73f64acf", + "type": "github" + }, + "original": { + "owner": "jhovold", + "ref": "wip/sc8280xp-6.15-rc4", + "repo": "linux", + "type": "github" + } + }, + "mycelium": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745920427, + "narHash": "sha256-E5uUuKv7Mn0/EfmffRQZpSeATcSzJFVeYVF6Cn7KbJc=", + "owner": "threefoldtech", + "repo": "mycelium", + "rev": 
"1eec5651bf5f194b7f7875ec2483582ccebf1cc1", + "type": "github" + }, + "original": { + "owner": "threefoldtech", + "repo": "mycelium", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-snapshotter": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717948701, + "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "rev": "c10b066a4b1bb3451507c141636014e3335e579e", + "type": "github" + }, + "original": { + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts_2", + "linux-jhovold": "linux-jhovold", + "nixpkgs": [ + "nixpkgs" + ], + "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" + }, + "locked": { + "lastModified": 1745914252, + "narHash": "sha256-u8hbsI+oW+cO+omdGeY6Q+Z/NvVZaHIZS70f1mq1gac=", + "ref": "bump", + "rev": "8bd7972c74b12b45aee190ce2ddd6960a0771af6", + "revCount": 147, + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + }, + "original": { + "ref": "bump", + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + } + }, 
+ "nixpkgs-stable": { + "locked": { + "lastModified": 1746055187, + "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1745930157, + "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "ath11k-firmware": "ath11k-firmware", + "disko": "disko", + "extra-container": "extra-container", + "get-flake": "get-flake", + "home-manager": "home-manager", + "mycelium": "mycelium", + "nix-snapshotter": "nix-snapshotter", + "nixos-x13s": "nixos-x13s", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable", + "signal-desktop": "signal-desktop" + } + }, + "signal-desktop": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745037528, + "narHash": "sha256-twzHVBNEX6daUCFwtjn3X7WaJnwRqHeAxX0MB7kosHo=", + "owner": "youwen5", + "repo": "signal-desktop-flake", + "rev": "1b41af6489574da6ba1e0186235c87acbf57163f", + "type": "github" + }, + "original": { + "owner": "youwen5", + "repo": "signal-desktop-flake", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + 
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "x13s-bt-linux-firmware": { + "flake": false, + "locked": { + "lastModified": 1733240564, + "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", + "ref": "refs/heads/main", + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "revCount": 4282, + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + }, + "original": { + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix new file mode 100644 index 0000000..ffd00f9 --- /dev/null +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -0,0 +1,121 @@ +{ + inputs = { + nixpkgs.follows = "nixpkgs-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + home-manager = { + url = "github:steveej-forks/home-manager/master"; + # url = "github:nix-community/home-manager/master"; + # url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" + # 6.13-rc2 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" + # 6.11.0 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" + # 6.12.0-rc6 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" + #"/home/steveej/src/others/nixos-x13s" + # + ; + # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; + # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + + ath11k-firmware = { + url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; + flake = false; + }; + + mycelium.url = "github:threefoldtech/mycelium"; + mycelium.inputs.nixpkgs.follows = "nixpkgs"; + + nix-snapshotter = { + url = "github:yu-re-ka/nix-snapshotter"; + # url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + extra-container = { + url = "github:erikarvstedt/extra-container"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + signal-desktop = { + url = 
"github:youwen5/signal-desktop-flake"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "steveej-x13s"; + + repoFlake = get-flake ../../../..; + + mkNixosConfiguration = + { + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; + + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = [ + ./configuration.nix + + # flake registry + { nix.registry.nixpkgs.flake = nixpkgs; } + ] ++ extraModules; + } + ); + in + { + lib = { + inherit mkNixosConfiguration; + }; + + overlays.default = + _final: _previous: + { + }; + + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + }; +} diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix 
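Review bot: `disko` is configured only through `disko.inputs.nixpkgs.follows = "nixpkgs";` and has no `url`, so it is resolved via the flake registry (the lock file in this commit records it as `"type": "indirect"`), which ties the pinned revision to whichever registry the machine that ran `nix flake update` had; add `disko.url = "github:nix-community/disko";` so the source is explicit in the flake itself. The `nixos-x13s.url` value is followed by a block of commented-out alternative URLs and a duplicated, commented `# nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";` line; this is dead code and the lock already records which revision is in use, so it should be dropped. `mkNixosConfiguration` documents nothing about what `attrs` may contain beyond `extraModules`; a one-line comment such as `# any other attribute in attrs is merged into nixosSystem's arguments (e.g. system)` would make the `recursiveUpdate` call readable. The `outputs` function starts in this hunk but the enclosing flake body continues only as far as shown.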
@@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index db025f1..958331e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{repoFlake, ...}: let +{ repoFlake, ... }: +let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index d432f24..0547466 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index e09b10e..392bb1b 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -11,7 +12,8 @@ "virtio" "scsi_mod" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 96cfc55..2857a30 100644 
--- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,9 +1,5 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -12,7 +8,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; @@ -22,7 +23,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -30,7 +31,13 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; + extraPackages = with pkgs; [ + bash + gitlab-runner + nix + gitFull + git-crypt + ]; concurrent = 2; checkInterval = 0; @@ -39,7 +46,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = ["nix"]; + tagList = [ "nix" ]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index 45c6b0c..cebed6a 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix 
@@ -1,13 +1,9 @@ -{ - pkgs, - lib, - config, - nodeName, - ... -}: let +{ pkgs, config, ... }: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -37,7 +33,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -45,7 +41,9 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -53,7 +51,7 @@ in { systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [pkgs.systemd]; + path = [ pkgs.systemd ]; script = '' systemctl status sshd | grep -i tasks ''; @@ -73,11 +71,13 @@ in { # }; # }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; boot.initrd.network = { enable = true; - udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; ssh = { enable = true; @@ -104,7 +104,12 @@ in { inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; + subvolumes = [ + "mailserver" + "webserver" + "backup" + "syncthing" + ]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 0554d6e..b4f4dcc 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
@@ -1,34 +1,43 @@ -{ - lib, - config, -}: let +{ lib, config }: +let keys = import ../../variables/keys.nix; -in { - mkUser = args: ( - lib.attrsets.recursiveUpdate { - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; +in +{ + mkUser = + args: + lib.mkMerge [ + { + isNormalUser = true; + extraGroups = [ + "docker" + "podman" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + "fuse" + "adbusers" + "scanner" + "lp" + "kvm" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args - ); + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args + ]; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars @@ -36,7 +45,7 @@ in { # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; + volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; 
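Review bot: The new `extraGroups` list in `mkUser` contains `"cdrom"` and `"adbusers"` twice; the duplicates should be removed. Every account created through `mkUser` is also placed in `docker`, `podman`, `libvirtd`, `kvm` and `wheel` by default, and membership in `docker` or `libvirtd` is generally equivalent to root on the host; because the switch from `lib.attrsets.recursiveUpdate` to `lib.mkMerge` means an `extraGroups` supplied in `args` is now merged with this list rather than replacing it, callers can no longer opt an account out of those groups. If that is intended, a comment above the list should say so, e.g. `# NOTE: every mkUser account is admin-equivalent; extraGroups passed in args are merged, not replaced`. The `mkUser` definition starts in this hunk and the surrounding `disk` attribute set continues in the following hunks.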
@@ -47,15 +56,10 @@ in { # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: - if encrypted == true - then luksPhysicalVolume diskId - else bootLuksDevice diskId; + lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 75765d1..622ae62 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix 
@@ -1,39 +1,9 @@ +{ lib, ... }: { - lib, - config, - ... -}: let - cfg = config.services.ddclient-hetzner; -in { options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption {type = types.str;}; - domains = mkOption {type = types.listOf types.str;}; - passwordFile = mkOption {type = types.path;}; - }; - - config = lib.mkIf cfg.enable { - users.groups.ddclient = {}; - users.users.ddclient = { - isSystemUser = true; - group = "ddclient"; - }; - - services.ddclient = { - enable = cfg.enable; - verbose = true; - protocol = "hetzner"; - - # see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775 - username = "token"; - - inherit (cfg) zone domains passwordFile; - - extraConfig = '' - ''; - }; - - systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name; - systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name; + zone = mkOption { type = types.str; }; + domains = mkOption { type = types.listOf types.str; }; + passwordFile = mkOption { type = types.path; }; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 7ac124c..150d688 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -1,23 +1,7 @@ +{ lib, ... }: { - lib, - config, - ... -}: let - cfg = config.services.ddclientovh; -in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption {type = types.str;}; - }; - - config = lib.mkIf cfg.enable { - services.ddclient = { - enable = true; - protocol = "dyndns2"; - server = "www.ovh.com"; - ssl = true; - domains = [cfg.domain]; - use = "web"; - }; + domain = mkOption { type = types.str; }; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index e517d62..4ca89cf 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix 
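Review bot: After this hunk `ddclient-hetzner.nix` only declares `options.services.ddclient-hetzner` (`enable`, `zone`, `domains`, `passwordFile`); the `config` block that created the `ddclient` user and wired `services.ddclient` is gone, so setting `enable = true` now silently does nothing and `passwordFile` is never read. The same applies to `ddclient-ovh.nix` in the next hunk, where `domain` is declared but unused. If the implementations moved elsewhere, a header comment in each file naming the new location would prevent confusion; if they are retired, either delete the modules or add a comment such as `# options retained for compatibility only; no implementation` so the no-op is visible to anyone enabling them.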
@@ -4,7 +4,8 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -25,7 +26,8 @@ with lib; let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in { +in +{ options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -46,7 +48,7 @@ in { }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -74,9 +76,9 @@ in { }; config = mkIf cfg.enable { - warnings = ["Enabled SSH for stage1"]; + warnings = [ "Enabled SSH for stage1" ]; - boot.initrd.kernelModules = ["af_packet"]; + boot.initrd.kernelModules = [ "af_packet" ]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index 62af2a8..d853c28 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,9 +1,6 @@ +{ lib, ... }: +with lib; { - lib, - config, - ... -}: -with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index 758c50e..db2bbbf 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix 
@@ -4,17 +4,26 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix {}; -in { + ownLib = pkgs.callPackage ../lib/default.nix { }; + + earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; +in +{ options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption {type = types.str;}; + diskId = mkOption { type = types.str; }; encrypted = mkOption { default = true; type = types.bool; }; + + earlyDiskIdOverride = mkOption { + default = ""; + type = types.str; + }; }; config = lib.mkIf cfg.enable { @@ -26,38 +35,39 @@ in { fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=nixos"]; + options = [ "subvol=nixos" ]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=home"]; + options = [ "subvol=home" ]; }; - swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; + swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; boot.loader.grub = { - device = ownLib.disk.bootGrubDevice cfg.diskId; + device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = - lib.optionalAttrs cfg.encrypted - (builtins.listToAttrs [ + boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( + builtins.listToAttrs [ { - name = let - splitstring = - builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = + let + splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; + preLVM = true; allowDiscards = true; }; } - ]); + ] + ); }; } 
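Review bot: The new `earlyDiskIdOverride` option has no `description`, and the `earlyDiskId cfg` helper is applied only to `boot.loader.grub.device` in the second hunk while `fileSystems."/"`, `fileSystems."/home"`, `swapDevices` and `boot.initrd.luks.devices` keep using `cfg.diskId`. If that asymmetry is intentional (a disk ID that differs at install time from the runtime one, as the sibling lib comments about install-vs-runtime suggest), it belongs on the option, e.g. `description = "Disk ID used only for the GRUB install device; leave empty to use diskId.";`. The added `preLVM = true;` in the LUKS device entry is likewise uncommented and a short `# why:` note would help, since it changes when the device is unlocked in stage 1.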
diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix deleted file mode 100644 index 21fa70c..0000000 --- a/nix/os/profiles/common/boot.nix +++ /dev/null @@ -1,15 +0,0 @@ -{pkgs, ...}: { - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; -} diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index d68a694..61b4cb8 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -3,15 +3,38 @@ pkgs, repoFlake, ... -}: { +}: +{ imports = [ - ./boot.nix - ./pkg.nix + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../snippets/home-manager-with-zsh.nix + ./system.nix ./hw.nix - ./user.nix - - repoFlake.inputs.sops-nix.nixosModules.sops ]; + + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + }; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 80bdc31..4d6eb74 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix 
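Review bot: The `imports` list no longer includes `./user.nix` (still present and extended later in this commit) or `./pkg.nix` (deleted here), and adds `../../snippets/nix-settings.nix` and `../../snippets/home-manager-with-zsh.nix`, which are outside this diff. Unless `./user.nix` is now imported elsewhere, hosts built from the common profile lose what that module provides — the sops-managed root password, `users.mutableUsers = false` and the root authorized keys — which would be a security-relevant regression rather than a refactor; a comment next to `imports` stating where `user.nix` is now pulled in, or re-adding `./user.nix`, would make that explicit. The relocated boot settings keep their `# Workaround for nm-pptp` comment, but `nixpkgs.config.allowUnfree = true;` and the `home-manager` settings from the deleted `pkg.nix` arrive here or in the snippets without a note; confirm the snippets still set `home-manager.extraSpecialArgs` and `nix.registry.nixpkgs.flake` as `pkg.nix` did.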
@@ -1,5 +1,12 @@ -{...}: { +_: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + "cryptd" + ]; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix deleted file mode 100644 index 7cd1dfb..0000000 --- a/nix/os/profiles/common/pkg.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - config, - pkgs, - # these come in via nodeSpecialArgs and are expected to be defined for every node - repoFlake, - repoFlakeInputs', - nodeFlake, - packages', - ... -}: { - imports = [ - ]; - - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - - osConfig = config; - }; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; -} diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 388a07b..edf8717 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix 
@@ -1,20 +1,8 @@ +{ pkgs, nodeName, ... }: { - config, - pkgs, - lib, - nodeName, - ... -}: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; - nix.daemonCPUSchedPolicy = "idle"; - nix.daemonIOSchedClass = "idle"; - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - nix.settings.sandbox = true; - nix.nixPath = ["nixpkgs=${pkgs.path}"]; - environment.etc."lvm/lvm.conf".text = '' devices { issue_discards = 1 @@ -22,11 +10,13 @@ ''; # Fonts, I18N, Date ... - fonts.fonts = [pkgs.corefonts]; + fonts.packages = [ pkgs.corefonts ]; console.font = "lat9w-16"; - i18n = {defaultLocale = "en_US.UTF-8";}; + i18n = { + defaultLocale = "en_US.UTF-8"; + }; time.timeZone = "Etc/UTC"; services.gpm.enable = true; @@ -50,15 +40,12 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; + # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index a2447f9..6c799c9 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -1,8 +1,10 @@ { config, pkgs, + lib, ... -}: let +}: +let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { 
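Review bot: The first hunk removes `nix.settings.sandbox = true;`, `nix.nixPath`, `nix.settings.max-jobs`/`cores` and the daemon scheduling settings from the common profile; they are presumably now in `../../snippets/nix-settings.nix`, which the common configuration imports but which is outside this diff, so it is worth confirming that `sandbox = true` (build isolation) is still set explicitly there rather than left to the default. The third hunk likewise drops `programs.zsh.enable`, `users.defaultUserShell` and `environment.pathsToLink`, presumably into `home-manager-with-zsh.nix`. The relocated `system.activationScripts.lib64` still hard-codes `ld-linux-x86-64.so.2`; the new `# TODO: adapt this to be arch agnostic` acknowledges it, but with an aarch64 node (`steveej-x13s`) added in this commit, `ln -sfT` would create a dangling `/lib64` symlink on that host if it shares this profile.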
@@ -11,39 +13,81 @@ }) mkUser ; -in { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; + + inherit (lib) types; + + cfg = config.users.commonUsers; +in +{ + options.users.commonUsers = { + enable = lib.mkOption { + default = true; + type = types.bool; + }; + + enableNonRoot = lib.mkOption { + default = true; + type = types.bool; + }; + + rootPasswordFile = lib.mkOption { + default = config.sops.secrets.sharedUsers-root.path; + type = types.path; + }; + + # TODO: test if this works + installPassword = lib.mkOption { + default = ""; + type = types.str; + }; }; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - users.mutableUsers = false; + { + users.mutableUsers = cfg.installPassword != ""; - users.extraUsers.root = { - passwordFile = config.sops.secrets.sharedUsers-root.path; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + users.users.root = lib.mkMerge [ + { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - }; + 
(lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - users.extraUsers.steveej = mkUser { - uid = 1000; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; - }; + (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) + ]; + + users.users.steveej = lib.mkIf cfg.enableNonRoot ( + mkUser ( + lib.mkMerge [ + { uid = 1000; } + + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ] + ) + ); + } + ] + ); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 4a3e475..40fd3f4 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,20 +1,28 @@ -{...}: { +{ + hostAddress, + pkgs, + lib, + ... +}: +{ networking.useHostResolvConf = false; - networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + networking.firewall.enable = true; + networking.nftables.enable = true; + networking.nftables.flushRuleset = true; - services.resolved = { - enable = true; - dnssec = "true"; - domains = ["~."]; - fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; - extraConfig = '' - DNSOverTLS=yes - ''; - }; + networking.nameservers = lib.mkForce [ hostAddress ]; + + environment.systemPackages = [ pkgs.dnsutils ]; imports = [ - ../../modules/ddclient-ovh.nix - ../../modules/ddclient-hetzner.nix + { + # keep DNS set up to a minimum: only query the container host + services.resolved.enable = lib.mkForce false; + networking.nameservers = [ hostAddress ]; + } + ../../snippets/nix-settings.nix + # ../../modules/ddclient-ovh.nix + # ../../modules/ddclient-hetzner.nix ]; } diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index 8cf3c58..a13dd07 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix 
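Review bot: The new `installPassword` option is fed straight into `users.users.root.password` and the steveej user's `password`, and the NixOS `password` option stores its value in plain text in the world-readable Nix store, so any local user (and anyone who later obtains the built closure) can read it; the option declaration says nothing about this. Since the module already wires `hashedPasswordFile` for the normal case, the install-only branch would be safer taking a hash (`hashedPassword`/`initialHashedPassword`) instead of a clear-text string, or at minimum a `description = "Clear-text password for throwaway install media only; ends up in the Nix store";` on the option. `users.mutableUsers = cfg.installPassword != "";` silently switches the whole system to mutable users whenever the option is set, which deserves a one-line comment explaining why. The enclosing `let … in` of this module starts outside the hunk.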
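Review bot: `networking.nameservers` is set twice in containers/configuration.nix — `lib.mkForce [ hostAddress ]` at top level and again as `[ hostAddress ]` inside the inline module in `imports`; the second is redundant (the mkForce wins anyway), and that inline module's `services.resolved.enable = lib.mkForce false;` could simply sit next to the other top-level settings. With resolved, DNSSEC and DNS-over-TLS removed, the container now relies entirely on the host resolver for validation and transport privacy, which is fine but should be stated, e.g. `# DNS validation/encryption is the host resolver's job; the container only talks to hostAddress`. The two ddclient imports are left commented out rather than removed.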
+++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,8 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { services.xserver = { enable = true; libinput.enable = true; @@ -36,7 +33,6 @@ }; }; - # gnome, most of it is disabled and ideally it could live entirely in the user's home config programs.gpaste.enable = false; programs.gnome-terminal.enable = false; @@ -99,8 +95,11 @@ support32Bit = true; }; - services.dbus.packages = with pkgs; [dconf]; + services.dbus.packages = with pkgs; [ dconf ]; # More Services - environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator]; + environment.systemPackages = [ + pkgs.gnome.adwaita-icon-theme + pkgs.gnomeExtensions.appindicator + ]; } diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index f6d9452..4bf6ca4 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1 +1,4 @@ -{lib, ...}: {} +{ config, ... }: +{ + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; +} diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index b9cf53e..477a93d 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,3 +1,8 @@ -{pkgs, ...}: { - imports = [./boot.nix ./system.nix ./hw.nix]; +{ ... }: +{ + imports = [ + ./boot.nix + ./system.nix + ./hw.nix + ]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index abb1e68..821f5bf 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1,3 +1 @@ -{...}: { - hardware.enableAllFirmware = true; -} +_: { hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 2e125c0..42eccfb 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix 
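Review bot: `boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]` in graphical/boot.nix duplicates the entry that the new snippets/obs-studio.nix adds later in this diff (`…v4l2loopback.out`), so a node importing both lists the same module package twice — presumably harmless, but it leaves two owners for one setting while only obs-studio.nix carries the `boot.kernelModules` and modprobe options that make the module useful. Consider keeping it in one place (drop it here, or make boot.nix the single owner) and add a comment such as `# v4l2loopback is provided by snippets/obs-studio.nix` wherever it is not defined.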
@@ -1,8 +1,7 @@ +{ pkgs, ... }: { - pkgs, - lib, - ... -}: { + imports = [ ../../snippets/bluetooth.nix ]; + networking.networkmanager = { enable = true; dns = "systemd-resolved"; @@ -18,17 +17,15 @@ services.resolved.enable = true; - # hardware related services - services.illum.enable = true; services.pcscd.enable = true; hardware.opengl.enable = true; - hardware.bluetooth.enable = true; - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [blueman]; - services.blueman.enable = true; - services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; + services.udev.packages = [ + pkgs.libu2f-host + pkgs.yubikey-personalization + pkgs.android-udev-rules + ]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -43,15 +40,21 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel" ''; - services.samba.enable = true; - services.samba.extraConfig = '' - client max protocol = SMB3 - ''; + # services.samba.enable = true; + # services.samba.extraConfig = '' + # client max protocol = SMB3 + # # client min protocol = SMB2_10 + # # client min protocol = NT1 + # # ntlm auth = yes + # ''; services.logind.lidSwitchExternalPower = "ignore"; services.printing = { enable = true; - drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; + drivers = with pkgs; [ + mfcl3770cdwlpr + mfcl3770cdwcupswrapper + ]; }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index bcd3c66..099a8aa 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile 
@@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index 394aece..a32f3f6 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix @@ -5,25 +5,26 @@ pkgs, lib, ... -}: let +}: +let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -61,7 +62,8 @@ nixos-install reboot ''; -in { +in +{ imports = [ @@ -70,13 +72,11 @@ in { # ]; - isoImage.isoName = - lib.mkForce - "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = []; + environment.systemPackages = [ ]; users.users.root = { openssh.authorizedKeys.keys = [ 
@@ -85,18 +85,18 @@ in { }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; + systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; []; + path = with pkgs; [ ]; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = ["multi-user.target"]; - after = ["multi-user.target"]; - requires = ["network-online.target"]; + wantedBy = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index e0938bd..17a1dba 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,5 +1,6 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index 95ca049..ad7def0 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../modules/opinionatedDisk.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 17c16b0..0f7cbec 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index 5a54115..d27081f 100644 --- a/nix/os/profiles/removable-medium/pkg.nix 
+++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 10a18ef..243edf7 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -1,11 +1,9 @@ -{ - config, - lib, - pkgs, - ... -}: let -in { - services.printing = {enable = false;}; +_: { + services.illum.enable = true; + + services.printing = { + enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix new file mode 100644 index 0000000..090217e --- /dev/null +++ b/nix/os/snippets/bluetooth.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ blueman ]; + hardware.bluetooth.enable = true; + services.blueman.enable = true; +} diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix new file mode 100644 index 0000000..4371b78 --- /dev/null +++ b/nix/os/snippets/holo-zerotier.nix 
@@ -0,0 +1,53 @@ +{ config, lib, ... }: +let + cfg = config.steveej.holo-zerotier; +in +{ + options.steveej.holo-zerotier = { + enable = lib.mkEnableOption "Enable holo-zerotier"; + autostart = lib.mkOption { default = false; }; + }; + + config = { + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; + + services.zerotierone = { + inherit (cfg) enable; + joinNetworks = [ + # moved to the service below as it's now secret + ]; + }; + + systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); + + systemd.services.zerotieroneSecretNetworks = { + inherit (cfg) enable; + requiredBy = [ "zerotierone.service" ]; + partOf = [ "zerotierone.service" ]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + + script = + let + secret = config.sops.secrets.zerotieroneNetworks; + in + '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} + + ${config.systemd.services.zerotierone.preStart} + + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; + }; + + sops.secrets.zerotieroneNetworks = { + sopsFile = ../../../secrets/work-holo/zerotierone.txt; + format = "binary"; + }; + }; +} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix new file mode 100644 index 0000000..47ddd8a --- /dev/null +++ b/nix/os/snippets/home-manager-with-zsh.nix 
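Review bot: `autostart = lib.mkOption { default = false; };` declares no `type`, so a string or list is accepted and `!cfg.autostart` later fails with an unhelpful evaluation error; `type = lib.types.bool;` plus a short `description` fixes that. In the `zerotieroneSecretNetworks` script, `rm -rf /var/lib/zerotier-one/networks.d/*.conf` runs before the loop, and `for network in \`grep -v '#' ${secret.path}\`` word-splits the secret file, so a malformed or empty secret leaves the node with no networks configured and the failure only surfaces in the zerotier logs. A `while read -r network; do … done < ${secret.path}` loop that skips blank and `#` lines, and validates each id (ZeroTier network ids are 16 hex digits) before touching the `.conf`, would fail closed instead.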
@@ -0,0 +1,43 @@ +{ + nodeFlake, + repoFlake, + repoFlakeInputs', + packages', + pkgs, + ... +}: +let + # TODO: make this configurable + homeUser = "steveej"; + commonHomeImports = [ + ../../home-manager/profiles/common.nix + ../../home-manager/programs/neovim.nix + ../../home-manager/programs/zsh.nix + ]; +in +{ + imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; + + # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager + # home-manager.extraSpecialArgs = specialArgs; + # hence, opt for passing the arguments selectively instead + home-manager.extraSpecialArgs = { + inherit + repoFlake + repoFlakeInputs' + packages' + nodeFlake + ; + }; + + home-manager.useGlobalPkgs = false; + home-manager.useUserPackages = true; + + home-manager.users.root = _: { imports = commonHomeImports; }; + + home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; + + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = [ "/share/zsh" ]; +} diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix new file mode 100644 index 0000000..1774650 --- /dev/null +++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix 
@@ -0,0 +1,58 @@ +# experiment with k3s, nix-snapshotter, and nixos images +{ + nodeFlake, + pkgs, + lib, + system, + config, + ... +}: +let + cfg = config.steveej.k3s; + +in +# TODO: make this configurable +{ + options.steveej.k3s = { + enable = lib.mkOption { + description = "steveej's k3s distro"; + type = lib.types.bool; + default = true; + }; + }; + + # (1) Import nixos module. + imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; + + config = lib.mkIf cfg.enable { + # (2) Add overlay. + nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; + + # (3) Enable service. + virtualisation.containerd = { + enable = true; + nixSnapshotterIntegration = true; + + # TODO: understand if this has an influence on the systemd LoadCredential issue + # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; + }; + services.nix-snapshotter = { + enable = true; + }; + + # (4) Add a containerd CLI like nerdctl. + environment.systemPackages = [ + pkgs.nerdctl + nodeFlake.inputs.nix-snapshotter.packages.${system}.default + ]; + + services.k3s = { + enable = false; + setKubeConfig = true; + }; + + # home-manager.users."${homeUser}" = _: { + # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; + # }; + }; +} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix new file mode 100644 index 0000000..990477e --- /dev/null +++ b/nix/os/snippets/mycelium.nix 
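Review bot: `options.steveej.k3s.enable` defaults to `true`, so merely importing this snippet turns on the nix-snapshotter overlay, containerd and the extra packages on that node; for something the header calls an experiment, `default = false;` (or `lib.mkEnableOption "…"`, as holo-zerotier.nix in the same diff does) keeps it opt-in. `imports` cannot be gated by `lib.mkIf cfg.enable`, so the nix-snapshotter module is evaluated regardless of the option — fine, but worth a comment next to `# (1) Import nixos module.`. `services.k3s.enable = false;` inside a module named k3s is surprising; a comment saying why k3s itself is kept off would help the next reader.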
@@ -0,0 +1,32 @@ +{ + repoFlake, + nodeName, + config, + lib, + ... +}: +let + cfg.autostart = false; +in +{ + imports = [ ]; + + sops.secrets.mycelium-key = { + format = "binary"; + sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; + }; + + services.mycelium = { + enable = true; + # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; + keyFile = config.sops.secrets.mycelium-key.path; + addHostedPublicNodes = true; + peers = [ ]; + + # tunName = "mycelium-pub"; + + extraArgs = [ ]; + }; + + systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); +} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix new file mode 100644 index 0000000..b660f1c --- /dev/null +++ b/nix/os/snippets/nix-settings-holo-chain.nix @@ -0,0 +1,16 @@ +_: { + nix.settings = { + substituters = [ + "https://holochain-ci.cachix.org" + "https://holochain-ci-internal.cachix.org" + # "https://cache.holo.host/" + ]; + + trusted-public-keys = [ + "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" + "holochain-ci-internal.cachix.org-1:QvVsSrTiearCjrLTVtNtJOdQCDTseXh7UXUuSMx46NE=" + "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" + "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" + ]; + }; +} diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix new file mode 100644 index 0000000..6340977 --- /dev/null +++ b/nix/os/snippets/nix-settings.nix 
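Review bot: `cfg.autostart = false;` is a plain `let` binding rather than an option, so `systemd.services.mycelium.wantedBy` is always forced empty and a node cannot enable autostart without editing the snippet; holo-zerotier.nix in this diff exposes `autostart` via `lib.mkOption`, and `options.steveej.mycelium.autostart` here would be consistent with it. Reading the key through `sops.secrets.mycelium-key` keeps it out of the store, which is good; `addHostedPublicNodes = true` presumably connects the node to upstream-provided public peers, so a one-line comment documenting that exposure would help.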
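Review bot: `trusted-public-keys` in nix-settings-holo-chain.nix lists two `cache.holo.host-*` keys while the matching substituter is commented out; a key in `trusted-public-keys` makes any store path signed with it acceptable from any substituter or `nix copy`, so it grants trust independent of the substituter list. Either re-enable the `cache.holo.host` substituter or drop its two keys, and add a comment pairing each key with the cache it belongs to so the two lists stay in sync.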
@@ -0,0 +1,40 @@ +{ + nodeFlake, + pkgs, + lib, + ... +}: +let + pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; +in +{ + nix.daemonCPUSchedPolicy = "idle"; + nix.daemonIOSchedClass = "idle"; + nix.settings.max-jobs = lib.mkDefault "auto"; + nix.settings.cores = lib.mkDefault 0; + nix.settings.sandbox = true; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + "recursive-nix" + ]; + + nix.settings.system-features = [ + "recursive-nix" + "big-parallel" + "kvm" + "nixos-test" + ]; + + # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + nix.registry.nixpkgs.to = { + type = "path"; + path = nodeFlake.inputs.nixpkgs.outPath; + inherit (nodeFlake.inputs.nixpkgs) narHash; + }; + + nix.package = pkgsUnstable.nixVersions.latest; +} diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix new file mode 100644 index 0000000..8a99fcb --- /dev/null +++ b/nix/os/snippets/obs-studio.nix @@ -0,0 +1,27 @@ +{ config, ... }: +let + # TODO: make configurable + homeUser = "steveej"; +in +{ + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; + + # Activate kernel modules (choose from built-ins and extra ones) + boot.kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + + # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + boot.extraModprobeConfig = '' + options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 + ''; + + security.polkit.enable = true; + + home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; +} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix new file mode 100644 index 0000000..709b601 
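Review bot: `nix.package = pkgsUnstable.nixVersions.latest;` pins the daemon to whatever `nixpkgs-unstable` currently calls latest, so every bump of that input can change the daemon version and its settings surface unnoticed; `nixVersions.stable`, or a comment stating why the newest Nix is needed (presumably for `recursive-nix`/`ca-derivations`), would make the intent explicit. Importing a second nixpkgs via `import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }` also evaluates a full extra package set per node just for one attribute, which is worth noting in a comment. Good that `nix.settings.sandbox = true` travels with these settings.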
--- /dev/null +++ b/nix/os/snippets/radicale.nix @@ -0,0 +1,33 @@ +{ + config, + pkgs, + repoFlakeInputs', + ... +}: +let + # TODO: make configurable + homeUser = "steveej"; +in +{ + sops.secrets.radicale_htpasswd = { + sopsFile = ../../../secrets/desktop/radicale_htpasswd; + format = "binary"; + owner = config.users.users."${homeUser}".name; + }; + + home-manager.users.${homeUser} = _: { + imports = [ + # TODO: bump these to latest and make it work + ( + args: + import ../../home-manager/programs/radicale.nix ( + args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + } + ) + ) + ]; + }; +} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix new file mode 100644 index 0000000..a40eb85 --- /dev/null +++ b/nix/os/snippets/sway-desktop.nix 
@@ -0,0 +1,136 @@ +{ + pkgs, + lib, + config, + ... +}: +let + # TODO: make this configurable + homeUser = "steveej"; +in +{ + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + hardware.opengl.enable = true; + + services.gvfs = { + enable = true; + package = lib.mkForce pkgs.gnome.gvfs; + }; + + environment.systemPackages = with pkgs; [ + # provides a default authentification client for policykit + lxqt.lxqt-policykit + ]; + + # required by swaywm + security.polkit.enable = true; + security.pam.services.swaylock = { }; + + # test these on https://mozilla.github.io/webrtc-landing/gum_test.html + xdg.portal = { + enable = true; + # FIXME: `true` breaks xdg-open from alacritty: + # $ xdg-open "https://github.com/" + # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop + xdgOpenUsePortal = false; + + wlr = { + enable = true; + settings = { + screencast = { + chooser_type = "dmenu"; + # display the output as a list in favor of the default mouse selection + chooser_cmd = lib.getExe ( + pkgs.writeShellApplication { + name = "chooser_cmd"; + runtimeInputs = [ + pkgs.sway + pkgs.jq + pkgs.fuzzel + pkgs.gnused + ]; + text = '' + swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' + ''; + } + ); + max_fps = 30; + }; + }; + }; + + # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: + config = { + common = { + default = [ + "wlr" + "gtk" + ]; + }; + }; + + extraPortals = [ + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr + + pkgs.xdg-desktop-portal-gtk + # (pkgs.xdg-desktop-portal-gtk.override (_: { + # buildPortalsInGnome = false; + # })) + ]; + }; + + # rtkit is 
optional but recommended + security.rtkit.enable = true; + services.pipewire = { + audio.enable = true; + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + wireplumber.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + security.pam.services.getty.enableGnomeKeyring = true; + security.pam.services."autovt@tty1".enableGnomeKeyring = true; + services.gnome.gnome-keyring.enable = true; + + # autologin steveej on tty1 + # TODO: make user configurable + systemd.services."autovt@tty1".description = "Autologin at the TTY1"; + systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".serviceConfig = { + ExecStart = [ + "" # override upstream default with an empty ExecStart + "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" + ]; + Restart = "always"; + Type = "idle"; + }; + + programs = + let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in + { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; + + home-manager.users."${homeUser}" = _: { + imports = [ ../../home-manager/profiles/sway-desktop.nix ]; + }; +} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix new file mode 100644 index 0000000..f7c2301 --- /dev/null +++ b/nix/os/snippets/systemd-resolved.nix 
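Review bot: The `autovt@tty1` override runs agetty with `--autologin steveej` and `Restart = "always"`, so anyone at the console of a booted machine gets that user's session without a password and logging out immediately logs back in; that is a deliberate single-user trade-off, but it should be recorded next to `# autologin steveej on tty1`, e.g. `# NOTE: console access == full user session; document what protects the device at rest and rely on swaylock for the running session`. The username is hard-coded three times (`--autologin steveej`, `id --user steveej`, `homeUser`); threading `${homeUser}` through the agetty line and `steveejSwayOnTty1` would resolve the TODO in one step. In `steveejSwayOnTty1`, quoting `"$(id --user steveej)"`, `"$(id -u)"` and `"$(tty)"` avoids word-splitting surprises in the `test` comparisons.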
@@ -0,0 +1,28 @@ +{ lib, ... }: +{ + networking.nameservers = [ + # https://dnsforge.de/ + "176.9.93.198" + "176.9.1.117" + + # TODO: enable IPv6 + # "2a01:4f8:151:34aa::198" + # "2a01:4f8:141:316d::117" + ]; + + services.resolved = { + enable = true; + dnssec = "true"; + domains = [ "~." ]; + + # TODO: figure out why "true" doesn't work + dnsovertls = "opportunistic"; + + fallbackDns = lib.mkForce [ ]; + + # TODO: IPv6 + # extraConfig = '' + # DNSStubListenerExtra=[::1]:53 + # ''; + }; +} diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix new file mode 100644 index 0000000..67db1e8 --- /dev/null +++ b/nix/os/snippets/timezone.nix @@ -0,0 +1,7 @@ +{ lib, ... }: +let + passwords = import ../../variables/passwords.crypt.nix; +in +{ + time.timeZone = lib.mkDefault passwords.timeZone.stefan; +} diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 5b13732..34a6977 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix 
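Review bot: `dnsovertls = "true"` most likely fails because the `networking.nameservers` entries are bare IPs; in strict mode systemd-resolved validates the server certificate against a name supplied with the `IP#servername` syntax (the container config removed earlier in this diff used `1.1.1.1#one.one.one.one`). Adding the provider's TLS name, e.g. `"176.9.93.198#<dnsforge-tls-name>"` (placeholder — take it from the provider's documentation), should let strict mode work; until then `opportunistic` silently falls back to plaintext DNS when TLS is unavailable, which the TODO comment should say. `dnssec = "true"` makes lookups fail hard if the upstream does not serve DNSSEC records, so confirm that these servers do.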
@@ -1,27 +1,27 @@ -with import {}; - stdenv.mkDerivation rec { - broken = true; +with import { }; +stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath []; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; - } + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; +} diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 8a4f6a6..93f59c7 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,7 +16,8 @@ file, proot, bash, -}: let +}: +let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { @@ -24,12 +25,16 @@ sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -45,7 +50,18 @@ in rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} + export PATH=\$PATH:${ + lib.makeBinPath [ + gawk + file + a2ps + coreutils + ghostscript + gnugrep + gnused + which + ] + } exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -64,10 +80,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; # license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; @@ -81,14 +100,29 @@ in rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; - buildInputs = [cups ghostscript a2ps gawk]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; + buildInputs = [ + cups + ghostscript + a2ps + gawk + ]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + ] + } patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 
@@ -100,10 +134,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 6f114b2..78b37a6 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,5 +1,6 @@ -{pkgs}: { - duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; +{ pkgs }: +{ + duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index 7a3fc19..b961a17 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,7 +1,4 @@ -{ - buildGoPackage, - fetchFromGitHub, -}: +{ buildGoPackage, fetchFromGitHub }: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 051e832..045572c 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import {}; - stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix {}) - ]; - } +with import { }; +stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix { }) + ]; +} diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index 634de0c..9a7b0e5 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix 
@@ -1,13 +1,13 @@ -{ lib -, src -, rustPlatform -, libinput -, libxkbcommon -, mesa -, pango -, udev +{ + lib, + src, + rustPlatform, + libinput, + libxkbcommon, + mesa, + pango, + udev, }: - rustPlatform.buildRustPackage rec { pname = "jay"; version = src.rev; @@ -30,7 +30,7 @@ rustPlatform.buildRustPackage rec { description = "A Wayland compositor written in Rust"; homepage = "https://github.com/mahkoh/jay"; license = licenses.gpl3; - platforms = platforms.linux; + platforms = platforms.linux; maintainers = with maintainers; [ dit7ya ]; }; } diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile new file mode 100644 index 0000000..97464d1 --- /dev/null +++ b/nix/pkgs/logseq/Containerfile 
@@ -0,0 +1,57 @@
+# NOTE: please keep it in sync with .github pipelines
+# NOTE: during testing make sure to change the branch below
+# NOTE: before running the build-docker GH action edit
+# build-docker.yml and change the release channel from :latest to :testing
+
+# Builder image
+# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder
+FROM clojure:temurin-11-tools-deps-bullseye-slim as builder
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Install reqs
+RUN echo 1
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ curl \
+ ca-certificates \
+ apt-transport-https \
+ gpg \
+ build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \
+ zip
+
+# install NodeJS & yarn
+RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -
+
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn
+
+WORKDIR /data
+
+ENV VERSION=0.10.9
+
+# build Logseq static resources
+RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git .
+
+RUN yarn config set network-timeout 240000 -g && yarn install
+RUN yarn release-electron
+
+RUN mkdir /out
+RUN mv /data/static/out/make/zip /out/${VERSION}.zip
+RUN mv /data/static/out/make/*.AppImage /out/
+
+FROM scratch as artifacts
+COPY --from=builder /out /
+# Logseq-${VERSION}.AppImage
+# RUN mv zip /${VERSION}.zip
+
+# RUN \
+# mkdir -p builds
+# # NOTE: save VERSION file to builds directory
+# cp static/VERSION ./builds/VERSION
+# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage
+# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip
+
+# # Web App Runner image
+# FROM nginx:1.24.0-alpine3.17
+#
+# COPY --from=builder /data/static /usr/share/nginx/html
+#
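Review bot: `RUN curl -sL https://deb.nodesource.com/setup_20.x | bash -` executes a remote script with no pinning or integrity check, so the builder's Node toolchain is whatever that URL serves at build time; fetching it to a file, checking it against a recorded checksum and only then running it keeps the step reproducible and reviewable, e.g. `RUN curl -sSfL -o /tmp/setup_node.sh https://deb.nodesource.com/setup_20.x && echo "<EXPECTED_SHA256>  /tmp/setup_node.sh" | sha256sum -c - && bash /tmp/setup_node.sh`. `git clone -b ${VERSION}` checks out a mutable tag, and `git` is not in the apt-get list above, so the clone relies on the base image providing it — worth verifying the checked-out commit against a known value and stating the git dependency explicitly. `RUN echo 1` before the apt-get step does nothing except act as a cache-buster and should carry a comment saying so or be removed. The NOTE comments at the top refer to `.github` pipelines and `build-docker.yml` from the upstream Logseq repository, which do not exist here; rewording them would save the next reader a search.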
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md new file mode 100644 index 0000000..0c596b6 --- /dev/null +++ b/nix/pkgs/logseq/README.md @@ -0,0 +1,22 @@ +# build instructions + +this is pseudocode that serves as a reminder + +1. podman build -f Containerfile -t logseq +2. CONTAINER_ID=$(podman container create logseq) +3. podman unshare +4. podman mount $CONTAINER_ID +5. copy and upload the AppImage. e.g. + ``` + cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . + exit + scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ + ``` +6. podman unshare +7. podman unmount + +# resources + +- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 +- https://github.com/logseq/logseq/blob/master/Dockerfile +- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index 23445cc..c1850c1 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -1,26 +1,23 @@ -{ lib -, src -, craneLib - -, pkg-config -, wayland -, libseat -, libinput -, libxkbcommon -, mesa -, pango -, udev -, dbus -, libGL +{ + lib, + src, + craneLib, + pkg-config, + wayland, + libseat, + libinput, + libxkbcommon, + mesa, + udev, + dbus, + libGL, }: - -craneLib.buildPackage {inherit src; +craneLib.buildPackage { + inherit src; pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ - pkg-config - ]; + nativeBuildInputs = [ pkg-config ]; buildInputs = [ wayland @@ -44,7 +41,7 @@ craneLib.buildPackage {inherit src; description = "A versatile and customizable Window Manager and Wayland Compositor"; homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; - platforms = platforms.linux; + platforms = platforms.linux; maintainers = with maintainers; [ ]; }; } 
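Review bot: The rewritten argument set of nix/pkgs/magmawm.nix drops `pango` from the function's inputs; `buildInputs` begins on the last context line of this hunk and its contents lie outside it, so if `pango` is still listed there the expression stops evaluating with an undefined-variable error. Worth confirming the lines between the two hunks, or restoring `pango,` in the argument list if it remains a build input.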
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 5c04cbf..142c1c0 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,7 +11,8 @@ which, perl, lib, -}: let +}: +let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { @@ -19,12 +20,16 @@ sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -36,8 +41,14 @@ in rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [coreutils ghostscript gnugrep gnused which] - } + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + which + ] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -47,8 +58,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; @@ -56,7 +70,10 @@ in rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -68,7 +85,13 @@ in rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + gnugrep + gnused + ] + } mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -79,8 +102,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index 368add8..e5ac519 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,60 @@ -with import {}; - stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import { }; +stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [makeWrapper]; + buildInputs = [ makeWrapper ]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; - } + ln -sf ../Nozbe $out/bin/ + ''; +} 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index 4d993ba..b7ad5cb 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,42 +1,44 @@ # posh makes use of podman to run an encapsulated shell session -{pkgs, ...}: let - cniConfigDir = let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; - - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { +{ pkgs, ... }: +let + cniConfigDir = + let + loopback = pkgs.writeText "00-loopback.conf" '' + { "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ''; - in - pkgs.runCommand "cniConfig" {} '' + ] + } + ''; + in + pkgs.runCommand "cniConfig" { } '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -125,54 +127,58 @@ } ''; in - { - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", - }: - (pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile +{ + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", +}: +(pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${ - if userns != null - then "--userns=" + userns - else "" - } \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" - '') - .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${if userns != null then "--userns=" + userns else ""} \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" +'').overrideAttrs + ( + attrs: + attrs + // { + passthru = { + shellPath = "/bin/posh"; + }; + } + ) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index ffcc730..5e50ecf 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,7 +18,13 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [autoconf automake libtool gnumake gcc]; + buildInputs = [ + autoconf + automake + libtool + gnumake + gcc + ]; configurePhase = '' ./autogen.sh @@ -37,7 +43,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [maintainers.steveej]; + maintainers = [ maintainers.steveej ]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index a0e9d90..35399ad 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
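Review bot: `test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR` misspells the variable defined two lines earlier (`CONFIGIDR` vs `CONFIGDIR`), so `test -d` runs with no operand and succeeds, `mkdir` never runs, and on a fresh home the following `ln -sf ${policy-json} $HOME_POLICY_JSON` fails because `$HOME/.config/containers` does not exist; the script has no `set -e`, so it carries on to `exec podman` without the policy file in place. Suggested: `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"`. The comment in the `-c` branch also has a typo (`whitch` → `which`).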
@@ -15,7 +15,8 @@ libgcrypt, dbus, systemd, -}: let +}: +let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -30,55 +31,56 @@ dbus ]; in - stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; +stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" - then - fetchurl - { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" then + fetchurl { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [dpkg]; + buildInputs = [ dpkg ]; - nativeBuildInputs = [makeWrapper]; + nativeBuildInputs = [ makeWrapper ]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = ["i686-linux" "x86_64-linux"]; - }; - } + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = [ + "i686-linux" + "x86_64-linux" + ]; + }; +} diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index 25a3e36..ec7b14e 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -3,7 +3,7 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') -sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} +sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index 49bfd31..0000000 --- a/nix/sources.json +++ /dev/null 
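Review bot: `sed -E "s/0{52}/${hash}/"` in nix/scripts/pre-eval-fixed.sh uses `/` as the substitution delimiter while `${hash}` is a base64-style SRI string (the example two lines up shows `+` and `=`, and `/` belongs to the same alphabet), so a hash containing `/` makes sed abort with an unknown-option error; the quoting added in this hunk does not cover that case. A delimiter outside the base64 alphabet avoids it: `sed -E "s|0{52}|${hash}|" "${INFILE}" >"${OUTFILE}"`.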
@@ -1,14 +0,0 @@ -{ - "nixpkgs": { - "branch": "release-22.05", - "description": "Nix Packages collection", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06", - "sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - } -} diff --git a/nix/sources.nix b/nix/sources.nix deleted file mode 100644 index 87a7093..0000000 --- a/nix/sources.nix +++ /dev/null 
@@ -1,260 +0,0 @@ -# This file has been generated by Niv. -let - # - # The fetchers. fetch_ fetches specs of type . - # - fetch_file = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchurl - { - inherit (spec) url sha256; - name = name'; - } - else - pkgs.fetchurl { - inherit (spec) url sha256; - name = name'; - }; - - fetch_tarball = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchTarball - { - name = name'; - inherit (spec) url sha256; - } - else - pkgs.fetchzip { - name = name'; - inherit (spec) url sha256; - }; - - fetch_git = name: spec: let - ref = - if spec ? ref - then spec.ref - else if spec ? branch - then "refs/heads/${spec.branch}" - else if spec ? tag - then "refs/tags/${spec.tag}" - else - abort - "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; - submodules = - if spec ? submodules - then spec.submodules - else false; - submoduleArg = let - nixSupportsSubmodules = - builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules == true - then - builtins.trace - (''The niv input "${name}" uses submodules '' - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them") - {} - else {}; - in - if nixSupportsSubmodules - then { - inherit submodules; - } - else emptyArgWithWarning; - in - builtins.fetchGit ({ - url = spec.repo; - inherit (spec) rev; - inherit ref; - } - // submoduleArg); - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = name: - throw '' - [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = name: - throw '' - [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
- $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 - sanitizeName = name: (concatMapStrings (s: - if builtins.isList s - then "-" - else s) - (builtins.split "[^[:alnum:]+._?=-]+" - ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name))); - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: system: let - sourcesNixpkgs = - import - (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;}) - { - inherit system; - }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && !hasThisAsNixpkgsPath - then import {} - else - abort '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = pkgs: name: spec: - if !builtins.hasAttr "type" spec - then abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" - then fetch_file pkgs name spec - else if spec.type == "tarball" - then fetch_tarball pkgs name spec - else if spec.type == "git" - then fetch_git name spec - else if spec.type == "local" - then fetch_local spec - else if spec.type == "builtin-tarball" - then fetch_builtin-tarball name - else if spec.type == "builtin-url" - then fetch_builtin-url name - else - abort - "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. 
- replace = name: drv: let - saneName = - stringAsChars - (c: - if isNull (builtins.match "[a-zA-Z0-9]" c) - then "_" - else c) - name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" - then drv - else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" - then /. + ersatz - else /. + builtins.getEnv "PWD" + "/${ersatz}"; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = - builtins.mapAttrs - or (f: set: - with builtins; - listToAttrs (map (attr: { - name = attr; - value = f attr set.${attr}; - }) (attrNames set))); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: - if first > last - then [] - else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: - map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatMapStrings = f: list: concatStrings (map f list); - concatStrings = builtins.concatStringsSep ""; - - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: - if cond - then as - else {}; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { - url, - name ? 
null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchTarball; - in - if lessThan nixVersion "1.12" - then - fetchTarball - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { - url, - name ? null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" - then - fetchurl - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchurl attrs; - - # Create the final "sources" from the config - mkSources = config: - mapAttrs - (name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else spec // {outPath = replace name (fetch config.pkgs name spec);}) - config.sources; - - # The "config" used by the fetchers - mkConfig = { - sourcesFile ? - if builtins.pathExists ./sources.json - then ./sources.json - else null, - sources ? - if isNull sourcesFile - then {} - else builtins.fromJSON (builtins.readFile sourcesFile), - system ? builtins.currentSystem, - pkgs ? mkPkgs sources system, - }: rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; -in - mkSources (mkConfig {}) - // { - __functor = _: settings: mkSources (mkConfig settings); - } diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index be819b6..a085713 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
@@ -3,20 +3,14 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: let - buildPkgs = import buildPkgsPath {}; - vmPkgs' = import vmPkgsPath {}; - vmPkgs = - vmPkgs' - // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: +let + vmPkgs' = import vmPkgsPath { }; + vmPkgs = vmPkgs' // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { - path, - pkgs, - }: args: - import path (args // {inherit pkgs;}); + importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -36,8 +30,10 @@ modules = [ nixosConfig vmConfig - {virtualisation.useBootLoader = true;} + { virtualisation.useBootLoader = true; } ]; - }) - .config; -in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} + }).config; +in +{ + vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; +} diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 520e0c8..3ee6ee0 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm *.qcow2 +rm ./*.qcow2 rm result* set -e @@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -./result/bin/run-*-vm +"./result/bin/run-*-vm" diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 92072fe..49dc463 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix 
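Review bot: Quoting `"./result/bin/run-*-vm"` in nix/tests/buildvmwithbootloader/build-vm.sh turns the glob into a literal path, so the last line now tries to execute a file named `run-*-vm` and fails with "No such file or directory" where the previous unquoted form expanded to the generated runner. If the quotes were added to satisfy a linter, keep the expansion explicit instead: `run_vm=(./result/bin/run-*-vm)` followed by `"${run_vm[0]}"`, which makes the intent clear and still fails under the earlier `set -e` when nothing matches.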
+++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,9 +1,5 @@ +{ lib, ... }: { - pkgs, - lib, - ... -}: let -in { boot.loader.grub = { enable = true; version = 2; @@ -22,13 +18,23 @@ in { allowDiscards = true; } ]; - fileSystems."/" = {label = "root";}; + fileSystems."/" = { + label = "root"; + }; - fileSystems."/boot" = {label = "boot";}; + fileSystems."/boot" = { + label = "boot"; + }; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 0d11067..8e3bdce 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh @@ -1,3 +1,5 @@ +#!/usr/bin/env bash + # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ 
@@ -24,7 +26,6 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ - /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index 55053e2..fc956b6 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,10 +1,4 @@ -{ - lib, - config, - pkgs, - fetchgit, - ... -}: { +_: { boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index 8eb8229..bd140a9 100644 --- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix 
@@ -3,6 +3,7 @@ steveej = { openssh = [ # active, current + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC98w24rC+0YwkR/60VvuHVo+HaojvrM0rre0WCj1s1YVFiLPycsAKhZvl/yo06RKgkhChGb0tHZRGseQSmyb+rEbuNFxXQZnjOylT4jlrQvFR+S9WulkHrLMU0wodwEOpTrzJr/zqThEy3pj61KpC+Yhj9FfCn/p3l7HvL2yp3j+TyclyGbEQtt3Dgo1Ls5ZiD5FVhZAMkto4mK9fThyKjQhT6dUu47j2mxhT5OB8gHNtmPvpdQAUQCNrIz4oP5gilGKsWILmXM0/UwnrSXVdR2cUeiRkKqT0h/Q5jp/+/aW8oDoNYluHw2unWJcMTF0zoVWy/IcuNBTqzfiAhiDICCJN9Y0IXf4KhYN2mGtYJjioEVzmaIp/djxDt1Ra4PTNk1DqazRX72XgXcC9hFskLgiRSGSTR1EJk8dmfN0fE9Kv7IwgmHpyGciUy9WIX4o/eYHt7uO8cmJldtt9dPT7OV3DqGWrmgdCgzV5hVrxPVyOyvuLZa2J1N3T/5v1a8zrsyJ0KwuWH64VJqjVL7dTSKCyHKKIwx5ksLwIpFXBxPiypgCtYyvM6IY7PzF492cBucKimD5wd4f5mY5YxEGZC53/ZgodFVQJkyjmIiO/E06KUjLilmnSzf/nOtk3hoiWK8av47mr8otj+UCfWx6xXVKvGAjSOt4MEzUDDG3D+nw== cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index ce2f0fc..91d2eb6 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 535d7d3..6d441a6 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
@@ -2,29 +2,28 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 5b7cd5c39befee629be284970415b6eb3b0ff000''; + rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - 4bb072f0a8b267613c127684e099a70e1f6ff106''; + rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - a8636efe2df64047cd58898010a72f73efd56722''; + rev = ''a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - 83110c259889230b324bb2d35bef78bf5f214a1f''; + rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index e0734f1..66e90e3 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile new file mode 100644 index 0000000..8afa2ce --- /dev/null +++ b/oci/user-ubuntu/Containerfile 
@@ -0,0 +1,27 @@
+FROM ubuntu
+
+ARG USERNAME=user
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+# Create the user
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
+ #
+ # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
+ && apt-get update \
+ && apt-get install -y sudo \
+ && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
+ && chmod 0440 /etc/sudoers.d/$USERNAME
+
+ # ********************************************************
+ # * Anything else you want to do like clean up goes here *
+ # ********************************************************
+
+ # [Optional] Set the default user. Omit if you want to keep the default as root.
+USER $USERNAME
+
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN sudo apt install -y curl xz-utils
+RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm
diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh
index 9f8f637..6ed8d64 100755
--- a/scripts/sway-swapoutputworkspaces.sh
+++ b/scripts/sway-swapoutputworkspaces.sh
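Review bot: `FROM ubuntu` and the final `RUN curl … | sh` both build from a moving target: the base image carries neither a tag nor a digest, and the installer script is fetched over the network and executed without any checksum, so two builds of this file can yield different images and an upstream change lands silently. Pin the base, e.g. `FROM ubuntu:<release-tag>` or `FROM ubuntu@sha256:<digest>` (placeholders), and pin the installer by downloading it to a file, comparing it against a recorded `sha256sum`, and only then running it. The later `RUN sudo apt install -y curl xz-utils` also runs without an `apt-get update` in its own layer and uses the interactive-oriented `apt` front end; `RUN sudo apt-get update && sudo apt-get install -y --no-install-recommends curl xz-utils && sudo rm -rf /var/lib/apt/lists/*` is the reproducible form. `ENV DEBIAN_FRONTEND=noninteractive` is set only after the first `apt-get install -y sudo`, so it does not apply to that layer; move it above the first `RUN`.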
@@ -9,33 +9,33 @@ workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==tru
 # If any of the outputs doesn't have a workspace, do nothing
 if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then
- exit 0
+ exit 0
 else
- # If script is provided with `follow` argument, then follow focused workspace
- if [ "$1" = "follow" ]; then
- if [ "$workspace1" = "$workspace_active" ]; then
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- swaymsg workspace "$workspace2"
- else
- swaymsg workspace "$workspace1"
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- fi
- # Else focus stays with focused output
+ # If script is provided with `follow` argument, then follow focused workspace
+ if [ "$1" = "follow" ]; then
+ if [ "$workspace1" = "$workspace_active" ]; then
+ swaymsg move workspace to output "$output2"
+ swaymsg workspace "$workspace2"
+ swaymsg move workspace to output "$output1"
+ swaymsg workspace "$workspace2"
 else
- if [ "$workspace1" = "$workspace_active" ]; then
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- else
- swaymsg workspace "$workspace1"
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- swaymsg workspace "$workspace1"
- fi
+ swaymsg workspace "$workspace1"
+ swaymsg move workspace to output "$output2"
+ swaymsg workspace "$workspace2"
+ swaymsg move workspace to output "$output1"
 fi
+ # Else focus stays with focused output
+ else
+ if [ "$workspace1" = "$workspace_active" ]; then
+ swaymsg move workspace to output "$output2"
+ swaymsg workspace "$workspace2"
+ swaymsg move workspace to output "$output1"
+ else
+ swaymsg workspace "$workspace1"
+ swaymsg move workspace to output "$output2"
+ swaymsg workspace "$workspace2"
+ swaymsg move workspace to output "$output1"
+ swaymsg workspace "$workspace1"
+ fi
+ fi
 fi
diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd
new file mode 100644
index 0000000..5b0f6b6
--- /dev/null
+++ b/secrets/desktop/radicale_htpasswd
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRG1PWnJpTjRCOFVXS21h\nTUxFb1ZsS1piTUxtdmRSVGFmNGlzZmZqWXo4CnhMY3hBZU93bE45MFBJSG9Nd3Zh\nNi9DQjZlb2FzQXplZXovOENBOWRUQ0kKLS0tIFJsNklCUWFZdzhNaXlFQ2lFTGd5\nREp5VFZaNFlZeWVTUXlJSWpUOXA0OEEKEO5EEvjKL2BdBd+eHxvicl3IhGV/WNRS\ni5065sFhraZ+6MAg91eHUcwcfwjhx0tr06v9xARtKzgEEpgxHLT6BQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWHZjdERBT0hHTVVnMzJJ\nSURhU0NrelB4b0FuTmM1VFIvRFRpQS9sMEQwClJsWGVTUE1hN0Y5c3dETUcyUllX\nSmIzR2ZhMDJDa1hsY0xBaGJrNXkrMUUKLS0tIHAwenJOOHZOSksrQ2dacVhKQVg5\ndEl6QVdkTHdGbG81OUUzOFprZHVRUm8KVYgQ5wUkCDZa9SUbmJgtpWY/LWruAg2t\nZFVYJUZ7B/Pd6rzvtOVjU8mEOaMbtq1cYkiAcuzhIdoTxu1TX11OPA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-01-24T22:45:02Z", + "mac": "ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", + "pgp": [ + { + "created_at": "2024-01-24T22:48:30Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAl7wj8pgA42CyZ+b0ykAVMIzfVsX5zfyLTL3fKRC78kGH\n7D6Lp6Fesp3dZ8c7awWEM3b1WEFOS8Yklo6bfZCnioJoqZhMtYhyTCi+KEBXdw7g\n+KAquXkrD6mYOVBXoKHUqUBoDjFjU/stfV2Pdnl5I7SGYFHtyv8jwdJXbBInDNI6\nmtVzpKoM7pCFHH0Vz+A1D1X4k+96znbSnjHVBgOFLjyZ2KGPKBKud4nM0idAO/tO\nH77ApV1qRBU7weI5yTbK7GeuUxFYrolxkqOCPUH6E5Z2eVQ8ACUFpvgX4ET91jeP\nYTbTuq9cfm/gPsFIGtZLgWSq7cCZHe12nPHT//ajK9JcASNmmTiJFvK19WmN7spg\nbfDJLZud80PNu6MVXthwRGJ50/yRSrO8e/5tCjVz7UlkOmVG5ClsGDfRCH5gJDqS\nMJ+UdOHZjqcZu6TkBmSNX+9fRS1hgCiGxOjT2mU=\n=q3es\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml index 89bcb33..f0fe5cd 100644 --- a/secrets/holochain-infra/nomad.yaml +++ b/secrets/holochain-infra/nomad.yaml 
@@ -4,37 +4,37 @@ holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3b holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I - Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL - R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB - YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 - M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2023-07-12T10:09:31Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I + 
Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL + R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB + YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 + M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2023-07-12T10:09:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE - DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU - 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 - e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo - dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE - pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O - p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 - eHRQH6uDdKM+/6FXnNMiu50G - =itdA - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE + DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU + 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 + e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo + dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE + pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O + p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 + eHRQH6uDdKM+/6FXnNMiu50G + =itdA + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc
new file mode 100644
index 0000000..49f69ca
--- /dev/null
+++ b/secrets/hstk0/mycelium_priv_key.bin.enc
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwKzZsYytMYkd0WTF1TW5a\nZGpQcUYyUjYzY2UrQVp2bHhJTHRSR013Z1h3CmtjSEFaOGE5WDNDZElkM0c2N0Nh\nQTFRU2hvdlpGYlhsUlZoUGZSaWg1UTgKLS0tIHNNWUw0YytRTm5pRTFXTndBamVL\nbTJUNGNSdTloZXM4OWhrN1dlVFpHUGcKq+owmJktDTqpOgtD/makczGkRTphCtb/\nKnL1ig8xdnG+DdyhVCDmtjC7tAFgSUJBZnQi8ervh+yXOXvTJfGglg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-17T14:49:38Z", + "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", + "pgp": [ + { + "created_at": "2024-06-26T19:27:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+NduNIJaTv/DNmY3dGucui5Ud/ONikEdt/8q3M/iSNeQy\njdHjDbHu0UDBwKqD0Pmhs3StWSv2cs4UDvxPtaPV2sN8/WjeAUZJ1Sf2+k1Duy3n\ns40TpaHAf66JuDRkkFaYt5114AE1ypbMp29S0nv9OTpvAFy7FWtw1dsgKskQOWxW\nTnkxfttpaMoCVoUTjPZFbfPE3WJrp+r20QzwzelX5xl3SGmYvdPVDCPp1S54q+gY\n4l3b5R2wvGv3IAA0l7tKtmFe6XqzYlATOSUaP3+qHTKnXFmT1GAr3o+mLRJOG5/R\ny2CJS0wR9JKowAk23ubc1gYxcc/gIUzi5BGMvM4GlNJcAb3Q/nBs5WtjnHrk7zPK\nzzhV758th72GKhzJko6qUFwcfjaIB6h3o0NQAAlVCMXKUWk4KFY1TCgpLbd0Z6Gm\nv8tE1CFUViT/8Ys+2x7UYeWqN53ZWsioGzrk2F4=\n=sXbx\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file 
diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml
new file mode 100644
index 0000000..044372c
--- /dev/null
+++ b/secrets/hstk0/secrets.yaml
@@ -0,0 +1,36 @@ +tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv + UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx + L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny + bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E + fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-08T16:59:30Z" + mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] + pgp: + - created_at: "2024-06-26T19:27:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld + wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB + EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq + mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey + 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh + OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp + BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9 + qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw= + =+0h1 + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml new file mode 100644 index 0000000..b797baa 
--- /dev/null
+++ b/secrets/router0-dmz0/secrets.yaml
@@ -0,0 +1,53 @@ +#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] +#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] +#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] +ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] +ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] +ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] +#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] +#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] 
+#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] +wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] +wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] +wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h + Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S + QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz + S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV + KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-05T09:44:59Z" + mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] + pgp: + - created_at: "2024-12-24T19:36:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw + ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q + Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad + hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ + 1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H + sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5 + W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3 + g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo= + =mYf/ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml new file mode 100644 index 0000000..c0606da --- /dev/null +++ b/secrets/router0-hosthatch/secrets.yaml 
@@ -0,0 +1,43 @@ +#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] +wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] +wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP + OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv + TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty + 
czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s + +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-09T14:08:09Z" + mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] + pgp: + - created_at: "2024-06-09T14:07:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4 + kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu + hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c + 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2 + gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n + y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p + uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7 + Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg== + =5YRC + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml new file mode 100644 index 0000000..0566d57 --- /dev/null +++ b/secrets/router0-ifog/secrets.yaml 
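Review bot: The `passwords-root`, `wg0-privatekey`, `wg0-publickey`, `wg0-peer0-psk`, `wg1-privatekey`, `wg1-publickey` and `wg1-peer0-psk` values in this file are byte-identical (same `data`, `iv` and `tag`) to the ones added in `secrets/router0-hosthatch/secrets.yaml`'s sibling `secrets/router0-ifog/secrets.yaml` in the next hunk; with AES-GCM that can only happen if both files wrap the same data key and hold the same plaintext, so one file was presumably copied and re-keyed rather than generated per host. Two routers therefore share one root password and the same WireGuard private keys and pre-shared keys, and a compromise of either host exposes both. Regenerate the WireGuard keypairs, the PSKs and the root password separately for `router0-hosthatch` and `router0-ifog`, and create each file from a fresh `sops` invocation so the data keys differ as well.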
@@ -0,0 +1,45 @@ +#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] +age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] +#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] +passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] +wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] +wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] +wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] +wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] +wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] +wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht + c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD + Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL + dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07 + fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-26T17:23:41Z" + mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] + pgp: + - created_at: "2024-06-08T18:36:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD + 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh + iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw + 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ + Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j + wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS + fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS + ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA== + =f2HS + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml index ad8635f..b93a80f 100644 --- a/secrets/servers/dyndns.yaml +++ b/secrets/servers/dyndns.yaml 
@@ -1,46 +1,37 @@ dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2 - aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT - dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W - TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+ - H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB - elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm - dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu - Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO - DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-14T20:50:30Z" - mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] - pgp: - - created_at: "2023-07-01T21:42:42Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt + NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM + bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw + VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0 + RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-14T20:50:30Z" + mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] + pgp: + - created_at: "2023-11-23T12:05:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax - dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo - vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU - 5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V - sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9 - MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG - eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC - Vu3cIGSwFgRRdXUYnLTQCQM/ - =g1+E - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6 + T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg + 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF + CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW + LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+ + fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3 + nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN// + ijdeSDMnCT93t6BEeNKvmTPS + =60WW + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index f64bef7..428b745 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
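Review bot: Dropping the second `age:` recipient from this file does not revoke that identity's ability to read it, because the data key was only re-wrapped, not rotated — the `ENC[...]` values for both `dyndns_*` entries and the `mac` are unchanged context lines, so anyone holding the removed recipient's key and a copy of the previous revision can still decrypt this content. If the removal is meant as revocation, rotate the data key with `sops -r -i secrets/servers/dyndns.yaml`, which regenerates it and re-encrypts every value; if it is only housekeeping of the recipient list, saying so in the commit message avoids the wrong assumption. The same observation applies wherever a recipient is removed without the values changing.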
@@ -1,6 +1,8 @@ #ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] -sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str] +#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] +#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] +sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] sharedSshKeys-steveej: 
ENC[AES256_GCM,data:Cj8aoHYN95kOuFwMIr+gYTtvE2MNMT6WhHg+r5cEvfgLbI6EJQdMBU30nhJZ8S7uRwJwyVEnqw9qgaZYVorXrIh4oZoQBT6g0UGQ5b5lhtfj86omP7w/NukvpjUPBJEUL+JgvaNGsAbAmExPb1yQY9f/kn2QuyY31pTywcV6qeSHHlK8I2cpei5RxtuG2IX+EjvDXZ3CtQwLY7YrhLvv0K+N8XlEusnytNkXLfjRgd0dJqNLQdkuzrjFPQnuzkxoBBmwfheO8CaTpmH1C5z/dbmeIP5H9GY2gnBCu5xB2zp8ZerVi2E3teW5EZ+Sh+lz/5DOuVpPn3G8W7l4fTM8iX2IHeakjlpYewx1wmW9SZdV/zxyt5rQUtmMj3F+IVktbOWsOyXwSz0CDUlKkVKJdvzATlWdIjteKTwKEgS8RWjg5H7mGylfxyg6YrHYAHTZjC4J1Qz2CwWmAFxzpFCkHvF6QwAOUg+ST+crfw4DiSamb6SKjIg7LNz6VZTOeji6+71Q59u6g2RcdgNowzgrrQCAw7qHnewbFX/2IOW+pdASCB/q9/7218yM6fzMtcPHPiDpZ2tLHQd+45zxZpbUXXCNdNm5v9OTjjK+uA0ARLOVCw5gtd2FbKsJcwyMhXY/h028tgdRhsXIalLolorrYBPx9hR+UHU0TNihspajoNYJCTuJccMiwo8N9AT1DIdUXcOxrQL80RvWY0S6rBzES3q7a91aC/lGEmS/beO7MDgOKaEV+qwPZOLOZXWAesqsR3sKzpOdPx1gFrLvX6vIhAtzuteH0KvKujIAhCg0sEz3Ct/A1S2uNtohz8CstvEEqP6GiR6/X+sQRgxOcXGPQglz68FFKOErIz5XZJBz5+14u/lady1jxhXnVW0cxZDgmqmAvNbrQ9JjNgBvremaDUvuO5R5V5K4MHAMsNQ5yxE9iScXEfwmEvo+Gj4huJwXvwLDE/1TqIaQWX6LfZKOOZ93ivhj7eEiAz7TsLojdNUeDhnWGOYcWbEkMNzYyPb7obN/HgKzcuSixpYm+IZu4sOzXyoO5Lblzd7OObtG4P9jIj4cdxF+vm/s6MYYxtst7jRwzcv9vMLETDXx40IOSqTo2e8New2e/D003T4jx2sis0+68Iyg9m8ltEYb85v6oGFshIdafIGKBaNHm/zIL4Dw03M8kxxfuVuWZD8S2P3bnfryfA4lbOZttv2DnlPZf/Dfb+Ax5qTe5yn4uzLYDTqq9rIqdoNYUmx1OaxGa69oTIqCpL7FC6xe+9NnTEdojl9svZUhtGfThiphYcK72lryqrTyYVuAOa3WjZtHgUJ5lU8x79eExXyDexmC4RNDszar+qMiwlzMC977qsKczfTGe2audm5PLaLTYhWSOZ1p83d/xhFWhLmqjqHrPF5kYrnG+W4ZuVIqxJOrLHQhseKc4fFZrF/XCusgIcoDEq81M/EmHeEDcuWEYldn1pjbE8yzb2ZgfG8mycNh8z41lKsalKmesyZs0k0IvWmrdCpLXqWl/TgsPSO1q+zbQHyfiNewoZec3GC8k1k64zrG3CNI8bP40L6i4Uo/GFPS/y0OjgQhww+He0bWY7yP9MKqdbahpdYQE9kYU5yoJTUG+ZYRir6h6o/JmTJQy4QIvwmcx2jiiA5XXpj3cYAJ9/3eHDFCeg==,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] 
#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] 
@@ -8,73 +10,118 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov - TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho - TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3 - b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh - 7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4 - aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo - RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP - V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH - 8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA== - -----END AGE ENCRYPTED FILE----- - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM - ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK - 
cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02 - TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+ - q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU - ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1 - SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW - QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F - rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB - dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG - S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq - RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz - wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-06T20:14:22Z" - mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] - pgp: - - created_at: "2023-07-10T08:17:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK + YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ + clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy + 
Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu + unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0 + MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R + THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ + SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1 + SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN + Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv + UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl + d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS + NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi + NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ + dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV + djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0 + wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg== + -----END AGE ENCRYPTED FILE----- + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R + bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs + QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB + 
RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo + OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u + R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS + MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX + ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF + elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bzBRSi9qOEsxR0Z4RTNt + U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG + M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2 + cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv + c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw== + -----END AGE ENCRYPTED FILE----- + - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn + L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI + Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB + WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b + E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk + S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz + VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253 + 
c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4 + tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa + VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH + dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ + YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn + 9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-16T19:17:41Z" + mac: ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str] + pgp: + - created_at: "2024-12-24T19:36:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm - dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98 - OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP - sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf - q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx - YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW - w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c - OUwOtIhmRp4PNBU+402xfgYI - =X23Q - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu + kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT + r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh + SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98 + 
kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS + aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf + tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J + BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0= + =Nc6x + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml new file mode 100644 index 0000000..40a927b --- /dev/null +++ b/secrets/sj-srv1/secrets.yaml 
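Review bot: Every recipient in the rewritten `sops.age` list can decrypt the whole file, so each of the ten host and user keys wrapped here now has access to every entry at the head of the file (`sharedUsers-root`, `sharedUsers-steveej`, `sharedSshKeys-steveej`, `sharedUsers-elias`, `sharedUsers-justyna`), not only the entries a given host needs. A compromise of any single one of those hosts therefore exposes the shared credentials for all of them; where a host only needs a subset, a per-host secrets file with a narrower key group, as this commit already does for `secrets/sj-srv1/secrets.yaml`, would keep the blast radius to that host. It is also worth recording next to the recipient list that removing a recipient later must be followed by `sops -r` (new data key) rather than a plain re-key, because the old wrap stays decryptable from git history; a comment such as `# every recipient below decrypts every key in this file; rotate the data key (sops -r) when removing one` would capture both points.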
@@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-19T20:25:37Z" + mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + 
TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml new file mode 100644 index 0000000..09a13a2 --- /dev/null +++ b/secrets/sj-vps-htz0/secrets.yaml 
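Review bot: The new `secrets/sj-srv1/secrets.yaml` carries the same sops header as `secrets/sj-vps-htz0/secrets.yaml` in the next hunk: the same single age recipient `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`, a byte-identical `age.enc` wrap, the same PGP message with the same `created_at`, and the same `passwords-root` ciphertext, IV and tag. Identical ciphertext under one data key means the two hosts share a root password, and the shared age identity means whichever host holds that private key can also decrypt the other host's file, including the `wg0-private` entry in the htz0 one. Each host should get its own age recipient, and this file should then be re-encrypted with a fresh data key (`sops -r`) and a distinct root password; a comment such as `# sj-srv1 host key — must not be shared with sj-vps-htz0` next to the recipient would keep that intent visible. The same observation applies to the `secrets/sj-vps-htz0/secrets.yaml` hunk that follows.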
@@ -0,0 +1,41 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] +wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] +wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] +wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-13T17:03:01Z" + mac: 
ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/steveej-t14/radicale_htpasswd b/secrets/steveej-t14/radicale_htpasswd deleted file mode 100644 index 0ab6e33..0000000 --- a/secrets/steveej-t14/radicale_htpasswd +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T17:49:07Z", - "mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]", - "pgp": [ - { - "created_at": "2023-07-01T17:45:58Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - 
"version": "3.7.3" - } -} \ No newline at end of file diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc new file mode 100644 index 0000000..d1693e7 --- /dev/null +++ b/secrets/steveej-x13s/mycelium_priv_key.bin.enc 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOHM2dFdaSmRjVXRGOWdM\nc3NySkxDWjl3bXl0VHpRUURINlRWNTJhM1JNCmQzV2xUTUlEb0l2Q0FZUDMrOVVF\neTNEWG1kV1hlY3dWaDVubzdBMUpjdjgKLS0tIGtzeUF5TCtoSk92aDZkdkhqMjZm\nellNZk84ckRXZW5LYlA0Zjc0MXFVMFUKkbgJvketPLkiRtiM2ot/o2q0roCyMcNB\nDjvUDLeExvpz11T12pFETaeSGKMH/R6HfDt37T/K2cpCNvOXHU8MpQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-04-19T19:07:46Z", + "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", + "pgp": [ + { + "created_at": "2024-04-19T19:07:46Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf/UWVXKoYna+QMRhlTcMeEYBYD1twGiU2M+Qov7lMwCVd0\nyLd/TW0E3l7nNp+8pVeQb2a84F3W6kitWSv6sSEQuz74vMGtAHJs63NRaRP+apdV\nKE9kada00clOgd8gDAwEZUUMaTuCxZalsLHOLmKa/5UJVCaYuHcS1wyKWqhK7l9j\nYuELlmM0DcJixWved7t0UL9O1s15b6aFGjc029OIEXwIGuh9Fe01lDjqC/NM+bZC\neL8osDcyTvz2AJB7IjlKQ9EQ9SGxhKXdcoJ0iGvZn5UJx4Dmvw7U2egHN511WDR7\nE4UGux7u7D+DfvOmeCxd/6iCzMdOZUUk3E+yb05YxNJcAZNG/2HLxs2eIs/W81Uk\nLM4UVDBrrrH9hAAyE5sSHsZOIxoqbNol9FSU3iTKEdCq9giU1C8P5mjKymr1hhro\nbYiCYZXhSV0X+bEm27NH8KqEg7wYv6FWMwiYVVY=\n=Itgp\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file 
diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml new file mode 100644 index 0000000..a76e0dc --- /dev/null +++ b/secrets/steveej-x13s/secrets.yaml @@ -0,0 +1,36 @@ +builder-private-key: ENC[AES256_GCM,data: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,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3 + YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1 + TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI + dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta + wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-01T16:50:35Z" + mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] + pgp: + - created_at: "2024-04-04T18:26:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3 + NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo + 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8 + SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0 + 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV + 9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl + vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd + pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw== + =y1Sk + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt
new file mode 100644
index 0000000..38a76e4
--- /dev/null
+++ b/secrets/work-holo/zerotierone.txt
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYWNzWm5ZQVFRNWRSQ3I2\nckQ0YVc0NlJPYVFvYi9Zd2ZNaVh3UG91T2xNClVDaGtvcHlvUnZTOVgyV242OHhy\nWW84NW9LZ242Nk5RalBWUUFITmEvaVEKLS0tIEtOemlTWHYwU3RTVUFoQU8yNU9N\nMlJnL2ZjWVh1RWJwMEpXUjZQZDIxb0kKKbe3H99dII7ni0NQv/QcotAQ4OdrV87/\nro5JVYotk/m0NtS76nJ0NuNpkz4/r4D0XE1r/y3eRH/q+JHyjHFX1w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2024-06-26T19:27:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAgxxDv/vq2N5Hn37enDmLSjOegRW+IbDE/M3zbEvaKh9R\n+UdPf2+9oBjMLX42fOdSihGIHbrQtfG37nFLcJb/W1+Kay205INSDLSWIyUlyNvT\nwtPSVBZdgCbH5rW8yoX5xaS6Fdm1ANCof+hYyQxNtC7LgcgHLKvubhPrsckEoul1\nVuL0g9DGFysxnb4MCOZyFmziucwTKvLFzkaIb68PAYigPJG+wWVx5G/CvoC7Mzxp\nVYApk/6OnHR8TZOhtpnD9Q7Uj5g2ZGAJWE/B2z6xY2m9NJNC8UEL0QypVOnqBaSq\nyDDwrfOdTHqm3u0huJ4mV3cXzzb6RtRw89AuXS+6O9JcATtlFBazwos44yV/WAKz\nT3ZOZ4oD6elvqnvj9J7oOIwuPylaXd802YQSzPrfWQSqMUYds0gt3gklfIx+/SRm\nqBvQqStPmm3njU1TEPU3xrTywDSWGDKXCklnkVM=\n=CPPt\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file 
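Review bot: The `data`, `mac` and `lastmodified` values in this file are identical to those of the deleted `secrets/zerotierone.txt` in the next file section, so the move only re-wrapped the existing data key for the new age recipient `age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6` and refreshed the PGP entry; the plaintext and the data key are unchanged. The two recipients dropped by the move (`age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl` and `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`) can still decrypt the old copy from git history with their private keys, so if the intent was to take the zerotier identity away from them, the identity needs to be regenerated and the file re-encrypted (`sops -r`), not just re-keyed. The `version` field is still `3.7.3` while the other files written in this commit report `3.8.1`, which looks consistent with a re-key rather than a fresh encryption.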
diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt
deleted file mode 100644
index 347b737..0000000
--- a/secrets/zerotierone.txt
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2023-07-01T20:50:27Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile index c599600..c15ed68 100644 --- a/services/home-ch/router-family.lan/Justfile +++ b/services/home-ch/router-family.lan/Justfile 
@@ -1,12 +1,12 @@
 _run_ssh_cmd cmd:
- ssh root@router-family.lan "{{cmd}}"
+ ssh root@router-family.lan "{{ cmd }}"
 
 post-setup:
- just -v _run_ssh_cmd "opkg update"
- just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns"
- just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
- just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs"
- # multiuser SFTP
- just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server"
- just -v _run_ssh_cmd "opkg install sudo coreutils-readlink"
- just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
+ just -v _run_ssh_cmd "opkg update"
+ just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns"
+ just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
+ just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs"
+ # multiuser SFTP
+ just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server"
+ just -v _run_ssh_cmd "opkg install sudo coreutils-readlink"
+ just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile
index 921adb4..6f818a8 100644
--- a/services/home-ch/router-wan.dmz/Justfile
+++ b/services/home-ch/router-wan.dmz/Justfile
@@ -1,9 +1,9 @@
 _run_ssh_cmd cmd:
- ssh root@router-wan.dmz "{{cmd}}"
+ ssh root@router-wan.dmz "{{ cmd }}"
 
 post-setup:
- just -v _run_ssh_cmd "opkg update"
- just -v _run_ssh_cmd "opkg install luci-ssl"
- just -v _run_ssh_cmd "opkg install luci-app-mwan3"
- # multiuser SFTP
- just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
+ just -v _run_ssh_cmd "opkg update"
+ just -v _run_ssh_cmd "opkg install luci-ssl"
+ just -v _run_ssh_cmd "opkg install luci-app-mwan3"
+ # multiuser SFTP
+ just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"