diff --git a/.envrc b/.envrc
index 90160da..697ced8 100644
--- a/.envrc
+++ b/.envrc
@@ -1,5 +1 @@
-if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
- source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
-fi
-
-use flake .#develop
+use_flake .#develop --impure
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index fd34c43..9587742 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 8c927b6..92102e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,8 +4,3 @@
 .env
 **/result
 .direnv/
-
-# nixago: ignore-linked-files
-/treefmt.toml
-
-/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..efb4d91
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+stages:
+ - build
+
+build:
+ stage: build
+ tags:
+ - nix
+ script:
+ # Test the nix-shell
+ - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
index 9e709f9..d003e1b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
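Review bot: `use_flake .#develop --impure` makes the dev shell depend on whatever the evaluation can read from the environment and from untracked absolute paths, not only on what flake.lock pins, and nothing in the hunk says which input needs that. The pinned, hash-checked `source_url` of nix-direnv is gone too, so the shell now relies on whichever nix-direnv the host happens to provide. A one-line comment above the call would stop the next reader from either removing the flag or assuming the shell is reproducible, e.g. `# --impure: needed for <INPUT — TODO name it>; nix-direnv comes from the host profile`.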
@@ -15,108 +15,86 @@ keys: - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - + # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz + - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + - &sj-bm-hostkey0 age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s - - *elias-e525 - - *justyna-p300 + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s + - *elias-e525 + - *justyna-p300 - - *srv0-dmz0 - - *router0-dmz0 + - *srv0-dmz0 + - *router0-dmz0 - - *sj-vps-htz0 - - *sj-srv1 - - *hstk0 - - *router0-ifog - - *router0-hosthatch + - *sj-vps-htz0 + - *sj-srv1 + - *sj-bm-hostkey0 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 + - pgp: + - *steveej + age: + - *steveej-t14 - path_regex: ^secrets/desktop/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s - path_regex: ^secrets/servers/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^secrets/holochain-infra/.+$ key_groups: 
- - pgp: - - *steveej - age: - - *srv0-dmz0 + - pgp: + - *steveej + age: + - *srv0-dmz0 - path_regex: ^secrets/router0-dmz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-dmz0 - - path_regex: ^secrets/router0-ifog/.+$ - key_groups: - - pgp: - - *steveej - age: - - *router0-ifog - - path_regex: ^secrets/router0-hosthatch/.+$ - key_groups: - - pgp: - - *steveej - age: - - *router0-hosthatch + - pgp: + - *steveej + age: + - *router0-dmz0 - path_regex: ^secrets/sj-vps-htz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: + - *sj-vps-htz0 - path_regex: ^secrets/sj-srv1/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-srv1 - - path_regex: ^secrets/hstk0/.+$ + - pgp: + - *steveej + age: + - *sj-srv1 + - path_regex: ^secrets/sj-bm-hostkey0/.+$ key_groups: - - pgp: - - *steveej - age: - - *hstk0 + - pgp: + - *steveej + age: + - *sj-bm-hostkey0 - path_regex: ^secrets/steveej-x13s/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s - - path_regex: ^secrets/work-holo/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json index 660429d..0691bf9 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,20 +1,6 @@ { - "editor.defaultFormatter": "ibecker.treefmt-vscode", - "editor.formatOnSave": true, - "nix.enableLanguageServer": true, - "nix.serverPath": "nil", - "nix.serverSettings": { - // settings for 'nil' LSP - "nil": { - "autoArchive": true, - "diagnostics": { - "ignored": ["unused_binding", "unused_with"] - }, - "formatting": { - "command": ["treefmt", "--stdin", ".nil.nix"] - } - } - }, - "treefmt.command": "treefmt", - "treefmt.config": "" + "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix", + "[nix]": { + "editor.defaultFormatter": "jnoortheen.nix-ide" + }, } diff --git a/Justfile b/Justfile index 414e736..1633cba 100755 --- a/Justfile +++ b/Justfile 
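Review bot: Editing the recipient lists in `.sops.yaml` does not re-encrypt anything by itself, so every file under `secrets/` that was last encrypted for `router0-ifog`, `router0-hosthatch`, `hstk0` or the previous `router0-dmz0` key stays readable with those keys until `sops updatekeys` is run on it (the repository's `update-sops-keys` recipe); the commit does not mention that step. The commented-out `# - &router0-dmz0 age1jetx…` line is dead configuration — drop it, or turn the comment into a reason (`# old router0-dmz0 key, still needed for <files> until re-encrypted`). Since the removed recipients' private keys can also decrypt earlier revisions in git history, the secret values themselves need rotating if any of those hosts is no longer trusted, not just the key list.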
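Review bot: The new `"[nix]": { … },` object ends with a trailing comma before the closing brace, which makes the file invalid strict JSON; VS Code's JSONC parser tolerates it, but other tooling that reads workspace settings may not. Drop the comma: `"[nix]": {` / `"editor.defaultFormatter": "jnoortheen.nix-ide"` / `}`. `nixEnvSelector.nixFile` now points at `${workspaceRoot}/shell.nix`, whose existence is not visible in this diff — confirm it, since the `.envrc` changed in the same commit selects `.#develop` from the flake instead.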
@@ -2,320 +2,310 @@ # echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + nix flake update _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) + echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} + #!/usr/bin/env bash + set -ex + nix run .#colmena -- apply --on {{device}} {{rebuildargs}} # Rebuild this device's NixOS rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} + nix run .#colmena -- apply-local --sudo {{rebuildargs}} # Re-render the versions of a remote device and rebuild its environment update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{ devicename }} - nix flake update - ) + ( + set -xe + cd nix/os/devices/{{devicename}} + nix flake update + ) - just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} + just -v rebuild-remote-device {{devicename}} {{rebuildargs}} - git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" + git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" # Re-render the versions of the current device and rebuild its environment update-this-device rebuild-mode='switch' +moreargs='': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + ( + set -xe + cd nix/os/devices/$(hostname -s) + nix flake update + ) - just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} + just -v rebuild-this-device {{rebuild-mode}} {{moreargs}} - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m 
"nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{ device }} - trap "set +e; just -v disk-umount {{ device }}" EXIT - just -v disk-install {{ device }} + just -v disk-mount {{device}} + trap "set +e; just -v disk-umount {{device}}" EXIT + just -v disk-install {{device}} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{ dir }} + dir={{dir}} - template={{ dir }}/versions.tmpl.nix - outfile={{ dir }}/versions.nix + template={{dir}}/versions.tmpl.nix + outfile={{dir}}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log - just -v rebuild-disk {{ dir }} || { - echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log + just -v rebuild-disk {{dir}} || { + echo ERROR: Update of {{dir}} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. 
un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{ dir }} + just -v _device diskPrepare {{dir}} disk-relabel dir previous: - just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} + just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{ dir }} - + just -v _device diskMount {{dir}} # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{ dir }} + just -v _device diskUmount {{dir}} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{ dir }} + just -v _device diskInstall {{dir}} + verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ - \ - just _verify-n-unlock {{ sshserver }} {{ attempts }} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry 
Infrastructure/VPS/{{sshserver}} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \ + \ + just _verify-n-unlock {{sshserver}} {{attempts}} _verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function send_and_expect() { - local send="${1:?need something to 
send}" - local expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - for i in `seq 1 {{ attempts }}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + for i in `seq 1 {{attempts}}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{ attempts }} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{attempts}} times. Giving up... 
+ exit 1 _get_pass_entry path key: - pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' + pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - {{ cmds }} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + {{cmds}} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card key-id="6EEFA706CB17E89B": - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. - # - set -xe - if [[ -n "{{key-id}}" ]]; then - KEY_ID="{{key-id}}" - else - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - fi +switch-gpg-card: + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. 
+ # + set -xe + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status # Connect to `remote` UUID, and turn it into a short name uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + #!/usr/bin/env bash + set -e -o pipefail + ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! nix-shell --pure + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! nix-shell -i zsh + #! 
nix-shell --pure - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? 
-ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi - sleep 5 - done + sleep 5 + done cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ + nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ update-sops-keys: - for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done - -deploy-router0-dmz0: - NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 - -ttyusb: - screen -fa /dev/ttyUSB0 115200 + for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done diff --git a/README.md b/README.md index 5d32951..d59de56 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ # steveej's infra - This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). @@ -20,7 +19,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
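Review bot: In `update-sops-keys`, `for file in $(egrep -lr '"?sops"?:') secrets; do …` leaves the `secrets` directory outside the `$(…)`, so egrep recurses from the current directory and `secrets` itself becomes a literal loop item that `sops updatekeys -y` is run against; the intended form is presumably `for file in $(egrep -lr '"?sops"?:' secrets); do sops updatekeys -y "$file"; done`. This recipe is how recipient changes in `.sops.yaml` take effect, so while the loop is wrong, removed recipients keep their access to the encrypted files. `switch-gpg-card` now derives `KEY_ID` solely from `gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}'` and hands it to `gpg --yes --delete-secret-and-public-keys`; a card reporting more than one matching token would make `KEY_ID` multi-line, so a guard such as `[[ $(wc -l <<<"${KEY_ID}") -eq 1 ]] || exit 1` before the delete would be prudent. In `_verify-n-unlock`, `return -1` inside `send_and_expect` is outside bash's 0–255 status range (older bash rejects the argument, newer versions wrap it) — `return 1` says what is meant.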
@@ -40,46 +39,39 @@ In the unlikely case that you actually read this and have any questions please d - [x] sj-pve0 - [x] use an existing secret management framework - [x] adapt (or abandon?) _just_ recipes + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - - evaluate, and understand a path to using these tools in a pull-based fashion: - + evaluate, and understand a path to using these tools in a pull-based fashion: - [x] [colmena](https://github.com/zhaofengli/colmena) - - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs - - [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - - evaluate: - - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ + current issues: + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + evaluate: + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ - [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle _\_archived_ +- [ ] Recycle *\_archived* - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started -## Bugs +## Bugs - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage - -_(These are reminders for my future self)_ +*(These are reminders for my future self)* ``` just --list 
@@ -88,17 +80,15 @@ just --list ## Bootstrap ### A new machine +* ensure the dotfiles repo has a branch with the new machine's hostname -- ensure the dotfiles repo has a branch with the new machine's hostname - -- boot with an install media and go through setup +* boot with an install media and go through setup #### Post-Install Setup - -- `chmod --recursive g-rwx,o-rwx ~/.gnupg` -- `gpg2 --edit-card; fetch` -- clone password-manager and infra repositories -- gpg2: ultimately trust my own key +* `chmod --recursive g-rwx,o-rwx ~/.gnupg` +* `gpg2 --edit-card; fetch` +* clone password-manager and infra repositories +* gpg2: ultimately trust my own key ## Swapping out a disk diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix new file mode 100644 index 0000000..65e6c09 --- /dev/null +++ b/_archive/environments/dev/cross.nix 
@@ -0,0 +1,90 @@ +import /home/steveej/src/github/NixOS/nixpkgs/default.nix { + crossSystem = rec { + config = "armv7l-unknown-linux-gnueabi"; + bigEndian = false; + arch = "arm"; + float = "hard"; + fpu = "vfpv3-d16"; + withTLS = true; + libc = "glibc"; + platform = { + name = "armv7l-hf-multiplatform"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. + kernelHeadersBaseConfig = "multi_v7_defconfig"; + kernelBaseConfig = "multi_v7_defconfig"; + kernelArch = "arm"; + kernelDTB = true; + kernelAutoModules = false; + kernelExtraConfig = '' + NAMESPACES y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + OVERLAY_FS y + FUSE_FS y + ''; + kernelTarget = "zImage"; + uboot = null; + }; + openssl.system = "linux-generic32"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + }; +} +# pkgs.config = { +# packageOverrides = super: let self = super.pkgs; in { +# linux_4_0 = super.linux_3_18.override { +# kernelPatches = super.linux_3_18.kernelPatches ++ [ +# # we'll also add one of our own patches +# { patch = ./dts.patch; name = "dts-fix"; } +# ]; +# +# # add "CONFIG_PPP_FILTER y" option to the set of kernel options +# extraConfig = '' +# HAVE_IMX_ANATOP y +# HAVE_IMX_GPC y +# HAVE_IMX_MMDC y +# HAVE_IMX_SRC y +# SOC_IMX6 y +# SOC_IMX6Q y +# SOC_IMX6SL y +# PCI_IMX6 y +# ARM_IMX6Q_CPUFREQ y +# IMX_WEIM y +# AHCI_IMX y +# SERIAL_IMX y +# SERIAL_IMX_CONSOLE y +# I2C_IMX y +# SPI_IMX y +# PINCTRL_IMX y +# PINCTRL_IMX6Q y +# PINCTRL_IMX6SL y +# POWER_RESET_IMX y +# IMX_THERMAL y +# IMX2_WDT y +# IMX_IPUV3_CORE y +# DRM_IMX y +# DRM_IMX_FB_HELPER y +# DRM_IMX_PARALLEL_DISPLAY y +# DRM_IMX_TVE y +# DRM_IMX_LDB y +# DRM_IMX_IPUV3 y +# DRM_IMX_HDMI y +# MMC_SDHCI_ESDHC_IMX y +# IMX_SDMA y +# PWM_IMX y +# DEBUG_IMX6Q_UART y +# +# PPP_FILTER y +# ''; +# }; +# }; +# }; + 
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix new file mode 100644 index 0000000..c92aa9d --- /dev/null +++ b/_archive/environments/dev/go/default.nix 
@@ -0,0 +1,89 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version, + extraBuildInputs ? [], + extraShellHook ? "", +}: let + go = builtins.getAttr "go_${version}" pkgs; + commonVimRC = '' + let g:tagbar_type_go = { + \ 'ctagstype' : 'go', + \ 'kinds' : [ + \ 'p:package', + \ 'i:imports:1', + \ 'c:constants', + \ 'v:variables', + \ 't:types', + \ 'n:interfaces', + \ 'w:fields', + \ 'e:embedded', + \ 'm:methods', + \ 'r:constructor', + \ 'f:functions' + \ ], + \ 'sro' : '.', + \ 'kind2scope' : { + \ 't' : 'ctype', + \ 'n' : 'ntype' + \ }, + \ 'scope2kind' : { + \ 'ctype' : 't', + \ 'ntype' : 'n' + \ }, + \ 'ctagsbin' : 'gotags', + \ 'ctagsargs' : '-sort -silent' + \ } + + " vim-go { + let g:go_highlight_functions = 1 + let g:go_highlight_methods = 1 + let g:go_highlight_structs = 1 + let g:go_highlight_interfaces = 1 + let g:go_highlight_operators = 1 + let g:go_highlight_build_constraints = 1 + let g:go_fmt_command = 'gofmt' + let g:go_fmt_options= '-s' + let g:go_def_mode = 'godef' + let g:go_def_reuse_buffer = 0 + + au FileType go nmap gds (go-def-split) + au FileType go nmap gdv (go-def-vertical) + au FileType go nmap gdt (go-def-tab) + au FileType go nmap gi (go-imports) + " } + ''; + buildInputs = with pkgs; [ + glibc.out + glibc.static + + go + gotools + #gotools.bin + #gocode.bin + #godef godef.bin + godep + #godep.bin + gox.bin + #ginkgo ginkgo.bin + #gomega + # ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) + # ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) + ]; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = extraBuildInputs ++ buildInputs; + shellHook = '' + goname=${go.version}_$name + # FIXME: setPS1 $goname + export GOROOT=${go}/share/go + export GOPATH="$HOME/.gopath_$goname" + export PATH="$HOME/.gopath_$goname/bin:$PATH" + unset name + unset SSL_CERT_FILE + + ${extraShellHook} + ''; + } 
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix new file mode 100644 index 0000000..1bbc4dc --- /dev/null +++ b/_archive/environments/dev/go/neovim-go.nix @@ -0,0 +1,12 @@ +{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args + // { + additionalRC = + commonRC + + '' + " deoplete { + let g:deoplete#enable_at_startup = 1 + let g:deoplete#enable_smart_case = 1 + " } + ''; + additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"]; + }) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix new file mode 100644 index 0000000..fc4a298 --- /dev/null +++ b/_archive/environments/dev/pandoc.nix @@ -0,0 +1,31 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version ? "Stable", + extraBuildInputs ? [], +}: let + commonVimRC = ""; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with pkgs; + [ + (import ./vim-pandoc.nix { + pkgs = gitpkgs; + commonRC = commonVimRC; + }) + pandoc + texlive.combined.scheme-medium + python27Packages.pandocfilters + python27Packages.htmltreediff + python27Packages.html5lib + python27Packages.dbus-python + ] + ++ extraBuildInputs; + shellHook = '' + pandocname=pandoc_${pkgs.pandoc.version} + setPS1 $pandocname + unset name + ''; + } diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix new file mode 100644 index 0000000..aa01935 --- /dev/null +++ b/_archive/environments/dev/rkt.nix 
@@ -0,0 +1,71 @@ +{ + pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + mkGoEnv ? import ./go.nix, + rktPath, +}: let + rktBasebuildInputs = with pkgs; [ + glibc.out + glibc.static + autoreconfHook + gnupg1 + squashfsTools + cpio + tree + intltool + libtool + pkgconfig + libgcrypt + gperf + libcap + libseccomp + libzip + eject + iptables + bc + acl + trousers + systemd + ]; + extraShellHook = '' + TARGET=$GOPATH/src/github.com/coreos/rkt + if [[ -e ${rktPath}/rkt/rkt.go ]]; then + pushd ${rktPath} + else + echo rktPath must be run the rkt repository clone, but got '${rktPath}' + exit 1 + fi + if ! [[ -e $TARGET/rkt/rkt.go ]]; then + mkdir -p $TARGET + echo $PWD + sudo -E mount -o bind $PWD $TARGET + fi + pushd $TARGET + ''; +in { + go15 = mkGoEnv { + inherit pkgs; + + name = "rktGo15"; + version = "1_5"; + extraBuildInputs = rktBasebuildInputs; + inherit extraShellHook; + }; + + go16 = mkGoEnv { + inherit pkgs; + + name = "rktGo16"; + version = "1_6"; + extraBuildInputs = rktBasebuildInputs; + inherit extraShellHook; + }; + + go17 = mkGoEnv { + inherit pkgs; + + name = "rktGo17"; + version = "1_7"; + extraBuildInputs = rktBasebuildInputs; + inherit extraShellHook; + }; +} diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc new file mode 100644 index 0000000..051d09d --- /dev/null +++ b/_archive/environments/dev/rust/.envrc @@ -0,0 +1 @@ +eval "$(lorri direnv)" diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix new file mode 100644 index 0000000..11caffa --- /dev/null +++ b/_archive/environments/dev/rust/default.nix 
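Review bot: The `extraShellHook` in `rkt.nix` calls `exit 1` when `rktPath` is wrong, which terminates the interactive shell being set up instead of aborting the hook — `return 1`, or printing the message and skipping the mount, is what a hook should do. `sudo -E mount -o bind $PWD $TARGET` passes the entire nix-shell environment to a privileged mount and leaves both paths unquoted; `sudo mount -o bind "$PWD" "$TARGET"` is sufficient. If the file is kept under `_archive/` purely as history, a header comment such as `# archived: not maintained, not meant to be sourced` would tell the reader not to fix it.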
@@ -0,0 +1,39 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version ? "Stable", + extraBuildInputs ? [], +}: let + rustPackages = builtins.getAttr "rust${version}" pkgs; + rustc = rustPackages.rustc; + rustShellHook = { + rustc, + name, + }: '' + rustname=rust_${rustc.version}_${name} + setPS1 $rustname + unset name + ''; + commonVimRC = ""; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with rustPackages; + [ + (import ./vim-rust.nix { + pkgs = gitpkgs; + commonRC = commonVimRC; + inherit rustc; + racerd = pkgs.rustracerd; + }) + rustc + cargo + ] + ++ [pkgs.rustfmt] + ++ extraBuildInputs; + shellHook = rustShellHook { + inherit name; + inherit rustc; + }; + } diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix new file mode 100644 index 0000000..6eacc45 --- /dev/null +++ b/_archive/environments/dev/vim-go.nix @@ -0,0 +1,19 @@ +{commonRC, ...} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-go"; + additionalRC = + commonRC + + '' + " Disable AutoComplPop. + let g:acp_enableAtStartup = 0 + " Use neocomplete. + let g:neocomplete#enable_at_startup = 1 + " Use smartcase. + let g:neocomplete#enable_smart_case = 1 + if !exists('g:neocomplete#sources#omni#input_patterns') + let g:neocomplete#sources#omni#input_patterns = {} + endif + ''; + additionalPlugins = ["neocomplete" "vim-go"]; + }) diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix new file mode 100644 index 0000000..7fc03f2 --- /dev/null +++ b/_archive/environments/dev/vim-pandoc.nix 
@@ -0,0 +1,18 @@ +{commonRC, ...} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-pandoc"; + additionalRC = + commonRC + + '' + set statusline+=%#warningmsg# + set statusline+=%{SyntasticStatuslineFlag()} + set statusline+=%* + + let g:syntastic_always_populate_loc_list = 1 + let g:syntastic_auto_loc_list = 1 + let g:syntastic_check_on_open = 1 + let g:syntastic_check_on_wq = 0 + ''; + additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"]; + }) diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix new file mode 100644 index 0000000..56e3c7d --- /dev/null +++ b/_archive/environments/dev/vim-rust.nix @@ -0,0 +1,48 @@ +{ + commonRC, + rustc, + racerd, + ... +} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-rust"; + additionalRC = + commonRC + + '' + set statusline+=%#warningmsg# + set statusline+=%{SyntasticStatuslineFlag()} + set statusline+=%* + + let g:syntastic_always_populate_loc_list = 1 + let g:syntastic_auto_loc_list = 1 + let g:syntastic_check_on_open = 1 + let g:syntastic_check_on_wq = 0 + + " tagbar + let g:tagbar_type_rust = { + \ 'ctagstype' : 'rust', + \ 'kinds' : [ + \'T:types,type definitions', + \'f:functions,function definitions', + \'g:enum,enumeration names', + \'s:structure names', + \'m:modules,module names', + \'c:consts,static constants', + \'t:traits,traits', + \'i:impls,trait implementations', + \] + \} + + let g:syntastic_rust_checkers = ["rustc"] + + "rustfmt + let g:rustfmt_autosave = 1 + + let g:ycm_auto_trigger = 1 + let g:ycm_rust_src_path = '${rustc.src}/src' + let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd' + + ''; + additionalPlugins = ["rust-vim"]; + }) diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix new file mode 100644 index 0000000..074469e --- /dev/null +++ b/_archive/environments/fhs/android.nix 
@@ -0,0 +1,42 @@ +{pkgs ? import {}}: +(pkgs.buildFHSUserEnv { + name = "devfhs"; + multiPkgs = pkgs: (with pkgs; [ + android-udev-rules + sudo + gawk + bzip2 + file + gcc + getopt + git + gnumake + ncurses + openssl + patch + perl + pkgconfig + python + openssh + subversion + unzip + wget + which + vim + zlib + libusb + libusb1 + systemd + strace + swt + xorg.libXtst + glib + gtk2 + gnome.gtk + ]); + profile = '' + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib + ''; + runScript = "bash"; +}) +.env diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix new file mode 100644 index 0000000..da08700 --- /dev/null +++ b/_archive/environments/fhs/vscode.nix @@ -0,0 +1,36 @@ +{pkgs ? import {}}: +(pkgs.buildFHSUserEnv { + name = "everydayFHS"; + targetPkgs = pkgs: (with pkgs; [ + which + gitFull + zsh + file + direnv + + xdg_utils + xsel + + vscode + + # vscode live share + gnome3.gcr + libgnome_keyring3 + liburcu + libunwind + lttng-ust + curl + openssl + libkrb5 + libuuid + icu + zlib + libsecret + ]); + multiPkgs = pkgs: (with pkgs; []); + profile = '' + export SHELL=/bin/zsh + ''; + # FIXME runScript = "$SHELL"; +}) +.env diff --git a/default.nix b/default.nix index 6aba02e..75e1dbb 100644 --- a/default.nix +++ b/default.nix @@ -4,9 +4,6 @@ # Having pkgs default to is fine though, and it lets you use short # commands such as: # nix-build -A mypackage -{ - pkgs ? import { }, -}: -{ - pkgs = import ./nix/pkgs { inherit pkgs; }; +{pkgs ? import {}}: { + pkgs = import ./nix/pkgs {inherit pkgs;}; } diff --git a/flake-sandbox/flake.lock b/flake-sandbox/flake.lock new file mode 100644 index 0000000..b600a49 --- /dev/null +++ b/flake-sandbox/flake.lock 
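Review bot: The `profile` line in android.nix builds `LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:...` unconditionally, so when `LD_LIBRARY_PATH` is unset on entry the value starts with `:`, and the dynamic loader treats that empty element as the current working directory — any shared object in whatever directory the user is in can be loaded by the tools in this env. Putting the system paths first and appending the inherited value only when it is set avoids that: `export LD_LIBRARY_PATH=/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`. The `''${` escape is needed because the line sits inside a Nix indented string, where a bare `${` is Nix interpolation rather than shell expansion. The `{pkgs ? import {}}` argument reads as though a `<nixpkgs>` path between angle brackets was lost in rendering; worth confirming against the actual file.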
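Review bot: The commented `# FIXME runScript = "$SHELL";` next to `export SHELL=/bin/zsh` in vscode.nix leaves the intent unclear: `runScript` is not set, so the wrapper's default is used and the exported `SHELL` only affects programs started inside the env. Either drop the FIXME or replace it with a comment that records the decision, e.g. `# runScript left at the default; SHELL is exported so tools inside the env spawn zsh`. `multiPkgs = pkgs: (with pkgs; []);` is an empty list that can be removed or annotated with why it is kept.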
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1681091990,
+ "narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake-sandbox/flake.nix b/flake-sandbox/flake.nix
new file mode 100644
index 0000000..112447e
--- /dev/null
+++ b/flake-sandbox/flake.nix
@@ -0,0 +1,142 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + }; + outputs = { + self, + nixpkgs, + }: let + system = "x86_64-linux"; + pkgs = import nixpkgs {inherit system;}; + in { + devShells."${system}".default = pkgs.mkShell { + packages = with pkgs; + with pkgs.gnome; [ + hexchat + audacity + proot + yubikey-manager-qt + cheese + remmina + exiv2 + wireshark-qt + seahorse + kotatogram-desktop + usbutils + networkmanagerapplet + sshfs-fuse + pavucontrol + libwebcam + just + eog + git-crypt + espanso + unetbootin + vcsh + skypeforlinux + du-dust + bind + teamviewer + gparted + neovim + inkscape + rustdesk + gnome-themes-extra + pass + xdg-user-dirs + cbatticon + yubikey-personalization-gui + zoom + signal-desktop + xorg.xbacklight + vscode + ripgrep + lightdm + nixpkgs-fmt + git-lfs + qtpass + gimp + lxappearance + flameshot + thunderbird + fprintd + chromium + evtest + alejandra + vlc + pastebinit + evolution + zbar + libreoffice + brave + pidgin + direnv + xorg.xhost + lorri + firefox + logseq + x11_ssh_askpass + xsel + feh + htop + openvpn + syncthing + ncdu + rofi-pass + testdisk + vanilla-dmz + wireguard-tools + xarchive + gnome-icon-theme + wget + nix-index + mr + passff-host + browserpass + xorg.xcursorthemes + gitRepo + gitSVN + androidenv.androidPkgs_9_0.platform-tools + + # introduces python + (qtile.passthru.unwrapped.overrideAttrs (oldAttrs: { + propagatedBuildInputs = + [] + # ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs + # ++ (with pkgs.python3Packages; [ + # # python-wifi + # # iwlib + # keyring + # ]) + ; + + makeWrapperArgs = + oldAttrs.makeWrapperArgs + ++ [ + "--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}" + ]; + })) + + # gi-docgen + # yelp-tools + # scons + # autorandr + # arandr + # meson + # mercurial + # unrar-wrapper + # orca + # radicale + # criu + # gnome-music + # gnome-browser-connector + # radicale + # hplip + # qtile + # gtk-doc + # asciidoc + # meson + ]; + }; + }; +} 
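Review bot: `nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"` pins this sandbox shell to a release branch that is no longer maintained, and the package list is full of network-facing software (`chromium`, `firefox`, `thunderbird`, `brave`, `openvpn`, `wireguard-tools`, `syncthing`) that will therefore stay at whatever patch level the accompanying lock captured. If the old branch is deliberate, a comment above the input saying so, e.g. `# nixos-22.11 is past end-of-life; kept for <reason>, do not use for daily browsing`, turns it into a recorded choice rather than an oversight. The `qtile` override sets `propagatedBuildInputs = []` while leaving the commented-out `++ oldAttrs...` lines in place, yet `makeWrapperArgs` still reads `oldAttrs.propagatedBuildInputs` — either restore the original inputs or delete the dead comments and state in one line why they are dropped. The nested `with pkgs; with pkgs.gnome;` also lets `pkgs.gnome` attributes silently shadow top-level ones, which explicit `gnome.eog`-style references would avoid.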
diff --git a/flake.lock b/flake.lock index 595341f..08892be 100644 --- a/flake.lock +++ b/flake.lock @@ -1,13 +1,29 @@ { "nodes": { + "adamcstephens_stop-export": { + "flake": false, + "locked": { + "lastModified": 1706405938, + "narHash": "sha256-L+MeX7m78uM09h/7b0jtyGOlgJC1ETQHCBphcJRa5V0=", + "ref": "refs/heads/main", + "rev": "823b14873da7cc0a8a6bf37eaab71d10863272d3", + "revCount": 16, + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + } + }, "aphorme_launcher": { "flake": false, "locked": { - "lastModified": 1719922896, - "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", + "lastModified": 1699523648, + "narHash": "sha256-OmeelrddWuPQL84W/1Fi3FczKfrR+XdosRfKofc2o6w=", "owner": "Iaphetes", "repo": "aphorme_launcher", - "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", + "rev": "3404dd1ac0c448d517efc0a20f554da0f1d5550c", "type": "github" }, "original": { 
@@ -17,22 +33,38 @@ "type": "github" } }, + "brainwart_x13s-nixos": { + "flake": false, + "locked": { + "lastModified": 1705565623, + "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", + "owner": "BrainWart", + "repo": "x13s-nixos", + "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", + "type": "github" + }, + "original": { + "owner": "BrainWart", + "ref": "flake", + "repo": "x13s-nixos", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "stable": "stable" }, "locked": { - "lastModified": 1731527002, - "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { @@ -42,38 +74,22 @@ } }, "crane": { - "locked": { - "lastModified": 1733286231, - "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", - "owner": "ipetkov", - "repo": "crane", - "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "devshell": { "inputs": { "nixpkgs": [ - "nixvim", "nixpkgs" ] }, "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "lastModified": 1707075082, + "narHash": "sha256-PUplk5F5jlIyofxqn/xEDN9pbjrd0tnkd0pDsZ52db0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7d5b46c17d857ee9ddb2e8d88185729a3e5637b6", "type": "github" }, "original": { - "owner": "numtide", - "repo": "devshell", + "owner": "ipetkov", + "repo": "crane", "type": "github" } }, 
@@ -85,11 +101,11 @@ ] }, "locked": { - "lastModified": 1727359191, - "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", + "lastModified": 1701905325, + "narHash": "sha256-lda63LmEIlDMeCgWfjr3/wb487XPllBByfrGRieyEk4=", "owner": "nix-community", "repo": "disko", - "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", + "rev": "1144887c6f4d2dcbb2316a24364ef53e25b0fcfe", "type": "github" }, "original": { @@ -99,21 +115,20 @@ "type": "github" } }, - "espanso": { + "dotfiles": { "flake": false, "locked": { - "lastModified": 1711840403, - "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" + "lastModified": 1541334338, + "narHash": "sha256-9QAq7bjITpaO8A8qD8IVoa+89Bg13CEwxf771d9S/Ag=", + "owner": "steveeJ", + "repo": "dotfiles", + "rev": "9a8484f7094edc1b533bad3be71c511ba8ff45eb", + "type": "gitlab" }, "original": { - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" + "owner": "steveeJ", + "repo": "dotfiles", + "type": "gitlab" } }, "fenix": { @@ -124,11 +139,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1733380458, - "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", + "lastModified": 1706941198, + "narHash": "sha256-t6/qloMYdknVJ9a3QzjylQIZnQfgefJ5kMim50B7dwA=", "owner": "nix-community", "repo": "fenix", - "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", + "rev": "28dbd8b43ea328ee708f7da538c63e03d5ed93c8", "type": "github" }, "original": { 
@@ -154,28 +169,12 @@ } }, "flake-compat_2": { - "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { - "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", "owner": "nix-community", "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", "type": "github" }, "original": { @@ -184,30 +183,16 @@ "type": "github" } }, - "flake-compat_4": { - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "revCount": 57, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { 
@@ -224,11 +209,11 @@ ] }, "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -246,11 +231,11 @@ ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -262,37 +247,16 @@ "flake-parts_4": { "inputs": { "nixpkgs-lib": [ - "nixvim", + "srvos", "nixpkgs" ] }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_5": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { 
@@ -316,34 +280,16 @@ "type": "github" } }, - "flake-utils_10": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_2": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { 
@@ -354,107 +300,11 @@ }, "flake-utils_3": { "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_8": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": 
"sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_4" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { @@ -465,11 +315,11 @@ }, "get-flake": { "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", "owner": "ursi", "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", "type": "github" }, "original": { 
@@ -478,115 +328,14 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "nixvim", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "nixvim", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733175814, - "narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "bf23fe41082aa0289c209169302afd3397092f22", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "ixx": { - "inputs": { - "flake-utils": [ - "nixvim", - "nuschtosSearch", - "flake-utils" - ], - "nixpkgs": [ - "nixvim", - "nuschtosSearch", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729958008, - "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.6", - "repo": "ixx", - "type": "github" - } - }, "jay": { "flake": false, "locked": { - "lastModified": 
1732789238, - "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", + "lastModified": 1707233644, + "narHash": "sha256-VMbqnbhmevlWjVaabBgwB62CKQay6LrTyQ7XvDv/lC0=", "owner": "mahkoh", "repo": "jay", - "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", + "rev": "e7709f695f3cfcf9bb9e857cb488f0c7f269d719", "type": "github" }, "original": { @@ -597,15 +346,15 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_8", + "flake-utils": "flake-utils_2", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1733055216, - "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", + "lastModified": 1707048513, + "narHash": "sha256-gZh1mHkjtOmXrlgWWdl6G27NlKuNuruz1lOnhgmg1Nk=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", + "rev": "83a014ca34f5cf6ef441b760e12d503856f20b35", "type": "github" }, "original": { 
@@ -614,40 +363,48 @@ "type": "github" } }, - "nix-darwin": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, + "linux_x13s": { + "flake": false, "locked": { - "lastModified": 1733105089, - "narHash": "sha256-Qs3YmoLYUJ8g4RkFj2rMrzrP91e4ShAioC9s+vG6ENM=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "c6b65d946097baf3915dd51373251de98199280d", + "lastModified": 1706261399, + "narHash": "sha256-NJSN4j2VbFIPerb/bFqmaYbcHjxF3u6lijuXpC0USYo=", + "owner": "jhovold", + "repo": "linux", + "rev": "b929f8eed9ad1f156cae932dea741bc4383e6367", "type": "github" }, "original": { - "owner": "lnl7", - "repo": "nix-darwin", + "owner": "jhovold", + "ref": "wip/sc8280xp-v6.7", + "repo": "linux", "type": "github" } }, + "logseq_0_10_5_aarch64_appimage": { + "flake": false, + "locked": { + "narHash": "sha256-5uHRJpNcAzVRqyF5eR2sY0u/Q9rHXWh/g36/sehmSys=", + "type": "file", + "url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage" + }, + "original": { + "type": "file", + "url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage" + } + }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": "nixpkgs_4", + "nix-github-actions": "nix-github-actions", + "nixpkgs": "nixpkgs", "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1732631228, - "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", + "lastModified": 1705242886, + "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", + "rev": "6b03a93296faf174b97546fd573c8b379f523a8d", "type": "github" }, "original": { 
@@ -657,27 +414,6 @@ } }, "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { "inputs": { "nixpkgs": [ "nixpkgs-wayland", @@ -686,11 +422,11 @@ ] }, "locked": { - "lastModified": 1731952509, - "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", + "lastModified": 1701208414, + "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", + "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734", "type": "github" }, "original": { 
@@ -699,166 +435,6 @@ "type": "github" } }, - "nix-vscode-extensions": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1740852064, - "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "rev": "1b34da949d188b205b4132c2b726415fa19d5086", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "type": "github" - } - }, - "nix4vscode": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1733089477, - "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", - "owner": "nix-community", - "repo": "nix4vscode", - "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix4vscode", - "type": "github" - } - }, - "nixago": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixago-exts": "nixago-exts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714086354, - "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", - "owner": "jmgilman", - "repo": "nixago", - "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", - "type": "github" - }, - "original": { - "owner": "jmgilman", - "repo": "nixago", - "type": "github" - } - }, - "nixago-exts": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixago": "nixago_2", - "nixpkgs": [ - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070308, - "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "inputs": { - "flake-utils": 
"flake-utils_6", - "nixago": "nixago_3", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655508669, - "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070010, - "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", - "owner": "nix-community", - "repo": "nixago", - "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "rename-config-data", - "repo": "nixago", - "type": "github" - } - }, - "nixago_3": { - "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655405483, - "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", - "owner": "nix-community", - "repo": "nixago", - "rev": "e6a9566c18063db5b120e69e048d3627414e327d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago", - "type": "github" - } - }, "nixos-anywhere": { "inputs": { "disko": "disko", @@ -871,11 +447,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1733093391, - "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", + "lastModified": 1704629536, + "narHash": "sha256-hCMBZ61Kpj54JD/miAhhoSHWMyP6NWrOmYOSHd0rB4E=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", + "rev": "4c94cecf3dd551adf1359fb06aa926330f44e5a6", "type": "github" }, "original": { 
@@ -887,7 +463,7 @@ }, "nixos-images": { "inputs": { - "nixos-stable": [ + "nixos-2311": [ "nixos-anywhere", "nixos-stable" ], @@ -897,11 +473,11 @@ ] }, "locked": { - "lastModified": 1727367213, - "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", + "lastModified": 1702375325, + "narHash": "sha256-kEdrh6IB7xh7YDwZ0ZVCngCs+uoS9gx4ydEoJRnM1Is=", "owner": "nix-community", "repo": "nixos-images", - "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", + "rev": "d655cc02fcb9ecdcca4f3fb307e291a4b5be1339", "type": "github" }, "original": { @@ -912,27 +488,27 @@ }, "nixos-stable": { "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", + "lastModified": 1702233072, + "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", + "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1740547748, - "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", + "lastModified": 1703134684, + "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a05eebede89661660945da1f151959900903b6a", + "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", "type": "github" }, "original": { 
@@ -958,57 +534,63 @@ "type": "github" } }, - "nixpkgs-2411": { + "nixpkgs-2305": { "locked": { - "lastModified": 1733261153, - "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-gimp": { + "nixpkgs-2311": { "locked": { - "lastModified": 1735507908, - "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", - "owner": "jtojnar", + "lastModified": 1707091808, + "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "771cf18187fefcfaababd35834917c621447fee8", + "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e", "type": "github" }, "original": { - "owner": "jtojnar", - "ref": "gimp-meson", + "owner": "nixos", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1733015484, - "narHash": 
"sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", + "lastModified": 1707007541, + "narHash": "sha256-fuFppCuZO4wJAfodUkiWhtSxTb+pkBW+lJP2S51jRNU=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", + "rev": "948ff77600f9fff8c904d1e1ffb87a60773991af", "type": "github" }, "original": { 
@@ -1017,51 +599,51 @@ "type": "github" } }, - "nixpkgs-unstable": { + "nixpkgs-stable": { "locked": { - "lastModified": 1739446958, - "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", - "owner": "nixos", + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-vscodium": { + "nixpkgs-unstable-small": { "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "lastModified": 1707217908, + "narHash": "sha256-5Dauh04xrEZqlokpYWftfVmDrljORnA48tGrRp+TURM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "rev": "3b0709da3eeed918323399c68b1fe4309b2ac483", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_2", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1733388169, - "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", + "lastModified": 1707290091, + "narHash": "sha256-QX1lZCenEuNe/yFnPUuxEA5B3QJx3D5UEeLvWQ4QK1w=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", + "rev": "2a54a12e504659a36b20bfce96522b403fa73fdd", "type": "github" }, "original": { 
@@ -1072,11 +654,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1722421184, - "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", + "lastModified": 1707092692, + "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", + "rev": "faf912b086576fd1a15fca610166c98d47bc667e", "type": "github" }, "original": { 
@@ -1086,135 +668,14 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1722415718, - "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1732238832, - "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixvim": { - "inputs": { - "devshell": "devshell", - "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_4", - "git-hooks": "git-hooks", - "home-manager": "home-manager", - "nix-darwin": "nix-darwin", - "nixpkgs": [ - "nixpkgs" - ], - "nuschtosSearch": "nuschtosSearch", - "treefmt-nix": "treefmt-nix_3" - }, - "locked": { - "lastModified": 1733355056, - "narHash": "sha256-EOldkOLdgUVIa8ZJiHkqjD6yaW+AZiZwd94aBqfZERY=", - "owner": "nix-community", - "repo": "nixvim", - "rev": "277dbeb607210f6a6db656ac7eee9eef3143070c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixvim", - "type": "github" - } - }, - "nur": { - "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_4" - }, - "locked": { - "lastModified": 1737225765, - "narHash": 
"sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", - "owner": "nix-community", - "repo": "NUR", - "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nuschtosSearch": { - "inputs": { - "flake-utils": "flake-utils_9", - "ixx": "ixx", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733006402, - "narHash": "sha256-BC1CecAQISV5Q4LZK72Gx0+faemOwaChiD9rMVfDPoA=", - "owner": "NuschtOS", - "repo": "search", - "rev": "16307548b7a1247291c84ae6a12c0aacb07dfba2", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, "ofi-pass": { "flake": false, "locked": { - "lastModified": 1723412133, - "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", + "lastModified": 1691863924, + "narHash": "sha256-Vkm3QXjkLIu0RnM0w+upzAF9M7atKBPYqiV7f+eBKJY=", "owner": "sereinity", "repo": "ofi-pass", - "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", + "rev": "b20bd3440686429b113821c51a68b799675d5bb0", "type": "github" }, "original": { 
@@ -1223,106 +684,72 @@ "type": "github" } }, - "openvscode-server": { - "flake": false, - "locked": { - "lastModified": 1714076069, - "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", - "owner": "gitpod-io", - "repo": "openvscode-server", - "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", - "type": "github" - }, - "original": { - "owner": "gitpod-io", - "ref": "openvscode-server-v1.88.1", - "repo": "openvscode-server", - "type": "github" - } - }, "prs": { "flake": false, "locked": { - "lastModified": 1719086486, - "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", + "lastModified": 1692545676, + "narHash": "sha256-jA97WxXBgWtttXnTBxfb4lPEEFqRMflL1BYfDCYeVfo=", "owner": "timvisee", "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", + "rev": "308e753f769e5ddcda14d13eeeb7b40c5887e0ca", "type": "gitlab" }, "original": { "owner": "timvisee", + "ref": "master", "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", "type": "gitlab" } }, "root": { "inputs": { + "adamcstephens_stop-export": "adamcstephens_stop-export", "aphorme_launcher": "aphorme_launcher", + "brainwart_x13s-nixos": "brainwart_x13s-nixos", "colmena": "colmena", "crane": "crane", "disko": [ "nixos-anywhere", "disko" ], - "espanso": "espanso", + "dotfiles": "dotfiles", "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", - "nix-vscode-extensions": "nix-vscode-extensions", - "nix4vscode": "nix4vscode", - "nixago": "nixago", + "linux_x13s": "linux_x13s", + "logseq_0_10_5_aarch64_appimage": "logseq_0_10_5_aarch64_appimage", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ - "nixpkgs-2411" + "nixpkgs-2311" ], "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2411": "nixpkgs-2411", - "nixpkgs-gimp": "nixpkgs-gimp", - "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-vscodium": "nixpkgs-vscodium", + "nixpkgs-2305": "nixpkgs-2305", + "nixpkgs-2311": "nixpkgs-2311", + "nixpkgs-unstable": [ + "nixpkgs-unstable-small" + ], + 
"nixpkgs-unstable-small": "nixpkgs-unstable-small", "nixpkgs-wayland": "nixpkgs-wayland", - "nixvim": "nixvim", - "nur": "nur", "ofi-pass": "ofi-pass", - "openvscode-server": "openvscode-server", "prs": "prs", "radicalePkgs": [ "nixpkgs-2211" ], - "rperf": "rperf", + "salut": "salut", "sops-nix": "sops-nix", "srvos": "srvos", - "treefmt-nix": "treefmt-nix_5", "yofi": "yofi" } }, - "rperf": { - "flake": false, - "locked": { - "lastModified": 1712257145, - "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", - "owner": "steveej-forks", - "repo": "rperf", - "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "repo": "rperf", - "type": "github" - } - }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1733330394, - "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", + "lastModified": 1706875368, + "narHash": "sha256-KOBXxNurIU2lEmO6lR2A5El32X9x8ITt25McxKZ/Ew0=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", + "rev": "8f6a72871ec87ed53cfe43a09fb284168a284e7e", "type": "github" }, "original": { 
@@ -1332,36 +759,35 @@ "type": "github" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_3" - }, + "salut": { + "flake": false, "locked": { - "lastModified": 1722565199, - "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", - "type": "github" + "lastModified": 1671283721, + "narHash": "sha256-W0lhhImSXtYJDeMbxyEioYu/Bh7ZclwR1/5DzNbxM8o=", + "owner": "snakedye", + "repo": "salut", + "rev": "aa57c4d190812908a9c32cd49cff14390c6dfdcb", + "type": "gitlab" }, "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" + "owner": "snakedye", + "repo": "salut", + "type": "gitlab" } }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "lastModified": 1707015547, + "narHash": "sha256-YZr0OrqWPdbwBhxpBu69D32ngJZw8AMgZtJeaJn0e94=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "rev": "23f61b897c00b66855074db471ba016e0cda20dd", "type": "github" }, "original": { @@ -1372,16 +798,17 @@ }, "srvos": { "inputs": { + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1733365027, - "narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", + "lastModified": 1707160670, + "narHash": "sha256-svt/yQB8l/edU9yhYB78lIGKiaO7mXzUQvu/uJLZAVs=", "owner": "numtide", "repo": "srvos", - "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", + "rev": "977371a151fc3c96d6fac923b3032d07000e9490", "type": "github" }, "original": { 
@@ -1392,16 +819,16 @@ }, "stable": { "locked": { - "lastModified": 1730883749, - "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", + "lastModified": 1696039360, + "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", + "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } @@ -1421,66 +848,6 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -1489,11 +856,11 @@ ] }, "locked": { - "lastModified": 1727252110, - "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", + "lastModified": 1702376629, + "narHash": "sha256-9uAY8a7JN4DvLe/g4OoldqPbcNZ09YOVXID+CkIqL70=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", + "rev": "390018a9398f9763bfc05ffe6443ce0622cb9ba6", "type": "github" }, "original": { 
@@ -1511,73 +878,11 @@ ] }, "locked": { - "lastModified": 1723303070, - "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", + "lastModified": 1702979157, + "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "14c092e0326de759e16b37535161b3cb9770cea3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732894027, - "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_5": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738953846, - "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", + "rev": "2961375283668d867e64129c22af532de8e77734", "type": "github" }, "original": { 
@@ -1588,17 +893,17 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_10", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1725018627, - "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", + "lastModified": 1707043587, + "narHash": "sha256-bSuJX5BNN31XMFPinZhteeJO0M8ZHaSoXQXXwZ5MR1c=", "owner": "l4l", "repo": "yofi", - "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", + "rev": "5b67f8db1ee9bd1e09b3bf3354d08bd5e89f596e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 832b535..2538a15 100644 --- a/flake.nix +++ b/flake.nix @@ -1,18 +1,19 @@ # flake.nix { inputs = { - # TODO: where has this been used? - # dotfiles = { - # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; - # flake = false; - # }; + dotfiles = { + url = "gitlab:steveeJ/dotfiles"; + flake = false; + }; # flake and infra basics nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; radicalePkgs.follows = "nixpkgs-2211"; - nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.follows = "nixpkgs-2411"; + nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-unstable.follows = "nixpkgs-unstable-small"; + nixpkgs.follows = "nixpkgs-2311"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; 
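Review bot: `nixpkgs-unstable.follows = "nixpkgs-unstable-small";` changes what every consumer of `nixpkgs-unstable` in this repository evaluates against without saying why: the nixos-unstable-small channel advances after a much smaller Hydra test set than nixos-unstable, a deliberate trade of coverage for faster (including security) updates that should be written down, e.g. `# -small channel: fewer Hydra checks, faster fixes`. `dotfiles` is likewise added with `flake = false` and no hint of its consumer, which is exactly what the removed TODO was asking; a one-line comment naming the module that reads `inputs.dotfiles` would close that question. The `inputs` attrset opened here continues past the end of the hunk.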
@@ -24,13 +25,6 @@ nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; - - # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` - openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; - openvscode-server.flake = false; - colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; @@ -41,13 +35,14 @@ url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - crane.url = "github:ipetkov/crane"; - - sops-nix = { - url = "github:Mic92/sops-nix"; + crane = { + url = "github:ipetkov/crane"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # applications aphorme_launcher = { url = "github:Iaphetes/aphorme_launcher/main"; 
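Review bot: The `sops-nix` block only overrides `inputs.nixpkgs`, while the flake.lock hunks in this same diff show sops-nix now also pulling its own `nixpkgs-stable` input (`release-23.05`), a second full nixpkgs checkout in the closure next to the repository's `nixpkgs-2305`. If that extra tree is not wanted, `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs-2305";` dedupes it; presumably sops-nix uses that input only for its own checks, so the override should be harmless, but confirm before relying on it. Stylistically the block also switches to dotted `sops-nix.url = …;` lines while `colmena`, `fenix` and `crane` directly above use the `{ url = …; inputs.nixpkgs.follows = …; }` form; one form for all four keeps the list scannable.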
@@ -70,359 +65,261 @@ flake = false; }; + salut = { + url = "gitlab:snakedye/salut"; + flake = false; + }; + prs = { - # url = "gitlab:timvisee/prs/v0.5.2"; - url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; + url = "gitlab:timvisee/prs/master"; flake = false; }; - rperf = { - url = "github:steveej-forks/rperf"; + ### inputs for thinkpad x13s + # see https://github.com/jhovold/linux/wiki/X13s for status updates + linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; + linux_x13s.flake = false; + + brainwart_x13s-nixos = { + url = "github:BrainWart/x13s-nixos/flake"; flake = false; }; - # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; - - espanso = { + adamcstephens_stop-export = { flake = false; - url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; + url = "git+https://codeberg.org/adamcstephens/stop-export.git"; }; - nix4vscode = { - url = "github:nix-community/nix4vscode"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; - nixvim = { - # TODO: pin to nixos-24.11 once available - url = "github:nix-community/nixvim"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - treefmt-nix = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixago = { - url = "github:jmgilman/nixago"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # alsa-ucm-conf = { + # flake = false; + # url = "github:alsa-project/alsa-ucm-conf/master"; + # }; - nur = { - url = "github:nix-community/NUR"; - inputs.nixpkgs.follows = "nixpkgs"; + logseq_0_10_5_aarch64_appimage = { + flake = false; + url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"; }; - - nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; }; - outputs = - inputs@{ - self, - flake-parts, - nixpkgs, - ... - }: - let - inherit (nixpkgs) lib; + outputs = inputs @ { + self, + flake-parts, + nixpkgs, + ... 
+ }: let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } ( - { withSystem, ... }: - { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake {inherit inputs;} + ({withSystem, ...}: { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { + meta.nixpkgs = import inputs.nixpkgs.outPath { + system = builtins.elemAt systems 0; + }; + } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + (builtins.map + (nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; + }) [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # # "router0-dmz0" + + "sj-srv1" + "sj-bm-hostkey0" + + # "retro" + ]); + + # this makes nixos-anywhere work + flake.nixosConfigurations = let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; + in ( + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; + + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; + + # nixos-install 
--flake .\#retro_cross + retro_cross = retro.cross; + + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + } + ); + + inherit systems; + + perSystem = { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: { + imports = [ + ./nix/modules/flake-parts/perSystem/default.nix + ]; + + packages = let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; + + craneLib = + inputs.crane.lib.${system}.overrideToolchain + inputs'.fenix.packages.stable.toolchain; + + craneLibOfiPass = + inputs.crane.lib.${system}.overrideToolchain ( - builtins.map - ( - nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); - } - ) - [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - ] + inputs'.fenix.packages.stable.toolchain + # .override { + # date = "1.60.0"; + # } ); + in { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - flake.lib = { - inherit withSystem; + # broken as of 2023-04-27 because it doesn't load without a config + # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; + # yofi = inputs'.yofi.packages.default; + # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; + + inherit (inputs'.colmena.packages) colmena; + + # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { + # src = inputs.jay; + # rustPlatform = pkgs.makeRustPlatform { + # cargo = inputs'.fenix.packages.stable.toolchain; + # rustc = inputs'.fenix.packages.stable.toolchain; + # }; + # }; + + salut = craneLib.buildPackage { + src = inputs.salut; + nativeBuildInputs = [ + 
pkgs.pkg-config + ]; + buildInputs = [ + pkgs.libxkbcommon + pkgs.fontconfig + ]; + }; + + prs = + pkgs.callPackage + ({ + pkgs, + dbus, + glib, + gpgme, + gtk3, + libxcb, + libxkbcommon, + installShellFiles, + pkg-config, + python3, + }: + craneLib.buildPackage { + pname = "prs"; + version = inputs.prs.shortRev; + src = inputs.prs; + nativeBuildInputs = [gpgme installShellFiles pkg-config python3]; + + buildInputs = [ + dbus + glib + gpgme + gtk3 + libxcb + libxkbcommon + ]; + + cargoExtraArgs = "--features backend-gpgme"; + + postInstall = '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + }) + {}; + + nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" 
+ + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + logseq = + pkgs.callPackage ./nix/pkgs/logseq + (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage; + }); }; - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; - in - colmenaHive - // { - router0-dmz0 = router0-dmz0.native; + formatter = pkgs.alejandra; - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = - (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = - (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + devShells = let + all = import ./nix/devShells.nix { + inherit + self' + inputs' + pkgs + ; }; + in (all // {default = all.develop;}); + }; - inherit systems; - - perSystem = - { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: - { - imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; - - _prsPackage = - { - lib, - rustPlatform, - installShellFiles, - pkg-config, - python3, - glib, - gpgme, - gtk3, - stdenv, - cargoHash ? 
"sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", - src, - version, - makeWrapper, - skim, - }: - - rustPlatform.buildRustPackage rec { - pname = "prs"; - - inherit src version cargoHash; - - nativeBuildInputs = [ - gpgme - installShellFiles - pkg-config - python3 - makeWrapper - ]; - - cargoBuildFlags = [ - "--no-default-features" - "--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp" - ]; - - buildInputs = [ - glib - gpgme - gtk3 - ]; - - postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - - postFixup = '' - wrapProgram $out/bin/prs \ - --prefix PATH : ${lib.makeBinPath [ skim ]} - ''; - - meta = with lib; { - description = "Secure, fast & convenient password manager CLI using GPG and git to sync"; - homepage = "https://gitlab.com/timvisee/prs"; - changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md"; - license = with licenses; [ - lgpl3Only # lib - gpl3Only # everything else - ]; - maintainers = with maintainers; [ dotlambda ]; - mainProgram = "prs"; - }; - }; - - local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' - set -x - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=0 \ - # --x-unscale=3 \ - --verbose - ''; - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - inherit (inputs'.colmena.packages) colmena; - - prs = pkgs.callPackage _prsPackage { - src = inputs.prs; - version = inputs.prs.shortRev; - cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8="; - }; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 
wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" - - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ pkgs.pkg-config ]; - buildInputs = [ ]; - }; - - inherit local-xwayland; - - inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; - - }; - - formatter = - let - settingsNix = { - projectRootFile = ".git/config"; - - package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; - - programs = { - nixfmt.enable = true; - deadnix.enable = true; - statix.enable = true; - - shfmt.enable = true; - shellcheck.enable = true; - - prettier.enable = true; - just = { - enable = true; - includes = [ - "*/Justfile" - "Justfile" - ]; - }; - } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; - - settings = { - global.excludes = [ - "LICENSE" - "secrets/" - ".git-crypt/" - - # unsupported extensions - "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" - ]; - - formatter = { - deadnix = { - priority = 1; - options = [ "--no-underscore" ]; - }; - - nixfmt = { - priority = 2; - }; - - statix = { - priority = 3; - }; - - prettier = { - options = [ - "--tab-width" - "2" - ]; - includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; - }; - }; - }; - }; - eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; - in - eval.config.build.wrapper.overrideAttrs (_: { - passthru = { - inherit (eval.config) package settings; - }; - 
});
-
- devShells =
- let
- all = import ./nix/devShells.nix {
- inherit
- self
- self'
- inputs'
- pkgs
- ;
- };
- in
- all
- // {
- default = all.develop;
- };
- };
- }
- );
+ flake.nixosModules = {
+ # thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; }));
+ };
+ });
 }
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
deleted file mode 100644
index ea5b5b8..0000000
Binary files a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw and /dev/null differ
diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh
index 1025cb4..6cfab1a 100755
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -xe
-[ -n "$NAME" ]
+[ ! -z "$NAME" ]
 nix-build . --show-trace -A "$NAME"
-docker image rm "$NAME":latest --force
+docker image rm "$NAME":latest --force
 docker load -i result
diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix
index 67f516d..7dcab2a 100644
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@@ -1,10 +1,6 @@
-{
- pkgs ? import { },
-}:
-let
- baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
-in
-rec {
+{pkgs ? import {}}: let
+ baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+in rec {
 base = pkgs.dockerTools.buildImage rec {
 name = "base";
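Review bot: `prs` moves from a commit-pinned URL to `gitlab:timvisee/prs/master`, so although flake.lock still records an exact rev, the next `nix flake update` silently takes whatever master's HEAD is and `version = inputs.prs.shortRev` drifts with it; for a tool that handles GPG-encrypted passwords a tag or commit in the URL keeps each bump an explicit, reviewable decision. `linux_x13s` on the `wip/sc8280xp-v6.7` branch has the same property, and `logseq_0_10_5_aarch64_appimage` is a bare HTTPS download of an AppImage from a personal web server whose integrity rests solely on the `narHash` in flake.lock, which deserves a comment such as `# pinned only by the narHash in flake.lock; re-verify on update`. `craneLibOfiPass` is computed but its only consumer is commented out, so it is dead code. `sj-vps-htz0` is not among the node names passed to `builtins.map`, so the `self.colmena.sj-vps-htz0.deployment.targetHost` reference in `syncthing-container-webui` presumably comes from one of the listed device imports; confirm it still evaluates. The `inputs` attrset these entries belong to opens outside the hunk.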
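Review bot: `[ ! -z "$NAME" ]` is the double-negated spelling of the `[ -n "$NAME" ]` it replaces, and under `set -e` an unset `NAME` still aborts the script with nothing but the `set -x` trace of a failed test; `: "${NAME:?NAME must be set}"` checks and explains in one line. The `docker image rm` line is swapped for a visually identical one, which points to a trailing-whitespace or line-ending difference this rendering cannot show; `git diff --ws-error-highlight=all` makes it visible. Everything downstream passes `"$NAME"` quoted to `nix-build -A` and `docker`, which is fine as it stands.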
@@ -25,70 +21,59 @@ rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [ - procps - zsh - coreutils - neovim - ]; + contents = with pkgs; [procps zsh coreutils neovim]; - config = { - Cmd = [ "/bin/zsh" ]; - }; + config = {Cmd = ["/bin/zsh"];}; }; - s3ql = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ - --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi - - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi - # FIXME: touch .isbucket after mount - ''; - in + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ + --log none \ + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket + + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [ - pkgs.s3ql - pkgs.fuse - ]; + contents = [pkgs.s3ql 
pkgs.fuse]; runAsRoot = '' #!${pkgs.stdenv.shell} 
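Review bot: In the s3ql entrypoint the `fsck.s3ql` invocation expands `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted, while the `mount.s3ql` call a few lines below quotes the same three variables; quoting them consistently (`--authfile "$S3QL_AUTHINFO2" \`, `--cachedir "$S3QL_CACHE_DIR" \`, `"$S3QL_STORAGE_URL"`) avoids word-splitting and matches the rest of the script. The script also checks `S3QL_BUCKET`, `S3QL_STORAGE_URL` and `S3QL_CACHESIZE` explicitly but not `S3QL_AUTHINFO2` or `S3QL_CACHE_DIR`; they get defaults from the image's `Env` in the next hunk, but if a caller overrides them to empty, an empty `--authfile` reaches fsck.s3ql with no diagnostic. The `# FIXME: touch .isbucket after mount` is still open, and the syncthing image in the following hunk refuses to start unless `/data/.isbucket` exists, so the two images presumably do not yet work together without a manual step.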
@@ -99,58 +84,57 @@ rec { ''; config = { - Env = baseEnv ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [ entrypoint ]; + Env = + baseEnv + ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [entrypoint]; Volumes = { - "/var/cache/s3ql" = { }; - "/etc/s3ql/authinfo2" = { }; - "/buckets" = { }; - "/tmp" = { }; + "/var/cache/s3ql" = {}; + "/etc/s3ql/authinfo2" = {}; + "/buckets" = {}; + "/tmp" = {}; }; }; }; - syncthing = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; - Cmd = [ entrypoint ]; - Volumes = { - "/data" = { }; - }; + Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; + Cmd = [entrypoint]; + Volumes = {"/data" = {};}; }; }; } 
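Review bot: In the syncthing entrypoint the `SYNCTHING_HOME` writability check only echoes an error and falls through to `exec syncthing`, unlike the two checks above it that `exit 1`; add `exit 1` after the `echo ERROR : SYNCTHING_HOME is not writable` line so the container fails fast instead of starting syncthing against an unwritable home. `-home $SYNCTHING_HOME` and `-gui-address=$SYNCTHING_GUI_ADDRESS` are also unquoted; `-home "$SYNCTHING_HOME" \` and `-gui-address="$SYNCTHING_GUI_ADDRESS" \` preserve the values as single words.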
diff --git a/nix/default.nix b/nix/default.nix index f8947e0..888a4e9 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,34 +1,26 @@ -{ versionsPath }: -let +{versionsPath}: let channelVersions = import versionsPath; - mkChannelSource = - name: - let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = name: let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" ( - builtins.map ( - elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - builtins.concatStringsSep "=" [ - elemName - elemPath - ] - + suffix - ) (builtins.attrNames channelVersions) - ); - pkgs = import (mkChannelSource "nixpkgs") { }; -in -{ + nixPath = builtins.concatStringsSep ":" (builtins.map + (elemName: let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = + if builtins.hasAttr "suffix" elem + then elem.suffix + else ""; + in + builtins.concatStringsSep "=" [elemName elemPath] + suffix) + (builtins.attrNames channelVersions)); + pkgs = import (mkChannelSource "nixpkgs") {}; +in { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index aa4eda5..4cac540 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -1,10 +1,8 @@ { - self, self', inputs', pkgs, -}: -{ +}: { install = pkgs.mkShell { name = "infra-install"; packages = with pkgs; [ 
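Review bot: `suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""` inside `nixPath` is the long form of Nix's attribute fallback; `suffix = elem.suffix or "";` reads the same, and the two `builtins.getAttr name channelVersions` calls can be `channelVersions.${name}`. A one-line comment on `suffix` saying what it is meant to append to the `name=path` entry would help, since the shape of `versionsPath` and the `channels.rc` consumer are both outside this hunk.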
@@ -19,9 +17,10 @@ develop = pkgs.mkShell { name = "infra-develop"; - inputsFrom = [ self'.devShells.install ]; + inputsFrom = [ + self'.devShells.install + ]; packages = with pkgs; [ - self'.formatter # .package inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere @@ -36,7 +35,6 @@ inputs'.sops-nix.packages.default sops nil - nix-index apacheHttpd @@ -67,7 +65,6 @@ # hedgedoc-cli xwayland - pulsemixer (pkgs.writeShellScriptBin "rflk" '' exec nix run nixpkgs#$@ @@ -76,28 +73,9 @@ (pkgs.writeShellScriptBin "r11" '' exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ '') - - jq - yq - wireguard-tools - - screen - - inputs'.nixpkgs-unstable.legacyPackages.kanidm ]; # Set Environment Variables RUST_BACKTRACE = 1; - - KANIDM_URL = - self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; - - shellHook = builtins.concatStringsSep "\n" [ - # (self.inputs.nixago.lib.${pkgs.system}.make { - # data = self'.formatter.settings; - # output = "treefmt.toml"; - # format = "toml"; - # }).shellHook - ]; }; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 921c4dc..56f7820 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -4,15 +4,12 @@ config, # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, - repoFlake, + packages', ... -}: -let - pkgsUnstable = - pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); -in -{ +}: let + # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; + pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;}; +in { imports = [ ../profiles/common.nix # ../profiles/dotfiles.nix 
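Review bot: The `r11` wrapper in devShells.nix ends in an unquoted `$@`, so an argument containing spaces is re-split before `env` runs it; `exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" "$@"` preserves the caller's words. The `rflk` wrapper has the same pattern in `exec nix run nixpkgs#$@`, where only the first word is meant to complete the flake reference; `exec nix run "nixpkgs#$1" -- "${@:2}"` separates the attribute from the program's arguments. Both lines are context here rather than changed by this commit, but they are the code the reindented hunks leave in place.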
@@ -35,41 +32,19 @@ in ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" - ]; - - nixpkgs.config.allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-28.3.3" - "electron-27.3.11" - ]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; nixpkgs.config.permittedInsecurePackages = [ - "electron-28.3.3" - "electron-27.3.11" + "electron-25.9.0" ]; - nixpkgs.config.allowUnfree = [ - "electron-28.3.3" - "electron-27.3.11" - ]; - - # nixpkgs.config.allowUnfreePredicate = pkg: - # builtins.elem (lib.getName pkg) [ - # "smartgithg" - # "electron-27.3.11" - # ]; - home.packages = - (with pkgs; [ + [] + ++ (with pkgs; [ # Authentication # cacert # fprintd @@ -105,13 +80,14 @@ in # Password Management gnupg - yubikey-manager + # yubikey-manager + yubikey-manager-qt yubikey-personalization yubikey-personalization-gui # gnome.gnome-keyring gcr - seahorse + gnome.seahorse # Language Support hunspellDicts.en-us 
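Review bot: `nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0"]` allowlists a specific insecure Electron build for the whole home configuration, but nothing in the hunk records which package pulls it in, so the exception will outlive its reason; a comment such as `# electron-25.9.0: needed by <package — TODO confirm>; drop once it moves to a supported Electron` next to it keeps the allowlist reviewable. In the preceding hunk, `pkgsUnstableSmall` is instantiated with only `system` and `config`, whereas the expression it replaces also forwarded `overlays`; packages provided by overlays will not be visible through `pkgsUnstableSmall`, so confirm that is intended.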
@@ -120,28 +96,49 @@ in # Messaging/Communication # pidgin # hexchat - pkgsUnstable.element-desktop + # schildichat-desktop # insecure as of 2023-12-16 aspellDicts.en aspellDicts.de # skypeforlinux # pkgsUnstable.jitsi-meet-electron - thunderbird-128 - # betterbird + thunderbird + evolution # gnome4.glib_networking # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop - pkgsUnstable.tdesktop - pkgsUnstable.signal-desktop-source + tdesktop + + ( + let + version = "6.44.0"; + in + pkgsUnstableSmall.signal-desktop.overrideAttrs (old: + lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + inherit version; + src = + builtins.fetchurl + { + url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb"; + sha256 = + # lib.fakeSha256 + "sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k"; + }; + }) + ) + + thunderbird + + # gnome.cheese # Virtualization - virt-manager + # virtmanager # Remote Control Tools remmina # freerdp # Audio/Video Players - # ffmpeg + ffmpeg vlc # v4l-utils # audacity @@ -149,8 +146,6 @@ in yt-dlp (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam - libcamera - snapshot # Network Tools tcpdump @@ -161,11 +156,11 @@ in nethogs # Code Editing and Programming - # TODO(remove or use): pkgsUnstable.lapce - # TODO(remve or use): pkgsUnstable.helix + # pkgsUnstableSmall.lapce + # pkgsUnstableSmall.helix # Image/Graphic/Design Tools - eog + gnome.eog # gimp # imagemagick # exiv2 @@ -187,11 +182,10 @@ in # cdrtools # Document Processing and Management - nautilus + gnome.nautilus pcmanfm # mendeley evince - xournalpp # File Synchronzation maestral @@ -215,7 +209,7 @@ in # dex coreutils lsof - xdg-utils + xdg_utils xdg-user-dirs dconf picocom 
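Review bot: The `signal-desktop` override on aarch64 replaces the upstream source with a prebuilt `.deb` fetched from a third-party GitHub repository (`0mniteck/Signal-Desktop-Mobian`); the `sha256` pin makes the fetch reproducible, but it does not establish who built the binary, so a comment recording why this build is trusted and how the pinned hash was verified belongs next to `src`. `builtins.fetchurl` also downloads at evaluation time rather than as a sandboxed fixed-output derivation, which `pkgs.fetchurl { inherit url sha256; }` would give with the same pin. Separately, `thunderbird` now appears twice in this package list (once after `evolution`, again after the signal override), so one of the two can go.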
@@ -231,6 +225,7 @@ in # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle + # obs-studio # shotcut # openshot-qt # introduces python: screenkey @@ -244,24 +239,63 @@ in # libretro.snes9x2010 # retroarchFull - # pkgs.logseq-bin - pkgs.logseq - # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) + packages'.logseq + # (pkgs.runCommand "logseq-wrapper" + # { + # nativeBuildInputs = [ pkgs.makeWrapper ]; + # } '' + # makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \ + # --set NIXOS_OZONE_WL "" + # '') ]) - ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - pkgsUnstable.ledger-live-desktop + ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + ( + pkgs.banana-accounting.overrideDerivation + (attrs: + with nodeFlake.inputs'.nixpkgs-2211.legacyPackages; { + # dontWrapGApps = true; + + srcs = builtins.fetchurl { + # hosted via https://web3.storage + url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; + + sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; + }; + + # nativeBuildInputs = + # attrs.nativeBuildInputs + # ++ [ + # qt5.qtbase + # qt5.wrapQtAppsHook + # ]; + + # buildInputs = + # attrs.buildInputs + # ++ [ + # qt5.qtwayland + # ]; + + # preFixup = + # (attrs.preFixup or "") + # + '' + # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") + # ''; + }) + ) + + pkgsUnstableSmall.ledger-live-desktop # unsupported on aarch64-linux pkgs.androidenv.androidPkgs_9_0.platform-tools pkgs.teamviewer pkgs.discord - pkgsUnstable.session-desktop - pkgsUnstable.rustdesk + pkgsUnstableSmall.session-desktop + pkgsUnstableSmall.rustdesk ]); systemd.user.startServices = true; - services.syncthing.enable = true; services.udiskie = { 
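Review bot: The `banana-accounting` override sets `srcs` (plural), so unless the package's builder reads `srcs` rather than `src`, this fetch is never used and the original source still builds — worth confirming against the package definition, which is outside this diff. The `with nodeFlake.inputs'.nixpkgs-2211.legacyPackages;` scope and the commented-out `nativeBuildInputs`/`buildInputs`/`preFixup` blocks no longer contribute anything and read as dead code; either restore them or remove the `with`. The first `lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ]` list is now empty and can be deleted.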
diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 5eaebd1..12e1948 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix @@ -1,8 +1,13 @@ -{ pkgs, ... }: { - home.packages = with pkgs; [ - gnome.gnome-tweaks - gnome.gnome-keyring - gnome.seahorse - ]; + pkgs, + config, + ... +}: { + home.packages = + [] + ++ (with pkgs; [ + gnome.gnome-tweaks + gnome.gnome-keyring + gnome.seahorse + ]); } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index d6296a2..faac0d5 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,5 +1,8 @@ -{ pkgs, ... }: { + pkgs, + config, + ... +}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
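Review bot: `config` is added to the argument set of graphical-gnome3.nix, but the file (fully visible in this hunk) never reads it; graphical-removable.nix receives the same unused parameter, though the rest of that file is outside its hunk. `home.packages = [] ++ (with pkgs; [ … ])` is a no-op concatenation that `home.packages = with pkgs; [ … ];` expresses directly; the same `[] ++` prefix recurs in the graphical-removable.nix, common.nix and graphical-fullblown.nix hunks.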
@@ -13,87 +16,89 @@ ../programs/pass.nix ]; - home.packages = with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + home.packages = + [] + ++ (with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Version Control Systems - gitless + # Version Control Systems + gitless - # Process/System Administration - htop - gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Password Management - gnome.gnome-keyring - gnome.seahorse + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Remote Control Tools - remmina - freerdp + # Remote Control Tools + remmina + freerdp - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # samba - iptables - nftables - wireshark + # samba + iptables + nftables + wireshark - # Code Editors - xclip - xsel + # Code Editors + xclip + xsel - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Misc Development Tools - qrcode - jq - cdrtools + # Misc Development Tools + qrcode + jq + cdrtools - # Document Processing and Management - zathura + # Document Processing and Management + zathura - # File Synchronzation - rsync + # File Synchronzation + rsync - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - packages'.myPython + packages'.myPython - # Virtualization - virtmanager - ]; + # Virtualization + virtmanager + ]); } 
diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 7436034..b731c1d 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,19 +1,14 @@ -_: { - mkSimpleTrayService = - { execStart }: - { - Unit = { - Description = ""; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = execStart; - }; +{}: let +in { + mkSimpleTrayService = {execStart}: { + Unit = { + Description = ""; + After = ["graphical-session-pre.target"]; + PartOf = ["graphical-session.target"]; }; + + Install = {WantedBy = ["graphical-session.target"];}; + + Service = {ExecStart = execStart;}; + }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 77f6e57..9df371b 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,7 +1,8 @@ -{ pkgs, lib, ... }: { - home.stateVersion = lib.mkDefault "23.11"; - + pkgs, + lib, + ... +}: { # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; @@ -10,27 +11,8 @@ nixpkgs.config = { allowBroken = false; allowUnfree = true; - allowUnsupportedSystem = true; - allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-32.3.3" - "electron" - ]; - - permittedInsecurePackages = [ - "electron-32.3.3" - "electron" - ]; - - allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "obsidian" - "vivaldi" - "aspell-dict-en-science" - ]; + permittedInsecurePackages = []; }; home.keyboard = { 
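Review bot: The common.nix hunk drops `home.stateVersion = lib.mkDefault "23.11"` from the shared profile without setting it anywhere else in this diff; home-manager treats `home.stateVersion` as a required option, so every configuration importing this profile must now define it or evaluation fails — confirm the importing configurations do. In lib.nix the new `{}: let in {` header carries an empty `let`; `{}: {` is equivalent, and the `{}` pattern means callers must pass exactly an empty set, which the `import ../lib.nix {}` call sites in the qtile and sway hunks do. `Description = "";` on the generated unit is what `systemctl --user status` will show for every tray service; a short description per caller would make them distinguishable.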
@@ -53,45 +35,47 @@ programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = with pkgs; [ - coreutils + home.packages = + [] + ++ (with pkgs; [ + coreutils - vcsh + vcsh - htop - iperf3 - nethogs + htop + iperf3 + nethogs - # Authentication - cacert - openssl - mkpasswd + # Authentication + cacert + openssl + mkpasswd - just - ripgrep - du-dust + just + ripgrep + du-dust - elfutils - exfat - file - tree - pwgen - proot + elfutils + exfat + file + tree + pwgen + proot - parted - pv - tmux - wget - curl + parted + pv + tmux + wget + curl - # git helpers - git-crypt - gitFull - pastebinit - gist - mr + # git helpers + git-crypt + gitFull + pastebinit + gist + mr - usbutils - pciutils - ]; + usbutils + pciutils + ]); } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index a7bddd9..670ea75 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix 
@@ -1,4 +1,45 @@ -_: { +{ + repoFlake, + pkgs, + config, + repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", + repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", + ... +}: let + repoBareLocal = + pkgs.runCommand "fetchbare" + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; + vcshActivationScript = pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) + + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } + + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + ''; +in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 2a866f2..84d629f 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
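Review bot: `repoBareLocal` is a fixed-output derivation whose `outputHash` is the all-zero placeholder, so it can never be realised (the hash check fails on first build); since its only consumer, `home.activation.vcsh`, is commented out, the whole `let` block is dead code on the new side. Either record the real hash (using `lib.fakeSha256` as the conventional placeholder while obtaining it) or drop the block; note that `git clone --mirror` of an unpinned repository is not a stable fixed output, so the hash would drift with every upstream push. The same placeholder-hash derivation and activation script are duplicated in the vcsh.tmpl.nix hunk, where `$HOST` and `$1`/`$2` in `set_remotes` are likewise unquoted.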
@@ -3,40 +3,38 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: -let +}: let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } - '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in -pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) + pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi -'' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + '' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index d57a051..13d87d7 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -1,6 +1,16 @@ -{ packages', ... }: { - imports = [ ../profiles/wayland-desktop.nix ]; + pkgs, + config, + lib, + nodeFlake, + packages', + ... +}: let + pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; +in { + imports = [ + ../profiles/wayland-desktop.nix + ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index 5051205..b0a7a7b 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -1,6 +1,13 @@ -{ pkgs, ... }: { - imports = [ ../profiles/wayland-desktop.nix ]; + pkgs, + config, + lib, + ... +}: let +in { + imports = [ + ../profiles/wayland-desktop.nix + ]; services = { gnome-keyring.enable = false; 
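Review bot: `pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}` in experimental-desktop.nix instantiates a second nixpkgs through `callPackage`, which presumably passes whatever host `pkgs` attributes match nixpkgs' entry arguments (`config`, `overlays`, `system`); the `import … {inherit (pkgs) system config;}` form used in the graphical-fullblown.nix hunk states what is forwarded explicitly and is the idiom elsewhere in this diff. Nothing in the hunk reads `pkgsUnstable`, `config`, `lib` or `packages'`; the rest of experimental-desktop.nix is outside the hunk. The gnome-desktop.nix header hunk that follows has the same unused `config`/`lib` parameters plus an empty `let in`.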
@@ -16,85 +23,87 @@ # Hidden=true # ''; - services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; + services.gpg-agent.pinentryFlavor = "gnome3"; - dconf.settings = - let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( - (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = + builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") + ( + (builtins.length manualKeybindings) + + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = - i: - if i < 10 then - i - else if i == 10 then - 0 - else - throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = i: + if i < 10 + then i + else if i == 10 + then 0 + else throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = [ "l" ]; + screensaver = ["l"]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ( - (builtins.genList (i: { - name = "switch-to-application-${toString (i + 1)}"; - 
value = [ ]; - }) numWorkspaces) + "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList + (i: { + name = "switch-to-application-${toString (i + 1)}"; + value = []; + }) + numWorkspaces) ++ [ { name = "toggle-overview"; - value = [ ]; + value = []; } - ] - ); + ]); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( - builtins.genList (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList + (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ "${toString (mapToNumber (i + 1))}" ]; - }) numWorkspaces - ); + value = [ + "${toString (mapToNumber (i + 1))}" + ]; + }) + numWorkspaces); } - // builtins.listToAttrs ( - builtins.genList (i: { + // builtins.listToAttrs (builtins.genList + (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) (builtins.length manualKeybindings) - ) - // builtins.listToAttrs ( - builtins.genList (i: { + }) + (builtins.length manualKeybindings)) + // builtins.listToAttrs (builtins.genList + (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) numWorkspaces - ); + }) + numWorkspaces); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index fc52ec6..68f21c7 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
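Review bot: `throw "i exceeds 10: ${i}"` in `mapToNumber` interpolates an integer, which Nix rejects with a coercion error, so the error path raises a different error than the message intends; `else throw "i exceeds 10: ${toString i}";`. The branch is unreachable with `numWorkspaces = 10`, which is why it has gone unnoticed. `services.gpg-agent.pinentryFlavor = "gnome3"` replaces `pinentryPackage`; which of the two options exists depends on the pinned home-manager release, so this only evaluates if the pin matches — confirm against the flake lock, which is outside this diff.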
@@ -1,22 +1,28 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: let +in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel + fi + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels - fi - ''}; + '' + }; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 84d9c21..da12f62 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,14 @@ -{ pkgs, ... }: -let +{ + pkgs, + config, + ... +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [ - pulseaudio - findutils - gnugrep - ] + lib.makeBinPath [pulseaudio findutils gnugrep] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
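Review bot: The nix-channels activation script's outer test checks `$HOME/.nix-channels` but the inner loop reads `$HOME/.nix-channel` (no `s`); nix-channel keeps its subscriptions in `~/.nix-channels`, so the `nix-channel --remove` loop presumably never runs and the file is only moved aside. Pointing both at the same file — `if test -f $HOME/.nix-channels; then while read url channel; do nix-channel --remove "$channel"; done < $HOME/.nix-channels` — would actually unsubscribe, and quoting `"$channel"` matters because the script runs under `set -ex`. The reindent keeps this path unchanged in the new side.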
@@ -33,7 +33,7 @@ let terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH set -xe @@ -56,7 +56,7 @@ let ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH revert() { ${dpmsScript} default @@ -251,8 +251,7 @@ let def print_new_window(window): print("new window: ", window) ''; -in -{ +in { services = { gnome-keyring.enable = true; blueman-applet.enable = true; @@ -287,7 +286,7 @@ in networkmanagerapplet gnome-icon-theme gnome.gnome-themes-extra - adwaita-icon-theme + gnome.adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index c6b1e1f..284a8a1 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,64 +1,62 @@ -/* - TODO: create helper scripts for sharing of a screen portion - ``` - - # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. - swaymsg create_output - - # find the name and the workspace number - swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' - - swaymsg output HEADLESS-1 mode 1920@108060Hz - - # mirror the headless workspace on the current one - nix run nixpkgs\#wl-mirror -- HEADLESS-1 - - # shift windows to the workspace and switch the focus to it -*/ { pkgs, config, lib, # packages', + repoFlakeInputs', ... -}: -let +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in -{ +in { imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix + # ../programs/salut.nix ]; + # TODO: autostart + # environment.loginShellInit = '' + # if [[ "$(tty)" == /dev/tty1 ]]; then + # echo starting sway.. + # exec sway + # fi + # ''; + + services = { + # TODO: doesn't work with 2 screens + # flameshot.enable = true; + }; + services.dunst = { enable = true; }; - services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; + services.gpg-agent.pinentryFlavor = "gnome3"; home.packages = [ pkgs.swayidle pkgs.swaylock ## themes - pkgs.adwaita-icon-theme + pkgs.gnome.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.gnome-icon-theme ## fonts - # pkgs.nerd-fonts # TODO: reinstall selected ones pkgs.dejavu_fonts # just a basic good fond pkgs.font-awesome_5 # needed by i3status-rust + pkgs.nerdfonts pkgs.font-awesome pkgs.roboto pkgs.ttf_bitstream_vera pkgs.noto-fonts + pkgs.noto-fonts-cjk pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-emoji 
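Review bot: `pkgs.nerdfonts` pulls in the entire Nerd Fonts collection, while the comment it replaces (`# pkgs.nerd-fonts # TODO: reinstall selected ones`) indicates only a subset was wanted; if the full set is not intended, `(pkgs.nerdfonts.override { fonts = [ … ]; })` keeps the closure small. `pkgs.noto-fonts-cjk` is added next to `noto-fonts-cjk-sans`/`-serif`; in nixpkgs the unsuffixed name is, as far as I know, an alias of the sans package, so this presumably installs the same derivation twice. `repoFlakeInputs'` is added to the argument set but nothing in the hunk reads it; the rest of sway-desktop.nix is outside this hunk.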
@@ -73,146 +71,118 @@ in pkgs.dina-font pkgs.monoid pkgs.hermit - ### found on colemickens' repo + # found on colemickens' repo pkgs.gelasio # metric-compatible with Georgia pkgs.powerline-symbols pkgs.iosevka-comfy.comfy-fixed - ## experimental stuff + # experimental stuff pkgs.fuzzel ]; - # TODO: configure kanshi to always set the 5K resolution - # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" - # Make: Philips Consumer Electronics Company - # Model: PHL 499P9 - # Serial: AU02419010010 - # Physical size: 1190x340 mm - # Enabled: yes - # Modes: - # 3840x1080 px, 59.967999 Hz (preferred) - # 5120x1440 px, 59.977001 Hz (current) - wayland.windowManager.sway = { enable = true; systemd.enable = true; - xwayland = false; + xwayland = true; - config = - let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) - left - right - up - down - ; - in - { - inherit modifier; - bars = [ ]; + config = let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) left right up down; + in { + inherit modifier; + bars = []; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; - - "type:touchpad" = { - natural_scroll = "enabled"; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; }; - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - "1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; - 
}; + "type:touchpad" = { + natural_scroll = "enabled"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. 
- # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - '' - ); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - '' - ); - } - ]; - - colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = 
"workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + ''); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + ''); + } + ]; + + colors.focused = lib.mkOptionDefault { + childBorder = lib.mkForce "#ffa500"; + }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; + }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 2f0d2ee..cf77c15 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,14 +1,16 @@ { pkgs, + config, lib, repoFlake, + nodeFlake, ... -}: -let +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; -in -{ + wayprompt = nixpkgs-wayland'.wayprompt; +in { fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; @@ -24,15 +26,14 @@ in systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = [ "graphical-session-pre.target" ]; + Requires = ["graphical-session-pre.target"]; }; }; - home.packages = - with pkgs; + home.packages = with pkgs; [ # required by network-manager-applet - networkmanagerapplet + pkgs.networkmanagerapplet wlr-randr wayout 
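Review bot: `xwayland = true;` reverses the previous `false` with no comment saying which X11 client needs it; every Xwayland client shares one X server with no client isolation, so any X11 app can observe the windows and input events of the other X11 apps, which deserves a why-comment such as `xwayland = true; # needed for <app>; X11 clients are not isolated from each other`. The new side also reinstates `"${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";`, which the removed side had disabled with a TODO about triggering it accidentally; the stock sway config guards this binding behind a `swaynag` confirmation prompt, and wrapping it the same way keeps the key without the surprise logout. The `home.packages` list this hunk starts in opens before the hunk.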
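Review bot: `wayprompt = nixpkgs-wayland'.wayprompt;` and the new `inherit (import ../lib.nix {}) mkSimpleTrayService;` are bound in the `let` but referenced nowhere in this hunk, and `nodeFlake` is added to the argument set likewise; if the rest of the file, which lies beyond the hunk, does not use them they are dead bindings and should go. Inside `home.packages = with pkgs; [` the entry `pkgs.networkmanagerapplet` re-qualifies a name the `with` already provides; plain `networkmanagerapplet`, as on the removed side, matches the rest of the list.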
@@ -47,34 +48,29 @@ in # TODO: whwat's this for? # wltype + pavucontrol + playerctl + pasystray qt5.qtwayland qt6.qtwayland # libsForQt5.qt5.qtwayland # libsForQt6.qt6.qtwayland - # audio - playerctl - helvum - pasystray - sonusmix - pwvucontrol - # probably required by flameshot # xdg-desktop-portal xdg-desktop-portal-wlr # grim - - waypipe ] - ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) + ++ ( + lib.lists.optionals (!pkgs.stdenv.isAarch64) # TODO: broken on aarch64 - [ ] + [ + ] ); home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; NIXOS_OZONE_WL = "1"; MOZ_ENABLE_WAYLAND = "1"; - WLR_NO_HARDWARE_CURSORS = "1"; }; home.pointerCursor = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index aa3f531..2d9070d 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -3,15 +3,14 @@ lib, pkgs, ... -}: -let +}: let extensions = [ #undetectable adblocker - { id = "gcfcpohokifjldeandkfjoboemihipmb"; } + {id = "gcfcpohokifjldeandkfjoboemihipmb";} # ublock origin - { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } + {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} @@ -20,15 +19,15 @@ let # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } + {id = "odhmfmnoejhihkmfebnolljiibpnednn";} # i don't care about cookies - { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } + {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} # NopeCHA - { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } + {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} # h264ify - { id = "aleakchihdccplidncghkekgioiakgal"; } + {id = "aleakchihdccplidncghkekgioiakgal";} # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} 
@@ -39,43 +38,31 @@ let } # cookie autodelete - { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } + {id = "fhcgjolkccmbidfldomjliifgaodjagh";} # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid"; } + {id = "khncfooichmfjbepaaaebmommgaepoid";} ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ - # polkadotjs - { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } - - # rabby wallet - { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } - - # phantom wallet - { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } - # Vimium C - { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} - # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report # always right - { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } - - # shazam music - { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } + {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} ]); -in -{ +in { programs.chromium = { enable = true; inherit extensions; - # TODO: extensions currently don't work with ungoogled-chromium - package = pkgs.chromium; }; programs.brave = { # TODO: enable this on aarch64-linux - enable = true && !pkgs.stdenv.targetPlatform.isAarch64; + enable = + true + && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; + + programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 8297183..23f727a 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix 
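Review bot: `programs.browserpass = {browsers = ["chromium" "brave"];}` installs the native-messaging host that hands password-store entries to the browser, but no Browserpass extension is added to `extensions`, so the host has nothing to serve until the extension is installed by hand — either add it to the list alongside the others or note the manual step in a comment. Dropping `package = pkgs.chromium;` together with its `# TODO: extensions currently don't work with ungoogled-chromium` loses the only record of why a stock chromium was pinned; if the module default is what is wanted, keep the comment above `enable = true;`. Everything in this list is pinned by Web Store ID only, so the store decides which version gets installed — unchanged behaviour, but worth keeping in mind now that a password-manager bridge is being wired in.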
@@ -1,82 +1,73 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { services.espanso = { - package = pkgs.espanso-wayland; - # package = pkgs.espanso-wayland.overrideAttrs (_: { - # src = repoFlake.inputs.espanso; - - # cargoLock = { - # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; - # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; - # outputHashes = { - # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; - # }; - # }; - # }); - - enable = false; + # package = pkgs.espanso.overrideAttrs(_: { + # # src = + # }) + enable = true; configs = { default = { # backend = "Inject"; # backend = "Clipboard"; }; }; - matches = - let - playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in - { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = let + playerctl = '' + ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! 
${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; - }; + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeShellScript "espanso" + "${playerctl} metadata title") + ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; }; + }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index 51c7a93..05beab4 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
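Review bot: `enable = true;` turns espanso on with the default `pkgs.espanso` now that `package = pkgs.espanso-wayland;` is gone, yet this module sits next to the sway profile; the X11 build cannot inject into native Wayland clients and only reaches windows that go through Xwayland, so presumably this is tied to the `xwayland = true` flip in sway-desktop.nix — confirm, and record it with `# X11 espanso: only reaches Xwayland windows` or restore the wayland package. The `# package = pkgs.espanso.overrideAttrs(_: {` block is a commented-out fragment with no body and should be removed rather than left to linger. The `:vpos` Python script and the `playerctl` env wrapper are unchanged apart from re-indentation.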
@@ -1,417 +1,6 @@ -{ - repoFlake, - pkgs, - config, - lib, - ... -}: -let - # Search extension names with below command: - # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY - ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ - ublock-origin +{pkgs, ...}: { + programs.librewolf = {enable = true;}; + programs.firefox = {enable = true;}; - # bypass-paywalls-clean (can't use, was creating popups) - consent-o-matic - terms-of-service-didnt-read - - auto-tab-discard - - # redirector # For nixos wiki - # darkreader - - facebook-container - control-panel-for-twitter - # containerise - facebook-tracking-removal - vimium - cookie-autodelete - auto-tab-discard - istilldontcareaboutcookies - - youtube-recommended-videos - - display-_anchors - ]; - - customAddons = [ - - ]; - - search = { - force = true; - default = "DuckDuckGo"; - privateDefault = "DuckDuckGo"; - }; - - mkProfile = - override: - lib.recursiveUpdate { - extensions = ryceeAddons ++ customAddons; - inherit search; - - settings = { - # automatically enable extensions - "extensions.autoDisableScopes" = 0; - - "middlemouse.paste" = false; - - "browser.download.useDownloadDir" = false; - "browser.tabs.insertAfterCurrent" = true; - "browser.tabs.warnOnClose" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.quitShortcut.disabled" = false; - - # restore the previous session automatically - "browser.startup.page" = 3; - "browser.sessionstore.resume_from_crash" = true; - "browser.sessionstore.restore_pinned_tabs_on_demand" = true; - "browser.sessionstore.restore_on_demand" = true; - - "browser.urlbar.suggest.bookmark" = true; - "browser.urlbar.suggest.engines" = true; - "browser.urlbar.suggest.history" = true; - "browser.urlbar.suggest.openpage" = true; - "browser.urlbar.suggest.topsites" = false; - "browser.urlbar.trimHttps" = true; - - "sidebar.position_start" = false; - "findbar.highlightAll" 
= true; - - "browser.tabs.hoverPreview.enabled" = true; - - # Disable fx accounts - "identity.fxaccounts.enabled" = false; - # Disable "save password" prompt - "signon.rememberSignons" = false; - # Harden - "privacy.trackingprotection.enabled" = true; - "dom.security.https_only_mode" = true; - - # Disable irritating first-run stuff - "browser.disableResetPrompt" = true; - "browser.download.panel.shown" = true; - "browser.feeds.showFirstRunUI" = false; - "browser.messaging-system.whatsNewPanel.enabled" = false; - "browser.rights.3.shown" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.shell.defaultBrowserCheckCount" = 1; - "browser.startup.homepage_override.mstone" = "ignore"; - "browser.uitour.enabled" = false; - "startup.homepage_override_url" = ""; - "trailhead.firstrun.didSeeAboutWelcome" = true; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.bookmarks.addedImportButton" = true; - - # Disable "Save to Pocket" or Pocket entirely - "extensions.pocket.enabled" = false; - - # Disable telemetry - "toolkit.telemetry.enabled" = false; - "toolkit.telemetry.unified" = false; - "toolkit.telemetry.archive.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; - "app.shield.optoutstudies.enabled" = false; - "browser.discovery.enabled" = false; - "browser.newtabpage.activity-stream.feeds.telemetry" = false; - "browser.newtabpage.activity-stream.telemetry" = false; - "browser.ping-centre.telemetry" = false; - "datareporting.healthreport.service.enabled" = false; - "datareporting.policy.dataSubmissionEnabled" = false; - "datareporting.sessions.current.clean" = true; - "devtools.onboarding.telemetry.logged" = false; - "toolkit.telemetry.bhrPing.enabled" = false; - "toolkit.telemetry.firstShutdownPing.enabled" = false; - "toolkit.telemetry.hybridContent.enabled" = false; - "toolkit.telemetry.newProfilePing.enabled" = false; - "toolkit.telemetry.prompted" = 2; - "toolkit.telemetry.rejected" = true; - 
"toolkit.telemetry.reportingpolicy.firstRun" = false; - "toolkit.telemetry.server" = ""; - "toolkit.telemetry.shutdownPingSender.enabled" = false; - "toolkit.telemetry.unifiedIsOptIn" = false; - "toolkit.telemetry.updatePing.enabled" = false; - - # Disable any feeds on the new tab page - "browser.newtabpage.activity-stream.showTopSites" = false; - "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; - "browser.newtabpage.activity-stream.discoverystream.enabled" = false; - "browser.newtabpage.activity-stream.feeds.topsites" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; - "browser.newtabpage.blocked" = lib.genAttrs [ - # Youtube - "26UbzFJ7qT9/4DhodHKA1Q==" - # Facebook - "4gPpjkxgZzXPVtuEoAL9Ig==" - # Wikipedia - "eV8/WsSLxHadrTL1gAxhug==" - # Reddit - "gLv0ja2RYVgxKdp0I5qwvA==" - # Amazon - "K00ILysCaEq8+bEqV/3nuw==" - # Twitter - "T9nJot5PurhJSy8n038xGA==" - ] (_: 1); - "browser.topsites.blockedSponsors" = [ - "adidas" - "temuaffiliateprogram.pxf" - "s.click.aliexpress" - ]; - - # enable userChrome - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; - "devtools.chrome.enabled" = true; - "devtools.debugger.remote-enabled" = true; - - # disable translations for some languages - "browser.translations.neverTranslateLanguages" = [ - "en" - "de" - ]; - "browser.translations.automaticallyPopup" = false; - - # enable pipewire (and libcamera) sources - "media.webrtc.camera.allow-pipewire" = true; - }; - - userChrome = - let - name = override.color or colors.grey; - value = colorValues."${name}".normal; - valueBright = colorValues."${name}".highlight; - valueDark = colorValues."${name}".inactive; - in - '' - @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */ - - #nav-bar { - background-color: ${value} !important; - color: black !important; - } - - /* don't show close button on 
background tabs */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { - display: none !important; - } - - /* show close button on hover */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { - display: -moz-inline-box !important; - } - - - /* default */ - #TabsToolbar { - background: ${valueDark} !important; - } - - /* default tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { - background: ${value} !important; - opacity: 0.8 - } - - /* selected tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { - background: ${valueBright} !important; - box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); - } - - /* hovered tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { - background: ${valueBright} !important; - } - - /* unloaded/pending tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { - background: ${valueDark} !important; - } - ''; - - # /* new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { - # background: unset !important; - # } - - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { - # /* background: var(--default_tabs_bg_newtab) !important; - # } - - # /* hovered new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { - # background: var(--default_tabs_bg_newtab_hovered) !important; - # } - - } (builtins.removeAttrs override [ "color" ]); - - # TODO: insert the id automatically - mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; - - colors = builtins.mapAttrs (name: _: name) colorValues; - - colorValues = { - blue = { - normal = "#49b1fc"; - highlight = "#05a9fc"; # Brighter blue - inactive = "#1f81c6"; # Darker blue - }; - green = { - normal = "#51cd00"; - highlight = "#5ae200"; # Brighter green - inactive = "#45ad00"; # Darker green - }; 
- orange = { - normal = "#ff9800"; - highlight = "#ffb74d"; # Brighter orange - inactive = "#c76a00"; # Darker orange - }; - red = { - normal = "#f6685e"; - highlight = "#ff4336"; # Brighter red - inactive = "#aa463f"; # Darker red - }; - yellow = { - normal = "#fced4b"; - highlight = "#fce705"; # Brighter yellow - inactive = "#dbbe00"; # Darker yellow - }; - purple = { - normal = "#9c27b0"; - highlight = "#ab47bc"; # Brighter purple - inactive = "#7b1fa2"; # Darker purple - }; - pink = { - normal = "#e91e63"; - highlight = "#ff6090"; # Brighter pink - inactive = "#c2185b"; # Darker pink - }; - brown = { - normal = "#795548"; - highlight = "#a88b6f"; # Brighter brown - inactive = "#4e3b30"; # Darker brown - }; - grey = { - normal = "#9e9e9e"; - highlight = "#bdbdbd"; # Brighter grey - inactive = "#757575"; # Darker grey - }; - teal = { - normal = "#009688"; - highlight = "#26c6da"; # Brighter teal - inactive = "#00796b"; # Darker teal - }; - }; - -in -{ - nixpkgs.overlays = [ - repoFlake.inputs.nur.overlays.default - ]; - - nixpkgs.config.allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "youtube-recommended-videos" - ]; - - programs.librewolf = { - enable = false; - }; - programs.firefox = { - enable = true; - package = pkgs.firefox-esr; - - profiles = mkProfiles { - "personal" = mkProfile { - id = 0; - isDefault = true; - color = colors.blue; - }; - "comms" = mkProfile { - id = 1; - color = colors.blue; - }; - "admin" = mkProfile { - id = 2; - color = colors.blue; - }; - "infra" = mkProfile { - id = 3; - color = colors.blue; - }; - "finance" = mkProfile { - id = 4; - color = colors.yellow; - }; - "business-admin" = mkProfile { - id = 5; - color = colors.teal; - }; - "business-comms" = mkProfile { - id = 6; - color = colors.teal; - }; - "business-dev" = mkProfile { - id = 7; - color = colors.teal; - }; - "holo-dev" = mkProfile { - id = 8; - color = colors.green; - }; - "holo-infra" = mkProfile { - id = 9; - color = colors.green; - }; - 
"holo-comms" = mkProfile { - id = 10; - color = colors.green; - }; - "justyna" = mkProfile { - id = 11; - color = colors.pink; - }; - "justyna-office" = mkProfile { - id = 12; - color = colors.pink; - }; - }; - - }; - - # create one desktop entry for each profile - xdg.desktopEntries = lib.mapAttrs' ( - k: _v: - lib.nameValuePair "firefox-profile-${k}" { - categories = [ - "Network" - "WebBrowser" - ]; - exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; - genericName = "Web Browser"; - icon = - builtins.replaceStrings [ ".desktop" ] [ "" ] - config.programs.firefox.package.desktopItem.name; - mimeType = [ - "text/html" - "text/xml" - "application/xhtml+xml" - "application/vnd.mozilla.xul+xml" - "x-scheme-handler/http" - "x-scheme-handler/https" - ]; - name = "Firefox: ${k}"; - startupNotify = true; - settings.StartupWMClass = - # To group windows of different profiles. - # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. - #if profile.name == "default" - #then "firefox" - #else "firefox-${profile.name}"; - "firefox"; - terminal = false; - type = "Application"; - } - ) config.programs.firefox.profiles; + # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; } diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index b81c150..5fff979 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix 
@@ -1,17 +1,29 @@ -{ lib, pkgs, osConfig, ... }: { - home.packages = [ pkgs.gcr ]; + lib, + pkgs, + config, + ... +}: { + home.packages = + [ + pkgs.gcr + ] + ++ ( + if config.services.gpg-agent.pinentryFlavor == "gtk2" + then [pkgs.pinentry-gtk2] + else if config.services.gpg-agent.pinentryFlavor == "gnome3" + then [pkgs.pinentry-gnome] + else [] + ); programs.gpg.enable = true; services.gpg-agent = { enable = true; - enableScDaemon = !osConfig.services.pcscd.enable; + enableScDaemon = true; enableSshSupport = true; grabKeyboardAndMouse = true; - pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; - extraConfig = '' - no-allow-external-cache - ''; + pinentryFlavor = lib.mkDefault "gtk2"; + extraConfig = ""; defaultCacheTtl = 0; maxCacheTtl = 0; diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index 4ba0dfe..cbd4964 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
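Review bot: `extraConfig = "";` silently drops `no-allow-external-cache`, and with it the guard that stops pinentry from offering to store the passphrase in an external keyring (libsecret/gnome-keyring); together with the unchanged `defaultCacheTtl = 0; maxCacheTtl = 0;` the old configuration's intent was clearly "never persist a passphrase", which a saved keyring entry defeats regardless of the TTLs. Keep the line, or if it is meant to go, say why in a comment on `extraConfig`. `enableScDaemon = true;` also replaces the `!osConfig.services.pcscd.enable` gate; scdaemon's built-in reader driver and pcscd contend for the same smartcard, so on hosts that run pcscd this will likely surface as card-access failures — at least `# NOTE: conflicts with pcscd on the host` if the gate is not restored.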
@@ -1,25 +1,32 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: let + # TODO: clean up the impurity in here +in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - ''}; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + '' + }; ''; nixpkgs.config = { - packageOverrides = - pkgs: with pkgs; { + packageOverrides = pkgs: + with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 2091dc8..f5921e2 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,8 +1,3 @@ -{ pkgs, nodeFlake, ... }: - -let - pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; -in -{ - home.packages = [ pkgsStable.libreoffice ]; +{pkgs, ...}: { + home.packages = with pkgs; [libreoffice-fresh]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index d5f60dc..e169eea 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
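Review bot: The activation script `source`s `${pkgs.homeshick}/homeshick.sh`, and `homeshick` comes from `builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; … }` with no `rev` visible in the hunk, so whatever master points at when the configuration is evaluated is executed on every `home-manager switch`; the new `# TODO: clean up the impurity in here` acknowledges this, but the empty `let … in` it sits in changes nothing. Pinning a commit next to `ref`, `rev = "<commit hash>";` (placeholder), makes the sourced script reproducible and reviewable. The `packageOverrides` attrset continues past the end of the hunk, so a `rev` may already exist there — if so, disregard this.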
@@ -1,161 +1,131 @@ -{ repoFlake, pkgs, ... }: { - imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; + pkgs, + lib, + ... +}: let +in { + # FIXME: this doesn't work + home.sessionVariables.EDITOR = "nvim"; - programs.nixvim = { + programs.neovim = { enable = true; - defaultEditor = true; - vimdiffAlias = true; - vimAlias = true; - extraPython3Packages = ps: with ps; [ ]; + extraPython3Packages = ps: with ps; []; - # extraConfigVim = builtins.readFile ./neovim/vimrc; + extraConfig = builtins.readFile ./neovim/vimrc; - clipboard = { - register = "unnamedplus"; - providers.wl-copy.enable = true; - }; + plugins = with pkgs; + [ + # yaml-folds + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml-folds"; + src = fetchFromGitHub { + owner = "pedrohdz"; + repo = "vim-yaml-folds"; + rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + }; + buildInputs = [zip vim]; + }; + } - plugins = { - airline = { - enable = true; - settings = { - powerline_fonts = 1; - skip_empty_sections = 1; - theme = "papercolor"; - }; - }; - fugitive.enable = true; - gitblame.enable = true; - lsp = { - enable = true; - }; + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml"; + src = fetchFromGitHub { + owner = "stephpy"; + repo = "vim-yaml"; + rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + }; + }; + } - nix.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-markdown-toc"; + # src = fetchFromGitHub { + # owner = "mzlogin"; + # repo = "vim-markdown-toc"; + # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638"; + # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz"; + # }; + # }; + # } - # TODO: enable in next release - # numbertoggle.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-perl"; + # src = fetchFromGitHub { + # owner = 
"vim-perl"; + # repo = "vim-perl"; + # rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb"; + # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr"; + # }; + # }; + # } - # successfor to ctrlp and fzf - telescope.enable = true; + { + plugin = vimUtils.buildVimPlugin { + name = "git-blame"; + src = fetchFromGitHub { + "owner" = "zivyangll"; + "repo" = "git-blame.vim"; + "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + }; + }; + } + ] + ++ (with pkgs.vimPlugins; [ + delimitMate + vim-airline + vim-airline-themes + ctrlp + vim-css-color + rainbow_parentheses + vim-colorschemes + vim-colorstepper + vim-signify + fugitive + vim-indent-guides + UltiSnips + fzfWrapper - todo-comments.enable = true; + ncm2 + ncm2-bufword + ncm2-path + ncm2-tmux + ncm2-ultisnips + nvim-yarp - toggleterm.enable = true; + LanguageClient-neovim - treesitter = { - enable = true; + Improved-AnsiEsc + tabular - grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ - bash - json - lua - make - markdown - nix - regex - toml - vim - vimdoc - xml - yaml - ]; - }; + # Nix + vim-addon-nix + tlib + vim-addon-vim2nix - treesitter-context.enable = true; - treesitter-refactor.enable = true; + # LaTeX + vim-latex-live-preview + vimtex - # This plugin trims trailing whitespace and lines. 
- trim.enable = true; - }; + # YAML + vim-yaml - # plugins = with pkgs; - # [ - # # yaml-folds - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml-folds"; - # src = fetchFromGitHub { - # owner = "pedrohdz"; - # repo = "vim-yaml-folds"; - # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - # }; - # buildInputs = [zip vim]; - # }; - # } + # markdown + vim-markdown + vim-markdown-toc - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml"; - # src = fetchFromGitHub { - # owner = "stephpy"; - # repo = "vim-yaml"; - # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - # }; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "git-blame"; - # src = fetchFromGitHub { - # "owner" = "zivyangll"; - # "repo" = "git-blame.vim"; - # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - # }; - # }; - # } - # ] - # ++ (with pkgs.vimPlugins; [ - # delimitMate - # vim-airline - # vim-airline-themes - # ctrlp - # vim-css-color - # rainbow_parentheses - # vim-colorschemes - # vim-colorstepper - # vim-signify - # fugitive - # vim-indent-guides - # UltiSnips - # fzfWrapper - - # ncm2 - # ncm2-bufword - # ncm2-path - # ncm2-tmux - # ncm2-ultisnips - # nvim-yarp - - # LanguageClient-neovim - - # Improved-AnsiEsc - # tabular - - # # Nix - # vim-addon-nix - # tlib - # vim-addon-vim2nix - - # # LaTeX - # vim-latex-live-preview - # vimtex - - # # YAML - # vim-yaml - - # # markdown - # vim-markdown - # vim-markdown-toc - - # # misc syntax support - # vim-bazel - # maktaba - # ]); + # misc syntax support + vim-bazel + maktaba + ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f3cb42b..c002c2b 100644 --- a/nix/home-manager/programs/neovim/vimrc 
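Review bot: In the new plugin list the `git-blame` entry writes its fetchFromGitHub arguments as quoted attribute names (`"owner" = "zivyangll";`, `"repo"`, `"rev"`, `"sha256"`) while the sibling `vim-yaml-folds` and `vim-yaml` entries use bare names; `owner = "zivyangll";` and friends keep the three entries consistent. The `# FIXME: this doesn't work` above `home.sessionVariables.EDITOR = "nvim";` would carry more information if it recorded what was observed; zsh.nix in this same commit also exports `EDITOR="nvim"` from `initExtra` when `programs.neovim.enable` is set, so the two definitions presumably overlap and the comment could point at that.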
+++ b/nix/home-manager/programs/neovim/vimrc @@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = { \ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } -"let g:ctrlp_max_files=0 -"let g:ctrlp_max_depth=1000 +let g:ctrlp_max_files=0 +let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix deleted file mode 100644 index d99747d..0000000 --- a/nix/home-manager/programs/obs-studio.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, lib, ... }: -{ - programs.obs-studio = { - enable = true; - plugins = - builtins.map - ( - plugin: - (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - { inherit (attrs) meta; } - { meta.platforms = [ pkgs.stdenv.system ]; } - ]; - })) - ) - ( - with pkgs.obs-studio-plugins; - [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ] - ); - }; -} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix deleted file mode 100644 index 4b01360..0000000 --- a/nix/home-manager/programs/openvscode-server.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ pkgs, repoFlake, ... }: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ - home.packages = [ - pkgs.nil - pkgs.nixd - pkgs.nixfmt-rfc-style - - # TODO: automate linking this - # 1. get the commit with: `codium --version` - # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` - # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ - - /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` - */ - - (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { - src = repoFlake.inputs.openvscode-server; - version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: { - outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; - }); - })) - - pkgs.waypipe - ]; -} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 056d08d..7c1f221 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix @@ -1,5 +1,8 @@ -{ repoFlake, pkgs, ... }: { + repoFlake, + pkgs, + ... +}: { # required by pass-otp # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; @@ -7,6 +10,7 @@ home.packages = with pkgs; [ gnupg + pass # broken on wayland # rofi-pass diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index be31268..207b9e6 100644 
--- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -4,8 +4,7 @@ pkgs, osConfig, ... -}: -let +}: let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
@@ -39,51 +38,50 @@ let # pkgs.libxcrypt ]; - propagatedBuildInputs = [ - libdecsync - pkgs.python3Packages.setuptools - ]; + propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; + propagatedBuildInputs = + old.propagatedBuildInputs + ++ [radicale-storage-decsync]; }); - mkRadicaleService = - { suffix, port }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = { + suffix, + port, + }: let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; }; + Install.WantedBy = ["default.target"]; }; + }; in -builtins.foldl' (sum: cur: 
lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -] + builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } + ] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 9e45594..0946b2e 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,26 +1,21 @@ -_: -let - passwords = import ../../variables/passwords.crypt.nix; -in { + pkgs, + config, + ... +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { services.gammastep = { enable = true; - provider = "manual"; - enableVerboseLogging = true; inherit (passwords.location.stefan) longitude latitude; temperature = { - # day = 6700; - day = 3000; + day = 6700; night = 3000; }; tray = true; settings = { - general = { - adjustment-method = "wayland"; - }; gammastep = { - # brightness-day = 1.0; - brightness-day = 0.5; + brightness-day = 1.0; brightness-night = 0.5; }; }; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 415e3be..6a2894d 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -1,11 +1,18 @@ -{ pkgs, packages', ... }: +{ + pkgs, + config, + lib, + packages', + ... +}: # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done let - inherit (import ../lib.nix { }) mkSimpleTrayService; -in -{ - home.packages = [ packages'.salut ]; + inherit (import ../lib.nix {}) mkSimpleTrayService; +in { + home.packages = [ + packages'.salut + ]; xdg.configFile."salut/config.ini" = { enable = true; 
@@ -27,5 +34,7 @@ in onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; + systemd.user.services.salut = mkSimpleTrayService { + execStart = "${packages'.salut}/bin/salut"; + }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index df72028..a0c0d76 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix @@ -1,35 +1,32 @@ { - config, pkgs, - repoFlake, - lib, + nodeFlake, ... -}: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ +}: { programs.vscode = { enable = true; - package = pkgsVscodium.vscodium; + package = pkgs.vscodium; extensions = - with pkgsVscodium.vscode-extensions; [ + # TODO: how can i install (this) vsix(s) directly? + # (builtins.fetchurl { + # # https://open-vsx.org/extension/jeanp413/open-remote-ssh + # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix"; + # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; + # }) + ] + ++ (with pkgs.vscode-extensions; [ + bbenoist.nix eamodio.gitlens mkhl.direnv + jnoortheen.nix-ide tomoki1207.pdf vscodevim.vim - # bbenoist.nix - jnoortheen.nix-ide - ms-vscode.theme-tomorrowkit nonylene.dark-molokai-theme - ms-python.vscode-pylance - # TODO: these are not in nixpkgs - # fredwangwang.vscode-hcl-format # hashicorp.hcl # mindaro-dev.file-downloader 
@@ -37,96 +34,11 @@ in # TODO: not compatible with vscodium # ms-vscode-remote.remote-ssh - ] - ++ ( - let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; - [ - - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter - - tamasfe.even-better-toml - golang.go - jeff-hykin.better-go-syntax - blueglassblock.better-json5 - nefrob.vscode-just-syntax - # fabianlauer.vs-code-xml-format - - bierner.emojisense - ] - ) - ++ ( - let - nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' - vscode_version = "${config.programs.vscode.package.version}" - - [[extensions]] - publisher_name = "FelixZeller" - extension_name = "markdown-oxide" - - [[extensions]] - publisher_name = "ibecker" - extension_name = "treefmt-vscode" - - [[extensions]] - publisher_name = "AntiAntiSepticeye" - extension_name = "vscode-color-picker" - - # [[extensions]] - # publisher_name = "nefrob" - # extension_name = "vscode-just-syntax" - - [[extensions]] - publisher_name = "fabianlauer" - extension_name = "vs-code-xml-format" - ''; - - nix4vscodeNix = - pkgs.runCommand "nix4vscode.nix" - { - # nix4vscode needs internet access - __noChroot = true; - requiredSystemFeatures = [ "recursive-nix" ]; - buildInputs = [ - pkgs.nix - pkgs.cacert - (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) - # pkgs.strace - ]; - # outputHashAlgo = "sha256"; - # outputHashMode = "recursive"; - # outputHash = lib.fakeSha256; - } - '' - # set -x - # export RUST_BACKTRACE=full - # export RUST_LOG=trace - export HOME=$(mktemp -d) - # strace -ffZyyY - nix4vscode ${nix4vscodeToml} > $out - ''; - nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ - "override" - "overrideDerivation" - ]; - nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( - _: v: builtins.head (builtins.attrValues v) - ) nix4vscodeExtensions; - in - 
nix4vscodeExtensions' - ); + ]); mutableExtensionsDir = true; }; - home.packages = [ - pkgs.nil - pkgs.nixfmt-rfc-style - ]; + home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; } # TODO: automate ### original list: @@ -202,3 +114,4 @@ in # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 + diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css index 664a47f..60eff50 100644 --- a/nix/home-manager/programs/waybar.css +++ b/nix/home-manager/programs/waybar.css @@ -1,5 +1,6 @@ + #custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; } diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index a559dfc..05392c5 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -1,5 +1,9 @@ -{ pkgs, repoFlake, ... }: { + pkgs, + config, + repoFlake, + ... +}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 @@ -8,18 +12,17 @@ programs.waybar = { enable = true; - package = - repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; + package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = + pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { layer = "top"; position = "bottom"; height = 30; - output = - # hide the bar on HEADDLESS displays as i use them only for screensharing - (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; + output = ["*"]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 333d3d7..40e603d 100644 
--- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -3,29 +3,27 @@ lib, pkgs, ... -}: -let - just-plugin = - let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: let + just-plugin = let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -37,8 +35,7 @@ let chmod --recursive a-w $out ''; }; -in -{ +in { programs.zsh = { enable = true; 
@@ -49,59 +46,56 @@ in # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs then - '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else - "" - } + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -134,10 +128,7 @@ in oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = [ - "git" - "sudo" - ]; + plugins = ["git" "sudo"]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index 136a5a1..ee885cf 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,8 +1,7 @@ -{ lib, ... }: -{ +{lib, ...}: { options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = { }; + default = {}; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index da1e42a..a752173 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix 
@@ -1,37 +1,38 @@ -{ pkgs, ... }: { + inputs', + system, + config, + lib, + pkgs, + ... +}: { packages = { - myPython = pkgs.python310.withPackages ( - ps: + myPython = pkgs.python310.withPackages (ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [ - pkgs.pypi2nix - pkgs.libffi - ] - ); + pyaml + requests + ] + ++ [pkgs.pypi2nix pkgs.libffi]); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index 0d14a2f..d888840 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,12 +1,14 @@ # WARN: this file will get overwritten by $ cachix use -{ lib, ... }: -let +{ + pkgs, + lib, + ... +}: let folder = ./cachix; - toImport = name: _value: folder + ("/" + name); + toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in -{ +in { inherit imports; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.substituters = ["https://cache.nixos.org/"]; } diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index 1c0cca7..499e6e0 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -1,6 +1,8 @@ { nix = { - settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; + settings.substituters = [ + "https://nixpkgs-wayland.cachix.org" + ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; 
diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix
new file mode 100644
index 0000000..608ac47
--- /dev/null
+++ b/nix/os/containers/backup-target.nix
@@ -0,0 +1,87 @@
+{
+ hostAddress,
+ localAddress,
+ containerBackupCfg,
+ sshPort ? containerBackupCfg.portInt,
+ autoStart ? false,
+}: {
+ config = {
+ config,
+ pkgs,
+ lib,
+ ...
+ }: {
+ system.stateVersion = "22.05"; # Did you read the comment?
+
+ imports = [../profiles/containers/configuration.nix];
+
+ networking.firewall.enable = false;
+
+ # services.ddclientovh = {
+ # enable = true;
+ # domain = containerBackupCfg.addr;
+ # };
+
+ services.openssh.enable = true;
+
+ users.extraUsers."${containerBackupCfg.user}" = {
+ uid = 2000;
+ group = containerBackupCfg.group;
+ shell = pkgs.bashInteractive;
+ home = "/${containerBackupCfg.targetPath}";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 bkp"
+ ];
+
+ packages = with pkgs; [btrfs-progs];
+
+ isSystemUser = true;
+ };
+
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ {
+ users = ["bkp"];
+ commands = [
+ {
+ command = "/etc/profiles/per-user/bkp/bin/btrfs";
+ options = ["NOPASSWD"];
+ }
+ {
+ command = "/run/current-system/sw/bin/readlink";
+ options = ["NOPASSWD"];
+ }
+ {
+ command = "/run/current-system/sw/bin/test";
+ options = ["NOPASSWD"];
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+ inherit autoStart;
+
+ bindMounts = {
+ "/${containerBackupCfg.targetPath}" = {
+ hostPath = "/var/lib/container-volumes/backup-target";
+ isReadOnly = false;
+ };
+ };
+
+ extraFlags = ["--resolv-conf=bind-host"];
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # ssh
+ containerPort = 22;
+ hostPort = sshPort;
+ protocol = "tcp";
+ }
+ ];
+
+ inherit hostAddress localAddress;
+}
diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index 2c2c171..864aa20 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
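Review bot: The sudo rule hard-codes the account as `users = ["bkp"];` and the binary path as `/etc/profiles/per-user/bkp/bin/btrfs`, while the account itself is created a few lines above from `containerBackupCfg.user`; if the two ever disagree the NOPASSWD rule silently targets a non-existent user and the backup client loses its `btrfs` privilege. Derive both from the same value: `users = [containerBackupCfg.user];` and `command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";`. `networking.firewall.enable = false;` switches the container firewall off entirely although only port 22 is exposed through `forwardPorts`; leaving it on with `networking.firewall.allowedTCPPorts = [22];` expresses the same intent more narrowly. Whether the imported `../profiles/containers/configuration.nix` disables SSH password authentication is not visible here; for a key-only account like this one it is worth setting `services.openssh.settings.PasswordAuthentication = false;` (or the older `passwordAuthentication` option, depending on the NixOS release) explicitly unless the profile already does.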
@@ -5,107 +5,88 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: -let +}: let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in -{ - config = - { pkgs, ... }: - { - system.stateVersion = "20.03"; # Did you read the comment? +in { + config = {pkgs, ...}: { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - environment.systemPackages = with pkgs; [ - btrfs-progs - btrbk - ]; + environment.systemPackages = with pkgs; [btrfs-progs btrbk]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = { - Type = "oneshot"; - }; + serviceConfig = {Type = "oneshot";}; - after = [ "bkp-run.service" ]; + after = ["bkp-run.service"]; - requires = [ "bkp-run.service" ]; + requires = ["bkp-run.service"]; - path = with pkgs; [ utillinux ]; - script = '' - set -x - true + path = with pkgs; [utillinux]; + script = '' + set -x + true + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = {Type = "oneshot";}; + + partOf = ["bkp-sync.service"]; + + path = with pkgs; [btrfs-progs btrbk coreutils]; + + script = let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target 
${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" + subvolumes} ''; - }; + in '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; - serviceConfig = { - Type = "oneshot"; - }; - - partOf = [ "bkp-sync.service" ]; - - path = with pkgs; [ - btrfs-progs - btrbk - coreutils - ]; - - script = - let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} - ''; - in - '' - #! 
${pkgs.bash}/bin/bash - set -Eeuxo pipefail - - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; - - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ - "timer.target" - "multi-user.target" - ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; - }; + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = ["timer.target" "multi-user.target"]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; }; }; + }; inherit autoStart; @@ -133,10 +114,10 @@ in } ]; - extraFlags = [ "--resolv-conf=bind-host" ]; + extraFlags = ["--resolv-conf=bind-host"]; privateNetwork = true; - forwardPorts = [ ]; + forwardPorts = []; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 0be078c..d113925 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -1,210 +1,194 @@ { - specialArgs, - hostBridge, + repoFlake, hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { - pkgs, - config, - repoFlake, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? +}: { + config = { + pkgs, + config, + lib, + ... + }: { + system.stateVersion = "21.11"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = 
./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; - - modules = [ pkgs.dovecot_pigeonhole ]; - protocols = [ "sieve" ]; - - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes - - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } - - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } - - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --idle=INBOX --rcfile=${rc} - ''; - }; - - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - 
serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = - let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = 
./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + + # TODO: switch to something other than ddclient as it's no longer maintained + + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; + + modules = [pkgs.dovecot_pigeonhole]; + protocols = ["sieve"]; + + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } + + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } + + protocol imap { + mail_max_userip_connections = 64 + } + ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", 
"${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [pkgs.getmail6]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + }; inherit autoStart; 
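Review bot: The new side of this hunk drops `networking.firewall.allowedTCPPorts = [ imapsPort sievePort ];` without a replacement while `imapsPort` and `sievePort` stay parameters of the container function; if the imported containers profile leaves the container firewall enabled, IMAPS and ManageSieve become unreachable even though they are presumably still forwarded in the `forwardPorts` block below, and if the firewall is intentionally off the parameters no longer document anything. Either re-add `networking.firewall.allowedTCPPorts = [ imapsPort sievePort ];` next to the `sops.age.sshKeyPaths` line or leave a comment there stating where these ports are opened. Independently, the retained Dovecot `extraConfig` pairs `auth_mechanisms = cram-md5 digest-md5` with a `passwd-file` whose `args` say `scheme=CRYPT`; challenge-response mechanisms need plaintext or mechanism-specific hashes rather than CRYPT, so either these mechanisms cannot authenticate anyone or the users file holds a different scheme than the config claims — a comment confirming which is true would save the next maintainer a debugging session. `lib` is newly added to the module argument set, but nothing visible in this hunk uses it.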
@@ -219,6 +203,8 @@ }; }; + # extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -236,5 +222,5 @@ } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index f519b36..ffb595a 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
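Review bot: The added `# extraFlags = ["--resolv-conf=bind-host"];` is a commented-out setting with no explanation, while the syncthing container in this same commit sets the identical flag for real; either enable it here or drop the line so the container definition does not carry dead configuration. If it is deliberately disabled for the mailserver, record the reason instead, e.g. `# --resolv-conf=bind-host intentionally not set: <reason>`.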
@@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40yco
JAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn - 
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 - dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj - bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl - T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2023-07-02T20:30:30Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds - 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf - SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb - 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc - Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc 
- RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx - 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 - uGcEfsNiUXPngkNrh/Nvhh9w - =yHDZ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock deleted file mode 100644 index 0a7597d..0000000 --- a/nix/os/containers/mycelium/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723875769, - "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", - "type": "github" - }, - "original": { - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixlib": { - "locked": { - "lastModified": 1728781282, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728867876, - "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", - "type": 
"github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1728897630, - "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nix-snapshotter": "nix-snapshotter", - "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix deleted file mode 100644 index 1527acf..0000000 --- a/nix/os/containers/mycelium/flake.nix +++ /dev/null 
@@ -1,371 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; - # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nix-snapshotter = { - url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - outputs = - { self, nixpkgs, ... }: - let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in - { - nixosConfigurations.default = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - - specialArgs = { }; - - modules = [ - ( - { - config, - modulesPath, - pkgs, - lib, - ... - }: - { - nixpkgs.overlays = [ - (_final: _previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; - - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # 
withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; - - imports = [ (modulesPath + "/profiles/minimal.nix") ]; - system.stateVersion = "24.11"; - - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; - - services.nscd.enable = false; - system.nssModules = lib.mkForce [ ]; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; - - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; - - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; - - boot.kernelParams = [ "systemd.log_level=debug" ]; - - # services.udev.enable = false; - - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - - systemd.mounts = lib.mkForce [ ]; - fileSystems = lib.mkForce { }; - - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - - systemd.services.testing-credentials = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils ]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - }; - }; - - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" - ''; - }; - }; - } - ) - ]; - }; - packages = forAllSystems ( - system: - let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [ 9651 ]; - udp = [ - 9650 - 9651 - ]; - }; - - inherit (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [ entrypoint ]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in - { - k8s = - let - pod = pkgs.writeText "${name}-pod.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = { - inherit name; - }; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; - } - ]; - } - ); - - service = pkgs.writeText "${name}-service.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = { - inherit name; - }; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } - ]; - }; - } - ); - in - pkgs.runCommand "declarative-k8s" { } '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - - inherit image; - - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; - - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; - - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - } - ); - }; -} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 921662f..72aaab8 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -1,81 +1,31 @@ { - specialArgs, - hostBridge, hostAddress, localAddress, syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, - smbTcpPort ? 445, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { ... }: - { - system.stateVersion = "20.05"; # Did you read the comment? +}: { + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; - }; - - services.samba = { - enable = true; - securityType = "user"; - openFirewall = true; - settings = { - global = { - "workgroup" = "DMZ"; - "server string" = "syncthing"; - "netbios name" = "syncthing"; - "security" = "user"; - #"use sendfile" = "yes"; - #"max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 - "hosts allow" = "192.168.23. 127.0.0.1 localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "scan-stefan" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - - "scan-justyna" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - }; - }; - - - # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative - # sops.secrets.smbpasswd = { - # }; - # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; }; + }; inherit autoStart; @@ -86,6 +36,8 @@ }; }; + extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -103,12 +55,7 @@ hostPort = syncthingLocalAnnouncePort; protocol = "udp"; } - { - containerPort = 445; - hostPort = smbTcpPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 6389cc5..df3c445 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
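Review bot: `config` and `pkgs` are added to the module argument set on the new side, but nothing in the visible module body (`system.stateVersion`, `imports`, `networking.firewall.*`, `services.syncthing`) references either of them, so the header can stay `{ ... }:` as before unless a later hunk needs them. The new `networking.firewall.enable = true;` together with `allowedTCPPorts = [ 8384 ]` exposes the Syncthing GUI, which is bound to `0.0.0.0:8384`, to anything that can reach the container address, and no GUI credentials are configured in this hunk; a comment on the `8384` entry stating that reachability is bounded by the host's private network and `forwardPorts` (or that GUI auth is set elsewhere) would make the exposure intentional rather than accidental. The Samba removal is carried through consistently: `smbTcpPort` and its `forwardPorts` entry go away in the later hunk.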
@@ -1,427 +1,227 @@ { - specialArgs, - hostBridge, + repoFlake, hostAddress, localAddress, - httpPort, - httpsPort, - forgejoSshPort, + httpPort ? 80, + httpsPort ? 443, autoStart ? false, -}: -let +}: let domain = "www.stefanjunker.de"; -in -{ - inherit specialArgs; - config = - { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: - let - nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; - in - { - system.stateVersion = "22.05"; # Did you read the comment? - - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = 
{ - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = - let - originURL = config.services.kanidm.serverSettings.origin; - in - { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - 
services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = - let - baseDir = "/var/lib/authelia-default"; - in - { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = { }; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = 
config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = { }; - sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; - sops.secrets.FORGEJO_SECRET_KEY = { }; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = [ "kanidm.service" ]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - { - enable = true; - requiredBy = [ "kanidm.service" ]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; 
- serviceConfig.Type = "oneshot"; - script = - let - tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; - in - '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir - ]; - }; - - services.kanidm = - let - dataDir = "/var/lib/kanidm"; - in - { - package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; - - enablePam = false; - enableClient = false; - - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; - - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; - - - bindaddress = "127.0.0.1:8444"; - - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; - - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; - - online_backup = { - schedule = "00 06 * * *"; - }; - }; - }; +in { + config = { + config, + pkgs, + lib, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? 
+ + imports = [ + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; + + networking.firewall.enable = false; + + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; }; + services.caddy = { + enable = true; + virtualHosts."${domain}" = { + extraConfig = let + port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; + path = "${config.services.authelia.instances.default.settings.server.path}"; + in '' + redir /hedgedoc* https://hedgedoc.${domain} + + file_server /*/* { + browse + root /var/www/stefanjunker.de/htdocs/caddy + pass_thru + } + + # respond "Hi" + # respond (not /*/*) "Hi" + ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + }; + + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + + allowEmailRegister = false; + email = false; + + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + 
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; + }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; + }; + + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = let + baseDir = "/var/lib/authelia-default"; + in { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = {}; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + 
sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". + # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + }; + inherit autoStart; bindMounts = { @@ -453,18 +253,11 @@ in hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; isReadOnly = false; }; - - "/var/lib/forgejo" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; - isReadOnly = false; - }; - - "/var/lib/kanidm" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; - isReadOnly = false; - }; }; + # extraFlags = ["--resolv-conf=bind-host"]; + # networking.useHostResolvConf = true; + privateNetwork = true; forwardPorts = [ { 
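Review bot: `networking.firewall.enable = false;` replaces the old explicit allowlist (`httpPort`, `httpsPort`, the Forgejo SSH port) with no filtering at all, so every listener in the container becomes reachable from anything that can route to `localAddress`, not only the two ports `forwardPorts` maps. Caddy's upstreams sit on loopback (`127.0.0.1`, `[::1]`), but the hunk sets no listen address for lldap's `ldap_port`/`http_port`; if those default to all interfaces, the LDAP service that holds the admin bind credentials is now exposed to the host network where the firewall previously blocked it. I would keep the container firewall with the ports the function is parameterised on: `networking.firewall.enable = true;` and `networking.firewall.allowedTCPPorts = [ httpPort httpsPort ];`. Separately, `bindCredentials = "$LDAP_ADMIN_PASSWORD";` was commented out before with a note that it comes from `environmentFile`, so confirm the hedgedoc module substitutes `$VAR` placeholders in `settings` (otherwise the literal string is sent as the bind password and LDAP logins fail); the carried-over `log.level = "debug"` and `verbose = true` should also be lowered once this is stable. The container attribute set continues past the end of this hunk.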
@@ -479,14 +272,7 @@ in hostPort = httpsPort; protocol = "tcp"; } - - { - # forgejo ssh - containerPort = forgejoSshPort; - hostPort = forgejoSshPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml index 62dc6e8..29bb119 100644 --- a/nix/os/containers/webserver_secrets.yaml +++ b/nix/os/containers/webserver_secrets.yaml 
@@ -1,45 +1,41 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] +hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_environmentFile: 
ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] -#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] -FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] -FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] -FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh - U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh - YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP - eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc - KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T12:28:51Z" - mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] - pgp: - - created_at: "2023-07-09T17:51:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-17T11:48:04Z" + mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD - gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO - 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ - XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w 
- YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku - bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI - F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i - g+ZF+9NNqOTKsBzEnuGsZRnI - =iXfo - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 02b0212..bc8e0ad 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,25 +1,20 @@ { dir, - pkgs ? import { }, - ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, + pkgs ? import {}, + ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -}@args: -let - rebuildargsSudo = [ - "switch" - "boot" - ]; - rebuild = - { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +} @ args: let + rebuildargsSudo = ["switch" "boot"]; + rebuild = { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe 
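Review bot: The `sops` metadata on the new side moves `lastmodified` backwards from 2024-10-16 to 2023-07-17 and `version` from 3.8.1 to 3.7.3 while the age and PGP `enc` blocks are byte-identical, which looks like an older revision of the file being restored rather than a fresh `sops` edit — worth confirming that the restored `hedgedoc_environment_file` does not reintroduce a since-rotated credential. Because the data key is unchanged, deleting the three `FORGEJO_*` entries here does not revoke anything: the values remain in git history and decryptable by every recipient, so if the Forgejo instance or its state directory survives anywhere, regenerate `FORGEJO_SECRET_KEY`/`FORGEJO_INTERNAL_TOKEN`/`FORGEJO_JWT_SECRET` on the service side rather than relying on the deletion. Re-encrypting with a fresh data key (`sops -r -i nix/os/containers/webserver_secrets.yaml`) would also refresh the metadata so the hunk reflects an actual edit.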
@@ -35,24 +30,25 @@ let ${ if - (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null - then - "sudo -E \\" - else - "" + (builtins.elem rebuildarg rebuildargsSudo) + && (builtins.match ".*--target-host.*" moreargs) == null + then "sudo -E \\" + else "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in -{ - recipes = { - rebuild = rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; +in { + recipes = + { + rebuild = + rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; + } + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; - } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); + // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f639344..f62c6a9 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
@@ -3,29 +3,40 @@ ownLib, dir, gitRoot, - diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, + diskId ? + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .encrypted, previousDiskId ? "", ... -}: -let +}: let mntRootVol = "/mnt/${diskId}-root"; -in -rec { +in rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ + ownLib.disk.rootFsDevice diskId + } ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -62,7 +73,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice + read -p "Continue to format ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -109,11 +122,15 @@ rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ + ownLib.disk.lvmPv diskId encrypted + } sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -137,7 +154,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice + read -p "Continue to relabel ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -168,9 +187,13 @@ rec { if test "${previousDiskId}"; then - ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} - ''} + ${ + pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } + '' + } sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index 6698046..ab6c098 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index ea92869..d39da6f 100644 --- a/nix/os/devices/elias-e525/configuration.nix 
+++ b/nix/os/devices/elias-e525/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index ba02693..4b4d676 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "elias-e525.lan"; diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index d5bd2c5..3f73b91 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix @@ -6,5 +6,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix index 23d4edb..269281c 100644 --- a/nix/os/devices/elias-e525/hw.nix +++ b/nix/os/devices/elias-e525/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index 57d813e..e119032 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: -let +{ + pkgs, + lib, + ... +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix 
@@ -19,27 +22,26 @@ let rustdesk ]; }; -in -{ - services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { +in { + services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index d2a3efe..6763062 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,5 +1,10 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + config, + ... +}: let +in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -33,13 +38,11 @@ # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index c4690cf..196c96a 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
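Review bot: The lambda parameter in `services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value)` is never used, and renaming it from `_attr` to `attr` drops the leading-underscore convention that tells readers and linters the argument is intentionally ignored. Keep `(_attr: value: lib.mkForce value)` or `(_: value: lib.mkForce value)`. The same rename lands in nix/os/devices/justyna-p300/pkg.nix further down.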
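Review bot: The new header of nix/os/devices/elias-e525/system.nix introduces an empty `let` / `in` pair and adds `config` to the argument set, but nothing in the visible lines uses either; `}: {` is enough, and `config` should only be added where it is referenced (the rest of the file is outside the hunk, so this is inferred from what is shown). The same empty `let in {` also appears in nix/os/devices/fwhost1/hw.nix and fwhost2/hw.nix, and unused-looking `config`/`utils` arguments plus a `keys` binding with no visible use are added in fwhost1/system.nix, fwhost2/system.nix and justyna-p300/system.nix. Evaluation is lazy so this is cosmetic, but unused names in module arguments obscure which modules actually depend on `config`.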
@@ -1,9 +1,12 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + lib, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 43334ed..6c1aaaf 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix 
@@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index 548caec..abe1717 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix @@ -1,8 +1,12 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -17,14 +21,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 958608a..98f59ba 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix 
@@ -1 +1,9 @@ -_: { } +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {}) mkUser; +in {} diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
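Review bot: In nix/os/devices/fwhost1/user.nix the three `let` bindings (`passwords`, `keys`, `mkUser`) feed a module body that is just `{}`, so they are dead code that is never evaluated. That hides an inconsistency: here `mkUser` comes from `inherit (import ../../lib/default.nix {}) mkUser;`, while nix/os/devices/fwhost2/user.nix uses `import ../../lib/default.nix {inherit (pkgs) lib;}` and elias-e525/user.nix uses `pkgs.callPackage ../../lib/default.nix {}`; whichever argument set lib/default.nix expects, at least one of these forms will only fail the first time `mkUser` is actually used. Either remove the unused bindings or pick the one calling convention that matches lib/default.nix and use it in all three files.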
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index a8891e3..c207b8c 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix @@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 652347f..54da0ba 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,8 +1,13 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + utils, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. 
@@ -17,14 +22,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index 47efa02..d7dc0dc 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -1,4 +1,12 @@ -_: { +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix 
@@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix deleted file mode 100644 index 32fad43..0000000 --- a/nix/os/devices/hstk0/configuration.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - nodeFlake, - nodeName, - system, - ... -}: -{ - disabledModules = [ ]; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - repoFlake.inputs.sops-nix.nixosModules.sops - - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder - { - roles.nix-remote-builder.schedulerPublicKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" - - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - } - - ../../snippets/nix-settings.nix - { nix.settings.sandbox = lib.mkForce "relaxed"; } - - ../../snippets/mycelium.nix - - # user config - ../../profiles/common/user.nix - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - # { - # home-manager.users.steveej = {pkgs, ...}: { - # imports = [ - # ../../../home-manager/programs/pass.nix - # ../../../home-manager/programs/openvscode-server.nix - # ]; - # }; - # } - ]; - - services.openssh = { - enable = true; - openFirewall = true; - settings.PermitRootLogin = "yes"; - extraConfig = '' - StreamLocalBindUnlink yes - ''; - }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - - nat.enable = true; - firewall.enable = true; - - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; - }; - - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; - }; - }; - }; - }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm 
= { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; - - system.stateVersion = "24.05"; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.includeDefaultModules = true; - boot.initrd.kernelModules = [ - "dm-raid" - "dm-integrity" - "xhci_pci_renesas" - ]; - - hardware.enableRedistributableFirmware = true; - - virtualisation.libvirtd.enable = true; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -} diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix deleted file mode 100644 index 6c9b22f..0000000 --- a/nix/os/devices/hstk0/flake.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - }; - - # outputs = _: {}; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "x86_64-linux"; - nodeName = "hostkey-0"; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; - - modules = [ ./configuration.nix ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { inherit system; }; - }; - }; -} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index a0204bc..3723c24 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
@@ -1,24 +1,16 @@ { - "enabled": 1, - "hidden": false, - "description": "Jobsets", - "nixexprinput": "src", - "nixexprpath": "default.nix", - "checkinterval": 300, - "schedulingshares": 100, - "enableemail": false, - "emailoverride": "", - "keepnr": 3, - "inputs": { - "src": { - "type": "git", - "value": "git://github.com/shlevy/declarative-hydra-example.git", - "emailresponsible": false - }, - "nixpkgs": { - "type": "git", - "value": "git://github.com/NixOS/nixpkgs.git release-16.03", - "emailresponsible": false + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, + "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } } - } } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 9d6bbe7..85006ed 100644 --- a/nix/os/devices/justyna-p300/boot.nix +++ b/nix/os/devices/justyna-p300/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false; diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix index e636106..f2cb3f7 100644 --- a/nix/os/devices/justyna-p300/configuration.nix +++ b/nix/os/devices/justyna-p300/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 427ce7e..907e60b 100644 --- a/nix/os/devices/justyna-p300/default.nix 
+++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 9b8b8ed..3e68abe 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = "github:nix-community/disko"; + inputs.disko.url = github:nix-community/disko; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index b68e082..0924dd2 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix @@ -1,6 +1,12 @@ -{ nodeFlake, ... }: { - imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; + repoFlake, + nodeFlake, + lib, + ... +}: { + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -14,7 +20,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "root"; @@ -24,14 +30,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; 
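Review bot: `inputs.disko.url = github:nix-community/disko;` in nix/os/devices/justyna-p300/flake.nix uses an unquoted URL literal, which Nix has deprecated; with the `no-url-literals` experimental feature enabled it is a parse error, and it is inconsistent with the quoted strings on the neighbouring lines. Keep the string form, `inputs.disko.url = "github:nix-community/disko";`. In the same file section, the hw.nix hunk adds `repoFlake` and `lib` to the module arguments without using them in the visible lines.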
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index d23cfb0..e780b7e 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,8 +3,7 @@ lib, packages', ... -}: -let +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -24,19 +23,15 @@ let rustdesk ]; }; -in -{ - services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { +in { + services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce ( - with packages'; - [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ] - ); + services.printing.drivers = lib.mkForce (with packages'; [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ]); services.printing.extraConf = '' LogLevel debug @@ -44,29 +39,31 @@ in home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = lib.attrsets.recursiveUpdate - (homeEnv { - layout = "de"; - options = [ ]; - variant = ""; - }) - { - services.syncthing.enable = true; - services.syncthing.tray = true; + (homeEnv { + layout = "de"; + options = []; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ session-desktop ]; - }; + home.packages = with pkgs; [ + session-desktop + ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 82a7b02..44c3db9 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix 
@@ -1,8 +1,11 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -36,13 +39,11 @@ in # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index c4690cf..6d86c59 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -1,9 +1,11 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 07c6b1c..366c640 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -1,4 +1,3 @@ -# TODO: don't pull in bluez (or any bluetooth components) { repoFlake, pkgs, 
@@ -9,33 +8,33 @@ localDomainName, system, ... -}: -let - inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; +}: let + inherit + (nodeFlake.inputs) + bpir3 + nixos-nftables-firewall + ; vlanRangeStart = builtins.head vlanRange; vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; + vlanRangeWith0 = [0] ++ vlanRange; - mkVlanIpv4HostAddr = - { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." [ - "192" - "168" - (toString (vlanid + offset)) - "${toString host}${lib.strings.optionalString cidr "/24"}" - ]; + mkVlanIpv4HostAddr = { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = + if vlanid == 0 + then thirdIpv4SegmentMin + else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." + ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"]; defaultVlan = { name = "${localDomainName}"; 
@@ -43,68 +42,75 @@ let }; vlans = { - "2".name = "dmz"; - "2".packet_priority = -5; + "10".name = "mgmt"; + "10".packet_priority = 0; - "3".name = "iot"; - "3".packet_priority = -5; + "11".name = "dmz"; + "11".packet_priority = -5; - "4".name = "office"; - "4".packet_priority = -10; + "12".name = "iot"; + "12".packet_priority = -5; - "5".name = "guests"; - "5".packet_priority = 10; + "13".name = "office"; + "13".packet_priority = -10; + + "14".name = "guests"; + "14".packet_priority = 10; + + "15".name = "iot2"; + "15".packet_priority = -10; }; - vlansByName = lib.attrsets.mapAttrs' ( - vlanid': attrs: - lib.attrsets.nameValuePair attrs.name ( - attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - } + vlansByName = + lib.attrsets.mapAttrs' + ( + vlanid': attrs: + lib.attrsets.nameValuePair + attrs.name + (attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + }) ) - ) vlans; + vlans; - getVlanDomain = - { vlanid }: - if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name; + getVlanDomain = {vlanid}: + if vlanid == 0 + then defaultVlan.name + else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = - { vlanid }: - if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; + mkInterfaceName = {vlanid}: + if vlanid == 0 + then bridgeInterfaceName + else "${bridgeInterfaceName}.${toString vlanid}"; - dmzExposedHost = "sj-srv1"; - dmzExposedHostDomain = "dmz.internal"; - dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; - dmzExposedHostIpv4 = mkVlanIpv4HostAddr { - vlanid = vlansByName.dmz.id; - host = 99; - cidr = false; - }; - - dmzExposedHostMACaddr = - repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in -{ + exposedHost = "sj-srv1.dmz.internal"; +in { imports = [ - nixos-sbc.nixosModules.default - nixos-sbc.nixosModules.boards.bananapi.bpir3 - { - sbc.version = "0.2"; - sbc.bootstrap.rootFilesystem = "btrfs"; - sbc.wireless.wifi.acceptRegulatoryResponsibility = true; - } - repoFlake.inputs.sops-nix.nixosModules.sops ../../profiles/common/user.nix - ../../snippets/nix-settings.nix + + "${bpir3}/lib/sd-image-mt7986.nix" nixos-nftables-firewall.nixosModules.default + { + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + + nix.settings.max-jobs = lib.mkDefault "auto"; + nix.settings.cores = lib.mkDefault 0; + } + { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; @@ -120,8 +126,8 @@ in sops.secrets.passwords-root.neededForUsers = true; - # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = { }; + sops.secrets.wlan0_saePasswordsFile = {}; + sops.secrets.wlan0_wpaPskFile = {}; } ]; 
@@ -179,19 +185,19 @@ in # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) nftables = { enable = true; - stopRuleset = ""; + chains = { prerouting = { "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in + after = ["hook"]; + rules = let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + # TODO: if this hostname doesn't resolve it'll break the whole ruleset [ "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" ]; }; }; 
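Review bot: `"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"` now DNATs to the name `sj-srv1.dmz.internal` instead of an address, and the hunk's own TODO admits that if the name does not resolve when nft loads the ruleset the whole ruleset fails to load. On a router that turns a resolver hiccup at boot (the local DNS may not be up when nftables starts) into a firewall that is not loaded at all, and since `stopRuleset = "";` is removed in the same hunk, the fallback behaviour is whatever the nftables module's default provides and should be checked. Resolve the target at evaluation time instead — keep `exposedHost` as an IPv4 literal, or derive it with `mkVlanIpv4HostAddr { vlanid = vlansByName.dmz.id; host = 99; cidr = false; }` in the `let` block — so the generated ruleset contains a fixed address. Note also that the rule has no protocol or port match, so every inbound WAN packet not caught by the port-220 redirect is forwarded to the DMZ host; confirm that is intended.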
@@ -199,262 +205,146 @@ in firewall = { enable = true; - snippets.nnf-common.enable = true; - # included in the above - # snippets.nnf-conntrack.enable = true; zones = { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ - "wan" - "lan0" - ]; - vpn.interfaces = [ - "wg0" - "wg1" - "wg2" - ]; + wan.interfaces = ["wan" "lan0"]; } // # generate a zone for each vlan - lib.attrsets.mapAttrs (_key: value: { - interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; - }) vlansByName; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" + lib.attrsets.mapAttrs + (key: value: { + interfaces = [(mkInterfaceName {vlanid = value.id;})]; + }) + vlansByName; + rules = let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ - "fw" - "lan" - ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } - ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-wan-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-vpn-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "vpn" ]; - masquerade = false; - verdict = "accept"; - }; + # Without the nd-* ones ipv6 will not work. 
+ "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in { + fw = { + from = ["fw"]; + verdict = "accept"; }; + + office-to-dmz = { + from = ["office"]; + to = ["dmz"]; + verdict = "accept"; + }; + + lan-to-fw = { + from = ["lan"]; + to = ["fw" "lan"]; + verdict = "accept"; + }; + + lan-to-wan = { + from = ["lan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = ["vlan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 67; + to = 68; + } + { + from = 53; + to = 53; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = ["vlan"]; + to = ["fw"]; + extraLines = + allowIcmpLines + ++ [ + "drop" + ]; + }; + + to-wan-nat = { + from = ["lan" "vlan"]; + to = ["wan"]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = ["wan"]; + to = ["dmz"]; + verdict = "accept"; + }; + + wan-to-fw = { + from = ["wan"]; + to = ["fw"]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = + allowIcmpLines + ++ [ + "drop" + ]; + }; + }; }; }; }; - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - # TODO: this shouldn't be necessary _at all_ - systemd.services.sfp-quirk = { - enable = true; - wantedBy = [ - "network.target" 
- "multi-user.target" - ]; - - requires = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - after = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - path = [ - pkgs.ethtool - pkgs.iproute2 - pkgs.coreutils - ]; - - script = '' - set -xeE - - ip l set dev lan4 down - ip l set dev eth1 down - - sleep 0.5 - - ethtool -s lan4 duplex full autoneg off - ethtool -s eth1 duplex full autoneg off - - sleep 0.5 - - ip l set dev lan4 up - ip l set dev eth1 up - - echo quirk applied, fingers crossed. - ''; - }; - systemd.network = { wait-online.anyInterface = true; - config.networkConfig = { - IPv4Forwarding = true; - IPv6Forwarding = true; - }; - links = { - # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. - # "00-eth1" = { - # enable = true; - # matchConfig.Name = "eth1"; - # linkConfig = { - # # BitsPerSecond = "2500M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - # "00-lan4" = { - # enable = true; - # matchConfig.Name = "lan4@eth0"; - # linkConfig = { - # # BitsPerSecond = "1000M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - }; netdevs = - let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - in { # Create the bridge interface "20-${bridgeInterfaceName}" = { 
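Review bot: `snippets.nnf-common.enable = true;` is removed from the firewall block with no visible replacement, and unless the pinned nixos-nftables-firewall enables it by default, the conntrack (established/related accept, invalid drop), loopback and, if I remember the module correctly, the final default-drop handling it bundles disappear with it; the explicit `allowIcmpLines` only cover ICMP. Check the pinned module's default for that option and, if it is off, re-add `snippets.nnf-common.enable = true;` (or at minimum the conntrack and drop snippets) next to `enable = true;`. Separately, the rewritten `wan-to-fw` rule still accepts TCP 22 from the WAN zone while the imports in the earlier hunk keep `services.openssh.settings.PermitRootLogin = "yes"` and `sops.secrets.passwords-root` provisions a root password, so unless password authentication is disabled elsewhere this exposes root password login to the internet; `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;` would close that. Finally, the `systemd.network.config.networkConfig` block with `IPv4Forwarding`/`IPv6Forwarding` is dropped here and the only replacement I can see is `IPForward = true;` on the lan0 WAN network in the following truncated hunk, which networkd applies per link; confirm forwarding from `br-lan` and the VLAN interfaces still works.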
@@ -471,252 +361,66 @@ in DefaultPVID=0 ''; }; - - wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 100; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. - # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg0Endpoint; - } - ]; - }; - - wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - FirewallMark = 101; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg1Endpoint; - } - ]; - }; - - wg2 = { - enable = true; - netdevConfig = { - Name = "wg2"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 102; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. 
- # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-hosthatch_wg0Endpoint; - } - ]; - }; } # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' (acc: cur: acc // cur) { } ( + // builtins.foldl' + (acc: cur: acc // cur) + {} + ( builtins.map - ( - { vlanid, vlanid' }: - { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; - }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) + ({ + vlanid, + vlanid', + }: { + "20-${mkInterfaceName {inherit vlanid;}}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName {inherit vlanid;}}"; + }; + vlanConfig.Id = vlanid; + }; + }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) + vlanRange + ) ); networks = - let - commonWanOptions = { + { + # use lan0 as secondary WAN interface + "10-lan0-wan" = { + matchConfig.Name = "lan0"; networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; + IPForward = true; }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; - - # TODO: enable 
these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit - - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in - { - # places options here that should always exist - "lo" = { - matchConfig.Name = "lo"; - - # these are roughly equivalent to: - # ip rule add fwmark 100 priority 0 table 100 - # ip rule add fwmark 100 priority 1 prohibit - # ip rule add fwmark 101 priority 0 table 101 - # ip rule add fwmark 101 priority 1 prohibit - routingPolicyRules = [ - { - FirewallMark = 100; - Priority = 30000; - Table = 100; - } - { - FirewallMark = 100; - Priority = 30001; - Table = 100; - Type = "prohibit"; - } - { - FirewallMark = 101; - Priority = 30000; - Table = 101; - } - { - FirewallMark = 101; - Priority = 30001; - Table = 101; - Type = "prohibit"; - } - { - FirewallMark = 102; - Priority = 30000; - Table = 102; - } - { - FirewallMark = 102; - Priority = 30001; - Table = 102; - Type = "prohibit"; - } - ]; - }; - # use lan0 as secondary WAN interface - "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "lan0"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 2000; - }; - - # similar to - # ip route add default via 172.16.0.1 table 101 - routes = [ - { - Gateway = "_dhcp4"; - Table = 101; - } - ]; }; - "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + "10-wan" = { matchConfig.Name = "wan"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 1000; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for 
Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; }; - - # similar to - # ip route add default via 192.168.0.1 table 100 - routes = [ - { - Gateway = "_dhcp4"; - Table = 100; - } - { - Gateway = "_dhcp4"; - Table = 102; - } - ]; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; }; # Connect the bridge ports to the bridge @@ -730,9 +434,11 @@ in bridgeVLANs = [ { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; + bridgeVLANConfig = { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + }; } ]; }; @@ -747,9 +453,11 @@ in bridgeVLANs = [ { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; + bridgeVLANConfig = { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + }; } ]; }; 
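Review bot: `DNSOverTLS = true; DNSSEC = true;` under `networkConfig` for both `10-lan0-wan` and `10-wan` are options consumed by systemd-resolved, and `services.resolved.enable = false;` further down this file means they do nothing here, so upstream resolution goes through dnsmasq in the clear despite what these lines suggest. Either drop the two options or annotate them, e.g. `# no-op while resolved is disabled: dnsmasq forwards upstream over plain port 53`, so the next reader does not assume DoT/DNSSEC is in place. `IPForward = true;` is likewise written per-link on both WAN networks, but systemd.network(5) describes it as a system-wide sysctl, so forwarding is on for every interface and only the nftables zones keep wan→lan traffic out; a one-line comment stating that would help. The enclosing `networks = { … }` set continues past this hunk.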
@@ -764,46 +472,16 @@ in bridgeVLANs = [ { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - }; - "30-lan4" = { - matchConfig.Name = "lan4"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - "30-eth1" = { - matchConfig.Name = "eth1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; + bridgeVLANConfig = { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + }; } ]; }; # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; + bridgeConfig = {}; address = [ (mkVlanIpv4HostAddr { vlanid = 0; 
@@ -819,320 +497,349 @@ in bridgeVLANs = [ { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + bridgeVLANConfig = { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + }; } ]; - vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - }; - - "50-wg0" = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.1/31" ]; - - routes = [ - # { - # # test the set uprouting to a specific IP - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.0 1"; - # } - ]; - }; - "50-wg1" = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.3/31" ]; - routes = [ - # { - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.2 1"; - # } - ]; - }; - - "50-wg2" = { - enable = true; - matchConfig.Name = "wg2"; - address = [ "10.0.1.1/31" ]; - - routes = [ - # TODO: add a testing route here - ]; + vlan = ( + builtins.map + (vlanid: (mkInterfaceName {inherit vlanid;})) + vlanRange + ); }; } # configuration for the hostapd dynamic interfaces # * netdev type vlan # * host address for vlan # * vlan config for wlan interface - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + // builtins.foldl' + (acc: cur: acc // cur) + {} + (builtins.map + ({ + vlanid, + vlanid', + }: { + # configure the tagged vlan device with an address and vlan filtering. 
+ # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName {inherit vlanid;}}" = { + matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; - DHCPPrefixDelegation = true; - IPv6SendRA = true; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; }; + } + ]; + }; - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; }; + } + ]; + }; - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = vlanid; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - } - ]; - }; - - # "50-${mkInterfaceName 
{inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); + "50-${mkInterfaceName {inherit vlanid;}}" = { + matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) + vlanRange + )); }; # wireless access point services.hostapd = { enable = true; - # package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection + package = nodeFlake.packages.${system}.hostapd_patched; + radios = let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. 
- # ieee80211n = 1; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + }; + networks = { + wlan0 = let + iface = "wlan0"; + in { + ssid = "mlsia"; + bssid = mkBssid 0; - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; + # authentication.mode = "wpa3-sae"; + authentication.mode = "wpa3-sae-transition"; - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - "40-INTOLERANT" + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # bridge = bridgeInterfaceName; - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - wifi5 = { - enable = false; - require = false; - }; + # enables debug logging + logger_stdout_level = lib.mkForce 0; + logger_stdout = -1; + # logger_syslog_level= lib.mkForce 0; - wifi6 = { - enable = false; - require = false; - }; + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - networks = { - wlan0 = - let - iface = "wlan0"; + dynamic_vlan = 1; + + # this option currently requires a patch to hostapd + vlan_no_bridge = 
1; + + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ + + vlan_file = let + generated = + builtins.map + ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) + vlanRange; + + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = + pkgs.writeText "hostapd.vlan" + (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; in - { - ssid = "mlsia"; - bssid = mkBssid 0; + filePath; - # enables debug logging - logLevel = 0; + wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ + "WPA-PSK" - authentication.mode = "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ]); - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks + ieee80211w = 1; + sae_require_mfp = 1; + sae_groups = "19 20 21"; - # bridge = bridgeInterfaceName; + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = 
"[ENABLE-TLSv1.3]"; - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = - let - generated = builtins.map ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; - - wpa_key_mgmt = lib.mkForce ( - builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ] - ); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. 
- # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; - - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; - - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; - - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. - disassoc_low_ack = 0; - - skip_inactivity_poll = 1; - - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
- multicast_to_unicast = 0; - }; - }; + ieee8021x = 0; + eap_server = 0; + }; }; + + # wlan0-1 = { + # ssid = "mlsia-testing"; + # authentication = { + # mode = "wpa3-sae-transition"; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # wlan0-1 = { + # ssid = "justtestingwifi-wpa3"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = bridgeInterfaceName; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = "WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; }; }; + + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + 
# he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. + # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + 
# mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. + # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + # }; + # }; + }; }; services.resolved.enable = false; @@ -1157,50 +864,49 @@ in local-ttl = 0; dhcp-ttl = 0; - # v6 config - enable-ra = true; - - dhcp-range = - let - mkDhcpRange = - { tag, vlanid }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map ( + dhcp-range = let + mkDhcpRange = { + tag, + vlanid, + }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + ]; + in + builtins.map + ( vlanid: - mkDhcpRange { - tag = mkInterfaceName { inherit vlanid; }; - inherit vlanid; - } - ) vlanRangeWith0; + mkDhcpRange { + tag = mkInterfaceName {inherit vlanid;}; + inherit vlanid; + } + ) + vlanRangeWith0; - dhcp-host = builtins.concatStringsSep "," [ - dmzExposedHostMACaddr - dmzExposedHostIpv4 - dmzExposedHostFQDN - ]; + # interface = bridgeInterfaceName; + # bind-interfaces = true; + # dhcp-host = "192.168.10.1"; + # local domains + # local = "/${getVlanDomain {vlanid = 0;}/"; + # domain = getVlanDomain {vlanid = 0;}; expand-hosts = true; # don't use /etc/hosts as this would advertise ${nodeName} as localhost no-hosts = true; + # address = "/${nodeName}.lan/${fwLanHostAddr}"; server = [ # upstream DNS servers 
@@ -1210,41 +916,44 @@ in "2a01:4f8:151:34aa::198" "2a01:4f8:141:316d::117" - # https://dismail.de/info.html#dns - "116.203.32.217" - "2a01:4f8:1c1b:44aa::1" - "159.69.114.157" - "2a01:4f8:c17:739a::2" + # cloudflare and google + # "9.9.9.9" "8.8.8.8" "1.1.1.1" ]; domain = - [ "/${getVlanDomain { vlanid = 0; }}/,local" ] - ++ builtins.map ( - vlanid: - "${getVlanDomain { inherit vlanid; }},${ - mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - } - },local" - ) vlanRangeWith0; + [ + "/${getVlanDomain {vlanid = 0;}}/,local" + ] + ++ builtins.map + ( + vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + }},local" + ) + vlanRangeWith0; # TODO: compare this to using `interface-name` - dynamic-host = builtins.map ( - vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain { inherit vlanid; }}" - "0.0.0.1" - (mkInterfaceName { inherit vlanid; }) + dynamic-host = + [ ] - ) vlanRangeWith0; + ++ builtins.map + ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain {inherit vlanid;}}" + "0.0.0.1" + (mkInterfaceName {inherit vlanid;}) + ] + ) + vlanRangeWith0; - dhcp-option-force = builtins.map ( - vlanid: - "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" - ) vlanRangeWith0; + dhcp-option-force = + builtins.map + (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}") + vlanRangeWith0; # auth-server = [ # (builtins.concatStringsSep "," [ 
@@ -1254,30 +963,84 @@ in # ]) # ]; - cname = [ - "mailserver.svc.stefanjunker.de,${dmzExposedHost}" - "www.stefanjunker.de,${dmzExposedHost}" - "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" - "jitsi.www.stefanjunker.de,${dmzExposedHost}" - "lldap.www.stefanjunker.de,${dmzExposedHost}" - "forgejo.www.stefanjunker.de,${dmzExposedHost}" - "kanidm.www.stefanjunker.de,${dmzExposedHost}" - ]; + # cname = [ + # "mailserver.svc.stefanjunker.de,${exposedHost}" + # "www.stefanjunker.de,${exposedHost}" + # "hedgedoc.www.stefanjunker.de,${exposedHost}" + # "jitsi.www.stefanjunker.de,${exposedHost}" + # ]; }; }; - system.stateVersion = "24.11"; + # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often. + # disable for now as i think it causes wifi issues + services.irqbalance.enable = false; - # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; + system.stateVersion = "23.05"; + + boot.kernelPackages = pkgs.linuxPackages_bpir3_latest; + # We exclude a number of modules included in the default list. A non-insignificant amount do + # not apply to embedded hardware like this, so simply skip the defaults. + # + # Custom kernel is required as a lot of MTK components misbehave when built as modules. + # They fail to load properly, leaving the system without working ethernet, they'll oops on + # remove. MTK-DSA parts and PCIe were observed to do this. + boot.initrd.includeDefaultModules = false; + boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; + boot.initrd.availableKernelModules = ["nvme"]; + + boot.kernelParams = ["console=ttyS0,115200"]; + hardware.enableRedistributableFirmware = true; + # Wireless hardware exists, regulatory database is essential. 
+ hardware.wirelessRegulatoryDatabase = true; + + # Extlinux compatible with custom uboot patches in this repo, which also provide unique + # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test. + boot.initrd.compressor = "gzip"; + hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; + + hardware.deviceTree.overlays = [ + { + name = "bpir3-sd-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts"; + } + { + name = "bpir3-nand-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts"; + } + { + name = "bpi-r3 wifi training data"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts"; + } + { + name = "reset button disable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts"; + } + { + name = "mt7986a efuses"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts"; + } + ]; + + boot.initrd.preDeviceCommands = '' + if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then + if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then + # Remove PCI bridge, then rescan. NVMe init crashes if PCI bridge not removed first + echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove + # Rescan brings PCI root back and brings the NVMe device in. + echo 1 > /sys/bus/pci/rescan + else + info "PCIe bridge missing" + fi + fi + ''; environment.systemPackages = [ pkgs.ethtool - pkgs.vim - pkgs.iperf3 - - pkgs.wireguard-tools - pkgs.tshark - pkgs.tmux + pkgs.neovim (pkgs.writeShellScriptBin "dbg-ip" '' echo links: diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index a0520dc..9dd8d5e 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix 
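Review bot: The commented-out `cname` block references `${exposedHost}`, a name bound nowhere in the visible file (the removed lines used `dmzExposedHost`), so re-enabling it as written fails to evaluate; delete the dead block or point it at an existing binding. The device-tree overlay named `"reset button disable"` loads `mt7986a-bananapi-bpi-r3-pcie-button.dts`, so either the name or the file is off — a short comment saying what the overlay actually changes would help, since it alters physical-button behaviour on the router. The enclosing module attribute set continues past this hunk.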
@@ -5,24 +5,25 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; + inherit + (nodeFlake.inputs.bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock index 8f55026..089ad5e 100644 --- a/nix/os/devices/router0-dmz0/flake.lock +++ b/nix/os/devices/router0-dmz0/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "bpir3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703603768, + "narHash": "sha256-ZViXHNt7ClqNtlRO9iot+LxiSbBvZi/RR+/6Q7W6UV8=", + "owner": "steveej-forks", + "repo": "nixos-bpir3", + "rev": "47cb545b92c136d1482a66b940c4719c40eb5fe3", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "linux-6.6", + "repo": "nixos-bpir3", + "type": "github" + } + }, "dependencyDagOfSubmodule": { "inputs": { "nixpkgs": [ @@ -28,11 +49,11 @@ ] }, "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "lastModified": 1703532766, + "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=", "owner": "nix-community", "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "rev": "1b191113874dee97796749bb21eac3d84735c70a", "type": "github" }, "original": { 
@@ -43,11 +64,11 @@
 },
 "get-flake": {
 "locked": {
- "lastModified": 1714237590,
- "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=",
+ "lastModified": 1694475786,
+ "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=",
 "owner": "ursi",
 "repo": "get-flake",
- "rev": "a6c57417d1b857b8be53aba4095869a0f438c502",
+ "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1",
 "type": "github"
 },
 "original": {
@@ -63,16 +84,16 @@
 ]
 },
 "locked": {
- "lastModified": 1736373539,
- "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+ "lastModified": 1703527373,
+ "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+ "rev": "80679ea5074ab7190c4cce478c600057cfb5edae",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-24.11",
+ "ref": "master",
 "repo": "home-manager",
 "type": "github"
 }
@@ -80,11 +101,11 @@
 "hostapd": {
 "flake": false,
 "locked": {
- "lastModified": 1738518662,
- "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=",
+ "lastModified": 1703346062,
+ "narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=",
 "ref": "refs/heads/main",
- "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576",
- "revCount": 20282,
+ "rev": "196d6c83b9cb7d298fdc92684dc37115348b159e",
+ "revCount": 19119,
 "type": "git",
 "url": "git://w1.fi/hostap.git?branch=main"
 },
@@ -101,11 +122,11 @@
 ]
 },
 "locked": {
- "lastModified": 1715521768,
- "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=",
+ "lastModified": 1703279052,
+ "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=",
 "owner": "thelegy",
 "repo": "nixos-nftables-firewall",
- "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8",
+ "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80",
 "type": "github"
 },
 "original": {
@@ -114,49 +135,29 @@
 "type": "github"
 }
 },
- "nixos-sbc": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
+ "nixos-stable": {
 "locked": {
- "lastModified": 1738254353,
- "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=",
- "owner": "nakato",
- "repo": "nixos-sbc",
- "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18",
+ "lastModified": 1703068421,
+ "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
 "type": "github"
 },
 "original": {
- "owner": "nakato",
- "repo": "nixos-sbc",
+ "owner": "NixOS",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1738702386,
- "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=",
+ "lastModified": 1703255338,
+ "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-24.11",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1738680400,
- "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "799ba5bffed04ced7067a91798353d360788b30d",
+ "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
 "type": "github"
 },
 "original": {
@@ -186,30 +187,30 @@ }, "root": { "inputs": { + "bpir3": "bpir3", "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", "hostapd": "hostapd", "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixos-sbc": "nixos-sbc", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "openwrt": "openwrt", "srvos": "srvos" } }, "srvos": { "inputs": { + "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1738198321, - "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", + "lastModified": 1703469109, + "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=", "owner": "numtide", "repo": "srvos", - "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", + "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec", "type": "github" }, "original": { diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index d56e72a..22c71ae 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -1,11 +1,10 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; get-flake.url = "github:ursi/get-flake"; - home-manager.url = "github:nix-community/home-manager/release-24.11"; + home-manager.url = "github:nix-community/home-manager/master"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; disko.url = "github:nix-community/disko"; 
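Review bot: Moving `nixpkgs.url` from `nixos-24.11` to `nixos-unstable` and `home-manager.url` from `release-24.11` to `master` reads like an upgrade, but the flake.lock hunks in the same commit pin revisions whose `lastModified` values are roughly a year older than the ones they replace (nixpkgs 1738702386 → 1703255338, hostapd revCount 20282 → 19119, and srvos now drags in a `nixos-stable` input on `nixos-23.11`), so for this router the net effect is a dependency rollback, and whatever fixes landed in those inputs in between are dropped. If that is intentional, state the reason next to the URL, e.g. `# deliberately locked to the 2023-12 revisions; do not `nix flake update` without re-testing the bpir3 kernel`; if it is not, keep the release branch and re-lock. Tracking `master`/`nixos-unstable` also means the next routine `nix flake update` jumps this device straight to the branch heads, so lock advances for a network-edge host should be reviewed as their own change rather than bundled with a refactor.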
@@ -13,14 +12,12 @@ srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-sbc.url = "github:nakato/nixos-sbc" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; - nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; + bpir3.url = + "github:steveej-forks/nixos-bpir3/linux-6.6" + # "/home/steveej/src/steveej/nixos-bpir3" + ; + + bpir3.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; 
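Review bot: `bpir3.url` follows the `linux-6.6` branch of a personal fork (`steveej-forks/nixos-bpir3`), and judging by the overlay in the outputs hunk below and the extlinux/U-Boot comment in configuration.nix that input appears to supply the kernel and boot-chain patches this router boots from, which makes it the most trust-sensitive input in the flake while only the lock (rev 47cb545b92c136d1482a66b940c4719c40eb5fe3) holds it still. Consider pinning the revision in the URL itself, `bpir3.url = "github:steveej-forks/nixos-bpir3/47cb545b92c136d1482a66b940c4719c40eb5fe3";`, or at least documenting how fork updates are reviewed, so that `nix flake update` cannot silently swap the kernel and bootloader. The removed `nixos-sbc` comments referenced 6.12/6.13 kernel branches, so this is presumably also a move back to a 6.6 kernel and worth saying in the commit message if deliberate. The commented-out local path `# "/home/steveej/src/steveej/nixos-bpir3"` is the same kind of dead config this hunk just removed; replace it with a one-line hint such as `# local checkout: nix build --override-input bpir3 /path/to/nixos-bpir3`.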
@@ -37,71 +34,102 @@ # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; # flake = false; # }; - - # repoFlake.url = "path:../../../.."; }; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + outputs = { + self, + get-flake, + nixpkgs, + bpir3, + ... + }: let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; - mkNixosConfiguration = + pkgs = nixpkgs.legacyPackages.${nativeSystem}; + pkgsCross = import self.inputs.nixpkgs { + system = "x86_64-linux"; + crossSystem = { + config = "aarch64-unknown-linux-gnu"; + }; + }; + + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - # repoFlake = get-flake ./.; - # repoFlake = self.inputs.repoFlake; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = [ + modules = + [ ./configuration.nix # flake registry { - nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; + { + nixpkgs.overlays = [ + (final: previous: let + bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {}; + in { 
+ inherit + (bpir3Pkgs) + linuxPackages_bpir3 + linuxPackages_bpir3_latest + ; + }) + ]; + } + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + system = nativeSystem; }; - overlays.default = _final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; }; }; + + packages = let + mkPatchedHostapd = pkgs: + pkgs.hostapd.overrideDerivation (attrs: { + patches = + attrs.patches + ++ [ + "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" + ]; + }); + in { + "${nativeSystem}" = { + hostapd_patched = mkPatchedHostapd pkgs; + }; + + cross = { + hostapd_patched = mkPatchedHostapd pkgsCross; + }; + }; + }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix deleted file mode 100644 index af02b3d..0000000 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ /dev/null 
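Review bot: Dropping `nixpkgs.overlays = builtins.attrValues self.overlays;` together with `overlays.default` means the hostapd built with `710-vlan_no_bridge.patch` is no longer applied to the NixOS configuration; the new side only publishes it as `packages.<system>.hostapd_patched`, so unless configuration.nix (outside this hunk) selects it explicitly, e.g. `services.hostapd.package = nodePackages'.hostapd_patched;`, the router will run stock hostapd and any VLAN separation that depended on the patch changes silently. Also `packages.cross` is not a system name — flake `packages` outputs are keyed by the build platform, so I expect `nix flake show`/`nix flake check` to reject or warn about it; since `pkgsCross` is built on x86_64-linux, key it as `"x86_64-linux" = { hostapd_patched = mkPatchedHostapd pkgsCross; };` instead. Minor: `pkgsCross` imports `self.inputs.nixpkgs` while the `nixpkgs` argument is already in scope and used for `pkgs` on the line above; use the argument in both places. The hunk ends at the file's closing brace.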
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "24.05"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.1.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.1.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-hosthatch/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - system ? "x86_64-linux", - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - variables = import ./variables.crypt.nix; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = variables.ipv4; - deployment.replaceUnknownProfiles = true; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock deleted file mode 100644 index f66687f..0000000 --- a/nix/os/devices/router0-hosthatch/flake.lock +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix deleted file mode 100644 index 38c17df..0000000 Binary files a/nix/os/devices/router0-hosthatch/variables.crypt.nix and /dev/null differ diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix deleted file mode 100644 index 9bc91ee..0000000 --- a/nix/os/devices/router0-ifog/configuration.nix +++ /dev/null 
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "23.11"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-ifog/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - system ? "x86_64-linux", - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - variables = import ./variables.crypt.nix; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = variables.ipv4; - deployment.replaceUnknownProfiles = true; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock deleted file mode 100644 index f66687f..0000000 --- a/nix/os/devices/router0-ifog/flake.lock +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-ifog/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix deleted file mode 100644 index 1dec120..0000000 Binary files a/nix/os/devices/router0-ifog/variables.crypt.nix and /dev/null differ diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/sj-bm-hostkey0/.gitignore similarity index 100% rename from nix/os/devices/hstk0/.gitignore rename to nix/os/devices/sj-bm-hostkey0/.gitignore diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/sj-bm-hostkey0/README.md similarity index 98% rename from nix/os/devices/hstk0/README.md rename to nix/os/devices/sj-bm-hostkey0/README.md index 60ee180..d70e379 100644 --- a/nix/os/devices/hstk0/README.md +++ b/nix/os/devices/sj-bm-hostkey0/README.md @@ -1,6 +1,7 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 ``` + diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix new file mode 100644 index 0000000..5c32ea3 --- /dev/null +++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix 
@@ -0,0 +1,166 @@ +{ + modulesPath, + repoFlake, + packages', + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + ... +}: { + disabledModules = [ + ]; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + ../../snippets/nix-settings-holo-chain.nix + + # TODO + # ./network.nix + # ./monitoring.nix + + # user config + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; + }; + + home-manager.users.steveej = {pkgs, ...}: { + imports = [ + ../../../home-manager/configuration/text-minimal.nix + ]; + + home.packages = [ + pkgs.nil + pkgs.rnix-lsp + pkgs.nixd + pkgs.nixpkgs-fmt + pkgs.alejandra + pkgs.nixfmt + ]; + }; + + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = ["/share/zsh"]; + } + ]; + + roles.nix-remote-builder.schedulerPublicKeys = [ + # TODO: make this a reference to the private key's secret + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" + ]; + + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + + # No local firewall. 
+ nat.enable = true; + firewall.enable = false; + }; + + disko.devices = let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; + }; + }; + }; + }; + in { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; + + system.stateVersion = "23.11"; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.includeDefaultModules = true; + boot.initrd.kernelModules = [ + "dm-raid" + "dm-integrity" + "xhci_pci_renesas" + ]; + + hardware.enableRedistributableFirmware = true; + + environment.systemPackages = [ + pkgs.hdparm + ]; + + # home-manager.users.steveej = _: { + # imports = [ + # ../../../home-manager/configuration/text-minimal.nix + # ]; + + # home.sessionVariables = { + # }; + + # home.packages = with pkgs; [ + # ]; + # }; + + virtualisation.libvirtd.enable = true; + + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; +} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/sj-bm-hostkey0/default.nix similarity index 73% rename from nix/os/devices/hstk0/default.nix rename to nix/os/devices/sj-bm-hostkey0/default.nix index 62e6cc1..86b5f1a 100644 --- a/nix/os/devices/hstk0/default.nix +++ b/nix/os/devices/sj-bm-hostkey0/default.nix 
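Review bot: `services.openssh.settings.PermitRootLogin = "yes"` is paired with nothing in this file that disables password logins, and only `roles-nix-remote-builder` is imported from srvos rather than the `server` module that srv0-dmz0 imports, so root password authentication over SSH is presumably left at the sshd default on a host that the README bootstraps at a public address. The remote-builder role already relies on the `schedulerPublicKeys` entry, so `services.openssh.settings.PermitRootLogin = "prohibit-password";` plus `services.openssh.settings.PasswordAuthentication = false;` keeps that use case working while closing the password path. `firewall.enable = false` together with `nat.enable = true` and both forwarding sysctls leaves every listening service on this machine without a packet filter; the `# No local firewall.` comment should say why that is acceptable here, or the firewall should stay enabled with an explicit allowed-port list. The `# TODO: make this a reference to the private key's secret` item and the host-key TODO in the README are fine as comments but should be tracked rather than shipped indefinitely.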
@@ -3,22 +3,19 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "185.130.224.33"; diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/sj-bm-hostkey0/flake.lock similarity index 60% rename from nix/os/devices/hstk0/flake.lock rename to nix/os/devices/sj-bm-hostkey0/flake.lock index 8389a6a..7b84218 100644 --- a/nix/os/devices/hstk0/flake.lock +++ b/nix/os/devices/sj-bm-hostkey0/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1719401812, - "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", + "lastModified": 1704318910, + "narHash": "sha256-wOIJwAsnZhM0NlFRwYJRgO4Lldh8j9viyzwQXtrbNtM=", "owner": "nix-community", "repo": "disko", - "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", + "rev": "aef9a509db64a081186af2dc185654d78dc8e344", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "get-flake": { "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", "owner": "ursi", "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", "type": "github" }, "original": { 
@@ -42,48 +42,48 @@ ] }, "locked": { - "lastModified": 1718530513, - "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", + "lastModified": 1704383912, + "narHash": "sha256-Be7O73qoOj/z+4ZCgizdLlu+5BkVvO2KO299goZ9cW8=", "owner": "nix-community", "repo": "home-manager", - "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", + "rev": "26b8adb300e50efceb51fff6859a1a6ba1ade4f7", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "master", "repo": "home-manager", "type": "github" } }, + "nixos-stable": { + "locked": { + "lastModified": 1703992652, + "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1719253556, - "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", + "lastModified": 1704295289, + "narHash": "sha256-9WZDRfpMqCYL6g/HNWVvXF0hxdaAgwgIGeLYiOhmes8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", + "rev": "b0b2c5445c64191fd8d0b31f2b1a34e45a64547d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719254875, - "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } 
@@ -94,22 +94,22 @@ "get-flake": "get-flake", "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "srvos": "srvos" } }, "srvos": { "inputs": { + "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1719189969, - "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", + "lastModified": 1704357296, + "narHash": "sha256-npRcwAqeoLRdilyn4yOG9qShTRJ3sXL/xpyVOi+j7nw=", "owner": "numtide", "repo": "srvos", - "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", + "rev": "341c142aad6609161b6b74cfc2d288f0ead01585", "type": "github" }, "original": { diff --git a/nix/os/devices/sj-bm-hostkey0/flake.nix b/nix/os/devices/sj-bm-hostkey0/flake.nix new file mode 100644 index 0000000..74478dd --- /dev/null +++ b/nix/os/devices/sj-bm-hostkey0/flake.nix @@ -0,0 +1,63 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + get-flake.url = "github:ursi/get-flake"; + + home-manager.url = "github:nix-community/home-manager/master"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + }; + + # outputs = _: {}; + + outputs = { + self, + get-flake, + nixpkgs, + ... + } @ attrs: let + system = "x86_64-linux"; + nodeName = "sj-bm-hostkey0"; + + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; + + modules = + [ + ./configuration.nix + + # flake registry + { + nix.registry.nixpkgs.flake = nixpkgs; + } + + { + nixpkgs.overlays = [ + (final: previous: {}) + ]; + } + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + inherit system; + }; + }; + }; +} 
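Review bot: `home-manager.url = "github:nix-community/home-manager/master"` is combined with `nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"` and `inputs.nixpkgs.follows = "nixpkgs"`; home-manager's master branch tracks nixpkgs unstable, so option drift between the two is likely and `release-23.11` is the matching branch. nixos-23.11 itself is past end of life, as is the `nixos-23.05` pin that sj-srv1/flake.nix moves to in this commit (down from nixos-24.11) and the `nixos-23.11` pin the srv0-dmz0 lock moves to, so these hosts receive no further channel security updates; if this is a deliberate rollback the commit message should say so. `mkNixosConfiguration` forwards the whole `attrs` set into `nixosSystem` through `recursiveUpdate`, so a caller passing `extraModules` would also hand that unknown attribute to `nixosSystem`; `(removeAttrs attrs ["extraModules"])` in place of `attrs` avoids that. The commented-out `# outputs = _: {};` above the real `outputs` is dead code and should be dropped.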
diff --git a/nix/os/devices/sj-srv1/boot.nix b/nix/os/devices/sj-srv1/boot.nix new file mode 100644 index 0000000..59a5051 --- /dev/null +++ b/nix/os/devices/sj-srv1/boot.nix @@ -0,0 +1,3 @@ +{lib, ...}: { + boot.extraModulePackages = []; +} diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix index 5184bd1..bada0c3 100644 --- a/nix/os/devices/sj-srv1/configuration.nix +++ b/nix/os/devices/sj-srv1/configuration.nix @@ -1,6 +1,10 @@ -{ nodeName, config, ... }: { - disabledModules = [ ]; + nodeName, + config, + pkgs, + ... +}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { @@ -17,7 +21,10 @@ }; } + ../../modules/opinionatedDisk.nix + ./system.nix ./hw.nix + ./boot.nix ]; } diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix index 6ec896d..94458cb 100644 --- a/nix/os/devices/sj-srv1/default.nix +++ b/nix/os/devices/sj-srv1/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.dmz.internal"; diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock index 05230e2..56c2d36 100644 --- a/nix/os/devices/sj-srv1/flake.lock +++ b/nix/os/devices/sj-srv1/flake.lock 
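Review bot: `{lib, ...}:` in the new sj-srv1/boot.nix binds `lib` without using it in the three-line file; `{...}: {` matches the `{...}: let` header this commit gives hw.nix. The same unused-argument pattern appears in the `pkgs` added to sj-srv1/configuration.nix and sj-vps-htz0/configuration.nix, the `lib` and `repoFlake` added to sj-vps-htz0/system.nix, and the `packages'`/`pkgs` added to srv0-dmz0/configuration.nix, none of which is referenced on the new side of its hunk (in srv0-dmz0 they appear only inside the commented-out nomad block). Those files continue outside their hunks, so the arguments may be used further down; if not, they should go.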
@@ -7,59 +7,43 @@ ] }, "locked": { - "lastModified": 1747020534, - "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", + "lastModified": 1700392168, + "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", "owner": "nix-community", "repo": "home-manager", - "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", + "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1746957726, - "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", + "lastModified": 1700501263, + "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", + "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-kanidm": { - "locked": { - "lastModified": 1729071019, - "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", - "owner": "steveej-forks", - "repo": "nixpkgs", - "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "kanidm", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1747142919, - "narHash": "sha256-84jJ5uDXws7EYch+4fxmfoCCTWRWZCXCCVM0Dh65ZH8=", + "lastModified": 1700758842, + "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "60bdd7db9e890967224c2244be45beecd7d6e448", + "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", "type": "github" }, "original": { 
@@ -71,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1747114929, - "narHash": "sha256-GnQGiZiOnGfxM9oVhgqOJk0Qv1aZ11p5Aloac2tdoKY=", + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fab95ba4b9523f310644e6e6087c0014535c8e02", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", "type": "github" }, "original": { @@ -89,7 +73,6 @@ "inputs": { "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "nixpkgs-kanidm": "nixpkgs-kanidm", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable" } diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix index 213d325..c315b8e 100644 --- a/nix/os/devices/sj-srv1/flake.nix +++ b/nix/os/devices/sj-srv1/flake.nix @@ -1,14 +1,12 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm"; - inputs.home-manager = { - url = "github:nix-community/home-manager/release-24.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix index ca9158b..65a001d 100644 --- a/nix/os/devices/sj-srv1/hw.nix +++ b/nix/os/devices/sj-srv1/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -39,11 +38,7 @@ let "cdc_ether" "uas" ]; -in -{ - imports = [ - ../../modules/opinionatedDisk.nix - ]; +in { hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index c5e4c43..c481d5d 100644 --- a/nix/os/devices/sj-srv1/system.nix 
+++ b/nix/os/devices/sj-srv1/system.nix @@ -3,36 +3,15 @@ lib, config, repoFlake, - nodeFlake, nodeName, ... -}: -let - hostBridgeAddress = "192.168.101.1"; -in -{ +}: { imports = [ ../../snippets/systemd-resolved.nix - { - # make sure it uses the DNS that comes in via DHCP - networking.nameservers = lib.mkForce [ ]; - services.resolved.enable = true; - - # provide DNS to the containers - services.resolved.extraConfig = '' - DNSStubListenerExtra=${hostBridgeAddress} - ''; - networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ]; - networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ]; - } ]; - programs.wireshark.enable = true; - environment.systemPackages = [ pkgs.dnsutils ]; - networking.firewall.enable = true; networking.nftables.enable = true; - networking.nftables.flushRuleset = true; networking.firewall.allowedTCPPorts = [ # iperf3 
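Review bot: Dropping `networking.nftables.flushRuleset = true;` and the `services.resolved.extraConfig` stub listener is a behaviour change that the surrounding reformatting hides; the new side keeps `networking.firewall.enable = true;` and `networking.nftables.enable = true;` but presumably no longer flushes tables that other tooling left behind on reload, so stale rules can outlive a `nixos-rebuild switch`. The `networking.nameservers = lib.mkForce [ ]` and `services.resolved.enable = true` lines go with it, so the host's resolver setup now depends entirely on `../../snippets/systemd-resolved.nix`. The containers in the next hunk also lose the `hostBridge = "br0"` path that the stub listener served, so where they resolve names from now depends on what `../../containers/*.nix` configure — worth verifying on a rebuilt host. The function header and the `imports` list begin above this hunk.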
@@ -44,172 +23,95 @@ in networking.usePredictableInterfaceNames = false; networking.useNetworkd = true; - networking.useDHCP = false; + networking.useDHCP = true; networking.nat = { enable = true; - internalInterfaces = [ "br0" ]; - externalInterface = "dmz0"; - }; - - networking.bridges = { - br0 = { - interfaces = [ ]; - }; - }; - networking.interfaces = { - br0 = { - ipv4.addresses = [ - { - address = hostBridgeAddress; - prefixLength = 24; - } - ]; - }; - }; - - systemd.network.netdevs."10-dmz0" = { - enable = true; - netdevConfig = { - Name = "dmz0"; - Kind = "macvlan"; - MACAddress = "1c:69:7a:07:08:6f"; - }; - - macvlanConfig = { - Mode = "bridge"; - }; - }; - - systemd.network.networks."20-eth0" = { - enable = true; - matchConfig.Name = "eth0"; - - linkConfig.RequiredForOnline = "carrier"; - networkConfig.LinkLocalAddressing = "no"; - - # TODO: i'm not sure if and if so why this is required - macvlan = [ "dmz0" ]; - - DHCP = "no"; - }; - - systemd.network.networks."30-dmz0" = { - enable = true; - matchConfig.Name = "dmz0"; - DHCP = "yes"; - - dhcpV4Config.UseDNS = true; - dhcpV6Config.UseDNS = true; - }; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - "net.ipv6.ip_forward" = 1; + internalInterfaces = ["ve-*"]; + externalInterface = "eth0"; }; # virtualization - virtualisation = { - docker.enable = false; - }; + virtualisation = {docker.enable = false;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = - let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in - { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + services.restic.backups.${nodeName} = let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in { + initialize = true; 
+ repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - paths = [ "/backup" ]; + paths = [ + "/backup" + ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; - }; - - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; }; + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; + }; + containers = { mailserver = import ../../containers/mailserver.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; + inherit repoFlake; autoStart = true; - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.10/24"; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; imapsPort = 993; sievePort = 4190; }; - webserver = import ../../containers/webserver.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; + webserver = + import ../../containers/webserver.nix + { + inherit repoFlake; + + autoStart = true; + + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + + httpPort = 80; + httpsPort = 443; }; - autoStart = true; - - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.11/24"; - - httpPort = 80; - httpsPort = 443; - forgejoSshPort = 2222; - }; - syncthing = import 
../../containers/syncthing.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; autoStart = true; - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.12/24"; + hostAddress = "192.168.100.14"; + localAddress = "192.168.100.15"; syncthingPort = 22000; }; }; - virtualisation.libvirtd = { - enable = true; - onShutdown = "shutdown"; - parallelShutdown = 3; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; }; - # VM storage - # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D"; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index 0f9e008..b734123 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -1,6 +1,10 @@ -{ nodeName, config, ... }: { - disabledModules = [ ]; + nodeName, + config, + pkgs, + ... +}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 7683a53..12e0271 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix 
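Review bot: On the new side the `syncthing` container is imported without `inherit repoFlake;` while `mailserver` and `webserver` both pass it, and `nodeFlake` is no longer passed to any of the three since `specialArgs` was removed; if `../../containers/syncthing.nix` takes `repoFlake`, the call site should read `autoStart = true; inherit repoFlake;` for consistency. The webserver call also silently loses `forgejoSshPort = 2222;`, which the old side passed, so a forge SSH listener may disappear from the NAT/port setup without being mentioned in the commit. The `hostAddress`/`localAddress` pairs now use plain `192.168.100.x` addresses with `internalInterfaces = ["ve-*"]`, which is the documented point-to-point container pattern and fine as written. The enclosing attribute set continues past the hunk (the `system.stateVersion` comment is cut).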
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index f8ca24f..c315b8e 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 080bb40..7566a02 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -15,8 +14,7 @@ let "pata_acpi" "ata_generic" ]; -in -{ +in { hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 7380a35..7efcbbd 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,14 +1,16 @@ { pkgs, + lib, config, + repoFlake, nodeName, ... -}: -let +}: let wireguardPort = 51820; -in -{ - imports = [ ../../snippets/systemd-resolved.nix ]; +in { + imports = [ + ../../snippets/systemd-resolved.nix + ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -17,7 +19,9 @@ in # iperf3 5201 ]; - networking.firewall.allowedUDPPorts = [ wireguardPort ]; + networking.firewall.allowedUDPPorts = [ + wireguardPort + ]; networking.firewall.logRefusedConnections = false; 
@@ -34,7 +38,7 @@ in "prefixLength" = 29; } ]; - ipv6.addresses = [ ]; + ipv6.addresses = []; }; networking.defaultGateway = { @@ -49,10 +53,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ - "ve-*" - "wg*" - ]; + internalInterfaces = ["ve-*" "wg*"]; externalInterface = "eth0"; }; @@ -69,12 +70,15 @@ in networking.wireguard.interfaces.wg0 = { # eth0 MTU (1400) - 80 mtu = 1320; - ips = [ "192.168.99.1/31" ]; - listenPort = wireguardPort; + ips = [ + "192.168.99.1/31" + ]; + listenPort = + wireguardPort; privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { - allowedIPs = [ "192.168.99.2/32" ]; + allowedIPs = ["192.168.99.2/32"]; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; } @@ -82,18 +86,14 @@ in }; # virtualization - virtualisation = { - docker.enable = false; - }; + virtualisation = {docker.enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; - containers = { }; + containers = {}; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md index c76c8a0..92893b6 100644 --- a/nix/os/devices/srv0-dmz0/README.md +++ b/nix/os/devices/srv0-dmz0/README.md @@ -1,6 +1,7 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life ``` + diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index 5514edf..b59afac 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix 
@@ -1,14 +1,14 @@ { modulesPath, repoFlake, + packages', + pkgs, config, ... -}: -let +}: let disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in -{ - disabledModules = [ ]; +in { + disabledModules = []; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +23,7 @@ in ]; ## bare-metal machines - srvos.boot.consoles = [ "tty0" ]; + srvos.boot.consoles = ["tty0"]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; @@ -39,7 +39,7 @@ in start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "ESP"; @@ -60,14 +60,14 @@ in bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; @@ -109,7 +109,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; 
@@ -119,11 +119,94 @@ in # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; - containers = { }; + containers = {}; + + # sops.secrets.holochain-nomad-agent-ca = { + # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + # owner = config.users.extraUsers.nomad.name; + # group = config.users.groups.nomad.name; + # }; + # sops.secrets.holochain-global-nomad-client-cert = { + # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + # owner = config.users.extraUsers.nomad.name; + # group = config.users.groups.nomad.name; + # }; + # sops.secrets.holochain-global-client-nomad-key = { + # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + # owner = config.users.extraUsers.nomad.name; + # group = config.users.groups.nomad.name; + # }; + + # services.nomad = { + # enable = true; + # package = packages'.nomad; + # enableDocker = false; + # dropPrivileges = false; + + # extraPackages = [ + # pkgs.coreutils + # pkgs.nix + # pkgs.bash + # pkgs.gitFull + # pkgs.cacert + # ]; + + # settings = { + # server.enabled = false; + + # client = { + # enabled = true; + # server_join = { + # retry_join = [ + # "infra.holochain.org" + # ]; + # retry_interval = "60s"; + # }; + + # node_class = "testing"; + + # meta = { + # inherit (pkgs.targetPlatform) system; + + # features = builtins.concatStringsSep "," [ + # "poc-1" + # "poc-2" + # "ipv4-nat" + # "nix" + # "nixos" + # "holoport" + # ]; + + # machine_type = "baremetal"; + # }; + # }; + + # tls = { + # http = true; + # rpc = true; + # ca_file = config.sops.secrets.holochain-nomad-agent-ca.path; + # cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path; + # key_file = config.sops.secrets.holochain-global-client-nomad-key.path; + + # verify_server_hostname = true; + # verify_https_client = true; + # }; + + # plugin.raw_exec.config.enabled = true; + # }; + # }; + + # users.extraUsers.nomad.isNormalUser = true; + # 
users.extraUsers.nomad.isSystemUser = false; + # users.extraUsers.nomad.group = "nomad"; + # users.extraUsers.nomad.home = config.services.nomad.settings.data_dir; + # users.extraUsers.nomad.createHome = true; + # users.groups.nomad.members = ["nomad"]; + + # systemd.services.nomad.serviceConfig.User = "nomad"; + # systemd.services.nomad.serviceConfig.Group = "nomad"; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 3af624b..5c0b7bb 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock index 4e1a641..5008566 100644 --- a/nix/os/devices/srv0-dmz0/flake.lock +++ b/nix/os/devices/srv0-dmz0/flake.lock 
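Review bot: Roughly ninety lines of commented-out nomad client configuration are added to srv0-dmz0/configuration.nix; commented code drifts silently, and the `packages'`/`pkgs` arguments added to the file header serve only this block. If the intent is to revive it later, a one-line comment pointing at where the live version is kept (e.g. `# nomad client config: see <branch or commit placeholder>`) is preferable to carrying the full text. If it is revived as written, `dropPrivileges = false`, `plugin.raw_exec.config.enabled = true` and the `systemd.services.nomad.serviceConfig.User = "nomad"` override need a deliberate review together, since they determine what scheduled jobs are allowed to execute on this host. The file continues past the hunk with the `system.stateVersion` comment.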
@@ -7,43 +7,43 @@ ] }, "locked": { - "lastModified": 1716736833, - "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", + "lastModified": 1703367386, + "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=", "owner": "nix-community", "repo": "home-manager", - "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", + "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1703467016, + "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1717242134, - "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", + "lastModified": 1703766384, + "narHash": "sha256-PN7mpVqo/Rf/XIIJv7Kuc4MVvF349F9hBipcGjr4HNg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", + "rev": "05d50dc97a11f0382514bb062ce470ce7da20dfd", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1717216113, - "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", + "lastModified": 1703643441, + "narHash": "sha256-UsAtbIwxBuciNfiwY9g+jiLDyvYIaO5jai8avtAK+EE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", + "rev": "f930306a698f1ae7045cf3265693b7ebc9512f23", "type": "github" }, "original": { diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index 2f27989..991b38a 100644 
--- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -1,12 +1,12 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-24.05"; + url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index 9ddbde9..fe0b621 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -_: { +{lib, ...}: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index a89e29a..8815036 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -18,8 +17,7 @@ let "xhci_hcd" "xhci_pci" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; 
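Review bot: The `inputs.nixpkgs.url` and `inputs.home-manager.url` pins move backwards, from `nixos-24.05`/`release-24.05` to `nixos-23.11`/`release-23.11`, and the accompanying flake.lock hunks roll `lastModified` from mid-2024 back to December 2023 for every input. For a deployed host (`deployment.targetHost = "srv0.dmz0.noosphere.life"` in the srv0-dmz0/default.nix hunk) that is a downgrade onto an older package set that presumably no longer receives channel updates. If it is intentional, the reason belongs next to the url, e.g. `# pinned to 23.11: <reason>`; otherwise this looks like a merge that resurrected the old pin and should be re-bumped.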
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index 607e7f3..b6c8038 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,8 +1,16 @@ -{ config, pkgs, ... }: { - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; + config, + pkgs, + lib, + ... +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -12,12 +20,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index 84bb74d..e677958 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,4 +1,11 @@ -_: { +{ + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; +in { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -30,7 +37,7 @@ _: { networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; 
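Review bot: The new module header `{ config, pkgs, lib, ... }` in pkg.nix and the `keys = import ../../../variables/keys.nix;` binding in system.nix are not referenced anywhere in their hunks; unless the rest of each file uses them, they are dead bindings and should be dropped. The same pattern recurs in steveej-nuc7pjyh-work/system.nix and steveej-t14/hw.nix (an empty `let in`), steveej-pa600/system.nix (`keys`), steveej-t14/user.nix (`lib`), steveej-utilitepro/configuration.nix (`self = super.pkgs`) and the generated hardware-configuration.nix, whose own header says it must not be edited by hand. The `passwords = import ../../../variables/passwords.crypt.nix;` added to steveej-nuc7pjyh-work/user.nix and steveej-pa600/user.nix deserves particular care: Nix is lazy, so an unused binding costs nothing, but anything later read from it ends up in the world-readable store, as the utilitepro hunk's `hashedPassword = passwords.users.steveej` (already marked FIXME) shows; the steveej-t14/user.nix approach, `hashedPasswordFile = config.sops.secrets.<name>.path`, is the safer template.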
@@ -38,20 +45,14 @@ _: { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; networking.useHostResolvConf = false; - services.resolved = { - enable = true; - }; + services.resolved = {enable = true;}; - containers = { }; + containers = {}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index 1bc2086..bb546e6 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,8 +4,7 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 5817e21..511138c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,8 +6,7 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index d009275..a15e1aa 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 76ab1b9..6d8eadd 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index efe0db2..73d39d9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,7 +1,11 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: let +in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = { }; + users.groups.sgx = {}; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index e37d392..2b72309 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,9 +1,12 @@ -{ pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -11,7 +14,7 @@ in image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = [ "sgx" ]; + extraGroups = ["sgx"]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/steveej-pa600/boot.nix 
+++ b/nix/os/devices/steveej-pa600/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 68ad190..37f4c61 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index 651a6e2..a563c1a 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -8,8 +7,7 @@ let "xhci_pci" "hxci_hcd" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 360c17b..1db742a 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,8 +1,11 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 2a4551a..02256d8 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix 
@@ -1,5 +1,11 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; +in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -14,11 +20,7 @@ services.printing = { enable = true; - drivers = with pkgs; [ - hplip - mfcl3770cdw.driver - mfcl3770cdw.cupswrapper - ]; + drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; }; services.fprintd.enable = true; @@ -27,9 +29,9 @@ sudo.fprintAuth = true; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index bb94098..4b85fea 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,9 +1,12 @@ -{ pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index e7d4567..ce6b116 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix 
@@ -4,12 +4,9 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 08f1a43..96f7be3 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index 9682eb6..b32a198 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 4af1def..14df96a 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 7f69ec0..4329e5c 100644 
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,3 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index 861a9ea..d49dbd3 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,8 +1,11 @@ -{ ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index c42f909..408b2a9 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index d409681..5bad73f 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,4 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index 3771f25..f8759b8 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,33 +2,35 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = '' + 0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = '' + d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = ''9c34c8adba80180608794cce600b10183b048942''; + rev = '' + 9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = '' + f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = '' + d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index 92abc4a..a0fa34a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index d3ff0b5..281d09e 100644 
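Review bot: Turning the single-line `rev = ''0040164e…''` pins into two-line indented strings (`rev = ''` / `    0040164e…'';`) relies on Nix dropping the newline after the opening `''` and stripping the common indentation, so the value should still be the bare hash, but a stray space or a different formatter pass can now silently change the commit the channel resolves to. Since these are content pins, a plain double-quoted string is the unambiguous form: `rev = "0040164e473509b4aee6aedb3b923e400d6df10b";`, and likewise for the four other `rev` entries in this hunk.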
--- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -1,5 +1,8 @@ -{ lib, pkgs, ... }: { + lib, + pkgs, + ... +}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index f5ccca0..a094278 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../snippets/home-manager-with-zsh.nix ../../snippets/nix-settings-holo-chain.nix @@ -20,7 +19,7 @@ ./boot.nix # samba seerver - (_: { + ({lib, ...}: { # networking.firewall.enable = lib.mkForce false; services.samba-wsdd.enable = true; # make shares visible for windows 10 clients networking.firewall.allowedTCPPorts = [ diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index d7e6d28..bcb5e94 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix 
@@ -4,24 +4,26 @@ repoFlakeWithSystem, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index 504ce45..357ecab 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix @@ -3,6 +3,7 @@ inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + inputs.nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.nixpkgs.follows = "nixpkgs-2311"; @@ -12,5 +13,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 0fa593a..1b905e0 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -1,4 +1,5 @@ -_: { +{lib, ...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; 
@@ -65,56 +66,16 @@ _: { enable = false; levels = [ # ["level auto" 0 60] - [ - 0 - 0 - 60 - ] - [ - 1 - 60 - 65 - ] - [ - 1 - 65 - 75 - ] - [ - 2 - 75 - 78 - ] - [ - 3 - 78 - 80 - ] - [ - 4 - 80 - 82 - ] - [ - 5 - 82 - 84 - ] - [ - 6 - 84 - 86 - ] - [ - 7 - 86 - 88 - ] - [ - "level full-speed" - 88 - 999 - ] + [0 0 60] + [1 60 65] + [1 65 75] + [2 75 78] + [3 78 80] + [4 80 82] + [5 82 84] + [6 84 86] + [7 86 88] + ["level full-speed" 88 999] ]; extraArgs = [ diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 4e53eaf..0cc3c04 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,7 +1,14 @@ -{ pkgs, ... }: { + pkgs, + lib, + repoFlake, + nodeFlake, + ... +}: { system.stateVersion = "23.05"; - home-manager.users.root = _: { home.stateVersion = "22.05"; }; + home-manager.users.root = _: { + home.stateVersion = "22.05"; + }; home-manager.users.steveej = _: { home.stateVersion = "22.05"; imports = [ @@ -14,9 +21,10 @@ }) ]; - home.sessionVariables = { }; + home.sessionVariables = {}; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; }; # TODO: fix the following errors with regreet 
@@ -30,28 +38,26 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = - let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in - { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; - }; + services.greetd = let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; }; }; + }; environment.etc."greetd/environments".text = '' sway diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index db19a3b..4d43885 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -2,10 +2,10 @@ pkgs, lib, config, + nodeName, repoFlake, ... -}: -let +}: let localTcpPorts = [ 22 
@@ -21,11 +21,12 @@ let 22000 21027 ]; -in -{ +in { nix.settings = { - substituters = [ ]; - trusted-public-keys = [ ]; + substituters = [ + ]; + trusted-public-keys = [ + ]; }; nix.distributedBuilds = true; @@ -38,7 +39,7 @@ in system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ []; } { @@ -49,15 +50,16 @@ in system = "aarch64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ []; } ]; networking.networkmanager.enable = true; - networking.extraHosts = ''''; + networking.extraHosts = '' + ''; - networking.bridges."virbr1".interfaces = [ ]; + networking.bridges."virbr1".interfaces = []; networking.interfaces."virbr1".ipv4.addresses = [ { address = "10.254.254.254"; @@ -90,9 +92,7 @@ in # virtualization virtualisation = { - libvirtd = { - enable = true; - }; + libvirtd = {enable = true;}; virtualbox.host = { enable = false; 
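Review bot: `supportedFeatures = … ++ []` in both build-machine entries (presumably `nix.buildMachines`, given `nix.distributedBuilds = true;` above) appends an empty list and is a no-op; either drop the `++ []` or, if it is a placeholder, say so with `# extra features beyond the target's system-features go here`. In the first hunk `substituters` and `trusted-public-keys` are now spread over two lines as `[` / `]` while `networking.bridges."virbr1".interfaces = []` stays on one line, so pick one shape for empty lists. The enclosing `nix.settings` block starts before the first hunk.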
@@ -110,11 +110,50 @@ in # client min protocol = NT1 ''; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; hardware.ledger.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # services.zerotierone = { + # enable = false; + # joinNetworks = [ + # # moved to the service below as it's now secret + # ]; + # }; + + # systemd.services.zerotieroneSecretNetworks = { + # enable = false; + # requiredBy = [ "zerotierone.service" ]; + # partOf = [ "zerotierone.service" ]; + + # serviceConfig.Type = "oneshot"; + # serviceConfig.RemainAfterExit = true; + + # script = + # let + # secret = config.sops.secrets.zerotieroneNetworks; + # in + # '' + # # include the secret's hash to trigger a restart on change + # # ${builtins.hashString "sha256" (builtins.toJSON secret)} + + # ${config.systemd.services.zerotierone.preStart} + + # rm -rf /var/lib/zerotier-one/networks.d/*.conf + # for network in `grep -v '#' ${secret.path}`; do + # touch /var/lib/zerotier-one/networks.d/''${network}.conf + # done + # ''; + # }; + + sops.secrets.zerotieroneNetworks = { + sopsFile = ../../../../secrets/zerotierone.txt; + format = "binary"; + }; + + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index dacf1f4..6068f93 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
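Review bot: `sops.secrets.zerotieroneNetworks` is now declared, and so presumably decrypted onto the host by sops-nix at activation, but its only consumer, `systemd.services.zerotieroneSecretNetworks`, is added commented out together with `services.zerotierone`, so the secret is materialised for nothing. Either keep the consumer live with `enable = false` so the reference to `config.sops.secrets.zerotieroneNetworks` stays checked, or comment the secret out with it until the service is wanted, and add `# consumed by zerotieroneSecretNetworks (currently disabled)` so the pairing is visible. If the script is revived later, it iterates the decrypted file with backticks and an unquoted `for network in …`; `while read -r network; do …; done < ${secret.path}` is the robust form. The enclosing module starts before this hunk.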
@@ -1,16 +1,19 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + lib, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = [ "steveej" ]; + nix.settings.trusted-users = ["steveej"]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 76a34c8..06cc7d1 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,11 +1,13 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: -let - passwords = import ../common/passwords.crypt.nix; -in { + config, + pkgs, + ... +}: let + passwords = import ../common/passwords.crypt.nix; +in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; 
@@ -17,18 +19,22 @@ in ''; nixpkgs.config = { - packageOverrides = super: { + packageOverrides = super: let + self = super.pkgs; + in { linux_4_1 = super.linux_4_1.override { - kernelPatches = super.linux_4_1.kernelPatches ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } - ]; + kernelPatches = + super.linux_4_1.kernelPatches + ++ [ + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } + ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' BTRFS_FS y @@ -273,10 +279,7 @@ in uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = [ - "wheel" - "libvirtd" - ]; + extraGroups = ["wheel" "libvirtd"]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index 1d3e463..a325b30 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,13 +1,17 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ ... }: { - imports = [ ]; + config, + lib, + pkgs, + ... +}: { + imports = []; - boot.initrd.availableKernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; hardware.enableAllFirmware = true; 
@@ -20,5 +24,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = [ ]; + swapDevices = []; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 39e93de..9aec1e2 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -5,10 +5,10 @@ lib, config, nodeName, + localDomainName, system, ... -}: -{ +}: { nixos-x13s = { enable = true; # TODO: use hardware address @@ -41,8 +41,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -103,15 +103,20 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; - home.sessionVariables = { }; + home.sessionVariables = {}; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; # TODO: currently unsupported services.gammastep.enable = lib.mkForce false; @@ -122,7 +127,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; + blacklistedKernelModules = ["wwan"]; initrd.kernelModules = [ "uas" 
@@ -148,8 +153,7 @@ "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; }; }; diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index 2ba48d2..fa66cf4 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -6,23 +6,21 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -31,6 +29,8 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + ]; }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix index 2eb097a..e56b0d1 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix 
+++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix @@ -14,7 +14,9 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ "defaults" ]; + mountOptions = [ + "defaults" + ]; }; }; luks = { @@ -22,7 +24,7 @@ content = { type = "luks"; name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { @@ -34,28 +36,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index 043907d..bcc82bb 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -22,66 +22,71 @@ nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in { + lib = { + mkNixosConfiguration = { + nodeName, + extraModules ? [], + ... + } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - nodeName, - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = extraModules; - } - ); + modules = + [ + # repoFlake.nixosModules.hardware-x13s + ] + ++ extraModules; + } + ); + }; + + nixosConfigurations = let + nodeName = "steveej-x13s-rmvbl"; + in { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { + users.commonUsers.installPassword = "install"; + } + ]; }; - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix - { users.commonUsers.installPassword = "install"; } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; + { + 
nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; }; + }; } diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index d5c9475..6d90f3d 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -5,32 +5,19 @@ lib, config, nodeName, + localDomainName, system, ... -}: -{ - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - +}: { nixos-x13s = { enable = true; # TODO: use hardware address bluetoothMac = "65:9e:7a:8b:86:28"; - kernel = "jhovold"; }; services.illum.enable = true; - # printint and autodiscovery of printers - services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - hardware.sane.enable = true; # enables support for SANE scanners - - systemd.services.bluetooth-x13s-mac = lib.mkForce { + systemd.services.bluetooth-mac = { enable = true; path = [ pkgs.systemd @@ -56,8 +43,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
@@ -77,26 +64,9 @@ nodeFlake.inputs.disko.nixosModules.disko ./disko.nix + ../../snippets/nix-settings.nix ../../profiles/common/user.nix - ../../snippets/nix-settings.nix - ../../snippets/nix-settings-holo-chain.nix - ../../snippets/mycelium.nix - - nodeFlake.inputs.extra-container.nixosModules.default - { - networking.nat = { - enable = true; - internalInterfaces = ["ve-+"]; - # externalInterface = "enu1u1u2"; - # Lazy IPv6 connectivity for the container - # enableIPv6 = true; - }; - } - - # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv - # make: *** [Makefile:53: v4l2loopback.ko] Error 2 - # ../../snippets/obs-studio.nix { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; 
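Review bot: `services.openssh.settings.PermitRootLogin = "yes";` survives unchanged on the new side next to `services.openssh.enable = true;`, and NixOS's default for `services.openssh.settings.PasswordAuthentication` is `true`, so unless one of the imported snippets (`../../profiles/common/user.nix` is not visible here) turns it off, root is reachable over SSH with the `hashedPassword` alone. Prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` so root is key-only, and if password login is really wanted for the user accounts, add an explicit `services.openssh.settings.PasswordAuthentication = false;` for parity with the other hosts or a comment saying why not. The enclosing `imports = [` list starts before this hunk.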
@@ -109,95 +79,13 @@ enable = true; enableNonRoot = true; }; - - sops.secrets.builder-private-key = { }; - nix.distributedBuilds = true; - nix.buildMachines = [ - # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' - { - hostName = "buildbot-nix-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ "x86_64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 16; - } - - { - hostName = "aarch64-linux-builder-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ "aarch64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 8; - } - - { - hostName = "x64-linux-dev-01.dev.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ - # "x86_64-linux" - "aarch64-linux" - ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 0; - } - ]; } - { - # yubikey / smartcard. only set to `true` for `ykman piv` commands. - services.pcscd.enable = false; - } - - # TODO: create syncthing os snippet - ( - let - tcp = [ 22000 ]; - udp = [ - 22000 - 21027 - ]; - in - { - # TODO: upstream feature for inverse rule to work: `! 
--in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - } - ) - ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix ../../snippets/bluetooth.nix ../../snippets/timezone.nix ../../snippets/radicale.nix - - ../../snippets/holo-zerotier.nix - - # ../../snippets/k3s-w-nix-snapshotter.nix ]; networking.hostName = nodeName; 
@@ -217,45 +105,33 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; - nixpkgs.overlays = [ nodeFlake.overlays.default ]; + home.sessionVariables = {}; - home.sessionVariables = { }; + home.packages = with pkgs; [ + ]; - home.packages = with pkgs; [ ]; - - # TODO(upstream): currently unsupported on x13s - services.gammastep.enable = true; + # TODO: currently unsupported + services.gammastep.enable = lib.mkForce false; + # programs.chromium.enable = lib.mkForce false; }; boot = { loader.systemd-boot.enable = true; - loader.systemd-boot.configurationLimit = 5; - loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ - "wwan" - # "qcom_soundwire" - # "snd_soc_qcom_sdw" - # "snd_soc_sc8280xp" - ]; + blacklistedKernelModules = ["wwan"]; }; - # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' - hardware.firmware = lib.mkBefore [ - (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - '') - ]; - # see https://linrunner.de/tlp/ # TODO: find an equivalent to tlp that supports this machine services.tlp = { 
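Review bot: The new side drops `loader.systemd-boot.configurationLimit = 5;` while keeping `loader.systemd-boot.enable = true;`, so every retained system generation gets its own boot entry plus a kernel/initrd copy on the vfat `/boot` partition; on a frequently rebuilt laptop that is the usual way the ESP fills up and a later `nixos-rebuild` fails half-way through writing the loader entries. Unless the limit is re-applied in a snippet outside this hunk, keep `loader.systemd-boot.configurationLimit = 5;` in the `boot = { ... }` block. The `boot` block is complete within the hunk; the `home-manager.users.steveej` block above it starts earlier.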
@@ -268,20 +144,8 @@ # android on linux virtualisation.waydroid.enable = true; - hardware.ledger.enable = true; - - virtualisation.containers.enable = true; virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; - steveej.holo-zerotier = { - enable = true; - autostart = false; - }; - - services.udev.packages = [ pkgs.android-udev-rules ]; - programs.adb.enable = true; - - nix.settings.sandbox = lib.mkForce "relaxed"; - - systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = "${pkgs.libcamera}/libexec/libcamera"; + hardware.ledger.enable = true; } diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index bb170b2..fa66cf4 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix @@ -6,23 +6,21 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -31,6 +29,8 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ ./configuration.nix ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + ]; }; } diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix index 40b2118..973c2a4 100644 --- a/nix/os/devices/steveej-x13s/disko.nix +++ b/nix/os/devices/steveej-x13s/disko.nix 
@@ -4,7 +4,6 @@ x13s-nvme = { type = "disk"; device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; - # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; content = { type = "gpt"; partitions = { @@ -15,7 +14,9 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ "defaults" ]; + mountOptions = [ + "defaults" + ]; }; }; luks = { @@ -23,7 +24,7 @@ content = { type = "luks"; name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { @@ -35,28 +36,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 8ee318a..9a78061 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -1,36 +1,5 @@ { "nodes": { - "ath11k-firmware": { - "flake": false, - "locked": { - "lastModified": 1741293326, - "narHash": "sha256-Ew0d2h1pHqJB8SC0pEYezU5lMknvlcYazVVYCtjW3OY=", - "ref": "refs/heads/main", - "rev": "bc6359cb7ad38b7bc4de6580b7a3c70851c0cafb", - "revCount": 173, - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - }, - "original": { - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - } - }, - "crane": { - "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -38,11 +7,11 @@ ] }, "locked": { - "lastModified": 1745812220, - "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", + "lastModified": 1707354935, + "narHash": "sha256-COv13Awbwut8Q8h8WxWpbVGHsUlZ6Yb+6YiWyWUV+yY=", "owner": "nix-community", "repo": "disko", - "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", + "rev": "c49bb95ac852841b9015fb56a503a36ebdb46a59", "type": "github" }, "original": { 
@@ -50,103 +19,16 @@ "type": "indirect" } }, - "extra-container": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1734542275, - "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", - "owner": "erikarvstedt", - "repo": "extra-container", - "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", - "type": "github" - }, - "original": { - "owner": "erikarvstedt", - "repo": "extra-container", - "type": "github" - } - }, - "flake-compat": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "revCount": 69, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - 
"type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { @@ -155,51 +37,13 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, "get-flake": { - "inputs": { - "flake-compat": "flake-compat" - }, "locked": { - "lastModified": 1745945175, - "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", "owner": "ursi", "repo": "get-flake", - "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", "type": "github" }, "original": { 
@@ -215,249 +59,133 @@ ] }, "locked": { - "lastModified": 1737233786, - "narHash": "sha256-WO6owkCecetn7bbu/ofy8aftO3rPCHUeq5GlVLsfS4M=", - "owner": "steveej-forks", + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", + "owner": "nix-community", "repo": "home-manager", - "rev": "40ecdf4fc8bb698b8cbdb2ddb0ed5b1868e43c1a", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", "type": "github" }, "original": { - "owner": "steveej-forks", - "ref": "master", + "owner": "nix-community", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } }, - "linux-jhovold": { + "mobile-nixos": { "flake": false, "locked": { - "lastModified": 1745847827, - "narHash": "sha256-ewM7Rpd6On6ys3OkcWOtR7TNWSRZRLZpRP7L9syhn6s=", - "owner": "jhovold", - "repo": "linux", - "rev": "1786db28b335abb5a0fa1e8a27e9950a73f64acf", + "lastModified": 1705008488, + "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", + "owner": "NixOS", + "repo": "mobile-nixos", + "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", "type": "github" }, "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-6.15-rc4", - "repo": "linux", + "owner": "NixOS", + "repo": "mobile-nixos", "type": "github" } }, - "mycelium": { + "nixos-x13s": { "inputs": { - "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nix-filter": "nix-filter", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745920427, - "narHash": "sha256-E5uUuKv7Mn0/EfmffRQZpSeATcSzJFVeYVF6Cn7KbJc=", - "owner": "threefoldtech", - "repo": "mycelium", - "rev": "1eec5651bf5f194b7f7875ec2483582ccebf1cc1", - "type": "github" - }, - "original": { - "owner": "threefoldtech", - "repo": "mycelium", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": 
"f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat_3", "flake-parts": "flake-parts", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1717948701, - "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "rev": "c10b066a4b1bb3451507c141636014e3335e579e", + "lastModified": 1707341322, + "narHash": "sha256-hfJDFRAFrdLDY0ebNy7BpaKBmj3BwR/WTbQswlrpU1Y=", + "ref": "refs/heads/main", + "rev": "e612b7c968318bcd7f6ae5a4eaf930e21baa644d", + "revCount": 14, + "type": "git", + "url": "https://codeberg.org/adamcstephens/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/nixos-x13s" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1707238373, + "narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "fb0c047e30b69696acc42e669d02452ca1b55755", "type": "github" }, "original": { - "owner": "yu-re-ka", - "repo": "nix-snapshotter", + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", "type": "github" } }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts_2", - "linux-jhovold": "linux-jhovold", - "nixpkgs": [ - "nixpkgs" - ], - "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" - }, + "nixpkgs-2211": { "locked": { - "lastModified": 1745914252, - "narHash": "sha256-u8hbsI+oW+cO+omdGeY6Q+Z/NvVZaHIZS70f1mq1gac=", - "ref": "bump", - "rev": "8bd7972c74b12b45aee190ce2ddd6960a0771af6", - "revCount": 147, - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" }, "original": { 
- "ref": "bump", - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1746055187, - "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=", - "owner": "nixos", + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1745930157, - "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", - "type": "github" - }, - "original": { - "owner": "nixos", + "dir": "lib", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1707347693, + "narHash": "sha256-/MxX1WUwKui2dWtKghN+8qIKf8X7hHPD1KCeDXoApEI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9a113b42b3b15eafa91a027bd9fb9fd69fa6ed96", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "ath11k-firmware": "ath11k-firmware", "disko": "disko", - 
"extra-container": "extra-container", "get-flake": "get-flake", "home-manager": "home-manager", - "mycelium": "mycelium", - "nix-snapshotter": "nix-snapshotter", + "mobile-nixos": "mobile-nixos", "nixos-x13s": "nixos-x13s", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nixpkgs-unstable": "nixpkgs-unstable", - "signal-desktop": "signal-desktop" - } - }, - "signal-desktop": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745037528, - "narHash": "sha256-twzHVBNEX6daUCFwtjn3X7WaJnwRqHeAxX0MB7kosHo=", - "owner": "youwen5", - "repo": "signal-desktop-flake", - "rev": "1b41af6489574da6ba1e0186235c87acbf57163f", - "type": "github" - }, - "original": { - "owner": "youwen5", - "repo": "signal-desktop-flake", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "x13s-bt-linux-firmware": { - "flake": false, - "locked": { - "lastModified": 1733240564, - "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", - "ref": "refs/heads/main", - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "revCount": 4282, - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - }, - "original": { - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "type": "git", - "url": 
"git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + "nixpkgs": "nixpkgs", + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } }, diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index ffd00f9..4c632c8 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -1,121 +1,92 @@ { inputs = { - nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; get-flake.url = "github:ursi/get-flake"; disko.inputs.nixpkgs.follows = "nixpkgs"; + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; + home-manager = { - url = "github:steveej-forks/home-manager/master"; - # url = "github:nix-community/home-manager/master"; - # url = "github:nix-community/home-manager/release-24.11"; + url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.13-rc2 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; + nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; - # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - - ath11k-firmware = { - url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; - flake = false; - }; 
- - mycelium.url = "github:threefoldtech/mycelium"; - mycelium.inputs.nixpkgs.follows = "nixpkgs"; - - nix-snapshotter = { - url = "github:yu-re-ka/nix-snapshotter"; - # url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - extra-container = { - url = "github:erikarvstedt/extra-container"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - signal-desktop = { - url = "github:youwen5/signal-desktop-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; - outputs = - { - self, - get-flake, - nixpkgs, + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + targetPlatform = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + + mkNixosConfiguration = { + nodeName, + extraModules ? [], ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; - - repoFlake = get-flake ../../../..; - - mkNixosConfiguration = + } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... 
- }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = targetPlatform; + inherit nodeName repoFlake; - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = [ - ./configuration.nix + modules = + [ + # repoFlake.nixosModules.hardware-x13s + ] + ++ extraModules; + } + ); + in { + lib = { + inherit mkNixosConfiguration; + }; - # flake registry - { nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; + nixosConfigurations = let + nodeName = "steveej-x13s"; + in { + native = mkNixosConfiguration { + inherit nodeName; + system = targetPlatform; + extraModules = [ + ./configuration.nix + ]; }; - overlays.default = - _final: _previous: - { - }; + cross = mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = targetPlatform; + } + ]; }; }; + }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } 
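Review bot: The new `modules = [ ... ] ++ extraModules` list no longer carries the `{ nix.registry.nixpkgs.flake = nixpkgs; }` module the old side passed in, so the host's `nixpkgs` registry entry is no longer pinned to the locked input and an ad-hoc `nix shell nixpkgs#foo` on the machine resolves through the global flake registry, fetching an unpinned nixpkgs over the network instead of the revision this system was built from (newer NixOS releases pin this by default via `nixpkgs.flake.setFlakeRegistry`, but the 23.11 branch selected here predates that, so it should be confirmed). Re-add `{ nix.registry.nixpkgs.flake = nixpkgs; }` inside the `modules` list, where the commented-out `# repoFlake.nixosModules.hardware-x13s` placeholder now sits. Separately, `nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"` points at a release branch that is end-of-life upstream; if this hunk is a deliberate roll-back rather than a fresh pin, a one-line comment above it saying so would stop a reader from "fixing" it.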
diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index 958331e..db025f1 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{ repoFlake, ... }: -let +{repoFlake, ...}: let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index 0547466..d432f24 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index 392bb1b..e09b10e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" 
@@ -12,8 +11,7 @@ let "virtio" "scsi_mod" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 2857a30..96cfc55 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,5 +1,9 @@ -{ config, pkgs, ... }: { + config, + pkgs, + lib, + ... +}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -8,12 +12,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; @@ -23,7 +22,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = [ ]; + buildMachinesFiles = []; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -31,13 +30,7 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [ - bash - gitlab-runner - nix - gitFull - git-crypt - ]; + extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; concurrent = 2; checkInterval = 0; @@ -46,7 +39,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = [ "nix" ]; + tagList = ["nix"]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index cebed6a..45c6b0c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix 
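Review bot: The `lib` added to pkg.nix's argument set is not referenced anywhere in this hunk, and the same pattern repeats across the commit: `lib`/`nodeName` in vmd102066's system.nix, `config` plus an unused `cfg` binding in ddclient-hetzner.nix and ddclient-ovh.nix, `config` in natrouter.nix, `nodeFlake`/`repoFlakeInputs'`/`packages'` in profiles/common/configuration.nix, `config`/`lib` in profiles/common/system.nix, `pkgs` in profiles/graphical/configuration.nix and `lib` in profiles/graphical/system.nix. The remainder of each file is outside these hunks, so some of these names may well be used further down; where they are not, the extra arguments read as forward-declared intent and hide a typo behind an otherwise valid module signature. Either drop the names the file does not use, or leave a short comment naming what each reserved argument is for.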
@@ -1,9 +1,13 @@ -{ pkgs, config, ... }: -let +{ + pkgs, + lib, + config, + nodeName, + ... +}: let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -33,7 +37,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; @@ -41,9 +45,7 @@ in # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -51,7 +53,7 @@ in systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [ pkgs.systemd ]; + path = [pkgs.systemd]; script = '' systemctl status sshd | grep -i tasks ''; @@ -71,13 +73,11 @@ in # }; # }; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; boot.initrd.network = { enable = true; - udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; + udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; ssh = { enable = true; @@ -104,12 +104,7 @@ in inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = [ - "mailserver" - "webserver" - "backup" - "syncthing" - ]; + subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/devices/voodoo/.gitignore b/nix/os/devices/voodoo/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/voodoo/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/voodoo/configuration.nix b/nix/os/devices/voodoo/configuration.nix new file mode 100644 index 0000000..d6ae93c --- /dev/null +++ b/nix/os/devices/voodoo/configuration.nix 
@@ -0,0 +1,85 @@
+{
+ repoFlake,
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ localDomainName,
+ system,
+ ...
+}: let
+in {
+ imports = [
+ # repoFlake.inputs.sops-nix.nixosModules.sops
+
+ # ../../profiles/common/user.nix
+
+ {
+ nix.nixPath = [
+ "nixpkgs=${pkgs.path}"
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ nix.settings.max-jobs = lib.mkDefault "auto";
+ nix.settings.cores = lib.mkDefault 0;
+ }
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ # users.commonUsers = {
+ # enable = true;
+ # enableNonRoot = false;
+ # rootPasswordFile = config.sops.secrets.passwords-root.path;
+ # };
+
+ users.users.root.password = "voodoo";
+
+ # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # sops.defaultSopsFormat = "yaml";
+
+ # sops.secrets.passwords-root.neededForUsers = true;
+ }
+ ];
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = false;
+ useDHCP = true;
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.11";
+
+ # We exclude a number of modules included in the default list. A non-insignificant amount do
+ # not apply to embedded hardware like this, so simply skip the defaults.
+ #
+ # Custom kernel is required as a lot of MTK components misbehave when built as modules.
+ # They fail to load properly, leaving the system without working ethernet, they'll oops on
+ # remove. MTK-DSA parts and PCIe were observed to do this.
+
+ # boot.initrd.includeDefaultModules = false;
+ # boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
+ # boot.initrd.availableKernelModules = ["nvme"];
+
+ hardware.enableRedistributableFirmware = false;
+
+ # Extlinux compatible with custom uboot patches in this repo, which also provide unique
+ # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices...
+ boot.loader.grub.enable = true;
+
+ environment.systemPackages = [
+ # pkgs.pciutils
+ ];
+
+ fileSystems."/".label = "voodoo_root";
+ boot.loader.grub.devices = [
+ "/dev/disk/by-id/usb-ST313640_A_20171021-0"
+ ];
+}
diff --git a/nix/os/devices/voodoo/default.nix b/nix/os/devices/voodoo/default.nix
new file mode 100644
index 0000000..e43dbc4
--- /dev/null
+++ b/nix/os/devices/voodoo/default.nix
@@ -0,0 +1,35 @@
+{
+ system ? "i586-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ localDomainName ? "internal",
+ ...
+}: {
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake system;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+
+ inherit localDomainName;
+ };
+
+ meta.nodeNixpkgs.${nodeName} =
+ import nodeFlake.inputs.nixpkgs.outPath
+ {
+ inherit system;
+ };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.${localDomainName}";
+ deployment.replaceUnknownProfiles = true;
+
+ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+ imports = [
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/voodoo/flake.lock b/nix/os/devices/voodoo/flake.lock
new file mode 100644
index 0000000..089ad5e
--- /dev/null
+++ b/nix/os/devices/voodoo/flake.lock
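Review bot: `users.users.root.password = "voodoo"` stores a cleartext root password in the evaluated configuration, which lands in a world-readable store path on every machine that builds or deploys this flake, and the same module sets `services.openssh.settings.PermitRootLogin = "yes"` and `networking.firewall.enable = false`, so that string is the only thing between the network and a root shell. The commented-out `users.commonUsers`/`sops.secrets.passwords-root` block already sketches the intended wiring: `users.users.root.hashedPasswordFile = config.sops.secrets.passwords-root.path;` with `sops.secrets.passwords-root.neededForUsers = true;`, together with `PermitRootLogin = "prohibit-password"` and an `openssh.authorizedKeys.keys` entry for root. If the cleartext value is a deliberate bring-up shortcut for this board, `users.users.root.initialPassword` with a `# bring-up only: replace before exposing the host` comment at least confines it to first boot. Separately, `}: let in {` binds nothing, and the `repoFlake`, `config`, `nodeFlake`, `localDomainName` and `system` arguments are unused in this file.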
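Review bot: `system ? "i586-linux"` in default.nix's argument defaults does not match the `targetPlatform = "i686-linux"` that the sibling flake.nix passes explicitly, so the default is never exercised by this flake, and if another caller relied on it it would likely select a system name that nixpkgs does not expose under `legacyPackages`. Suggest dropping the default or aligning it, `system ? "i686-linux",`. `deployment.replaceUnknownProfiles = true` also lets a deploy overwrite a system profile the deployer has never seen; a one-line comment on why that is acceptable for this host would help the next reader.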
@@ -0,0 +1,225 @@ +{ + "nodes": { + "bpir3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703603768, + "narHash": "sha256-ZViXHNt7ClqNtlRO9iot+LxiSbBvZi/RR+/6Q7W6UV8=", + "owner": "steveej-forks", + "repo": "nixos-bpir3", + "rev": "47cb545b92c136d1482a66b940c4719c40eb5fe3", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "linux-6.6", + "repo": "nixos-bpir3", + "type": "github" + } + }, + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703532766, + "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=", + "owner": "nix-community", + "repo": "disko", + "rev": "1b191113874dee97796749bb21eac3d84735c70a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703527373, + "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "80679ea5074ab7190c4cce478c600057cfb5edae", + "type": "github" + }, + "original": { + "owner": 
"nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "hostapd": { + "flake": false, + "locked": { + "lastModified": 1703346062, + "narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=", + "ref": "refs/heads/main", + "rev": "196d6c83b9cb7d298fdc92684dc37115348b159e", + "revCount": 19119, + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + }, + "original": { + "type": "git", + "url": "git://w1.fi/hostap.git?branch=main" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703279052, + "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixos-stable": { + "locked": { + "lastModified": 1703068421, + "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1703255338, + "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "openwrt": { + "flake": false, + "locked": { + "lastModified": 1691699580, + "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", + "ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "revCount": 58166, + "type": "git", + "url": 
"https://github.com/openwrt/openwrt.git" + }, + "original": { + "ref": "main", + "rev": "847984c773d819d5579d5abae4b80a4983103ed9", + "type": "git", + "url": "https://github.com/openwrt/openwrt.git" + } + }, + "root": { + "inputs": { + "bpir3": "bpir3", + "disko": "disko", + "get-flake": "get-flake", + "home-manager": "home-manager", + "hostapd": "hostapd", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "openwrt": "openwrt", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixos-stable": "nixos-stable", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703469109, + "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=", + "owner": "numtide", + "repo": "srvos", + "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/voodoo/flake.nix b/nix/os/devices/voodoo/flake.nix new file mode 100644 index 0000000..7e94241 --- /dev/null +++ b/nix/os/devices/voodoo/flake.nix 
@@ -0,0 +1,81 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + targetPlatform = "i686-linux"; + buildPlatform = "x86_64-linux"; + nodeName = "voodoo"; + + pkgs = nixpkgs.legacyPackages.${targetPlatform}; + pkgsCross = import self.inputs.nixpkgs { + system = buildPlatform; + crossSystem = { + config = "pentium2-unknown-linux-gnu"; + }; + }; + + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = + (import ./default.nix { + system = targetPlatform; + inherit nodeName; + + repoFlake = get-flake ../../../..; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; + + modules = + [ + ./configuration.nix + + # flake registry + { + nix.registry.nixpkgs.flake = nixpkgs; + } + + { + nixpkgs.overlays = [ + (final: previous: {}) + ]; + } + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + system = targetPlatform; + }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = targetPlatform; + } + ]; + }; + }; + }; +} diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index b4f4dcc..a4dbcff 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,16 +1,15 @@ -{ lib, config }: -let - keys = import ../../variables/keys.nix; -in { - mkUser = - args: + lib, + config, +}: let + keys = import ../../variables/keys.nix; +in { + mkUser = args: lib.mkMerge [ { isNormalUser = true; extraGroups = [ "docker" - "podman" "wheel" "libvirtd" "networkmanager" 
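Review bot: The inputs declared here (`nixpkgs` pinned to `nixos-23.11`, `get-flake`, `srvos`, and a `disko` entry that only sets `follows` without a `url`) do not match the flake.lock added in the same commit, which records `nixpkgs` as `nixos-unstable` and locks `bpir3`, `home-manager`, `hostapd`, `openwrt` and `nixos-nftables-firewall` that this flake never declares, so the lock looks copied from another device and the first `nix` invocation will most likely rewrite it instead of reproducing the pinned set. Regenerating the lock from this flake.nix and committing the result would make the pins honest. `disko` without a `url` is resolved through the flake registry of whichever machine evaluates the flake; pinning it explicitly, `disko.url = "github:nix-community/disko";`, keeps the input independent of that machine. `pkgs` and `pkgsCross` are bound in the `let` but never used; either feed `pkgsCross` into the `cross` configuration or drop both.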
@@ -24,10 +23,6 @@ in "dialout" "cdrom" "fuse" - "adbusers" - "scanner" - "lp" - "kvm" ]; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -45,7 +40,7 @@ in # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; + volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; @@ -56,10 +51,15 @@ in # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; + lvmPv = diskId: encrypted: + if encrypted == true + then luksPhysicalVolume diskId + else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 622ae62..893620a 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix 
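Review bot: `if encrypted == true` in the reformatted `lvmPv` compares a boolean to `true`, which is redundant and, for a non-boolean argument, silently evaluates to false instead of raising the type error that `if encrypted` would; keep the original condition, `if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId`. Since the else branch hands back `bootLuksDevice` for the unencrypted case, a one-line comment such as `# unencrypted: the LVM PV sits directly on the "3-" partition` would explain the naming; that branch's behavior is unchanged by this commit. The enclosing attribute set continues outside the hunk.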
@@ -1,9 +1,14 @@ -{ lib, ... }: { + lib, + config, + ... +}: let + cfg = config.services.ddclient-hetzner; +in { options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption { type = types.str; }; - domains = mkOption { type = types.listOf types.str; }; - passwordFile = mkOption { type = types.path; }; + zone = mkOption {type = types.str;}; + domains = mkOption {type = types.listOf types.str;}; + passwordFile = mkOption {type = types.path;}; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 150d688..9b0321d 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -1,7 +1,12 @@ -{ lib, ... }: { + lib, + config, + ... +}: let + cfg = config.services.ddclientovh; +in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption { type = types.str; }; + domain = mkOption {type = types.str;}; }; } diff --git a/nix/os/modules/hardware.thinkpad-x13s.nix b/nix/os/modules/hardware.thinkpad-x13s.nix new file mode 100644 index 0000000..1e7223d --- /dev/null +++ b/nix/os/modules/hardware.thinkpad-x13s.nix 
@@ -0,0 +1,240 @@ +{ + self, + pkgs, + config, + lib, + options, + ... +}: let + # TODO: introduce options for these + kernelPdMapper = true; + cfg = config.hardware.thinkpad-x13s; +in { + options.hardware.thinkpad-x13s = { + # TODO: respect this + enable = lib.mkEnableOption "x13s hardware support"; + + bluetoothMac = lib.mkOption { + type = lib.types.str; + description = "mac address to set on boot"; + }; + }; + config = let + inherit (config.boot.loader) efi; + kp = [ + { + name = "x13s-cfg"; + patch = null; + extraStructuredConfig = with lib.kernel; { + EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; + OF_OVERLAY = lib.mkForce yes; + BTRFS_FS = lib.mkForce yes; + BTRFS_FS_POSIX_ACL = lib.mkForce yes; + MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB = lib.mkForce yes; + SND_USB_AUDIO = lib.mkForce module; + USB_XHCI_PCI = lib.mkForce module; + NO_HZ_FULL = lib.mkForce yes; + HZ_100 = lib.mkForce yes; + HZ_250 = lib.mkForce no; + DRM_AMDGPU = lib.mkForce no; + DRM_NOUVEAU = lib.mkForce no; + QCOM_TSENS = lib.mkForce yes; + NVMEM_QCOM_QFPROM = lib.mkForce yes; + ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; + VIRTIO_PCI = lib.mkForce module; + # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; + }; + } + ]; + + qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" {}; + pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { + inherit qrtr; + }; + + # We can't quite move to mainline linux + linux_x13s_pkg = {buildLinux, ...} @ args: + buildLinux (args + // rec { + version = "6.7.0"; + modDirVersion = lib.versions.pad 3 version; + extraMeta.branch = lib.versions.majorMinor version; + + src = self.inputs.linux_x13s; + kernelPatches = (args.kernelPatches or []) ++ kp; + } + // (args.argsOverride or {})); + + # we add additional configuration on top of te normal configuration above + # using the extraStructuredConfig 
option on the kernel patch + linux_x13s = pkgs.callPackage linux_x13s_pkg { + defconfig = "johan_defconfig"; + }; + + linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; + dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; + dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; + + x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { + src = self.inputs.alsa-ucm-conf; + }); + alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; + in + lib.mkIf cfg.enable + { + nixpkgs.overlays = [ + ( + final: prev: { + x13s_extra-firmware = + pkgs.callPackage + "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" + {}; + + inherit qrtr pd-mapper; + } + ) + ]; + + # ensure the x13s' dtb file is in the boot partition + # TODO:: is this needed for the VT display somehow? + system.activationScripts.x13s-dtb = '' + in_package="${dtb}" + esp_tool_folder="${efi.efiSysMountPoint}/" + in_esp="''${esp_tool_folder}${dtbName}" + >&2 echo "Ensuring $in_esp in EFI System Partition" + if ! 
${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then + >&2 echo "Copying $in_package -> $in_esp" + mkdir -p "$esp_tool_folder" + cp "$in_package" "$in_esp" + sync + fi + ''; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.extraFiles = { + "${dtbName}" = dtb; + }; + loader.efi.canTouchEfiVariables = false; + loader.efi.efiSysMountPoint = "/boot"; + + blacklistedKernelModules = ["wwan"]; + + kernelPackages = linuxPackages_x13s; + + kernelParams = [ + "dtb=${dtbName}" + + "boot.shell_on_fail" + + # jhovold recommended + "efi=noruntime" + "clk_ignore_unused" + "pd_ignore_unused" + "arm64.nopauth" + + # blacklist graphics in initrd so the firmware can load from disk + "rd.driver.blacklist=msm" + ]; + + initrd = { + includeDefaultModules = false; + + # kernelModules = [ + # "nvme" + # "phy_qcom_qmp_pcie" + # "pcie_qcom" + + # "i2c_core" + # "i2c_hid" + # "i2c_hid_of" + # "i2c_qcom_geni" + + # "leds_qcom_lpg" + # "pwm_bl" + # "qrtr" + # "pmic_glink_altmode" + # "gpio_sbu_mux" + # "phy_qcom_qmp_combo" + # "gpucc_sc8280xp" + # "dispcc_sc8280xp" + # "phy_qcom_edp" + # "panel_edp" + # # "msm" + + # ]; + + availableKernelModules = [ + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "leds_qcom_lpg" + "pwm_bl" + "qrtr" + "pmic_glink_altmode" + "gpio_sbu_mux" + "phy_qcom_qmp_combo" + "panel_edp" + # "msm" + "phy_qcom_edp" + "i2c_core" + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "pcie_qcom" + "phy_qcom_qmp_combo" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "phy_qcom_snps_femto_v2" + "phy_qcom_usb_hs" + "nvme" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "uas" + ]; + }; + }; + + # default is performance + powerManagement.cpuFreqGovernor = "ondemand"; + + hardware.enableAllFirmware = true; + hardware.firmware = [ + # pkgs.linux-firmware + + pkgs.x13s_extra-firmware + ]; + + systemd.services.pd-mapper = { + wantedBy = ["multi-user.target"]; + + serviceConfig = { + ExecStart = "${lib.getExe pd-mapper}"; + Restart = "always"; + }; + }; + 
+ environment.sessionVariables = alsa-ucm-conf-env; + systemd.user.services.pipewire.environment = alsa-ucm-conf-env; + systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; + + systemd.services.bluetooth = { + serviceConfig = { + # disabled because btmgmt call hangs + ExecStartPre = [ + "" + "${pkgs.util-linux}/bin/rfkill block bluetooth" + "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" + "${pkgs.util-linux}/bin/rfkill unblock bluetooth" + ]; + RestartSec = 5; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index 4ca89cf..e517d62 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,8 +4,7 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -26,8 +25,7 @@ let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in -{ +in { options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -48,7 +46,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = [ ]; + default = []; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -76,9 +74,9 @@ in }; config = mkIf cfg.enable { - warnings = [ "Enabled SSH for stage1" ]; + warnings = ["Enabled SSH for stage1"]; - boot.initrd.kernelModules = [ "af_packet" ]; + boot.initrd.kernelModules = ["af_packet"]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index d853c28..62af2a8 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,6 +1,9 @@ -{ lib, ... }: -with lib; { + lib, + config, + ... +}: +with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index db2bbbf..dbe449b 100644 
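Review bot: `boot.shell_on_fail` in `kernelParams` drops into an unauthenticated root shell in stage 1 whenever early boot fails, which is a debugging aid worth gating rather than shipping unconditionally in a hardware module; consider a `hardware.thinkpad-x13s.debugShell` option (default false) that adds the parameter via `lib.optional`, or at least a comment stating that it is intentional. The `# TODO: respect this` above the `enable` option is stale, since the whole config block is already wrapped in `lib.mkIf cfg.enable`, and `kernelPdMapper = true` is bound but never read. The dtb is also placed on the ESP twice, once via `loader.systemd-boot.extraFiles` and again by the `x13s-dtb` activation script; if the `TODO:: is this needed for the VT display` question has an answer, one of the two paths can go.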
--- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -4,17 +4,18 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix { }; + ownLib = pkgs.callPackage ../lib/default.nix {}; - earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; -in -{ + earlyDiskId = cfg: + if cfg.earlyDiskIdOverride != "" + then cfg.earlyDiskIdOverride + else cfg.diskId; +in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption { type = types.str; }; + diskId = mkOption {type = types.str;}; encrypted = mkOption { default = true; type = types.bool; @@ -35,30 +36,31 @@ in fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=nixos" ]; + options = ["subvol=nixos"]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=home" ]; + options = ["subvol=home"]; }; - swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; + swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; boot.loader.grub = { device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( - builtins.listToAttrs [ + boot.initrd.luks.devices = + lib.optionalAttrs cfg.encrypted + (builtins.listToAttrs [ { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = let + splitstring = + builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; @@ -67,7 +69,6 @@ in allowDiscards = true; }; } - ] - ); + ]); }; } 
diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 61b4cb8..7c1f786 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -2,9 +2,11 @@ config, pkgs, repoFlake, + nodeFlake, + repoFlakeInputs', + packages', ... -}: -{ +}: { imports = [ repoFlake.inputs.sops-nix.nixosModules.sops @@ -28,10 +30,7 @@ boot.tmp.useTmpfs = true; # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; + boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; nixpkgs.config = { allowBroken = false; diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 4d6eb74..80bdc31 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix @@ -1,12 +1,5 @@ -_: { +{...}: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "cryptd" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; } diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index edf8717..f576a28 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -1,5 +1,10 @@ -{ pkgs, nodeName, ... }: { + config, + pkgs, + lib, + nodeName, + ... +}: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; @@ -10,13 +15,11 @@ ''; # Fonts, I18N, Date ... - fonts.packages = [ pkgs.corefonts ]; + fonts.packages = [pkgs.corefonts]; console.font = "lat9w-16"; - i18n = { - defaultLocale = "en_US.UTF-8"; - }; + i18n = {defaultLocale = "en_US.UTF-8";}; time.timeZone = "Etc/UTC"; services.gpm.enable = true; 
diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 6c799c9..3d74166 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -3,8 +3,7 @@ pkgs, lib, ... -}: -let +}: let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -17,8 +16,7 @@ let inherit (lib) types; cfg = config.users.commonUsers; -in -{ +in { options.users.commonUsers = { enable = lib.mkOption { default = true; 
@@ -35,59 +33,62 @@ in type = types.path; }; - # TODO: test if this works installPassword = lib.mkOption { default = ""; type = types.str; }; }; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf (cfg.installPassword == "") { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - { - users.mutableUsers = cfg.installPassword != ""; + { + users.mutableUsers = cfg.installPassword != ""; - users.users.root = lib.mkMerge [ - { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } + users.users.root = lib.mkMerge [ + { + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + } - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) - (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) - ]; + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = cfg.rootPasswordFile; + }) + ]; - users.users.steveej = lib.mkIf cfg.enableNonRoot ( - 
mkUser ( - lib.mkMerge [ - { uid = 1000; } + users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [ + { + uid = 1000; + } - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) - (lib.mkIf (cfg.installPassword == "") { - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; - }) - ] - ) - ); - } - ] - ); + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ])); + } + ]); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 40fd3f4..7462c08 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,27 +1,8 @@ -{ - hostAddress, - pkgs, - lib, - ... -}: -{ +{...}: { networking.useHostResolvConf = false; - networking.firewall.enable = true; - networking.nftables.enable = true; - networking.nftables.flushRuleset = true; - - networking.nameservers = lib.mkForce [ hostAddress ]; - - environment.systemPackages = [ pkgs.dnsutils ]; - imports = [ - { - # keep DNS set up to a minimum: only query the container host - services.resolved.enable = lib.mkForce false; - networking.nameservers = [ hostAddress ]; - } - ../../snippets/nix-settings.nix + ../../snippets/systemd-resolved.nix # ../../modules/ddclient-ovh.nix # ../../modules/ddclient-hetzner.nix ]; diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index a13dd07..bfd4036 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { services.xserver = { enable = true; libinput.enable = true; 
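Review bot: Nothing on the new side of the container profile re-enables the firewall or the nftables backend after `networking.firewall.enable = true`, `networking.nftables.enable = true` and `networking.nftables.flushRuleset = true` are dropped, and the host-only nameserver pin (`lib.mkForce [ hostAddress ]` plus the forced `services.resolved.enable = false`) has no visible replacement either; the only new line is the `../../snippets/systemd-resolved.nix` import, whose contents are not in this diff. Unless that snippet or `nix-settings.nix` restores those settings, every container built from this profile falls back to the NixOS defaults and to whatever resolver `systemd-resolved` picks up, which may widen the container's network exposure without any mention in the commit. If the move is intentional, keep `networking.firewall.enable = true;` and `networking.nftables.enable = true;` here, since they are cheap and explicit, and add a comment pointing at where the DNS pinning now lives.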
@@ -95,11 +98,8 @@ support32Bit = true; }; - services.dbus.packages = with pkgs; [ dconf ]; + services.dbus.packages = with pkgs; [dconf]; # More Services - environment.systemPackages = [ - pkgs.gnome.adwaita-icon-theme - pkgs.gnomeExtensions.appindicator - ]; + environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator]; } diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 4bf6ca4..91b4ae9 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,4 +1,5 @@ -{ config, ... }: -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; +{config, ...}: { + boot.extraModulePackages = [ + config.boot.kernelPackages.v4l2loopback + ]; } diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index 477a93d..b9cf53e 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,8 +1,3 @@ -{ ... }: -{ - imports = [ - ./boot.nix - ./system.nix - ./hw.nix - ]; +{pkgs, ...}: { + imports = [./boot.nix ./system.nix ./hw.nix]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 821f5bf..abb1e68 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1 +1,3 @@ -_: { hardware.enableAllFirmware = true; } +{...}: { + hardware.enableAllFirmware = true; +} diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 42eccfb..ce49500 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,6 +1,11 @@ -{ pkgs, ... }: { - imports = [ ../../snippets/bluetooth.nix ]; + pkgs, + lib, + ... +}: { + imports = [ + ../../snippets/bluetooth.nix + ]; networking.networkmanager = { enable = true; 
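Review bot: graphical/configuration.nix now takes `{pkgs, ...}:` but nothing in the hunk uses `pkgs`; the same unused bindings are added in several later hunks — `lib` in graphical/system.nix and bluetooth.nix, `config`/`lib`/`pkgs` plus an empty `let in` in removable-medium/system.nix, `pkgs` in nix-settings-holo-chain.nix and `lib` in radicale.nix. Unused module arguments and an empty `let` are harmless to evaluation but make a reader look for a use that isn't there; `{...}: {` expresses the same module. If they are placeholders for follow-up changes, a one-line comment saying so would keep the next cleanup from removing them.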
@@ -21,11 +26,7 @@ services.pcscd.enable = true; hardware.opengl.enable = true; - services.udev.packages = [ - pkgs.libu2f-host - pkgs.yubikey-personalization - pkgs.android-udev-rules - ]; + services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -52,9 +53,6 @@ services.printing = { enable = true; - drivers = with pkgs; [ - mfcl3770cdwlpr - mfcl3770cdwcupswrapper - ]; + drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index 099a8aa..bcd3c66 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a32f3f6..394aece 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix 
@@ -5,26 +5,25 @@ pkgs, lib, ... -}: -let +}: let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -62,8 +61,7 @@ let nixos-install reboot ''; -in -{ +in { imports = [ @@ -72,11 +70,13 @@ in # ]; - isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = + lib.mkForce + "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = [ ]; + environment.systemPackages = []; users.users.root = { openssh.authorizedKeys.keys = [ @@ -85,18 +85,18 @@ in }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; + systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; [ ]; + path = with pkgs; []; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; + wantedBy = ["multi-user.target"]; + after = ["multi-user.target"]; + requires = ["network-online.target"]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; 
diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 17a1dba..e0938bd 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,6 +1,5 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index ad7def0..95ca049 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../modules/opinionatedDisk.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 0f7cbec..17c16b0 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index d27081f..5a54115 100644 --- a/nix/os/profiles/removable-medium/pkg.nix +++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 243edf7..7586a85 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix 
@@ -1,9 +1,13 @@ -_: { +{ + config, + lib, + pkgs, + ... +}: let +in { services.illum.enable = true; - services.printing = { - enable = false; - }; + services.printing = {enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix index 090217e..a4cfeca 100644 --- a/nix/os/snippets/bluetooth.nix +++ b/nix/os/snippets/bluetooth.nix @@ -1,7 +1,10 @@ -{ pkgs, ... }: { + pkgs, + lib, + ... +}: { # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ blueman ]; + services.dbus.packages = with pkgs; [blueman]; hardware.bluetooth.enable = true; services.blueman.enable = true; } diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix deleted file mode 100644 index 4371b78..0000000 --- a/nix/os/snippets/holo-zerotier.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.steveej.holo-zerotier; -in -{ - options.steveej.holo-zerotier = { - enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption { default = false; }; - }; - - config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; - - services.zerotierone = { - inherit (cfg) enable; - joinNetworks = [ - # moved to the service below as it's now secret - ]; - }; - - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); - - systemd.services.zerotieroneSecretNetworks = { - inherit (cfg) enable; - requiredBy = [ "zerotierone.service" ]; - partOf = [ "zerotierone.service" ]; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - - script = - let - secret = config.sops.secrets.zerotieroneNetworks; - in - '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - ${config.systemd.services.zerotierone.preStart} - - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; - }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../secrets/work-holo/zerotierone.txt; - format = "binary"; - }; - }; -} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix index 47ddd8a..63f4962 100644 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ b/nix/os/snippets/home-manager-with-zsh.nix @@ -5,8 +5,7 @@ packages', pkgs, ... -}: -let +}: let # TODO: make this configurable homeUser = "steveej"; commonHomeImports = [ 
@@ -14,9 +13,10 @@ let ../../home-manager/programs/neovim.nix ../../home-manager/programs/zsh.nix ]; -in -{ - imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; +in { + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager # home-manager.extraSpecialArgs = specialArgs; @@ -33,11 +33,15 @@ in home-manager.useGlobalPkgs = false; home-manager.useUserPackages = true; - home-manager.users.root = _: { imports = commonHomeImports; }; + home-manager.users.root = _: { + imports = commonHomeImports; + }; - home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; + home-manager.users."${homeUser}" = _: { + imports = commonHomeImports; + }; programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; + environment.pathsToLink = ["/share/zsh"]; } diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix deleted file mode 100644 index 1774650..0000000 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -# experiment with k3s, nix-snapshotter, and nixos images -{ - nodeFlake, - pkgs, - lib, - system, - config, - ... -}: -let - cfg = config.steveej.k3s; - -in -# TODO: make this configurable -{ - options.steveej.k3s = { - enable = lib.mkOption { - description = "steveej's k3s distro"; - type = lib.types.bool; - default = true; - }; - }; - - # (1) Import nixos module. - imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; - - config = lib.mkIf cfg.enable { - # (2) Add overlay. - nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; - - # (3) Enable service. - virtualisation.containerd = { - enable = true; - nixSnapshotterIntegration = true; - - # TODO: understand if this has an influence on the systemd LoadCredential issue - # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; - }; - services.nix-snapshotter = { - enable = true; - }; - - # (4) Add a containerd CLI like nerdctl. - environment.systemPackages = [ - pkgs.nerdctl - nodeFlake.inputs.nix-snapshotter.packages.${system}.default - ]; - - services.k3s = { - enable = false; - setKubeConfig = true; - }; - - # home-manager.users."${homeUser}" = _: { - # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; - # }; - }; -} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix deleted file mode 100644 index 990477e..0000000 --- a/nix/os/snippets/mycelium.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - repoFlake, - nodeName, - config, - lib, - ... -}: -let - cfg.autostart = false; -in -{ - imports = [ ]; - - sops.secrets.mycelium-key = { - format = "binary"; - sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; - }; - - services.mycelium = { - enable = true; - # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; - keyFile = config.sops.secrets.mycelium-key.path; - addHostedPublicNodes = true; - peers = [ ]; - - # tunName = "mycelium-pub"; - - extraArgs = [ ]; - }; - - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); -} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix index b660f1c..660695c 100644 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ b/nix/os/snippets/nix-settings-holo-chain.nix @@ -1,9 +1,9 @@ -_: { +{pkgs, ...}: { nix.settings = { substituters = [ "https://holochain-ci.cachix.org" "https://holochain-ci-internal.cachix.org" - # "https://cache.holo.host/" + "https://cache.holo.host/" ]; trusted-public-keys = [ diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index 6340977..704d69a 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix @@ -3,23 +3,19 @@ pkgs, lib, ... -}: -let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; -in -{ +}: { nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; nix.settings.max-jobs = lib.mkDefault "auto"; nix.settings.cores = lib.mkDefault 0; nix.settings.sandbox = true; - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; nix.settings.experimental-features = [ "nix-command" "flakes" - "ca-derivations" - "recursive-nix" ]; nix.settings.system-features = [ 
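Review bot: `"https://cache.holo.host/"` is re-enabled as a substituter in the nix-settings-holo-chain.nix hunk, but the `trusted-public-keys` list that decides whether paths from it are accepted is cut off below the hunk, so I cannot see whether its signing key is present next to the two cachix keys. A substituter without a trusted key is either useless (paths rejected) or, should `require-sigs` ever be relaxed, a source of unverified binaries. Worth confirming the key entry exists and adding a comment beside the URL naming which `trusted-public-keys` entry belongs to it.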
@@ -29,12 +25,5 @@ in "nixos-test" ]; - # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - nix.registry.nixpkgs.to = { - type = "path"; - path = nodeFlake.inputs.nixpkgs.outPath; - inherit (nodeFlake.inputs.nixpkgs) narHash; - }; - - nix.package = pkgsUnstable.nixVersions.latest; + nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; } diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix deleted file mode 100644 index 8a99fcb..0000000 --- a/nix/os/snippets/obs-studio.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; - - # Activate kernel modules (choose from built-ins and extra ones) - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 - ''; - - security.polkit.enable = true; - - home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; -} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix index 709b601..69628bf 100644 --- a/nix/os/snippets/radicale.nix +++ b/nix/os/snippets/radicale.nix @@ -1,14 +1,13 @@ { config, + lib, pkgs, repoFlakeInputs', ... -}: -let +}: let # TODO: make configurable homeUser = "steveej"; -in -{ +in { sops.secrets.radicale_htpasswd = { sopsFile = ../../../secrets/desktop/radicale_htpasswd; format = "binary"; 
@@ -20,13 +19,11 @@ in # TODO: bump these to latest and make it work ( args: - import ../../home-manager/programs/radicale.nix ( - args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - } - ) + import ../../home-manager/programs/radicale.nix (args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + }) ) ]; }; diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index a40eb85..46c2bc0 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -3,12 +3,10 @@ lib, config, ... -}: -let +}: let # TODO: make this configurable homeUser = "steveej"; -in -{ +in { services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" @@ -20,7 +18,7 @@ in services.gvfs = { enable = true; - package = lib.mkForce pkgs.gnome.gvfs; + package = lib.mkForce pkgs.gnome3.gvfs; }; environment.systemPackages = with pkgs; [ @@ -30,7 +28,7 @@ in # required by swaywm security.polkit.enable = true; - security.pam.services.swaylock = { }; + security.pam.services.swaylock = {}; # test these on https://mozilla.github.io/webrtc-landing/gum_test.html xdg.portal = { 
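Review bot: `package = lib.mkForce pkgs.gnome3.gvfs;` in the sway-desktop.nix gvfs hunk moves to the `gnome3` attribute, which as far as I recall is only a deprecated alias of `gnome` in nixpkgs and is absent from newer channels; the removed line's `pkgs.gnome.gvfs` is the current name. Unless this commit deliberately targets an older nixpkgs pin, keep `package = lib.mkForce pkgs.gnome.gvfs;` so the module keeps evaluating after the next channel bump.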
@@ -40,45 +38,14 @@ in # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop xdgOpenUsePortal = false; - wlr = { - enable = true; - settings = { - screencast = { - chooser_type = "dmenu"; - # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe ( - pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - } - ); - max_fps = 30; - }; - }; - }; - # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: - config = { - common = { - default = [ - "wlr" - "gtk" - ]; - }; - }; + config.common.default = "*"; extraPortals = [ - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - + pkgs.xdg-desktop-portal-wlr pkgs.xdg-desktop-portal-gtk + + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr # (pkgs.xdg-desktop-portal-gtk.override (_: { # buildPortalsInGnome = false; # })) @@ -93,7 +60,6 @@ in alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; - wireplumber.enable = true; # If you want to use JACK applications, uncomment this #jack.enable = true; }; 
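Review bot: `config.common.default = "*";` in the xdg.portal hunk replaces the explicit `["wlr" "gtk"]` preference together with the comment that explained it, so the file no longer states why the wildcard is acceptable or which portal is expected to serve ScreenCast now that both `pkgs.xdg-desktop-portal-wlr` and `pkgs.xdg-desktop-portal-gtk` are listed. I'd keep a one-line comment above it, e.g. `# "*": pre-1.17 fallback, the first installed portal implementing an interface is used`, and mention that the wlr screencast chooser and max_fps settings were dropped on purpose. Which portal wins for ScreenCast under sway with the wildcard is not visible from the hunk; a screencast test after switching would confirm it.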
@@ -105,8 +71,8 @@ in # autologin steveej on tty1 # TODO: make user configurable systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = ["multi-user.target"]; systemd.services."autovt@tty1".serviceConfig = { ExecStart = [ "" # override upstream default with an empty ExecStart @@ -116,21 +82,21 @@ in Type = "idle"; }; - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; + programs = let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; home-manager.users."${homeUser}" = _: { - imports = [ ../../home-manager/profiles/sway-desktop.nix ]; + imports = [ + ../../home-manager/profiles/sway-desktop.nix + ]; }; } diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix index f7c2301..57dfb86 100644 --- a/nix/os/snippets/systemd-resolved.nix +++ b/nix/os/snippets/systemd-resolved.nix @@ -1,4 +1,3 @@ -{ lib, ... }: { networking.nameservers = [ # https://dnsforge.de/ 
@@ -13,16 +12,10 @@ services.resolved = { enable = true; dnssec = "true"; - domains = [ "~." ]; - - # TODO: figure out why "true" doesn't work - dnsovertls = "opportunistic"; - - fallbackDns = lib.mkForce [ ]; - - # TODO: IPv6 - # extraConfig = '' - # DNSStubListenerExtra=[::1]:53 - # ''; + domains = ["~."]; + extraConfig = '' + # TODO: figure out why "true" doesn't work + DNSOverTLS=opportunistic + ''; }; } diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix index 67db1e8..25aee48 100644 --- a/nix/os/snippets/timezone.nix +++ b/nix/os/snippets/timezone.nix @@ -1,7 +1,5 @@ -{ lib, ... }: -let +{lib, ...}: let passwords = import ../../variables/passwords.crypt.nix; -in -{ +in { time.timeZone = lib.mkDefault passwords.timeZone.stefan; } diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 34a6977..5b13732 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix 
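Review bot: The systemd-resolved.nix hunk drops `fallbackDns = lib.mkForce [ ];` and moves DNS-over-TLS into `extraConfig` as `DNSOverTLS=opportunistic`, so resolved may fall back to its built-in default servers whenever the dnsforge resolvers are unreachable, and opportunistic mode lets an on-path party downgrade to cleartext DNS without any error — the retained TODO already acknowledges the second point. If disabling the fallback is still wanted, restore `fallbackDns = lib.mkForce [ ];` (the file no longer takes `lib`, so either re-add it to the argument set or use `fallbackDns = [ ];` if no other module sets the option), and revisit `dnsovertls = "true"` once the reason it failed is understood. `dnssec = "true"` is kept, which is fine, but it validates answers rather than protecting the transport.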
@@ -1,27 +1,27 @@ -with import { }; -stdenv.mkDerivation rec { - broken = true; +with import {}; + stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath []; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; -} + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; + } diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 93f59c7..8a4f6a6 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,8 +16,7 @@ file, proot, bash, -}: -let +}: let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { @@ -25,16 +24,12 @@ let sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -50,18 +45,7 @@ rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${ - lib.makeBinPath [ - gawk - file - a2ps - coreutils - ghostscript - gnugrep - gnused - which - ] - } + export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -80,13 +64,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; # license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -100,29 +81,14 @@ rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - buildInputs = [ - cups - ghostscript - a2ps - gawk - ]; + nativeBuildInputs = [dpkg makeWrapper]; + buildInputs = [cups ghostscript a2ps gawk]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 
@@ -134,13 +100,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 78b37a6..6f114b2 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,6 +1,5 @@ -{ pkgs }: -{ - duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; +{pkgs}: { + duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index b961a17..7a3fc19 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,4 +1,7 @@ -{ buildGoPackage, fetchFromGitHub }: +{ + buildGoPackage, + fetchFromGitHub, +}: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 045572c..051e832 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import { }; -stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix { }) - ]; -} +with import {}; + stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix {}) + ]; + } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index 9a7b0e5..a4c2db4 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix 
@@ -31,6 +31,6 @@ rustPlatform.buildRustPackage rec { homepage = "https://github.com/mahkoh/jay"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; [ dit7ya ]; + maintainers = with maintainers; [dit7ya]; }; } diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile index 97464d1..e61e2b9 100644 --- a/nix/pkgs/logseq/Containerfile +++ b/nix/pkgs/logseq/Containerfile @@ -4,13 +4,11 @@ # build-docker.yml and change the release channel from :latest to :testing # Builder image -# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder -FROM clojure:temurin-11-tools-deps-bullseye-slim as builder +FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder ARG DEBIAN_FRONTEND=noninteractive # Install reqs -RUN echo 1 RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ ca-certificates \ @@ -20,13 +18,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ zip # install NodeJS & yarn -RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - +RUN curl -sL https://deb.nodesource.com/setup_18.x | bash - -RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn +RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | \ + tee /etc/apt/trusted.gpg.d/yarn.gpg && \ + echo "deb https://dl.yarnpkg.com/debian/ stable main" | \ + tee /etc/apt/sources.list.d/yarn.list && \ + apt-get update && apt-get install -y nodejs yarn WORKDIR /data -ENV VERSION=0.10.9 +ENV VERSION=0.10.5 # build Logseq static resources RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md index 0c596b6..e7be282 100644 --- a/nix/pkgs/logseq/README.md +++ b/nix/pkgs/logseq/README.md 
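Review bot: `RUN curl -sL https://deb.nodesource.com/setup_18.x | bash -` in the Containerfile hunk executes an unverified remote script at build time, and Node 18 is, as far as I know, past upstream end-of-life, so the image picks up whatever that script does on the day of the build rather than a pinned toolchain. The yarn key is likewise written to `/etc/apt/trusted.gpg.d/yarn.gpg`, which makes it trusted for every apt source instead of only the yarn repository; placing it in a keyring and using `[signed-by=/usr/share/keyrings/yarn.gpg]` in the `deb` line scopes it. Pinning the base image to `1.11.1.1208` on the new side is the right direction; pinning the node installation the same way (a versioned package, or a checksum on the downloaded script) would complete it.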
@@ -2,21 +2,13 @@ this is pseudocode that serves as a reminder -1. podman build -f Containerfile -t logseq -2. CONTAINER_ID=$(podman container create logseq) -3. podman unshare -4. podman mount $CONTAINER_ID -5. copy and upload the AppImage. e.g. - ``` - cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . - exit - scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ - ``` -6. podman unshare -7. podman unmount +1. podman build -f Containerfile +2. podman unshare +3. podman mount $CONTAINER_ID +4. upload the AppImaeg # resources -- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 -- https://github.com/logseq/logseq/blob/master/Dockerfile -- https://github.com/randomwangran/logseq-nix-flake +* https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 +* https://github.com/logseq/logseq/blob/master/Dockerfile +* https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix new file mode 100644 index 0000000..c1dffd0 --- /dev/null +++ b/nix/pkgs/logseq/default.nix 
@@ -0,0 +1,83 @@ +{ + lib, + stdenv, + fetchurl, + appimageTools, + makeWrapper, + # graphs will not sync without matching upstream's major electron version + electron_27, + git, + nix-update-script, + overrideSrc ? null, +}: +stdenv.mkDerivation (finalAttrs: let + inherit (finalAttrs) pname version src appimageContents; +in { + pname = "logseq"; + version = "0.10.5"; + + src = + if overrideSrc != null + then overrideSrc + else + (fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; + name = "${pname}-${version}.AppImage"; + }); + + appimageContents = appimageTools.extract { + inherit pname src version; + }; + + dontUnpack = true; + dontConfigure = true; + dontBuild = true; + + nativeBuildInputs = [makeWrapper]; + + installPhase = '' + runHook preInstall + + mkdir -p $out/bin $out/share/${pname} $out/share/applications + cp -a ${appimageContents}/{locales,resources} $out/share/${pname} + cp -a ${appimageContents}/Logseq.desktop $out/share/applications/${pname}.desktop + + # remove the `git` in `dugite` because we want the `git` in `nixpkgs` + if test -e $out/share/${pname}/resources/app/node_modules/dugite/git; then + chmod +w -R $out/share/${pname}/resources/app/node_modules/dugite/git + chmod +w $out/share/${pname}/resources/app/node_modules/dugite + rm -rf $out/share/${pname}/resources/app/node_modules/dugite/git + chmod -w $out/share/${pname}/resources/app/node_modules/dugite + fi + + mkdir -p $out/share/pixmaps + ln -s $out/share/${pname}/resources/app/icons/logseq.png $out/share/pixmaps/${pname}.png + + substituteInPlace $out/share/applications/${pname}.desktop \ + --replace Exec=Logseq Exec=${pname} \ + --replace Icon=Logseq Icon=${pname} + + runHook postInstall + ''; + + postFixup = '' + # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs + makeWrapper ${electron_27}/bin/electron 
$out/bin/${pname} \ + --set "LOCAL_GIT_DIRECTORY" ${git} \ + --add-flags $out/share/${pname}/resources/app \ + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \ + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [stdenv.cc.cc.lib]}" + ''; + + passthru.updateScript = nix-update-script {}; + + meta = { + description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; + homepage = "https://github.com/logseq/logseq"; + changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; + license = lib.licenses.agpl3Plus; + maintainers = with lib.maintainers; []; + platforms = ["x86_64-linux" "aarch64-linux"]; + }; +}) diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index c1850c1..2d4c335 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -8,6 +8,7 @@ libinput, libxkbcommon, mesa, + pango, udev, dbus, libGL, @@ -17,7 +18,9 @@ craneLib.buildPackage { pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ pkg-config ]; + nativeBuildInputs = [ + pkg-config + ]; buildInputs = [ wayland @@ -42,6 +45,6 @@ craneLib.buildPackage { homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; [ ]; + maintainers = with maintainers; []; }; } diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 142c1c0..5c04cbf 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,8 +11,7 @@ which, perl, lib, -}: -let +}: let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { 
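Review bot: `meta.platforms` lists `aarch64-linux`, but `src` unconditionally fetches `logseq-linux-x64-${version}.AppImage` under a single x86-64 hash, so the package evaluates on aarch64 and then installs an x86-64 binary; either restrict it to `platforms = ["x86_64-linux"];` or select URL and hash by `stdenv.hostPlatform.system`. `overrideSrc` bypasses the pinned `hash` entirely, which is reasonable for local builds but deserves a comment such as `# overrideSrc skips the fixed-output hash check; intended for local/trusted sources only`. The `postFixup` wrapper prefixes `LD_LIBRARY_PATH` with `stdenv.cc.cc.lib` for the whole electron process; a short why-comment (presumably for bundled native modules) would keep that line from being dropped as unused.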
@@ -20,16 +19,12 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; @@ -41,14 +36,8 @@ rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - which - ] - } + lib.makeBinPath [coreutils ghostscript gnugrep gnused which] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -58,11 +47,8 @@ rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -70,10 +56,7 @@ rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; @@ -85,13 +68,7 @@ rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter 
@@ -102,11 +79,8 @@ rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index e5ac519..368add8 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,60 @@ -with import { }; -stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import {}; + stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [makeWrapper]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; -} + ln -sf ../Nozbe $out/bin/ + ''; + } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index b7ad5cb..4d993ba 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,44 +1,42 @@ # posh makes use of podman to run an encapsulated shell session -{ pkgs, ... }: -let - cniConfigDir = - let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; +{pkgs, ...}: let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] } - ] - } - ''; - in - pkgs.runCommand "cniConfig" { } '' + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in + pkgs.runCommand "cniConfig" {} '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -127,58 +125,54 @@ let } ''; in -{ - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", -}: -(pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile + { + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", + }: + (pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns=" + userns else ""} \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'').overrideAttrs - ( - attrs: - attrs - // { - passthru = { - shellPath = "/bin/posh"; - }; - } - ) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${ + if userns != null + then "--userns=" + userns + else "" + } \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" + '') + .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 5e50ecf..ffcc730 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,13 +18,7 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [ - autoconf - automake - libtool - gnumake - gcc - ]; + buildInputs = [autoconf automake libtool gnumake gcc]; configurePhase = '' ./autogen.sh @@ -43,7 +37,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [ maintainers.steveej ]; + maintainers = [maintainers.steveej]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 35399ad..a0e9d90 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
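Review bot: `test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR` references `HOME_CONTAINERS_CONFIGIDR`, which is never set (the variable defined two lines above is `HOME_CONTAINERS_CONFIGDIR`), so on a fresh home the test fails, `mkdir` runs with no operand, and the following `ln -sf ${policy-json} $HOME_POLICY_JSON` fails; the line should read `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"`. The typo is carried onto the new side by the reindent and the commit does not fix it. Separately, `ln -sf` replaces any existing user `policy.json` with the store path, which changes the image-signature policy for every podman invocation by that user, not only posh; a comment stating that side effect belongs next to it.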
@@ -15,8 +15,7 @@ libgcrypt, dbus, systemd, -}: -let +}: let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -31,56 +30,55 @@ let dbus ]; in -stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; + stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" then - fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" + then + fetchurl + { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [ dpkg ]; + buildInputs = [dpkg]; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [makeWrapper]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = [ - "i686-linux" - "x86_64-linux" - ]; - }; -} + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = ["i686-linux" "x86_64-linux"]; + }; + } diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index ec7b14e..25a3e36 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -3,7 +3,7 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') -sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" +sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index a085713..be819b6 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
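Review bot: The rewrite drops the quotes around `"${INFILE}"` and `"${OUTFILE}"` in both the `nix-build` call and the `sed` redirection, so a path containing whitespace or glob characters is now word-split; keep `hash=$(nix-build "${INFILE}" ...)` and `sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}"` as the old side had them. Independently of quoting, `${hash}` is interpolated unescaped into the sed pattern while the captured `sha256-…=` form is base64 and may contain `/`, which terminates the `s` command; a different delimiter such as `sed -E "s|0{52}|${hash}|"` avoids that. With `set -xe` the `nix-build` in the pipeline is expected to fail (that is how the `got:` hash is produced) and the assignment's status is that of `rg`, which looks intended but deserves a comment.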
@@ -3,14 +3,20 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: -let - vmPkgs' = import vmPkgsPath { }; - vmPkgs = vmPkgs' // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: let + buildPkgs = import buildPkgsPath {}; + vmPkgs' = import vmPkgsPath {}; + vmPkgs = + vmPkgs' + // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); + importWithPkgs = { + path, + pkgs, + }: args: + import path (args // {inherit pkgs;}); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -30,10 +36,8 @@ let modules = [ nixosConfig vmConfig - { virtualisation.useBootLoader = true; } + {virtualisation.useBootLoader = true;} ]; - }).config; -in -{ - vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; -} + }) + .config; +in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 3ee6ee0..520e0c8 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm ./*.qcow2 +rm *.qcow2 rm result* set -e @@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -"./result/bin/run-*-vm" +./result/bin/run-*-vm diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 49dc463..92072fe 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix 
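Review bot: `rm *.qcow2` in the first hunk lets a file name beginning with `-` be parsed as an option (ShellCheck SC2035); the `./*.qcow2` form the old side used, or `rm -- *.qcow2`, avoids that. Both `rm` lines sit before `set -e`, so a failed removal is ignored on purpose, which is fine but worth a comment such as `# best-effort cleanup of previous runs`. The second hunk's `./result/bin/run-*-vm` now globs, an improvement over the quoted old line, but if more than one `run-*-vm` exists under `./result/bin` the extra matches become arguments to the first; an explicit name or a loop over the glob would be safer.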
+++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,5 +1,9 @@ -{ lib, ... }: { + pkgs, + lib, + ... +}: let +in { boot.loader.grub = { enable = true; version = 2; @@ -18,23 +22,13 @@ allowDiscards = true; } ]; - fileSystems."/" = { - label = "root"; - }; + fileSystems."/" = {label = "root";}; - fileSystems."/boot" = { - label = "boot"; - }; + fileSystems."/boot" = {label = "boot";}; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 8e3bdce..0d11067 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env bash - # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ 
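Review bot: `}: let in {` introduces an empty `let` with no bindings, and `pkgs` is added to the argument set without being referenced anywhere in the hunk; if the rest of the file binds nothing and does not use `pkgs`, the header should stay `{ lib, ... }: {`. If they are placeholders for a follow-up, a comment saying so would prevent them from being flagged as dead code.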
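Review bot: Removing `#!/usr/bin/env bash` from a file that keeps mode 100755 means running `./debug-vm.sh` no longer names its interpreter; the kernel returns ENOEXEC and the outcome depends on the calling shell's fallback (bash runs it as a bash script, other callers may not). If the file is now only a reference for the qemu invocation, dropping the executable bit would say so; otherwise keep the shebang line.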
@@ -26,6 +24,7 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index fc956b6..55053e2 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,4 +1,10 @@ -_: { +{ + lib, + config, + pkgs, + fetchgit, + ... +}: { boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index bd140a9..8eb8229 100644 --- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix 
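Review bot: The final `-drive index=0,id=drive1,...,if=virtio \` now ends with a trailing `\` at end of file, so the command's last line is a continuation with nothing after it; bash tolerates backslash-newline at EOF, but any later append silently becomes part of this command, and the missing newline makes the file fragile. Drop the trailing `\` from that line. The hard-coded `/tmp/nix-vm.BXlbOnli8K/...` xchg and disk paths are per-run temporaries that will not exist on another machine or run; a comment marking the block as a captured example would make that clear.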
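Review bot: `fetchgit` is taken as a required argument of the module function, but NixOS does not pass `fetchgit` to modules (the standard arguments are `lib`, `config`, `options`, `pkgs` and `modulesPath`), so evaluating this module will fail with a missing-argument error unless `_module.args` or `specialArgs` supplies it elsewhere; give it a default (`fetchgit ? pkgs.fetchgit`) or drop it. `lib`, `config` and `pkgs` are not referenced within the hunk either; if the rest of the file does not use them, the old `_: {` header was the tighter one.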
@@ -3,7 +3,6 @@ steveej = { openssh = [ # active, current - "ssh-rsa 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 cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 91d2eb6..ce2f0fc 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 6d441a6..535d7d3 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
@@ -2,28 +2,29 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; + rev = '' + 5b7cd5c39befee629be284970415b6eb3b0ff000''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; + rev = '' + 4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''a8636efe2df64047cd58898010a72f73efd56722''; + rev = '' + a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; + rev = '' + 83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index 66e90e3..e0734f1 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile deleted file mode 100644 index 8afa2ce..0000000 --- a/oci/user-ubuntu/Containerfile +++ /dev/null 
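Review bot: Each `rev` is now an indented string opened with `''` followed by a line break, e.g. `rev = '' 5b7cd5c39befee629be284970415b6eb3b0ff000'';` split across two lines; as far as I can tell Nix drops the newline directly after the opening `''` and the common indentation, so the value is unchanged, but the layout reads as if the hash had leading whitespace and the formatter will keep producing it. A plain double-quoted `rev = "5b7cd5c39befee629be284970415b6eb3b0ff000";` for these one-line values avoids the ambiguity; the same applies to the other three `rev` entries in this hunk.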
@@ -1,27 +0,0 @@ -FROM ubuntu - -ARG USERNAME=user -ARG USER_UID=1000 -ARG USER_GID=$USER_UID - -# Create the user -RUN groupadd --gid $USER_GID $USERNAME \ - && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ - # - # [Optional] Add sudo support. Omit if you don't need to install software after connecting. - && apt-get update \ - && apt-get install -y sudo \ - && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ - && chmod 0440 /etc/sudoers.d/$USERNAME - -# ******************************************************** -# * Anything else you want to do like clean up goes here * -# ******************************************************** - -# [Optional] Set the default user. Omit if you want to keep the default as root. -USER $USERNAME - - -ENV DEBIAN_FRONTEND=noninteractive -RUN sudo apt install -y curl xz-utils -RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh index 6ed8d64..9f8f637 100755 --- a/scripts/sway-swapoutputworkspaces.sh +++ b/scripts/sway-swapoutputworkspaces.sh 
@@ -9,33 +9,33 @@ workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==tru # If any of the outputs doesn't have a workspace, do nothing if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then - exit 0 + exit 0 else - # If script is provided with `follow` argument, then follow focused workspace - if [ "$1" = "follow" ]; then - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace2" + # If script is provided with `follow` argument, then follow focused workspace + if [ "$1" = "follow" ]; then + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace2" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + fi + # Else focus stays with focused output else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace1" + fi fi - # Else focus stays with focused output - else - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" 
- swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace1" - fi - fi fi diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml index f0fe5cd..89bcb33 100644 --- a/secrets/holochain-infra/nomad.yaml +++ b/secrets/holochain-infra/nomad.yaml 
@@ -4,37 +4,37 @@ holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3b holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I - Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL - R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB - YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 - M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2023-07-12T10:09:31Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I + 
Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL + R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB + YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 + M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2023-07-12T10:09:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE - DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU - 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 - e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo - dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE - pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O - p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 - eHRQH6uDdKM+/6FXnNMiu50G - =itdA - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE + DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU + 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 + e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo + dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE + pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O + p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 + eHRQH6uDdKM+/6FXnNMiu50G + =itdA + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc
deleted file mode 100644
index 49f69ca..0000000
--- a/secrets/hstk0/mycelium_priv_key.bin.enc
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwKzZsYytMYkd0WTF1TW5a\nZGpQcUYyUjYzY2UrQVp2bHhJTHRSR013Z1h3CmtjSEFaOGE5WDNDZElkM0c2N0Nh\nQTFRU2hvdlpGYlhsUlZoUGZSaWg1UTgKLS0tIHNNWUw0YytRTm5pRTFXTndBamVL\nbTJUNGNSdTloZXM4OWhrN1dlVFpHUGcKq+owmJktDTqpOgtD/makczGkRTphCtb/\nKnL1ig8xdnG+DdyhVCDmtjC7tAFgSUJBZnQi8ervh+yXOXvTJfGglg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-05-17T14:49:38Z", - "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", - "pgp": [ - { - "created_at": "2024-06-26T19:27:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+NduNIJaTv/DNmY3dGucui5Ud/ONikEdt/8q3M/iSNeQy\njdHjDbHu0UDBwKqD0Pmhs3StWSv2cs4UDvxPtaPV2sN8/WjeAUZJ1Sf2+k1Duy3n\ns40TpaHAf66JuDRkkFaYt5114AE1ypbMp29S0nv9OTpvAFy7FWtw1dsgKskQOWxW\nTnkxfttpaMoCVoUTjPZFbfPE3WJrp+r20QzwzelX5xl3SGmYvdPVDCPp1S54q+gY\n4l3b5R2wvGv3IAA0l7tKtmFe6XqzYlATOSUaP3+qHTKnXFmT1GAr3o+mLRJOG5/R\ny2CJS0wR9JKowAk23ubc1gYxcc/gIUzi5BGMvM4GlNJcAb3Q/nBs5WtjnHrk7zPK\nzzhV758th72GKhzJko6qUFwcfjaIB6h3o0NQAAlVCMXKUWk4KFY1TCgpLbd0Z6Gm\nv8tE1CFUViT/8Ys+2x7UYeWqN53ZWsioGzrk2F4=\n=sXbx\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file 
diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml
deleted file mode 100644
index 044372c..0000000
--- a/secrets/hstk0/secrets.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv - UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx - L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny - bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E - fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T16:59:30Z" - mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] - pgp: - - created_at: "2024-06-26T19:27:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld - wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB - EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq - mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey - 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh - OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp - BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9 - qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw= - =+0h1 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml index b797baa..56e013e 100644 
--- a/secrets/router0-dmz0/secrets.yaml
+++ b/secrets/router0-dmz0/secrets.yaml
@@ -1,53 +1,43 @@ -#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] -#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] -#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] +#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment] +passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str] ssh_host_ed25519_key: ENC[AES256_GCM,data:XQjTqNADLhisxPBIJ7x0bs3qgQk0u4q9HKSDukRbzel7hUiDqc6ELQAvffRqJQUtAS5Cfz9PzVcnyEA4wapvK7RLFavOmaN2MhcnQR24oQks5RVYmlvcems02Qovd15iE07XR4KCDcmQ5/XM5v4/RxW2zYzV5Il67Vzhij2wA9bJ7D3sbKUfyc6pBoIXvURbq6QO8ZMIU6ckAuOqG2230KwXLdz/ld0s3Ir1q/7t+rrrS7BPkeA+SRdYhb5XDOTKtfgFxNvdI6DSETV+q67xAalAkM/cZ2rqHJQd+wgH2VIPyiGqeq6LvPT0vmopFJn0CqQA2HauQAmBNIAtXel8GbK+qA11XilMx+hp6qhVH+BnSWWY3GriGfaGlpUZ0E7uymqRkpRwBcHmZto6E/E/XUxBfISVyJf/2RcTy10RelWLJtNuaXT2eHgXmZ/uAlcTGlCYYirr5g3iAGUoqxYbWlZb9SdqVO/0PLCZo7AkDWxk57wer/lHOG59ZpoiZnanaMIaNqJ7Tsslvvm0JuoP,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] ssh_host_ed25519_key_pub: 
ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] ssh_host_rsa_key_pub: ENC[AES256_GCM,data:N60bGf/6KNRhVUq1EIbPVo3aBDDKEpMBr5+Gt3+FMPt3uQEaKk8jBg5mOdxWMTPoLg1ZP/Pme8afoM+Skc0b50WnpErF3Ox1w+4eM0oMJYOhIvHLGURNM3Dba5MgA7YfhPdTsVdjD2yks2vYqhdtEvzTTgCJbFimVJlp+wDqE6czPgMjD03c7oJDtv38OBtc1vRMzVw3cIuyxz2yNnXQxiMgTR6pZN7+Brami2dfXOHEVgymmlU5PRE8Ykerq2fB36N5uqu4/xSPaHaM+/f2OA/TLlYYB+sGMDExZfbO/vsiRBLvTY/f4KG2mEkmH+IFH1bk6UF47xTFEe8tHN/TlLo+9OmjZTph221ZYnOsIqBY+F822ctZEe8Ikz9Ti4F1ApvxxRcWHajbgQnDJdDiHJvt3OHal4rNBtYwxxV/MDZtvKSVxmFwgx7nwNP0oKhAigQkU7Mvp1q5p3dZsdbGCUeFm2S5/qIxWPfr7wg4xocLNSsLW1EpGo6A2RUXWIV+lPuZd9dNEjGC5zKKAgMI94is6MtMXgqlFqTcZuQ9hvhoVDcFhVSJylu8pzk9d/tKviwcd98jHAhdfGpnc9eJbtyBU6/HvxLzQpsbFjwa3LGirEdtgxRZn2nJx++0U6XuLcbGwjOVAhkde6g2vFv5hsC6KaZQcp4AFvMvEdJyrnb0b2TOeOD8zEljb8u2q/eexCRSjGpobEINwu5qV+tF9eHIJ1YFzhCSmmLGKXjc7bC8uv5ffl39JmAbUrffd18zqae+Xpijd+QzwF425NG9+PksAt+PPzt4SDgGfKBIpMNFxIb18oo88z4YDLuNzRy/HVF90JV0LlAxES4ZOxoWUjJPrR6dGxNRANYOyFGmoN+yG3B9kd1NRGRNGh5P9EtZBxlPIi24djzF1n4GQSW1NFDgoGcxaXhk0PlpPxwuHK0X9FkFDDzQUYNBhx7py+hev5rBUCs7Yhj5xgcM88fdLRZi8MulNws=,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] -#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] -#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] 
-#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] -wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] -wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] +wlan0_saePasswordsFile: 
ENC[AES256_GCM,data:ylY1LwMYlHdvYIVPIIr65BuxkW/BHCikkbGO5nNSU9WVekWiDXNIt2EQ2sYcdqnvZMGvcG0G4SQvCwpNO8ihh/RqcLYpTxldI8zwSqAwvATu7prV8l2bCvBQ+NXZ3yAW,iv:L6ncjd0u316gF/3InI7cuqO1kDpH7ahWGcsssYfb2YU=,tag:IAqt8vSDjW3OasOTJ44PeQ==,type:str] +wlan0_wpaPskFile: ENC[AES256_GCM,data:I/30uOrCPoWqnNq4WelPsDMevrmO+TuzmNrjMtPeCLS5MncX7BnX20YV5LxLsLCJS0NmCEqE58pgpeQEaUUcR0YRejCdO0yZnpMRbla6IR/irNSR/xctDQmMV6HYe6IKWE2d2LA/qWTkj+uBGJ0NtAsPIRLknuCwT8SLjClzF4/WCdoqHvxhBCESxhd3OTYr9op9uxk94iRxKsFfUBuNnckIeT/tQKqOQIHlkpperGBNRtTZ9q+Glb6lqFO1o/BJ8tAGpw0qyNO48jrRAtiIG3sauMH+UPWp86AYPhwQjwA6iDReFoH5KhZsohJSTX4vwoj46yycOTPu/loHrxySBSrYuRyOuIv7mwpRVZgJP+c3ZcngVncE3YQhLA==,iv:AlQIFKqcFSnyH1LrRN/XaTTocsMjZM20YHWcz7S3gCE=,tag:octNvum5lOOUOS6ALJ0x4g==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h - Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S - QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz - S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV - KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T09:44:59Z" - mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] - pgp: - - created_at: "2024-12-24T19:36:20Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk + 
REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P + T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r + THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv + J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-25T21:25:35Z" + mac: ENC[AES256_GCM,data:Sk3eyBaxhL7cX78YprYsv75oO+auEoxxGHCk1MRYGcAkat3vrc2vXjmKn6SsVQC8SWvu2YR2dOGU85Z7FCUUmmnwKeh+1PKMsurwfrNkB4umADXjaESNUWNevzAK9LR4pI1I6rGzl7mFEFYGEPd948JMOfkIfwNm1KMmETGkkI0=,iv:UzfDF94UFjPuEgRkpkRyLxSwZGymZclboHYQ/HxulJQ=,tag:MIBhvegV4NaZF+nGShotPw==,type:str] + pgp: + - created_at: "2023-08-11T16:15:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw - ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q - Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad - hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ - 1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H - sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5 - W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3 - g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo= - =mYf/ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.9.1 + wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+ + NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3 + pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8 + ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a + 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB + 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY + pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O + v5QlxcXSMuOeGygclwHdxzs+ + =NQjH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
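Review bot: The age recipient for this file is swapped (age1qju6ms… removed, age1k7cejd9… added) but the file's data key is not rotated, so whoever holds the removed key can still unwrap the data key from the previous revision's age stanza and decrypt everything that remains in the file. The hunk itself shows this: the `ssh_host_ed25519_key`, `ssh_host_rsa_key` and their `_pub` entries keep byte-identical `data:`/`iv:` ciphertext across the recipient change, which under SOPS's single per-file data key means the same key still protects the new side. After changing recipients the file should be re-encrypted with a fresh data key, e.g. `sops --rotate --in-place secrets/router0-dmz0/secrets.yaml`, so the retired host key cannot read the current SSH host keys or the new `wlan0_saePasswordsFile`/`wlan0_wpaPskFile` values. Separately, `lastmodified` moves backwards from 2025-02-05 to 2023-12-25 and `version` from 3.9.1 to 3.7.3, which looks like the new side is an older snapshot of this file — if this diff is reversed or the commit is a revert, please confirm which age key is the router's current host key before merging.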
diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml
deleted file mode 100644
index c0606da..0000000
--- a/secrets/router0-hosthatch/secrets.yaml
+++ /dev/null
@@ -1,43 +0,0 @@ -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP - OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv - TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty - 
czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s - +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-09T14:08:09Z" - mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] - pgp: - - created_at: "2024-06-09T14:07:43Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4 - kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu - hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c - 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2 - gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n - y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p - uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7 - Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg== - =5YRC - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml deleted file mode 100644 index 0566d57..0000000 --- a/secrets/router0-ifog/secrets.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] -age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht - c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD - Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL - dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07 - fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T17:23:41Z" - mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] - pgp: - - created_at: "2024-06-08T18:36:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD - 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh - iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw - 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ - Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j - wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS - fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS - ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA== - =f2HS - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml index b93a80f..94768bd 100644 --- a/secrets/servers/dyndns.yaml +++ b/secrets/servers/dyndns.yaml 
@@ -1,37 +1,37 @@ dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt - NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM - bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw - VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0 - RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-14T20:50:30Z" - mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] - pgp: - - created_at: "2023-11-23T12:05:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt + NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM + bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw + VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0 + RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-14T20:50:30Z" + mac: 
ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] + pgp: + - created_at: "2023-11-23T12:05:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6 - T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg - 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF - CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW - LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+ - fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3 - nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN// - ijdeSDMnCT93t6BEeNKvmTPS - =60WW - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6 + T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg + 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF + CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW + LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+ + fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3 + nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN// + ijdeSDMnCT93t6BEeNKvmTPS + =60WW + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index 428b745..66305f1 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -1,8 +1,6 @@ #ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] -#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] -#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] -sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] +sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str] sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] #ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] 
@@ -10,118 +8,109 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK - YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ - clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy - Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu - unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0 - MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R - THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ - SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1 - SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN - Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv - 
UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl - d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS - NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi - NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ - dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV - djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0 - wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg== - -----END AGE ENCRYPTED FILE----- - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R - bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs - QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB - RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo - OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u - R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS - MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX - ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF - elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bzBRSi9qOEsxR0Z4RTNt - U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG - 
M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2 - cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv - c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn - L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI - Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB - WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b - E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk - S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz - VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253 - c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4 - tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa - VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH - dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ - YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn - 9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-16T19:17:41Z" - mac: 
ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str] - pgp: - - created_at: "2024-12-24T19:36:21Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWFp1QUNPeEJDci9ibTg2 + ZUNkMVNld1ZxNkVmUk9jMld3L01ndWVtakZ3ClQ1V2crS3hITG8rSmx4OWE3RU96 + SC9xb0VybDZDN0FwU0JTTHJPRDB0QkUKLS0tIEU5cmh3bW1iWHJ4RDdrUUF0VG5M + MUhWRm5qdnpCUFZ2N3FvL1FITDhNMmsK1TKbM1jrJMvy16yhZwLGcqOan5RTiKYu + jVaSgPaxJLPhtWReAH5RM2JOmrET1DdI7q8vFD7eaJIzKdBxAIwhQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K2x0c0swK1lHb2VCZi9v + RUo5VkRPayt2V0RyRVVhSlRGME5TMm9KZFRFCnY0NTdEb1FqK1JUaUdmQ09mOGha + SCtMVnRWYUpmYkM5OUY4TlJQd3MrdE0KLS0tIGdiZFpuZnFiNloxMTNFOWhoM2hV + TlovVmMrVHdDdmQ0dnRhZWxRZHJkMmMKpYOiZy2BVhddpSNiXasycmDaD9lA8irk + ThkO0iaLu2fG7RhT9A9VfXu6eE3ZHN6vr4hv/ItzAbP+T8Ro+Yvwfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuS0FVR3N3YnRlMXBwMVpj + elZ6dVlyMWRoSUx1UlVmYThBcWFFdmxEWTNRCkhFZEVDUGpsS1ZmelBSQVpZUWVC + ZlNqcm9EVXF3U3hLYThpbGVSeVFDNDQKLS0tIGV0bkI2aVNmbnJmR2lqSFVLMGNr + aVZFd091T1U4QVdVcWtSbnppd3BEODAKPzj/phV8BijdFewcwBV+loKk4o1tBJ6t + CP8kwiIb03/lCd9HmyLgAUt0PlMJFbT4FJNEjwBstMErUdvClXO3dg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 + enc: | + -----BEGIN AGE ENCRYPTED 
FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEZ0V2pOcStDb2YwclZG + U0t2RklFMkJQdE82cTVDK1NGMUt5R2R0c0VFCmV4Q2Rob2E2REVMUlRkeS8xTVVu + U296N2FFRHpmRnJPQjRBUmRaMEpnL2cKLS0tIFBseEpvSTJ0azBRUEVRa1dqT1RK + bFVpbVY5RU01R3pEcWFsQ0pkQWkwYlEKIW1AmTBR1UIjD9n3o2QyWb/FfUUa8qQz + b0GtaaQkY17GyoBzrBh0G4D2yziPy8N9AwOTaaDJ7l5VZq9ydKbTrA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2YTZGb1pXSWZVNk95aFVp + UTFDUHlweGVUQmV1KyttSXpjeng0WFd5d1ZFClJwL2xGVmhlTlJzNVhhaElmbnl2 + K2RmUlR0SzNkMWhmb1lOTTMyVUt4Rk0KLS0tIElFV0hCZVRwWTNJYldmR2ZYU2Rm + dHRuVThQRm9NT05HdzdHOWh6R2dLYnMKvrsQXgfRyHOl2aN64JHPXEdlvcHynEss + I4dCLuvKuPh5WjcFZ16zidGzffNKZTHsXPv/WKFUsy20lONByRuRbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WndIcHhndkVjazRKV3Rq + U2JjYTZyYUhheG5pSlI0VE9tZ2w0SlRBM0JBCm1YSWxFa0RjVUhFb2xHMnMxbGZy + S1V1b1RMVExFRW0rUU03YXNjejJ3enMKLS0tIHlwdHNNRHNYL2xyeFFCcHdIVFRi + MDZaQjREbWw5aG82NG1Ea0J2d0tTMWMKCodGBDTKbq5qcmtrAh0HrdZ7fmEx8VhH + InCa5SXSRo7cVQe6VRBczF3RC/Mc2u+xzEDd1XbyGviqt1CkI1UPRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa2YzeTBEOXlIcUJlZlVl + NUdCTGRYcUhOa0dkRjR2RHJNZ3VWclJWd3hjCmFZY0dEVTlwb3lNajE2emFCZmZ2 + SkhTejc3cFA1Yjc0ZHF2TjRYZ1Qvc1kKLS0tIGxDbWNjaXlvU2ttbDR4NW9UYThr + OWRZb1d5dkxETCt1RThQK0Z4cmJSb28KGrAeCR7Q37WwyEzHT5CvaMVmVUoyv1s3 + dDbEu8mtNhDBi9LYMwfbXiZHAlPWQ1Ogveot8vc4kMOAlvWMR4FwdA== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT2dIMGFEbUErU1pYUXRR + Yk1tUmx2R3BmUXVhK1JMd3J6WVNwOGVmRkUwCnZBSGxvcFd4Y1dGbkg4UEF2RUxE + TUdpVGV1ZEpFQmNWN1ZKei8rSWJtaVEKLS0tIGRLd013RVB2eHhXeHpXbWoyaktu + OExualc3eWk1UGgvZDlNbWZydXBXWkUK0vhwGhegmrQASWqFQYpZgJungzt7vtfC + sBna05p6lnSEdtclUa1MZ/a9wlqAtmrA2fUarLnc6/bs0K8Oz9HRPA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSFIvcUEwbnZ6Qm95V3hT + SlBiSS9ycE4xTmpRR1l0SDZKYkFNVmtXUG00ClBKYzBMSmNOMmdCSktGV29WbFBE + U0x1K2dsU2FoVVBPSWthZ0hmRkdTKzAKLS0tIGhZaU9kQU54ZzNWVnhLNEozWXZN + Z3MvRnRGSUlVNlJVdzVEMjcxNE4xbWcKkS3GagirASPe/XnJgwBIZ9cCdyeOi9Uy + mcD5Pa6AU7itXL9pHtDcMUsDlKkKYWSUtouW8wAESWdXfFBd2Q+Vgg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-06T20:14:22Z" + mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] + pgp: + - created_at: "2024-01-23T09:01:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu - kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT - r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh - SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98 - kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS - aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf - tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J - BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0= - =Nc6x - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQf+Oo8GZF91ry7FhASb7USKTxKYFfdlJPWDxLFtBNSFkqdV + 
U7tOgAB3WJTSlED8Cs+6gyNNr3n7Y6p2KaOLYjft05T/Ms9pDuJAV1S8Ogfo5zys + W7Ss4hkCMZqIXZXTQ03yZner+8o8v/F/f0SPNji8znT2qZmLZbhwa2IPjmORo3L7 + y4F38IVie8keQNWObSFqd7qVqKynHHg+ur5NmVgUAVO/wMg6TytV3Wa11Hfq50tc + EenVAyBW1GUOtsBCH8MOCgH4paZcrzkBPU2dK9UppUWzB5RxayIZT34Qf4mNHwdL + sa83I2MwMp0fuTW66YvJPR1vjcYgY/wOxxZw28biidJRAWpiGsPhGKg+AHmHNp/T + NjN/7MVxZMUX/DHm2LmF6sjSp99wqCl8yvEIrXcGXSSY218XZ0QgXQRhhErwCEaT + JM145ZTHicA2qi4NqMkfsvjf + =6arN + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-bm-hostkey0/secrets.yaml b/secrets/sj-bm-hostkey0/secrets.yaml new file mode 100644 index 0000000..7d9cdc0 --- /dev/null +++ b/secrets/sj-bm-hostkey0/secrets.yaml 
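Review bot: Removing the router0-ifog, router0-hosthatch, hstk0 and old router0-dmz0 recipients from `sops.age` did not rotate this file's data key: the `sharedUsers-root`, `sharedUsers-radicale`, `sharedUsers-elias` and `sharedUsers-justyna` values are unchanged context on both sides (same `data:`, `iv:` and `tag:`), which is only possible if the same data key is still in use, so anyone holding one of the dropped age identities plus a previous revision of this file can still unwrap that data key and decrypt every value on the new side. After removing recipients run `sops rotate -i secrets/shared-users.yaml` so a fresh data key is generated and all values re-encrypted, and do the same for every other file those identities were removed from. The new side also lists the recipient `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` twice, i.e. two host anchors share one age identity and therefore one trust boundary; that is harmless for decryption but worth a comment in `.sops.yaml` if it is deliberate. Note that `lastmodified` moves from 2024-11-16 back to 2023-07-06 and `version` from 3.8.1 to 3.7.3, which looks more like a rollback to an older revision than a deliberate re-keying; presumably worth confirming before merging.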
@@ -0,0 +1,36 @@ +unused-secret: ENC[AES256_GCM,data:rKIjC2Ri,iv:PIs3Xuv9zEMhawvMyxwN0CI4Xzr1lTpg1o2scsosizs=,tag:++t0A80KDxctiXwxW5Vd2Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBa2YwTDAyWUZqRjFPWnc3 + R2FySXZ4d2RxRjlLTkZFblZIOUNPUS9kM1EwCjUrNTE2cmx6bGVTOXljZVllQzJG + clBPa1BjcC9GQ3Z6N0xYSFMvZ0J2c0EKLS0tIFQzQ2NHdmJBTFdNck53NVVyejRN + Y0xhYnI3MlhnbjhTS1dFMUdNZFdnSjgK4cl3R943LNMxA3dODf8nsSdmINkKIjB+ + fgp2whfSacWQchsWgpzdiayQoZ9XlWoklmTAX+yN0J8Q3j3CBb3S5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-23T11:45:17Z" + mac: ENC[AES256_GCM,data:VFEtWuEoqlU3wW8SwgWjlnnuv8aJw5Az9j82gc9YfexwR6lNyyQHY5EdZfqPdO4ZRNLen60Xq98kotTYiY7GJ9x3ZR8KPW3puRvqeD8qZf1NMwvkzQliZ+078HCBHmBTeoouWLuvWdP9uv3XOQWdR7/ZfMB/eC4bWS+Acq+tVZ4=,iv:5CRupDm9jNslcn96kUrhQdT5zadEqyKtrKbv+BtcYW0=,tag:ukHLjRdZCTRliB+LXGBHWQ==,type:str] + pgp: + - created_at: "2023-11-23T20:47:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf/VZ3eNZsb6emw7b5N9rgkRqTW3QvHe/w2QJcjCjp4Hk2M + Es2jYS6EaMLvduiSf6Xl5qHoQNS+HfM3GBKyRdgP/AcrjXXqj5CzmmbMYk5MY2oU + qseV4VFvvk9i9gbHaGbbntixYHBDeBSEHb/k7jWfUxz4wPhSWxpsEW/UQ1UabDgU + C54m3l9NoJw8oseDHOW7gTPW1mm1KFVBqaJ9zeZX5FHSJ0OBDj015wuGwTxkR7pv + /NL1Xg3wtpYHEhRKh1qxqwijW6EkTK9aAJFutkkYE9nI4x48cLCHjDg1GbXgYQkn + 5rPRZPPmWhJPJIyCZIX1RkrVSXSIkI2Vjr3iKpEfltJRAY1KD6PSI3rWRHPDbM7B + oFIdVwLKvV1tBrdVk+3M+nDrXwEshBJUt7r9GTdsWVxjdFgCteTkgkSnzM2y5mbG + AUodj6a/Fvni4sYQka1QbRLn + =YLrT + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml index 40a927b..2303d41 100644 --- a/secrets/sj-srv1/secrets.yaml +++ b/secrets/sj-srv1/secrets.yaml 
@@ -2,37 +2,37 @@ passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v - ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL - dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 - czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 - iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-19T20:25:37Z" - mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] - pgp: - - created_at: "2023-08-11T16:31:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + 
dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-19T20:25:37Z" + mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n - TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 - R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ - JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP - kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy - 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT - eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 - C5Jot9exml6467YZkApBm0eM - =HulH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml index 09a13a2..5eba76e 100644 --- a/secrets/sj-vps-htz0/secrets.yaml +++ b/secrets/sj-vps-htz0/secrets.yaml 
@@ -5,37 +5,37 @@ wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6c wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v - ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL - dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 - czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 - iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] - pgp: - - created_at: "2023-08-11T16:31:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + 
lastmodified: "2023-08-13T17:03:01Z" + mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n - TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 - R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ - JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP - kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy - 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT - eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 - C5Jot9exml6467YZkApBm0eM - =HulH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc deleted file mode 100644 index d1693e7..0000000 --- a/secrets/steveej-x13s/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOHM2dFdaSmRjVXRGOWdM\nc3NySkxDWjl3bXl0VHpRUURINlRWNTJhM1JNCmQzV2xUTUlEb0l2Q0FZUDMrOVVF\neTNEWG1kV1hlY3dWaDVubzdBMUpjdjgKLS0tIGtzeUF5TCtoSk92aDZkdkhqMjZm\nellNZk84ckRXZW5LYlA0Zjc0MXFVMFUKkbgJvketPLkiRtiM2ot/o2q0roCyMcNB\nDjvUDLeExvpz11T12pFETaeSGKMH/R6HfDt37T/K2cpCNvOXHU8MpQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-04-19T19:07:46Z", - "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", - "pgp": [ - { - "created_at": "2024-04-19T19:07:46Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf/UWVXKoYna+QMRhlTcMeEYBYD1twGiU2M+Qov7lMwCVd0\nyLd/TW0E3l7nNp+8pVeQb2a84F3W6kitWSv6sSEQuz74vMGtAHJs63NRaRP+apdV\nKE9kada00clOgd8gDAwEZUUMaTuCxZalsLHOLmKa/5UJVCaYuHcS1wyKWqhK7l9j\nYuELlmM0DcJixWved7t0UL9O1s15b6aFGjc029OIEXwIGuh9Fe01lDjqC/NM+bZC\neL8osDcyTvz2AJB7IjlKQ9EQ9SGxhKXdcoJ0iGvZn5UJx4Dmvw7U2egHN511WDR7\nE4UGux7u7D+DfvOmeCxd/6iCzMdOZUUk3E+yb05YxNJcAZNG/2HLxs2eIs/W81Uk\nLM4UVDBrrrH9hAAyE5sSHsZOIxoqbNol9FSU3iTKEdCq9giU1C8P5mjKymr1hhro\nbYiCYZXhSV0X+bEm27NH8KqEg7wYv6FWMwiYVVY=\n=Itgp\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file 
diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml index a76e0dc..f8c2741 100644 --- a/secrets/steveej-x13s/secrets.yaml +++ b/secrets/steveej-x13s/secrets.yaml 
@@ -1,36 +1,36 @@ -builder-private-key: ENC[AES256_GCM,data:KG5V86SDVM5LfFPZI5rjKGvYwqLZInEqpwdIJPAiF7fMdG3rTq3JgNJCQr0eOhfmLwT3KEN2Fv0mHZS4smMGdh0WCkza8CzRn/KFY8gqEWxxdff1Wqj7+2/5lSI8I7Qp2EW+eaAgU53PPOh/M3Cgm/Rraw2ARmIJNIgtuJC8ZeZlsh3sl0tacF9rgSrP8p4xAH3C/QUs1HW+10eL9F3STtAV+ZBruU68lNmCdiyqKjg3O3qdRFsjdGWAwHNHL42cEm3il4PofyS5fDDF4otQktZa5n8832ukF5Aj6RNgJwubrsxB9+1M9s7hD1UQyKo6oQKJr1GXNK+IPyXAvdxckZ8INhsxP4c4v8GzR0zJK4MfESx0r67ciGLOcYulNBDOMSbD57oW+wRvCI2eZlpB3ugBcUm/rsQbgFVEX8q6jD8WipJ+Q3hz1zWq45s66XooFmnwc2nBhT6cRmtGzTJCcDpiovgj5tKXSXrWfwYO7tWr7lYg8T4zhfplZBtQOaqTUrAOhW7IRT5Lo/310cMRcp1h44TSnpWXZN7l,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] +hello: ENC[AES256_GCM,data:9dO0Gd4YDDxWHHBYtdomfK8BJnBZC+SQYfUvTAkCq9sOO/ZH/bFhN0Fl/NvLzQ==,iv:m1TZ9PGjsoMo7NA9EHrLb0tCtIl98E3OEN1bkpZZxXY=,tag:Gup/pACLIXGXu8KEyzmfWg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3 - YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1 - TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI - dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta - wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T16:50:35Z" - mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] - pgp: - - created_at: "2024-04-04T18:26:01Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU3VmRjNmYzhPT1A5WFpB + S2ZBeE0xWGkyR0pJVm9vVnc2ZzNWWHNkY2tvCnhHUlh6d3F2cDdHZWpvMGJ6ajhw + WHgyd21RZWQrSHA4bllsWVExRksrcm8KLS0tIGVvNVF1TkJ0MDBxMzRFZE01VVVz + Q1FmbW9BL3E1emwwWFhJTTZoRlhVdFEKCkpvkW65v0+fuh2bXZVNVbnwsl1Aca/O + 9tkIMNLFhD/Rn8MFmkhIZmWYWB4IUwW/UNSxrmkt7cyFJNlpAH0+YA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-23T09:41:31Z" + mac: ENC[AES256_GCM,data:xGspZnqqcwoxM0otV3m6RJdwp4laYC+b6DSOEhzbQDeS6hslD6BddQ2g+tS7l3QTtItOjmB6pLb1JJkyhaG3PDWaDu89GNlvUyTyTUxfZWzTfiB6LWJS7eDTwb6OvzDklzCRltoH+8bWTjedWkeWIOtYbjJPo6zwUAiXgiKOj2s=,iv:MSgm5HXlb/NtvqHvVmDdwzX5ebipf7UJnmPNFUV9Nzs=,tag:XT4Evu+Sn+t/+EPb+dZ61Q==,type:str] + pgp: + - created_at: "2024-01-23T09:01:14Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3 - NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo - 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8 - SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0 - 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV - 9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl - vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd - pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw== - =y1Sk - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQgAp6QdUiZPpktzBQ4kG3QctoiCJ6NwiYEtPJAftgbbBCDb + WdtjiLmp0+XFf4TvihdaFy7kDQh2wvMSj3dOLANV/V3BSJwk4WjtJoEEG+B8ZVEN + T0B2SauM7FcgN4eRe3jx0R9xoQGsE8vXdDbyU/rRpf1LZ6HuEjFC1Boe98mtWsAD + MRxYbBfmIsh0DBF9GZyaKR62PyHu7+doRHzxxDJXhItaGW96cKdydw4GhXBvqiXn + 9SUxxXhg+FpIMXysncB4+yWKSV8FoCkmqPeNlONgk5hwDNpkeXEDND8mHbhZFN5n + ElUTO2ild4Cxh8E1U3A4IQ8ARMcmyag7wnCUmcxnTdJRAa11NhS+6h2PVNqRt53E + p2UKvgbpMgMYj3pWlP9dSuege0+YhynTGRpjTbbUqNJVGFAKfwvPa0zY0hc0hG6G + 7Y5zpcqR+/NlVgerPZwLNFib + =0kQe + -----END PGP MESSAGE----- + fp: 
6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt deleted file mode 100644 index 38a76e4..0000000 --- a/secrets/work-holo/zerotierone.txt +++ /dev/null 
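Review bot: Replacing `builder-private-key` with the placeholder `hello` only removes the ciphertext from the tip of the tree; the encrypted key stays in git history and remains decryptable by the `age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6` recipient and the listed PGP key, so if the intent is to retire that builder key, the key pair itself has to be regenerated wherever it is consumed rather than just deleted here. On the new side `lastmodified` goes back from 2024-05-01 to 2024-01-23 and `version` from 3.8.1 to 3.7.3, so this reads as a revert to an older revision rather than a fresh edit; if that is unintended, the newer revision is the one to keep. If the placeholder is meant to stay, a short comment such as `# placeholder so the file remains a valid sops document; no real secrets for steveej-x13s yet` would stop a reader from treating `hello` as a live value.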
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYWNzWm5ZQVFRNWRSQ3I2\nckQ0YVc0NlJPYVFvYi9Zd2ZNaVh3UG91T2xNClVDaGtvcHlvUnZTOVgyV242OHhy\nWW84NW9LZ242Nk5RalBWUUFITmEvaVEKLS0tIEtOemlTWHYwU3RTVUFoQU8yNU9N\nMlJnL2ZjWVh1RWJwMEpXUjZQZDIxb0kKKbe3H99dII7ni0NQv/QcotAQ4OdrV87/\nro5JVYotk/m0NtS76nJ0NuNpkz4/r4D0XE1r/y3eRH/q+JHyjHFX1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2024-06-26T19:27:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAgxxDv/vq2N5Hn37enDmLSjOegRW+IbDE/M3zbEvaKh9R\n+UdPf2+9oBjMLX42fOdSihGIHbrQtfG37nFLcJb/W1+Kay205INSDLSWIyUlyNvT\nwtPSVBZdgCbH5rW8yoX5xaS6Fdm1ANCof+hYyQxNtC7LgcgHLKvubhPrsckEoul1\nVuL0g9DGFysxnb4MCOZyFmziucwTKvLFzkaIb68PAYigPJG+wWVx5G/CvoC7Mzxp\nVYApk/6OnHR8TZOhtpnD9Q7Uj5g2ZGAJWE/B2z6xY2m9NJNC8UEL0QypVOnqBaSq\nyDDwrfOdTHqm3u0huJ4mV3cXzzb6RtRw89AuXS+6O9JcATtlFBazwos44yV/WAKz\nT3ZOZ4oD6elvqnvj9J7oOIwuPylaXd802YQSzPrfWQSqMUYds0gt3gklfIx+/SRm\nqBvQqStPmm3njU1TEPU3xrTywDSWGDKXCklnkVM=\n=CPPt\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file 
diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt new file mode 100644 index 0000000..9059ac3 --- /dev/null +++ b/secrets/zerotierone.txt 
@@ -0,0 +1,58 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2lYMFY1V1piNlBpUURv\naWh3dHpaQXdqdzRCU2JIcHExbkhwZzhXd0JnCkFTMG5wVDNQVzNVUmo1cUh1TWtF\naHVTcGRpSDNxa1NHVDZvZWFpREdOcVEKLS0tIFVJSTdiZFBwTlJEMFowYnJqdjFr\nWDdKM2FGM0dQS1NZOTlZUGlOa2srV2cKr/EwcrbOw9vjmFp7OsEF6y0KxACs8NPM\nRYMKhnzd/6VFY5aK79V6JuMSOLaMT+AbQODg+R/iA3TNLev22Jfcvw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOWsvenhWdC9ENVlXTXZi\ndWtJWWZUZGMyTzduMzFvK2M1NmFLZ1JwVFNFCkpTMDh6eWhwV0Fya0syRDhuWDlK\nV1lBbGNDbXUvNHB5MGMrS3R0b043YnMKLS0tIExXNXlsaUhsTUxGZGY5U2VRNXJr\nNjZmTU80QVZ1blFKd2dGandsVm42blEK/3uqLhxS16HU67wA0T0Y9uqb2WJI6dII\ndCktjLZcKKyGB+UXNyzDiRgMR4OKIvB0MjLIql2SZKt53OpkpytAbQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlErYU5pUHJRdXlCRmZS\nNWlWalFDb0xFZFlrbkdXMG0zYXl1UjhmNUQwCmNCcWZPME8yOGcycnVRWXJxeFo3\nTHFuWHY5aXRxZERNU3duSzRsaFIreWMKLS0tIDRyWmFzeGN2YU9LNW9IWUZNWkVJ\nOTlYTlNteEU0REhmd3ovbGQ4Z09FakkKliCyJsTqsUD5t2vOfTigqA7WObfNCcsd\nt1Fs8vf/1tReWqF8V0f97lD2APgfqgg0hqWFcKkiGYBRWEJvBAj8Lw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT0xzWEtNRHl3bFBZRGl2\nTlkyaWRGTHcxcDVqa012VUk1ZUVjREF2bGlJCmRBNkdzRmsxT2dFemJ6NFAxV1g5\nV2p2c09VKzNVSTJ0V2lheWNwMFlMdk0KLS0tIDZWMTBtaWZjcmRYMnhjY3VudlUz\nem10U1FzZ3p2VzZrRXZyRDFUTy92dkUKcM0Nh1/rQ/aoXHJ16QjZ0daxyaOIyzyx\nXbWDj0opTiYweKrL93P8MSQr8V5i2zVcxP7Gw/fZsWlCs26nBeK1xQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZVdzS2lONzg0eGJUei9X\nem9Nc1FhTm5XampHVjJieHJjOUczR09VNTFjCjBkejNlY0I3dEhYbzYvaTBsMDd5\ndjc0alpKNWF6YTVOczltTFRueWZBYXcKLS0tIFJTSThncVdhajhaNmdZTjRNQVFB\nTi93ejQ2bUsrVXl0eDRkbFE5UlhKUzQKg/cJKYzhq1YIBvvNx/N4F258WUnrmNMs\n2MnxrLk9a67AGciCynEMO02dpUXPWxgUkTSqOjRkkcA20x5Rpn4e6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRUliYTB2MG1zUVU0ZWFM\nNUNEMUdha3ZSZ2dkYmZuVk96VjlUTVpWNkI0ClIyUFBZWFppTzJwbHhJaFhXWTBM\nT0pvVklqbE00aW9GMG4wWnFkZkNoQVkKLS0tIExoeTBBcjlsUkZyQkNrUW1zdXU2\nUytDNk9YOXNtU3hLUzdFQnlzQ1lJSjgK+64AJTx4ZjT4njl0Gr4Hk3ykljRTgaqO\nuOjLz/9Qy2rM3BcJzajhCU1pU4f1A0qDQRjoYj5+M9qW/NMbZt6Ujw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjJsQVpGQXhLdkh0UGtp\nUkZKa0hRblFHaHpVZm9MNnA2SnBIYVdLUDE4Cmkvbmx1aVBVMVFjdlBjU2JTNlVa\nYTQwdUF0ZHhzRGFIY2RUS1JmOVhCWE0KLS0tIGd0eHNOUmJ3T21jQ0QvRHlnOWRw\ndXBIVFdRQld3RmR3VWhpRS9XLy93ZzgKIcCl3r4Q+p1GqeMQmTQFDOhGDN1KE1Fl\npdx6QOkhZSVAux3YcbWNex7nDju5Meqhyhfe5l4YLJKnM5gs3efFcQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazhNT3QzWFpXNTFmWVkr\nTklLei9RN1M1R0pVVTBZTUJkTDVvbzdWbG5zCmx0RVgwbG5IZXNvZUFkaWNzRW10\nKzdNTDZyaGZVNDg0MXR6aGpVQ3FOSEUKLS0tIHB2WnNHZStodXZJTElBV0ljWExy\nbFo2Q3RMRm5BNm1zcnNhdzRYbk5CcWMKsdK8OIVKidayA0LU1NF2pjHjTirVQ/MA\nS4yGouebH4YbFkHDpHbttv572Iw1mbZK0EVIbiJuYoGudb1w60ROIA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU090RWZqSnpSaGFWcmVM\nQlRWckdLMk5Kd2E0dFVnSzZEcXBPNmkyTkVZCnNtekhvcUhYZG1RS0ZINVBNMU9L\nSHFqNlMxODdRbm5MOEw3UG9VM2NlVUUKLS0tIE5acnhENFNwR3JMc0s3N2g4dFBs\nR0FuSi94d3RUNFVWQ01uM3UyZW1tRDAKfIVF6+PE2iMC3m81wPoqH9LqL3MsK1WV\nslE4l1m04UL315vdAyPm3k9b+vkTGD4Fmeywsto7Am92/JCanlT7+g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2024-01-24T22:48:30Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf9H8VPhApFkYZi72afxgtHIqclNN4BPuSEhYQYR0m2tvm+\nj0sa3ehI6frkH8KxCtgXgaVB+74yWe+JeVnWRZUk1nIm+q0kuN+0Kn5+YQW0iYuv\n3z34VCw938Gebz57BLaWZTcns3xur+Ug3a+fjyjsKW7w90aP2Q7V2qp9AgxxsN1U\nl9Z1RXHlIUS1CGqA8py2mIkgvlK0WHiYRXsqdRvJh1jdUvzkJjYSpgz4Kj7pyyte\nvXIB4HckW6Fjn6Nlfeyzt6Ka9NziX7EAFlBs/8U8QvkX8AizCxuTwwB9n5rbRxb3\nDjXbgckkkKHc2nEx3xSRe7vh1cfQhTU/TNTuZI3GcNJeAVD89dwR7hhkqFzkanw+\n3hVV1mbDNIDA2fCfxiDLvBDYq8jhaMosAIrwO5TcXEm1PeEuRx1mDEjHsthwmOad\nEJNSBWKGzd13r23WlPRjdeCUF0YSnNFbhM0rwLlLdA==\n=5GJ1\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of 
file diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile index c15ed68..c599600 100644 --- a/services/home-ch/router-family.lan/Justfile +++ b/services/home-ch/router-family.lan/Justfile @@ -1,12 +1,12 @@ _run_ssh_cmd cmd: - ssh root@router-family.lan "{{ cmd }}" + ssh root@router-family.lan "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" - just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" - just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" - # multiuser SFTP - just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" - just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" + just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" + just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" + # multiuser SFTP + just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" + just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile index 6f818a8..921adb4 100644 --- a/services/home-ch/router-wan.dmz/Justfile +++ b/services/home-ch/router-wan.dmz/Justfile 
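Review bot: The age recipient `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` appears twice in the new file's `age` array, each with its own `enc` stanza, which suggests two named recipients in the sops configuration resolve to the same identity; two hosts sharing one age key cannot be rotated or revoked independently, so it is worth confirming that is intended. The `data` ciphertext, `mac` and `lastmodified` values are byte-identical to those of the file removed in the preceding hunk, so this is a re-key of the same data key for a larger recipient set rather than a new secret: anyone who could decrypt the previous version still holds the data key, and the earlier ciphertext stays in history, so if a recipient was meant to be dropped the plaintext should be re-encrypted under a fresh data key (`sops --rotate`) rather than only the recipient list changed. A sops file cannot carry comments, so a sentence in the commit description naming the hosts behind the added recipients and why the file now lives at `secrets/zerotierone.txt` would make a later audit of this recipient set much easier.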
@@ -1,9 +1,9 @@ _run_ssh_cmd cmd: - ssh root@router-wan.dmz "{{ cmd }}" + ssh root@router-wan.dmz "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl" - just -v _run_ssh_cmd "opkg install luci-app-mwan3" - # multiuser SFTP - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl" + just -v _run_ssh_cmd "opkg install luci-app-mwan3" + # multiuser SFTP + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"