diff --git a/.envrc b/.envrc
index 90160da..d8f5b3d 100644
--- a/.envrc
+++ b/.envrc
@@ -1,5 +1 @@
-if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
- source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
-fi
-
-use flake .#develop
+use_flake . --impure
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index fd34c43..9587742 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 8c927b6..92102e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,8 +4,3 @@
 .env
 **/result
 .direnv/
-
-# nixago: ignore-linked-files
-/treefmt.toml
-
-/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..efb4d91
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+stages:
+ - build
+
+build:
+ stage: build
+ tags:
+ - nix
+ script:
+ # Test the nix-shell
+ - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
index 9e709f9..c049481 100644
--- a/.sops.yaml
+++ b/.sops.yaml
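Review bot: `use_flake . --impure` evaluates the flake with `--impure` on every directory entry, which lets the evaluation read the ambient environment and unpinned paths, and nothing in the hunk says which input needs that; if a specific one does, a comment naming it would help, e.g. `# --impure: needed for <input> — TODO confirm`. The removed lines also pinned nix-direnv 3.0.6 by URL and sha256 before calling into it, whereas the new line relies on whatever `use_flake` the host's direnv installation provides, so the shell bootstrap is no longer hash-verified from the repository; that is worth stating in a comment so the dependency on a system-wide nix-direnv is explicit.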
@@ -1,122 +1,65 @@ -# This example uses YAML anchors which allows reuse of multiple keys +# This example uses YAML anchors which allows reuse of multiple keys # without having to repeat yourself. # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # for a more complex example. -# use `ssh-keyscan | ssh-to-age` to get the age key for a remote machine -# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - + # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz + - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s - - *elias-e525 - - *justyna-p300 + - pgp: + - *steveej + age: + - *steveej-t14 + - *elias-e525 + - *justyna-p300 - - *srv0-dmz0 - - *router0-dmz0 + - *srv0-dmz0 + - *router0-dmz0 - - *sj-vps-htz0 - - *sj-srv1 - - *hstk0 - - *router0-ifog - - *router0-hosthatch + - *sj-vps-htz0 - path_regex: 
^secrets/steveej-t14/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - path_regex: ^secrets/desktop/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-t14 - path_regex: ^secrets/servers/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 - path_regex: ^secrets/holochain-infra/.+$ key_groups: - - pgp: - - *steveej - age: - - *srv0-dmz0 + - pgp: + - *steveej + age: + - *srv0-dmz0 - path_regex: ^secrets/router0-dmz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-dmz0 - - path_regex: ^secrets/router0-ifog/.+$ - key_groups: - - pgp: - - *steveej - age: - - *router0-ifog - - path_regex: ^secrets/router0-hosthatch/.+$ - key_groups: - - pgp: - - *steveej - age: - - *router0-hosthatch + - pgp: + - *steveej + age: + - *router0-dmz0 - path_regex: ^secrets/sj-vps-htz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - path_regex: ^secrets/sj-srv1/.+$ - key_groups: - - pgp: - - *steveej - age: - - *sj-srv1 - - path_regex: ^secrets/hstk0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *hstk0 - - path_regex: ^secrets/steveej-x13s/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s - - path_regex: ^secrets/work-holo/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s + - pgp: + - *steveej + age: + - *sj-vps-htz0 \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json index 660429d..df4ca93 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
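Review bot: Removing recipients from `creation_rules` does not by itself revoke their access — each already-encrypted file under `secrets/` still carries its data key wrapped for the dropped age and pgp recipients until `sops updatekeys` is re-run on it, and this hunk also removes the comment that documented that loop (`# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating keys:`), while the Justfile hunk in the same commit drops the `update-sops-keys` recipe. I would keep that one-line comment beside the anchors so the re-key step stays discoverable, and note that earlier ciphertexts remain in git history, so a key that was removed because it may have been exposed calls for rotating the underlying secrets, not only re-keying. The commented-out `# - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz` kept directly above the live anchor leaves two candidate keys for the same host in the file; if that key is retired, delete the line, or annotate it with when and why it was replaced.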
@@ -1,20 +1,6 @@ { - "editor.defaultFormatter": "ibecker.treefmt-vscode", - "editor.formatOnSave": true, - "nix.enableLanguageServer": true, - "nix.serverPath": "nil", - "nix.serverSettings": { - // settings for 'nil' LSP - "nil": { - "autoArchive": true, - "diagnostics": { - "ignored": ["unused_binding", "unused_with"] - }, - "formatting": { - "command": ["treefmt", "--stdin", ".nil.nix"] - } - } - }, - "treefmt.command": "treefmt", - "treefmt.config": "" + "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix", + "[nix]": { + "editor.defaultFormatter": "kamadorueda.alejandra" + }, } diff --git a/Justfile b/Justfile index 414e736..e9cbfd7 100755 --- a/Justfile +++ b/Justfile 
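Review bot: The new object ends with `},` immediately before the closing `}`, a trailing comma; VS Code reads settings.json as JSONC and tolerates it, but a strict JSON parser or a formatter run over the file will reject or rewrite it, so the last entry should end with `  }`.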
@@ -1,321 +1,308 @@ -# _DEFAULT_VERSION_TMPL: -# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" +_DEFAULT_VERSION_TMPL: + echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + nix flake update _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) + echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} + #!/usr/bin/env bash + set -ex + nix run .#colmena -- apply --on {{device}} {{rebuildargs}} # Rebuild this device's NixOS rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} + nix run .#colmena -- apply-local --sudo {{rebuildargs}} # Re-render the versions of a remote device and rebuild its environment update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{ devicename }} - nix flake update - ) + ( + set -xe + cd nix/os/devices/{{devicename}} + nix flake update + ) - just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} + just -v rebuild-remote-device {{devicename}} {{rebuildargs}} - git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" + git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" # Re-render the versions of the current device and rebuild its environment -update-this-device rebuild-mode='switch' +moreargs='': - #!/usr/bin/env bash - set -e +update-this-device rebuild-mode='switch': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + ( + set -xe + cd nix/os/devices/$(hostname -s) + nix flake update + ) - just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} + just -v rebuild-this-device {{rebuild-mode}} - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + git commit -v nix/os/devices/$(hostname 
-s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{ device }} - trap "set +e; just -v disk-umount {{ device }}" EXIT - just -v disk-install {{ device }} + just -v disk-mount {{device}} + trap "set +e; just -v disk-umount {{device}}" EXIT + just -v disk-install {{device}} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{ dir }} + dir={{dir}} - template={{ dir }}/versions.tmpl.nix - outfile={{ dir }}/versions.nix + template={{dir}}/versions.tmpl.nix + outfile={{dir}}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log - just -v rebuild-disk {{ dir }} || { - echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log + just -v rebuild-disk {{dir}} || { + echo ERROR: Update of {{dir}} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. 
un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{ dir }} + just -v _device diskPrepare {{dir}} disk-relabel dir previous: - just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} + just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{ dir }} - + just -v _device diskMount {{dir}} # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{ dir }} + just -v _device diskUmount {{dir}} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{ dir }} + just -v _device diskInstall {{dir}} + verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ - \ - just _verify-n-unlock {{ sshserver }} {{ attempts }} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry 
Infrastructure/VPS/{{sshserver}} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \ + \ + just _verify-n-unlock {{sshserver}} {{attempts}} _verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function send_and_expect() { - local send="${1:?need something to 
send}" - local expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - for i in `seq 1 {{ attempts }}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + for i in `seq 1 {{attempts}}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{ attempts }} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{attempts}} times. Giving up... 
+ exit 1 _get_pass_entry path key: - pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' + pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - {{ cmds }} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + {{cmds}} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card key-id="6EEFA706CB17E89B": - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. - # - set -xe - if [[ -n "{{key-id}}" ]]; then - KEY_ID="{{key-id}}" - else - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - fi +switch-gpg-card: + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. 
+ # + set -xe + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status # Connect to `remote` UUID, and turn it into a short name uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + #!/usr/bin/env bash + set -e -o pipefail + ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! nix-shell --pure + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! nix-shell -i zsh + #! 
nix-shell --pure - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? 
-ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi - sleep 5 - done + sleep 5 + done cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ - -update-sops-keys: - for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done - -deploy-router0-dmz0: - NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 - -ttyusb: - screen -fa /dev/ttyUSB0 115200 + nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ diff --git a/README.md b/README.md index 5d32951..8184c89 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ # steveej's infra - This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). @@ -20,7 +19,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
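Review bot: In `test-connection`, `FAILURE="true"` is assigned inside the `$( … )` command substitution that builds `output`, so it runs in a subshell and the outer `if [[ ${FAILURE} == "true" ]]` never fires; the tracepath diagnostics are dead code, which the `# BUG:` comment admits and the re-indented version keeps as-is. Since every probe prints either `success` or `failure:` into `output`, the outer check can read that instead: `if [[ ${output} == *failure:* ]]; then`. The probes use `curl -k`, which disables certificate verification; for a `--head` reachability check that is defensible, but a comment saying so (`# -k: reachability only, the certificate is deliberately not validated here`) would stop the flag being copied into a recipe that transfers data. In `_verify-n-unlock`, `return -1` in `send_and_expect` is rejected as an invalid option by some bash releases (exit status is 0–255), so `return 1` is the portable form.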
@@ -38,48 +37,42 @@ In the unlikely case that you actually read this and have any questions please d - [x] steveej-t14 - [x] contabo vps - [x] sj-pve0 -- [x] use an existing secret management framework -- [x] adapt (or abandon?) _just_ recipes - - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - - evaluate, and understand a path to using these tools in a pull-based fashion: +- [ ] use an existing secret management framework +- [ ] adapt (or abandon?) _just_ recipes + - [ ] `rebuild-this-device` + - [ ] `update-this-device` + - [ ] `rebuild-remote-device` + - [ ] `update-remote-device` + evaluate, and understand a path to using these tools in a pull-based fashion: - [x] [colmena](https://github.com/zhaofengli/colmena) - - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs +- [ ] 🚧 find a better alternative for the qtile-desktop -- [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - - evaluate: - - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ + current issues: + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + evaluate: + - [ ] 🚧 gnome3 + pop-shell + - [ ] leftwm + eww (+ wayland?) 
- [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle _\_archived_ +- [ ] Recycle *\_archived* - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started -## Bugs +## Bugs - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage - -_(These are reminders for my future self)_ +*(These are reminders for my future self)* ``` just --list @@ -88,17 +81,15 @@ just --list ## Bootstrap ### A new machine +* ensure the dotfiles repo has a branch with the new machine's hostname -- ensure the dotfiles repo has a branch with the new machine's hostname - -- boot with an install media and go through setup +* boot with an install media and go through setup #### Post-Install Setup - -- `chmod --recursive g-rwx,o-rwx ~/.gnupg` -- `gpg2 --edit-card; fetch` -- clone password-manager and infra repositories -- gpg2: ultimately trust my own key +* `chmod --recursive g-rwx,o-rwx ~/.gnupg` +* `gpg2 --edit-card; fetch` +* clone password-manager and infra repositories +* gpg2: ultimately trust my own key ## Swapping out a disk 
@@ -107,18 +98,10 @@ just --list 3. replace the driveId in the device's hw.nix 4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group -## Rebuilding an offline system +## Backup + +### Copy existing subvolumes to new backup target ``` -( -sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot -sleep 5 - -sudo mkdir -p /mnt/root -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos -sudo mount /dev/sdb2 /mnt/root/boot -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home - -sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password -) +`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/ ``` diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix new file mode 100644 index 0000000..65e6c09 --- /dev/null +++ b/_archive/environments/dev/cross.nix 
@@ -0,0 +1,90 @@ +import /home/steveej/src/github/NixOS/nixpkgs/default.nix { + crossSystem = rec { + config = "armv7l-unknown-linux-gnueabi"; + bigEndian = false; + arch = "arm"; + float = "hard"; + fpu = "vfpv3-d16"; + withTLS = true; + libc = "glibc"; + platform = { + name = "armv7l-hf-multiplatform"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. + kernelHeadersBaseConfig = "multi_v7_defconfig"; + kernelBaseConfig = "multi_v7_defconfig"; + kernelArch = "arm"; + kernelDTB = true; + kernelAutoModules = false; + kernelExtraConfig = '' + NAMESPACES y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + OVERLAY_FS y + FUSE_FS y + ''; + kernelTarget = "zImage"; + uboot = null; + }; + openssl.system = "linux-generic32"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + }; +} +# pkgs.config = { +# packageOverrides = super: let self = super.pkgs; in { +# linux_4_0 = super.linux_3_18.override { +# kernelPatches = super.linux_3_18.kernelPatches ++ [ +# # we'll also add one of our own patches +# { patch = ./dts.patch; name = "dts-fix"; } +# ]; +# +# # add "CONFIG_PPP_FILTER y" option to the set of kernel options +# extraConfig = '' +# HAVE_IMX_ANATOP y +# HAVE_IMX_GPC y +# HAVE_IMX_MMDC y +# HAVE_IMX_SRC y +# SOC_IMX6 y +# SOC_IMX6Q y +# SOC_IMX6SL y +# PCI_IMX6 y +# ARM_IMX6Q_CPUFREQ y +# IMX_WEIM y +# AHCI_IMX y +# SERIAL_IMX y +# SERIAL_IMX_CONSOLE y +# I2C_IMX y +# SPI_IMX y +# PINCTRL_IMX y +# PINCTRL_IMX6Q y +# PINCTRL_IMX6SL y +# POWER_RESET_IMX y +# IMX_THERMAL y +# IMX2_WDT y +# IMX_IPUV3_CORE y +# DRM_IMX y +# DRM_IMX_FB_HELPER y +# DRM_IMX_PARALLEL_DISPLAY y +# DRM_IMX_TVE y +# DRM_IMX_LDB y +# DRM_IMX_IPUV3 y +# DRM_IMX_HDMI y +# MMC_SDHCI_ESDHC_IMX y +# IMX_SDMA y +# PWM_IMX y +# DEBUG_IMX6Q_UART y +# +# PPP_FILTER y +# ''; +# }; +# }; +# }; + 
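Review bot: The first line imports nixpkgs from `/home/steveej/src/github/NixOS/nixpkgs/default.nix`, an absolute path under one user's home, so the expression evaluates only on that machine and tracks whatever checkout happens to be there rather than a pinned revision; the same default appears in `_archive/environments/dev/go/default.nix`, `_archive/environments/dev/pandoc.nix`, `_archive/environments/dev/rkt.nix` and `_archive/environments/dev/rust/default.nix`. If these files are kept purely as archived references, a one-line header comment saying so (`# archived: unmaintained, depends on a local nixpkgs checkout`) would make that clear to the next reader; if they are meant to be usable, a `<nixpkgs>` lookup or a fetched, pinned tarball would be the portable form.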
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix new file mode 100644 index 0000000..c92aa9d --- /dev/null +++ b/_archive/environments/dev/go/default.nix 
@@ -0,0 +1,89 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version, + extraBuildInputs ? [], + extraShellHook ? "", +}: let + go = builtins.getAttr "go_${version}" pkgs; + commonVimRC = '' + let g:tagbar_type_go = { + \ 'ctagstype' : 'go', + \ 'kinds' : [ + \ 'p:package', + \ 'i:imports:1', + \ 'c:constants', + \ 'v:variables', + \ 't:types', + \ 'n:interfaces', + \ 'w:fields', + \ 'e:embedded', + \ 'm:methods', + \ 'r:constructor', + \ 'f:functions' + \ ], + \ 'sro' : '.', + \ 'kind2scope' : { + \ 't' : 'ctype', + \ 'n' : 'ntype' + \ }, + \ 'scope2kind' : { + \ 'ctype' : 't', + \ 'ntype' : 'n' + \ }, + \ 'ctagsbin' : 'gotags', + \ 'ctagsargs' : '-sort -silent' + \ } + + " vim-go { + let g:go_highlight_functions = 1 + let g:go_highlight_methods = 1 + let g:go_highlight_structs = 1 + let g:go_highlight_interfaces = 1 + let g:go_highlight_operators = 1 + let g:go_highlight_build_constraints = 1 + let g:go_fmt_command = 'gofmt' + let g:go_fmt_options= '-s' + let g:go_def_mode = 'godef' + let g:go_def_reuse_buffer = 0 + + au FileType go nmap gds (go-def-split) + au FileType go nmap gdv (go-def-vertical) + au FileType go nmap gdt (go-def-tab) + au FileType go nmap gi (go-imports) + " } + ''; + buildInputs = with pkgs; [ + glibc.out + glibc.static + + go + gotools + #gotools.bin + #gocode.bin + #godef godef.bin + godep + #godep.bin + gox.bin + #ginkgo ginkgo.bin + #gomega + # ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) + # ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) + ]; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = extraBuildInputs ++ buildInputs; + shellHook = '' + goname=${go.version}_$name + # FIXME: setPS1 $goname + export GOROOT=${go}/share/go + export GOPATH="$HOME/.gopath_$goname" + export PATH="$HOME/.gopath_$goname/bin:$PATH" + unset name + unset SSL_CERT_FILE + + ${extraShellHook} + ''; + } 
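Review bot: The shellHook ends with `unset SSL_CERT_FILE` and nothing explains why; on NixOS, TLS clients locate the CA bundle through that variable, so clearing it presumably makes `go get`, `git` and `curl` inside this shell fall back to a built-in default path that may not exist, and a failed lookup is then tempting to "fix" by disabling verification. If the line works around a specific tool, a comment naming it would help (`# unset: <tool> mishandles SSL_CERT_FILE — TODO confirm still needed`); otherwise drop it. The `mkDerivation` call that owns this hook spans the whole hunk, so there is no other place the variable is restored.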
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix new file mode 100644 index 0000000..1bbc4dc --- /dev/null +++ b/_archive/environments/dev/go/neovim-go.nix @@ -0,0 +1,12 @@ +{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args + // { + additionalRC = + commonRC + + '' + " deoplete { + let g:deoplete#enable_at_startup = 1 + let g:deoplete#enable_smart_case = 1 + " } + ''; + additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"]; + }) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix new file mode 100644 index 0000000..fc4a298 --- /dev/null +++ b/_archive/environments/dev/pandoc.nix @@ -0,0 +1,31 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version ? "Stable", + extraBuildInputs ? [], +}: let + commonVimRC = ""; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with pkgs; + [ + (import ./vim-pandoc.nix { + pkgs = gitpkgs; + commonRC = commonVimRC; + }) + pandoc + texlive.combined.scheme-medium + python27Packages.pandocfilters + python27Packages.htmltreediff + python27Packages.html5lib + python27Packages.dbus-python + ] + ++ extraBuildInputs; + shellHook = '' + pandocname=pandoc_${pkgs.pandoc.version} + setPS1 $pandocname + unset name + ''; + } diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix new file mode 100644 index 0000000..aa01935 --- /dev/null +++ b/_archive/environments/dev/rkt.nix 
@@ -0,0 +1,71 @@
+{
+ pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
+ mkGoEnv ? import ./go.nix,
+ rktPath,
+}: let
+ rktBasebuildInputs = with pkgs; [
+ glibc.out
+ glibc.static
+ autoreconfHook
+ gnupg1
+ squashfsTools
+ cpio
+ tree
+ intltool
+ libtool
+ pkgconfig
+ libgcrypt
+ gperf
+ libcap
+ libseccomp
+ libzip
+ eject
+ iptables
+ bc
+ acl
+ trousers
+ systemd
+ ];
+ extraShellHook = ''
+ TARGET=$GOPATH/src/github.com/coreos/rkt
+ if [[ -e ${rktPath}/rkt/rkt.go ]]; then
+ pushd ${rktPath}
+ else
+ echo rktPath must be run the rkt repository clone, but got '${rktPath}'
+ exit 1
+ fi
+ if ! [[ -e $TARGET/rkt/rkt.go ]]; then
+ mkdir -p $TARGET
+ echo $PWD
+ sudo -E mount -o bind $PWD $TARGET
+ fi
+ pushd $TARGET
+ '';
+in {
+ go15 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo15";
+ version = "1_5";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go16 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo16";
+ version = "1_6";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go17 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo17";
+ version = "1_7";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+}
diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc
new file mode 100644
index 0000000..051d09d
--- /dev/null
+++ b/_archive/environments/dev/rust/.envrc
@@ -0,0 +1 @@
+eval "$(lorri direnv)"
diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix
new file mode 100644
index 0000000..11caffa
--- /dev/null
+++ b/_archive/environments/dev/rust/default.nix
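Review bot: `sudo -E mount -o bind $PWD $TARGET` in extraShellHook performs a privileged mount every time the shell is entered and the target is missing, and `-E` hands the user's entire environment to the root command although mount needs none of it; `$PWD` and `$TARGET` are also unquoted, so a path containing whitespace splits into extra arguments. At minimum drop `-E` and quote both: `sudo mount -o bind "$PWD" "$TARGET"`. `exit 1` on the error branch presumably terminates the shell being entered rather than just skipping the setup; `return 1`, or a comment stating that aborting is intended, would make the behaviour explicit. The message on the echo line reads `rktPath must be run the rkt repository clone`, which looks like it was meant to say `rktPath must point to the rkt repository clone`.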
@@ -0,0 +1,39 @@
+{
+ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
+ pkgs ? gitpkgs,
+ name ? "generic",
+ version ? "Stable",
+ extraBuildInputs ? [],
+}: let
+ rustPackages = builtins.getAttr "rust${version}" pkgs;
+ rustc = rustPackages.rustc;
+ rustShellHook = {
+ rustc,
+ name,
+ }: ''
+ rustname=rust_${rustc.version}_${name}
+ setPS1 $rustname
+ unset name
+ '';
+ commonVimRC = "";
+in
+ pkgs.stdenv.mkDerivation {
+ inherit name;
+ buildInputs = with rustPackages;
+ [
+ (import ./vim-rust.nix {
+ pkgs = gitpkgs;
+ commonRC = commonVimRC;
+ inherit rustc;
+ racerd = pkgs.rustracerd;
+ })
+ rustc
+ cargo
+ ]
+ ++ [pkgs.rustfmt]
+ ++ extraBuildInputs;
+ shellHook = rustShellHook {
+ inherit name;
+ inherit rustc;
+ };
+ }
diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix
new file mode 100644
index 0000000..6eacc45
--- /dev/null
+++ b/_archive/environments/dev/vim-go.nix
@@ -0,0 +1,19 @@
+{commonRC, ...} @ args:
+import ../../pkg-configuration/vim-derivates/vim.nix (args
+ // {
+ name = "vim-for-go";
+ additionalRC =
+ commonRC
+ + ''
+ " Disable AutoComplPop.
+ let g:acp_enableAtStartup = 0
+ " Use neocomplete.
+ let g:neocomplete#enable_at_startup = 1
+ " Use smartcase.
+ let g:neocomplete#enable_smart_case = 1
+ if !exists('g:neocomplete#sources#omni#input_patterns')
+ let g:neocomplete#sources#omni#input_patterns = {}
+ endif
+ '';
+ additionalPlugins = ["neocomplete" "vim-go"];
+ })
diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix
new file mode 100644
index 0000000..7fc03f2
--- /dev/null
+++ b/_archive/environments/dev/vim-pandoc.nix
@@ -0,0 +1,18 @@
+{commonRC, ...} @ args:
+import ../../pkg-configuration/vim-derivates/vim.nix (args
+ // {
+ name = "vim-for-pandoc";
+ additionalRC =
+ commonRC
+ + ''
+ set statusline+=%#warningmsg#
+ set statusline+=%{SyntasticStatuslineFlag()}
+ set statusline+=%*
+
+ let g:syntastic_always_populate_loc_list = 1
+ let g:syntastic_auto_loc_list = 1
+ let g:syntastic_check_on_open = 1
+ let g:syntastic_check_on_wq = 0
+ '';
+ additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
+ })
diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix
new file mode 100644
index 0000000..56e3c7d
--- /dev/null
+++ b/_archive/environments/dev/vim-rust.nix
@@ -0,0 +1,48 @@
+{
+ commonRC,
+ rustc,
+ racerd,
+ ...
+} @ args:
+import ../../pkg-configuration/vim-derivates/vim.nix (args
+ // {
+ name = "vim-for-rust";
+ additionalRC =
+ commonRC
+ + ''
+ set statusline+=%#warningmsg#
+ set statusline+=%{SyntasticStatuslineFlag()}
+ set statusline+=%*
+
+ let g:syntastic_always_populate_loc_list = 1
+ let g:syntastic_auto_loc_list = 1
+ let g:syntastic_check_on_open = 1
+ let g:syntastic_check_on_wq = 0
+
+ " tagbar
+ let g:tagbar_type_rust = {
+ \ 'ctagstype' : 'rust',
+ \ 'kinds' : [
+ \'T:types,type definitions',
+ \'f:functions,function definitions',
+ \'g:enum,enumeration names',
+ \'s:structure names',
+ \'m:modules,module names',
+ \'c:consts,static constants',
+ \'t:traits,traits',
+ \'i:impls,trait implementations',
+ \]
+ \}
+
+ let g:syntastic_rust_checkers = ["rustc"]
+
+ "rustfmt
+ let g:rustfmt_autosave = 1
+
+ let g:ycm_auto_trigger = 1
+ let g:ycm_rust_src_path = '${rustc.src}/src'
+ let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
+
+ '';
+ additionalPlugins = ["rust-vim"];
+ })
diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix
new file mode 100644
index 0000000..074469e
--- /dev/null
+++ b/_archive/environments/fhs/android.nix
@@ -0,0 +1,42 @@
+{pkgs ? import {}}:
+(pkgs.buildFHSUserEnv {
+ name = "devfhs";
+ multiPkgs = pkgs: (with pkgs; [
+ android-udev-rules
+ sudo
+ gawk
+ bzip2
+ file
+ gcc
+ getopt
+ git
+ gnumake
+ ncurses
+ openssl
+ patch
+ perl
+ pkgconfig
+ python
+ openssh
+ subversion
+ unzip
+ wget
+ which
+ vim
+ zlib
+ libusb
+ libusb1
+ systemd
+ strace
+ swt
+ xorg.libXtst
+ glib
+ gtk2
+ gnome.gtk
+ ]);
+ profile = ''
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
+ '';
+ runScript = "bash";
+})
+.env
diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix
new file mode 100644
index 0000000..da08700
--- /dev/null
+++ b/_archive/environments/fhs/vscode.nix
@@ -0,0 +1,36 @@
+{pkgs ? import {}}:
+(pkgs.buildFHSUserEnv {
+ name = "everydayFHS";
+ targetPkgs = pkgs: (with pkgs; [
+ which
+ gitFull
+ zsh
+ file
+ direnv
+
+ xdg_utils
+ xsel
+
+ vscode
+
+ # vscode live share
+ gnome3.gcr
+ libgnome_keyring3
+ liburcu
+ libunwind
+ lttng-ust
+ curl
+ openssl
+ libkrb5
+ libuuid
+ icu
+ zlib
+ libsecret
+ ]);
+ multiPkgs = pkgs: (with pkgs; []);
+ profile = ''
+ export SHELL=/bin/zsh
+ '';
+ # FIXME runScript = "$SHELL";
+})
+.env
diff --git a/default.nix b/default.nix
index 6aba02e..75e1dbb 100644
--- a/default.nix
+++ b/default.nix
@@ -4,9 +4,6 @@
 # Having pkgs default to is fine though, and it lets you use short
 # commands such as:
 # nix-build -A mypackage
-{
- pkgs ? import { },
-}:
-{
- pkgs = import ./nix/pkgs { inherit pkgs; };
+{pkgs ? import {}}: {
+ pkgs = import ./nix/pkgs {inherit pkgs;};
 }
diff --git a/flake-sandbox/flake.lock b/flake-sandbox/flake.lock
new file mode 100644
index 0000000..b600a49
--- /dev/null
+++ b/flake-sandbox/flake.lock
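Review bot: In android.nix the profile line `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:...` produces a leading `:` whenever LD_LIBRARY_PATH is unset or empty, and the dynamic loader treats an empty path element as the current directory, so every program started in this FHS env would load shared objects from whatever directory it happens to run in. `export LD_LIBRARY_PATH=''${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib` only prepends the existing value when it is non-empty (the `''${` escape keeps Nix from interpolating the shell expansion). The same hunk lists `sudo` in multiPkgs; a sudo installed from the Nix store cannot carry the setuid bit, so it presumably grants nothing here and a comment on why it is listed, or its removal, would help. Both files are under _archive, so treat these as notes for whoever revives them.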
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1681091990, + "narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake-sandbox/flake.nix b/flake-sandbox/flake.nix new file mode 100644 index 0000000..112447e --- /dev/null +++ b/flake-sandbox/flake.nix 
@@ -0,0 +1,142 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+ };
+ outputs = {
+ self,
+ nixpkgs,
+ }: let
+ system = "x86_64-linux";
+ pkgs = import nixpkgs {inherit system;};
+ in {
+ devShells."${system}".default = pkgs.mkShell {
+ packages = with pkgs;
+ with pkgs.gnome; [
+ hexchat
+ audacity
+ proot
+ yubikey-manager-qt
+ cheese
+ remmina
+ exiv2
+ wireshark-qt
+ seahorse
+ kotatogram-desktop
+ usbutils
+ networkmanagerapplet
+ sshfs-fuse
+ pavucontrol
+ libwebcam
+ just
+ eog
+ git-crypt
+ espanso
+ unetbootin
+ vcsh
+ skypeforlinux
+ du-dust
+ bind
+ teamviewer
+ gparted
+ neovim
+ inkscape
+ rustdesk
+ gnome-themes-extra
+ pass
+ xdg-user-dirs
+ cbatticon
+ yubikey-personalization-gui
+ zoom
+ signal-desktop
+ xorg.xbacklight
+ vscode
+ ripgrep
+ lightdm
+ nixpkgs-fmt
+ git-lfs
+ qtpass
+ gimp
+ lxappearance
+ flameshot
+ thunderbird
+ fprintd
+ chromium
+ evtest
+ alejandra
+ vlc
+ pastebinit
+ evolution
+ zbar
+ libreoffice
+ brave
+ pidgin
+ direnv
+ xorg.xhost
+ lorri
+ firefox
+ logseq
+ x11_ssh_askpass
+ xsel
+ feh
+ htop
+ openvpn
+ syncthing
+ ncdu
+ rofi-pass
+ testdisk
+ vanilla-dmz
+ wireguard-tools
+ xarchive
+ gnome-icon-theme
+ wget
+ nix-index
+ mr
+ passff-host
+ browserpass
+ xorg.xcursorthemes
+ gitRepo
+ gitSVN
+ androidenv.androidPkgs_9_0.platform-tools
+
+ # introduces python
+ (qtile.passthru.unwrapped.overrideAttrs (oldAttrs: {
+ propagatedBuildInputs =
+ []
+ # ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs
+ # ++ (with pkgs.python3Packages; [
+ # # python-wifi
+ # # iwlib
+ # keyring
+ # ])
+ ;
+
+ makeWrapperArgs =
+ oldAttrs.makeWrapperArgs
+ ++ [
+ "--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}"
+ ];
+ }))
+
+ # gi-docgen
+ # yelp-tools
+ # scons
+ # autorandr
+ # arandr
+ # meson
+ # mercurial
+ # unrar-wrapper
+ # orca
+ # radicale
+ # criu
+ # gnome-music
+ # gnome-browser-connector
+ # radicale
+ # hplip
+ # qtile
+ # gtk-doc
+ # asciidoc
+ # meson
+ ];
+ };
+ };
+}
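Review bot: The qtile override sets `propagatedBuildInputs = []` while `makeWrapperArgs` still builds its PATH prefix from `oldAttrs.propagatedBuildInputs`, so the wrapper keeps the original runtime inputs on PATH while the derivation itself stops propagating them into the devShell; the `# introduces python` comment hints at the intent, but a line such as `# stop propagating qtile's python deps into the shell; the wrapper keeps them on its own PATH` would make it explicit. The input is pinned to `nixos-22.11`, a release branch that, as far as I know, no longer receives updates, so this sandbox shell will carry unpatched packages until the pin moves. Style-wise the ~85-entry flat list mixes a display manager (`lightdm`), remote-desktop tools and CLI utilities with no grouping; a few section comments would make later audits of what this shell installs much easier.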
diff --git a/flake.lock b/flake.lock index 595341f..b026e10 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "aphorme_launcher": { "flake": false, "locked": { - "lastModified": 1719922896, - "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", + "lastModified": 1683977169, + "narHash": "sha256-juRiokIk5x+eGJm+QuCdFPUjEggDmscpy2Ip7pU9KI4=", "owner": "Iaphetes", "repo": "aphorme_launcher", - "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", + "rev": "211bc27de061b61e3119a7966cff09f4b8c3a1fe", "type": "github" }, "original": { @@ -21,18 +21,17 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "stable": "stable" }, "locked": { - "lastModified": 1731527002, - "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", + "lastModified": 1688224393, + "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", + "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", "type": "github" }, "original": { 
@@ -42,38 +41,25 @@ } }, "crane": { - "locked": { - "lastModified": 1733286231, - "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", - "owner": "ipetkov", - "repo": "crane", - "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "devshell": { "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "nixpkgs": [ - "nixvim", "nixpkgs" - ] + ], + "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1728330715, - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", - "owner": "numtide", - "repo": "devshell", - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "lastModified": 1691423162, + "narHash": "sha256-cReUZCo83YEEmFcHX8CcOVTZYUrcWgHQO34zxQzy7WI=", + "owner": "ipetkov", + "repo": "crane", + "rev": "b5d9d42ea3fa8fea1805d9af1416fe207d0dd1dc", "type": "github" }, "original": { - "owner": "numtide", - "repo": "devshell", + "owner": "ipetkov", + "repo": "crane", "type": "github" } }, @@ -85,11 +71,11 @@ ] }, "locked": { - "lastModified": 1727359191, - "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", + "lastModified": 1687747614, + "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=", "owner": "nix-community", "repo": "disko", - "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", + "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95", "type": "github" }, "original": { @@ -99,23 +85,6 @@ "type": "github" } }, - "espanso": { - "flake": false, - "locked": { - "lastModified": 1711840403, - "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - }, - "original": { - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - } - }, "fenix": { "inputs": { "nixpkgs": [ 
@@ -124,11 +93,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1733380458, - "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", + "lastModified": 1691648495, + "narHash": "sha256-JULr+eKL9rjfex17hZYn0K/fBxxfK/FM9TOCcxPQay4=", "owner": "nix-community", "repo": "fenix", - "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", + "rev": "6c9f0709358f212766cff5ce79f6e8300ec1eb91", "type": "github" }, "original": { @@ -156,11 +125,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -171,11 +140,11 @@ }, "flake-compat_3": { "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", "owner": "nix-community", "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", "type": "github" }, "original": { 
@@ -184,30 +153,16 @@ "type": "github" } }, - "flake-compat_4": { - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "revCount": 57, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -224,11 +179,11 @@ ] }, "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", "type": "github" }, "original": { 
@@ -246,53 +201,11 @@ ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_4": { - "inputs": { - "nixpkgs-lib": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_5": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { 
@@ -316,34 +229,16 @@ "type": "github" } }, - "flake-utils_10": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_2": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { @@ -353,12 +248,15 @@ } }, "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -369,92 +267,11 @@ }, "flake-utils_4": { "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_8": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_4" - }, - "locked": { - "lastModified": 
1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { @@ -465,11 +282,11 @@ }, "get-flake": { "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "lastModified": 1673819588, + "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=", "owner": "ursi", "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c", "type": "github" }, "original": { 
@@ -478,115 +295,14 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "nixvim", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732021966, - "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "nixvim", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733175814, - "narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "bf23fe41082aa0289c209169302afd3397092f22", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "ixx": { - "inputs": { - "flake-utils": [ - "nixvim", - "nuschtosSearch", - "flake-utils" - ], - "nixpkgs": [ - "nixvim", - "nuschtosSearch", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729958008, - "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.6", - "repo": "ixx", - "type": "github" - } - }, "jay": { "flake": false, "locked": { - "lastModified": 
1732789238, - "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", + "lastModified": 1689440887, + "narHash": "sha256-+61dHuxk3FCP+H2PCoup6lZDlaTuJBqDzkiBNY6yaJ4=", "owner": "mahkoh", "repo": "jay", - "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", + "rev": "eb83505e39ec8c2383ac233a8b8449803db52549", "type": "github" }, "original": { @@ -597,15 +313,15 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_8", + "flake-utils": "flake-utils_3", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1733055216, - "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", + "lastModified": 1691323683, + "narHash": "sha256-G7kMLDbYN03VNO+QYymFIp0o9jv+gflUpde8V4iYri8=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", + "rev": "99d95d9ca592022832e9f1b4d2a8327b8d50eb60", "type": "github" }, "original": { 
@@ -614,40 +330,34 @@ "type": "github" } }, - "nix-darwin": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, + "magmawm": { + "flake": false, "locked": { - "lastModified": 1733105089, - "narHash": "sha256-Qs3YmoLYUJ8g4RkFj2rMrzrP91e4ShAioC9s+vG6ENM=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "c6b65d946097baf3915dd51373251de98199280d", + "lastModified": 1687543996, + "narHash": "sha256-S8vRKXCHF7OHestoGNe6fqqxJIc8slhaOFjvGS3oflc=", + "owner": "MagmaWM", + "repo": "MagmaWM", + "rev": "c16fa624b2c86328081a1647f483273e131df29d", "type": "github" }, "original": { - "owner": "lnl7", - "repo": "nix-darwin", + "owner": "MagmaWM", + "repo": "MagmaWM", "type": "github" } }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs", "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1732631228, - "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", + "lastModified": 1691371197, + "narHash": "sha256-YazAJxDjmAG9kiIEuqc+1CmmYIIt4wRIbEFb+TXf8WA=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", + "rev": "b02b4e287fddc969fc490478b5666603f4ab0d3c", "type": "github" }, "original": { 
@@ -656,206 +366,19 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, + "nixos-2305": { "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "lastModified": 1687938137, + "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731952509, - "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-vscode-extensions": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1740852064, - "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "rev": "1b34da949d188b205b4132c2b726415fa19d5086", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "type": "github" - } - }, - "nix4vscode": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1733089477, - "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", - "owner": "nix-community", - "repo": "nix4vscode", - "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", 
- "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix4vscode", - "type": "github" - } - }, - "nixago": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixago-exts": "nixago-exts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714086354, - "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", - "owner": "jmgilman", - "repo": "nixago", - "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", - "type": "github" - }, - "original": { - "owner": "jmgilman", - "repo": "nixago", - "type": "github" - } - }, - "nixago-exts": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixago": "nixago_2", - "nixpkgs": [ - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070308, - "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "inputs": { - "flake-utils": "flake-utils_6", - "nixago": "nixago_3", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655508669, - "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070010, - "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", - "owner": "nix-community", - "repo": "nixago", - "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", - "type": "github" - }, - "original": { - 
"owner": "nix-community", - "ref": "rename-config-data", - "repo": "nixago", - "type": "github" - } - }, - "nixago_3": { - "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655405483, - "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", - "owner": "nix-community", - "repo": "nixago", - "rev": "e6a9566c18063db5b120e69e048d3627414e327d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago", + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", "type": "github" } }, @@ -863,19 +386,19 @@ "inputs": { "disko": "disko", "flake-parts": "flake-parts_2", + "nixos-2305": "nixos-2305", "nixos-images": "nixos-images", - "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ], "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1733093391, - "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", + "lastModified": 1691224484, + "narHash": "sha256-0oodXqRRHXjUL7ssi1nIOKC8EzYD4f1e3eAaWexuF4M=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", + "rev": "9df79870b04667f2d16f1a78a1ab87d124403fb7", "type": "github" }, "original": { @@ -887,9 +410,9 @@ }, "nixos-images": { "inputs": { - "nixos-stable": [ + "nixos-2305": [ "nixos-anywhere", - "nixos-stable" + "nixos-2305" ], "nixos-unstable": [ "nixos-anywhere", @@ -897,11 +420,11 @@ ] }, "locked": { - "lastModified": 1727367213, - "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", + "lastModified": 1686819168, + "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=", "owner": "nix-community", "repo": "nixos-images", - "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", + "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37", "type": "github" }, "original": { 
@@ -910,34 +433,18 @@ "type": "github" } }, - "nixos-stable": { - "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1740547748, - "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", + "lastModified": 1691370583, + "narHash": "sha256-LnKMx9NQ0Qx0DTYQVewkcRr+7uW5NY7xU9kjh+Lxnb0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a05eebede89661660945da1f151959900903b6a", + "rev": "b51660a128c09baf31c614284b500eb53772496f", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "master", "repo": "nixpkgs", "type": "github" } 
@@ -958,57 +465,47 @@ "type": "github" } }, - "nixpkgs-2411": { + "nixpkgs-2305": { "locked": { - "lastModified": 1733261153, - "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", + "lastModified": 1691592289, + "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", + "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-gimp": { - "locked": { - "lastModified": 1735507908, - "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", - "owner": "jtojnar", - "repo": "nixpkgs", - "rev": "771cf18187fefcfaababd35834917c621447fee8", - "type": "github" - }, - "original": { - "owner": "jtojnar", - "ref": "gimp-meson", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "dir": "lib", + "lastModified": 1690881714, + "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9e1960bc196baf6881340d53dccb203a951745a2", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1733015484, - "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", + "lastModified": 1691282883, + "narHash": "sha256-YLu1Fs+J+hw0BebUhWIeFzSqhlsnf0K88RqhVJebF9E=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", + "rev": 
"b1d35b759161787e1cda815c460050142bda9adb", "type": "github" }, "original": { @@ -1017,13 +514,29 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1690066826, + "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce45b591975d070044ca24e3003c830d26fea1c8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1739446958, - "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", + "lastModified": 1691565530, + "narHash": "sha256-qZZ6DxvS1X/tjxXNUwJrPiaIWLZyWUDM2gkJCi5uZpE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", + "rev": "e528fa15d5f740a25b5f536c33932db64cb10fc8", "type": "github" }, "original": { @@ -1033,18 +546,18 @@ "type": "github" } }, - "nixpkgs-vscodium": { + "nixpkgs-unstable-small": { "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "lastModified": 1691644995, + "narHash": "sha256-/OL3sk+9iPv+pto8hs/3cPhGmcS+ugKowQ8FvopLMEA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "rev": "f6f59fdce76ca4ee03852417a642b77a960229cd", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } 
@@ -1054,14 +567,14 @@ "flake-compat": "flake-compat_3", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1733388169, - "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", + "lastModified": 1691518836, + "narHash": "sha256-sY9Unk1pCbMxMSX/SuoSUg8TY4TDN+edKY83cCEqb8g=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", + "rev": "982c0c1ee398e8584d8c9cce011ec98392d2e3cc", "type": "github" }, "original": { @@ -1072,11 +585,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1722421184, - "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", + "lastModified": 1691368598, + "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", + "rev": "5a8e9243812ba528000995b294292d3b5e120947", "type": "github" }, "original": { 
@@ -1086,135 +599,14 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1722415718, - "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1732238832, - "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixvim": { - "inputs": { - "devshell": "devshell", - "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_4", - "git-hooks": "git-hooks", - "home-manager": "home-manager", - "nix-darwin": "nix-darwin", - "nixpkgs": [ - "nixpkgs" - ], - "nuschtosSearch": "nuschtosSearch", - "treefmt-nix": "treefmt-nix_3" - }, - "locked": { - "lastModified": 1733355056, - "narHash": "sha256-EOldkOLdgUVIa8ZJiHkqjD6yaW+AZiZwd94aBqfZERY=", - "owner": "nix-community", - "repo": "nixvim", - "rev": "277dbeb607210f6a6db656ac7eee9eef3143070c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixvim", - "type": "github" - } - }, - "nur": { - "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_4" - }, - "locked": { - "lastModified": 1737225765, - "narHash": 
"sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", - "owner": "nix-community", - "repo": "NUR", - "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nuschtosSearch": { - "inputs": { - "flake-utils": "flake-utils_9", - "ixx": "ixx", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733006402, - "narHash": "sha256-BC1CecAQISV5Q4LZK72Gx0+faemOwaChiD9rMVfDPoA=", - "owner": "NuschtOS", - "repo": "search", - "rev": "16307548b7a1247291c84ae6a12c0aacb07dfba2", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, "ofi-pass": { "flake": false, "locked": { - "lastModified": 1723412133, - "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", + "lastModified": 1687009458, + "narHash": "sha256-SgndtGEd3zDztqLJYSdun6IbOqgXsvw0Q8flicPHonY=", "owner": "sereinity", "repo": "ofi-pass", - "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", + "rev": "e99b15857438bbb6013f7f65513c13ea3f5ebdfa", "type": "github" }, "original": { 
@@ -1223,40 +615,6 @@ "type": "github" } }, - "openvscode-server": { - "flake": false, - "locked": { - "lastModified": 1714076069, - "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", - "owner": "gitpod-io", - "repo": "openvscode-server", - "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", - "type": "github" - }, - "original": { - "owner": "gitpod-io", - "ref": "openvscode-server-v1.88.1", - "repo": "openvscode-server", - "type": "github" - } - }, - "prs": { - "flake": false, - "locked": { - "lastModified": 1719086486, - "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - }, - "original": { - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - } - }, "root": { "inputs": { "aphorme_launcher": "aphorme_launcher", 
@@ -1266,63 +624,35 @@ "nixos-anywhere", "disko" ], - "espanso": "espanso", "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", - "nix-vscode-extensions": "nix-vscode-extensions", - "nix4vscode": "nix4vscode", - "nixago": "nixago", + "magmawm": "magmawm", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ - "nixpkgs-2411" + "nixpkgs-2305" ], "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2411": "nixpkgs-2411", - "nixpkgs-gimp": "nixpkgs-gimp", + "nixpkgs-2305": "nixpkgs-2305", "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-vscodium": "nixpkgs-vscodium", + "nixpkgs-unstable-small": "nixpkgs-unstable-small", "nixpkgs-wayland": "nixpkgs-wayland", - "nixvim": "nixvim", - "nur": "nur", "ofi-pass": "ofi-pass", - "openvscode-server": "openvscode-server", - "prs": "prs", - "radicalePkgs": [ - "nixpkgs-2211" - ], - "rperf": "rperf", + "salut": "salut", "sops-nix": "sops-nix", "srvos": "srvos", - "treefmt-nix": "treefmt-nix_5", "yofi": "yofi" } }, - "rperf": { - "flake": false, - "locked": { - "lastModified": 1712257145, - "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", - "owner": "steveej-forks", - "repo": "rperf", - "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "repo": "rperf", - "type": "github" - } - }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1733330394, - "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", + "lastModified": 1691604464, + "narHash": "sha256-nNc/c9r1O8ajE/LkMhGcvJGlyR6ykenR3aRkEkhutxA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", + "rev": "05b061205179dab9a5cd94ae66d1c0e9b8febe08", "type": "github" }, "original": { 
@@ -1334,14 +664,21 @@ }, "rust-overlay": { "inputs": { - "nixpkgs": "nixpkgs_3" + "flake-utils": [ + "crane", + "flake-utils" + ], + "nixpkgs": [ + "crane", + "nixpkgs" + ] }, "locked": { - "lastModified": 1722565199, - "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", + "lastModified": 1691029059, + "narHash": "sha256-QwVeE9YTgH3LmL7yw2V/hgswL6yorIvYSp4YGI8lZYM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", + "rev": "99df4908445be37ddb2d332580365fce512a7dcf", "type": "github" }, "original": { @@ -1350,18 +687,35 @@ "type": "github" } }, + "salut": { + "flake": false, + "locked": { + "lastModified": 1671283721, + "narHash": "sha256-W0lhhImSXtYJDeMbxyEioYu/Bh7ZclwR1/5DzNbxM8o=", + "owner": "snakedye", + "repo": "salut", + "rev": "aa57c4d190812908a9c32cd49cff14390c6dfdcb", + "type": "gitlab" + }, + "original": { + "owner": "snakedye", + "repo": "salut", + "type": "gitlab" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", + "lastModified": 1690199016, + "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", + "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500", "type": "github" }, "original": { @@ -1377,11 +731,11 @@ ] }, "locked": { - "lastModified": 1733365027, - "narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", "owner": "numtide", "repo": "srvos", - "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", "type": "github" }, "original": { 
@@ -1392,16 +746,16 @@ }, "stable": { "locked": { - "lastModified": 1730883749, - "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", + "lastModified": 1669735802, + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", + "rev": "731cc710aeebecbf45a258e977e8b68350549522", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" } @@ -1436,51 +790,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -1489,11 +798,11 @@ ] }, "locked": { - "lastModified": 1727252110, - "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", + "lastModified": 1687940979, + "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", + "rev": "0a4f06c27610a99080b69433873885df82003aae", "type": "github" }, "original": { 
@@ -1511,73 +820,11 @@ ] }, "locked": { - "lastModified": 1723303070, - "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", + "lastModified": 1690874496, + "narHash": "sha256-qYZJVAfilFbUL6U+euMjKLXUADueMNQBqwihpNzTbDU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "14c092e0326de759e16b37535161b3cb9770cea3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732894027, - "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_5": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738953846, - "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", + "rev": "fab56c8ce88f593300cd8c7351c9f97d10c333c5", "type": "github" }, "original": { 
@@ -1588,17 +835,17 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_10", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1725018627, - "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", + "lastModified": 1678976029, + "narHash": "sha256-AZ2+FQtVwUFgv4kiZqMKmiXS2qygMktDE185O19BXiM=", "owner": "l4l", "repo": "yofi", - "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", + "rev": "811a4358913aed527348f9584d6c0767983299bb", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 832b535..6f441e1 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,36 +1,23 @@ # flake.nix { inputs = { - # TODO: where has this been used? - # dotfiles = { - # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; - # flake = false; - # }; - # flake and infra basics nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - radicalePkgs.follows = "nixpkgs-2211"; - nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.follows = "nixpkgs-2411"; + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs.follows = "nixpkgs-2305"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; + nixos-anywhere.url = github:numtide/nixos-anywhere/main; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; disko.follows = "nixos-anywhere/disko"; nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; - - # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` - openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; - openvscode-server.flake = false; - colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; @@ -41,13 +28,14 @@ url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - crane.url = "github:ipetkov/crane"; - - sops-nix = { - url = "github:Mic92/sops-nix"; + crane = { + url = "github:ipetkov/crane"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # applications aphorme_launcher = { url = "github:Iaphetes/aphorme_launcher/main"; 
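Review bot: `nixos-anywhere.url = github:numtide/nixos-anywhere/main;` on the new side drops the quotes the removed line had and relies on Nix's deprecated URL-literal syntax, while every other input in this hunk is a quoted string; restore `nixos-anywhere.url = "github:numtide/nixos-anywhere/main";` so the file still evaluates when URL literals are disallowed. The new side also repoints the default `nixpkgs` from `nixos-24.11` to `nixos-23.05` and removes the `nixpkgs-2411` input; as of this review `nixos-23.05` is no longer a maintained channel and does not receive security backports, so if the roll-back is deliberate a short comment next to `nixpkgs.follows = "nixpkgs-2305";` stating why and when it is expected to move forward would help the next reader. The `inputs` attribute set continues past the end of the hunk.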
@@ -70,359 +58,143 @@ flake = false; }; - prs = { - # url = "gitlab:timvisee/prs/v0.5.2"; - url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; + magmawm = { + url = "github:MagmaWM/MagmaWM"; flake = false; }; - rperf = { - url = "github:steveej-forks/rperf"; + salut = { + url = "gitlab:snakedye/salut"; flake = false; }; - - # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; - - espanso = { - flake = false; - url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; - }; - - nix4vscode = { - url = "github:nix-community/nix4vscode"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; - nixvim = { - # TODO: pin to nixos-24.11 once available - url = "github:nix-community/nixvim"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - treefmt-nix = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixago = { - url = "github:jmgilman/nixago"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nur = { - url = "github:nix-community/NUR"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; }; - outputs = - inputs@{ - self, - flake-parts, - nixpkgs, - ... - }: - let - inherit (nixpkgs) lib; + outputs = inputs @ { + self, + flake-parts, + nixpkgs, + ... + }: let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } ( - { withSystem, ... 
}: - { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake {inherit inputs;} + ({withSystem, ...}: { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { + meta.nixpkgs = import inputs.nixpkgs.outPath { + system = builtins.elemAt systems 0; + }; + } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + (builtins.map (nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; + }) [ + "steveej-t14" + "elias-e525" + "justyna-p300" + + "srv0-dmz0" + "router0-dmz0" + + "sj-vps-htz0" + ]); + + # this makes nixos-anywhere work + flake.nixosConfigurations = + (inputs.colmena.lib.makeHive self.outputs.colmena).nodes + // (let + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in { + router0-dmz0 = router0-dmz0.native; + + # for now deploy directly with: + # nixos-rebuild switch --flake .\#cross_router0-dmz0 --build-host localhost --target-host root@192.168.10.1 + cross_router0-dmz0 = router0-dmz0.cross; + }); + + inherit systems; + + perSystem = { + inputs', + system, + config, + lib, + pkgs, + ... 
+ }: rec { + imports = [ + ./nix/modules/flake-parts/perSystem/default.nix + ]; + + packages = let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; + + craneLib = + inputs.crane.lib.${system}.overrideToolchain + inputs'.fenix.packages.stable.toolchain; + + craneLibOfiPass = + inputs.crane.lib.${system}.overrideToolchain ( - builtins.map - ( - nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); - } - ) - [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - ] + inputs'.fenix.packages.stable.toolchain + # .override { + # date = "1.60.0"; + # } ); + in { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - flake.lib = { - inherit withSystem; + # broken as of 2023-04-27 because it doesn't load without a config + # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; + # yofi = inputs'.yofi.packages.default; + # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; + + inherit (inputs'.colmena.packages) colmena; + + # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { + # src = inputs.jay; + # rustPlatform = pkgs.makeRustPlatform { + # cargo = inputs'.fenix.packages.stable.toolchain; + # rustc = inputs'.fenix.packages.stable.toolchain; + # }; + # }; + + # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { + # inherit craneLib; + # src = inputs.magmawm; + # }; + + salut = craneLib.buildPackage { + src = inputs.salut; + nativeBuildInputs = [ + pkgs.pkg-config + ]; + buildInputs = [ + pkgs.libxkbcommon + pkgs.fontconfig + ]; + }; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; }; - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHive = 
(inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; - in - colmenaHive - // { - router0-dmz0 = router0-dmz0.native; - - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = - (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = - (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - }; - - inherit systems; - - perSystem = - { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: - { - imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; - - _prsPackage = - { - lib, - rustPlatform, - installShellFiles, - pkg-config, - python3, - glib, - gpgme, - gtk3, - stdenv, - cargoHash ? 
"sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", - src, - version, - makeWrapper, - skim, - }: - - rustPlatform.buildRustPackage rec { - pname = "prs"; - - inherit src version cargoHash; - - nativeBuildInputs = [ - gpgme - installShellFiles - pkg-config - python3 - makeWrapper - ]; - - cargoBuildFlags = [ - "--no-default-features" - "--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp" - ]; - - buildInputs = [ - glib - gpgme - gtk3 - ]; - - postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - - postFixup = '' - wrapProgram $out/bin/prs \ - --prefix PATH : ${lib.makeBinPath [ skim ]} - ''; - - meta = with lib; { - description = "Secure, fast & convenient password manager CLI using GPG and git to sync"; - homepage = "https://gitlab.com/timvisee/prs"; - changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md"; - license = with licenses; [ - lgpl3Only # lib - gpl3Only # everything else - ]; - maintainers = with maintainers; [ dotlambda ]; - mainProgram = "prs"; - }; - }; - - local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' - set -x - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=0 \ - # --x-unscale=3 \ - --verbose - ''; - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - inherit (inputs'.colmena.packages) colmena; - - prs = pkgs.callPackage _prsPackage { - src = inputs.prs; - version = inputs.prs.shortRev; - cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8="; - }; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 
wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" - - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ pkgs.pkg-config ]; - buildInputs = [ ]; - }; - - inherit local-xwayland; - - inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; - - }; - - formatter = - let - settingsNix = { - projectRootFile = ".git/config"; - - package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; - - programs = { - nixfmt.enable = true; - deadnix.enable = true; - statix.enable = true; - - shfmt.enable = true; - shellcheck.enable = true; - - prettier.enable = true; - just = { - enable = true; - includes = [ - "*/Justfile" - "Justfile" - ]; - }; - } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; - - settings = { - global.excludes = [ - "LICENSE" - "secrets/" - ".git-crypt/" - - # unsupported extensions - "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" - ]; - - formatter = { - deadnix = { - priority = 1; - options = [ "--no-underscore" ]; - }; - - nixfmt = { - priority = 2; - }; - - statix = { - priority = 3; - }; - - prettier = { - options = [ - "--tab-width" - "2" - ]; - includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; - }; - }; - }; - }; - eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; - in - eval.config.build.wrapper.overrideAttrs (_: { - passthru = { - inherit (eval.config) package settings; - }; - 
}); - - devShells = - let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; - }; - in - all - // { - default = all.develop; - }; - }; - } - ); + formatter = pkgs.alejandra; + devShells.default = import ./nix/devShells.nix { + inherit inputs' pkgs; + packages' = packages; + }; + }; + }); } diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw deleted file mode 100644 index ea5b5b8..0000000 Binary files a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw and /dev/null differ diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh index 1025cb4..6cfab1a 100755 --- a/nix/container-images/build.sh +++ b/nix/container-images/build.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -xe -[ -n "$NAME" ] +[ ! -z "$NAME" ] nix-build . --show-trace -A "$NAME" -docker image rm "$NAME":latest --force +docker image rm "$NAME":latest --force docker load -i result diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 67f516d..7dcab2a 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix @@ -1,10 +1,6 @@ -{ - pkgs ? import { }, -}: -let - baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; -in -rec { +{pkgs ? import {}}: let + baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; +in rec { base = pkgs.dockerTools.buildImage rec { name = "base"; 
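Review bot: In the `packages = let … in { … }` block on the new side, `craneLibOfiPass` is defined but its only use, `# ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};`, is commented out, so the binding (together with the commented `.override { date = "1.60.0"; }` inside it) is dead code that a `deadnix` pass would flag; either drop the binding until `ofi-pass` is re-enabled or keep only `craneLib`, which `salut` actually uses. The new side also builds the toolchain via `inputs.crane.lib.${system}.overrideToolchain`, whereas the removed side used `(inputs.crane.mkLib …).overrideToolchain`; `mkLib` is the form current crane releases document, so the `lib.${system}` output presumably works only at the crane revision pinned in `flake.lock` — worth a comment if that pin is intentional. The hunk begins inside the `inputs` attribute set, whose opening is outside it.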
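Review bot: `[ ! -z "$NAME" ]` in `nix/container-images/build.sh` is the form ShellCheck (SC2236) asks to be written as `[ -n "$NAME" ]`, and because the script only aborts through `set -e` the failure mode when `NAME` is unset is a bare xtrace line with no message; `[ -n "$NAME" ] || { echo "NAME must be set" >&2; exit 1; }` keeps the same guard, is idiomatic, and tells the caller what went wrong. The subsequent `docker image rm "$NAME":latest --force` change looks whitespace-only.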
@@ -25,70 +21,59 @@ rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [ - procps - zsh - coreutils - neovim - ]; + contents = with pkgs; [procps zsh coreutils neovim]; - config = { - Cmd = [ "/bin/zsh" ]; - }; + config = {Cmd = ["/bin/zsh"];}; }; - s3ql = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ - --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi - - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi - # FIXME: touch .isbucket after mount - ''; - in + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ + --log none \ + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket + + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [ - pkgs.s3ql - pkgs.fuse - ]; + contents = [pkgs.s3ql 
pkgs.fuse]; runAsRoot = '' #!${pkgs.stdenv.shell} 
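Review bot: In the s3ql entrypoint the `fsck.s3ql` invocation passes `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted while the `mount.s3ql` call a few lines below quotes the same variables; a storage URL or path containing spaces or glob characters would be split only on the fsck path. Quote them the same way: `--authfile "$S3QL_AUTHINFO2"`, `--cachedir "$S3QL_CACHE_DIR"` and `"$S3QL_STORAGE_URL"`. The mount also targets `/bucket`, which does not match the `/buckets` volume declared in the image config further down; whether a bind-mount is expected at `/bucket` is not visible here, so a one-line comment on the mount target would settle it. The `runAsRoot` script this hunk ends in continues outside the hunk.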
@@ -99,58 +84,57 @@ rec { ''; config = { - Env = baseEnv ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [ entrypoint ]; + Env = + baseEnv + ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [entrypoint]; Volumes = { - "/var/cache/s3ql" = { }; - "/etc/s3ql/authinfo2" = { }; - "/buckets" = { }; - "/tmp" = { }; + "/var/cache/s3ql" = {}; + "/etc/s3ql/authinfo2" = {}; + "/buckets" = {}; + "/tmp" = {}; }; }; }; - syncthing = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; - Cmd = [ entrypoint ]; - Volumes = { - "/data" = { }; - }; + Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; + Cmd = [entrypoint]; + Volumes = {"/data" = {};}; }; }; } 
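Review bot: The syncthing entrypoint prints `ERROR : SYNCTHING_HOME is not writable` and then falls through to `exec syncthing`, unlike the two checks above it which `exit 1`; the guard is ineffective without `exit 1` after the echo. `-home $SYNCTHING_HOME` and `-gui-address=$SYNCTHING_GUI_ADDRESS` should also be double-quoted, matching the quoted `"$SYNCTHING_HOME"` in the `-w` test. Nothing constrains `SYNCTHING_GUI_ADDRESS`; as far as I recall the GUI has no authentication until one is configured, so if the value is a non-loopback address the web UI is exposed on first start, which deserves a comment next to the check such as `# GUI is unauthenticated until configured; bind to 127.0.0.1 or a private network only`.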
diff --git a/nix/default.nix b/nix/default.nix index f8947e0..888a4e9 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,34 +1,26 @@ -{ versionsPath }: -let +{versionsPath}: let channelVersions = import versionsPath; - mkChannelSource = - name: - let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = name: let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" ( - builtins.map ( - elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - builtins.concatStringsSep "=" [ - elemName - elemPath - ] - + suffix - ) (builtins.attrNames channelVersions) - ); - pkgs = import (mkChannelSource "nixpkgs") { }; -in -{ + nixPath = builtins.concatStringsSep ":" (builtins.map + (elemName: let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = + if builtins.hasAttr "suffix" elem + then elem.suffix + else ""; + in + builtins.concatStringsSep "=" [elemName elemPath] + suffix) + (builtins.attrNames channelVersions)); + pkgs = import (mkChannelSource "nixpkgs") {}; +in { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index aa4eda5..34dfceb 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix 
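Review bot: `pkgs = import (mkChannelSource "nixpkgs") {}` passes no `config` or `overlays`, so the evaluation picks up the user's `~/.config/nixpkgs/config.nix` and `NIXPKGS_CONFIG`, which undermines a helper whose purpose is a pinned channel set; `import (mkChannelSource "nixpkgs") { config = {}; overlays = []; }` closes that impurity. The `suffix` lookup can be written `elem.suffix or ""` instead of the `hasAttr` conditional. Each entry in `versionsPath` must carry `url`, `ref` and `rev` for the `inherit` to evaluate, which is what keeps `fetchGit` pinned; a comment on `mkChannelSource` stating that requirement would help whoever adds a channel.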
@@ -1,103 +1,105 @@ { - self, - self', inputs', + packages', pkgs, }: -{ - install = pkgs.mkShell { - name = "infra-install"; - packages = with pkgs; [ - nixos-install-tools - inputs'.disko.packages.disko - just - git - git-crypt - gnupg - ]; - }; - - develop = pkgs.mkShell { - name = "infra-develop"; - inputsFrom = [ self'.devShells.install ]; - packages = with pkgs; [ - self'.formatter # .package +pkgs.stdenv.mkDerivation { + name = "infra-env"; + buildInputs = + [ + (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};}; + with config.system.build; [ + nixos-generate-config + nixos-install + nixos-enter + manual.manpages + ]) + ] + ++ (with pkgs; [ inputs'.colmena.packages.colmena + nixos-install-tools dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere nurl + + just + git-crypt vcsh + gnupg + git ripgrep - # pass + lm_sensors + pass + prs + fuzzel + wofi age age-plugin-yubikey ssh-to-age yubico-piv-tool inputs'.sops-nix.packages.default sops - nil - nix-index apacheHttpd - # vncdo - # tesseract - # imagemagick + vncdo + tesseract + imagemagick - # lm_sensors + nmap + sysstat + lshw + xxHash + linssid + wavemon + wirelesstools - # nmap - # sysstat - # lshw - # xxHash - # linssid - # wavemon - # wirelesstools + zathura + xorg.xwininfo + glxinfo + autorandr + arandr + playerctl + x11docker + fwupd - # zathura - # xorg.xwininfo - # glxinfo - # autorandr - # arandr - # playerctl - # x11docker - # fwupd + ntfy - # ntfy - # hedgedoc-cli + hedgedoc-cli xwayland - pulsemixer + (banana-accounting.overrideDerivation (attrs: + with inputs'.nixpkgs-2211.legacyPackages; { + # dontWrapGApps = true; - (pkgs.writeShellScriptBin "rflk" '' - exec nix run nixpkgs#$@ - '') + srcs = builtins.fetchurl { + # hosted via https://web3.storage + url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; - (pkgs.writeShellScriptBin "r11" '' - exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ - 
'') + sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; + }; - jq - yq - wireguard-tools + # nativeBuildInputs = + # attrs.nativeBuildInputs + # ++ [ + # qt5.qtbase + # qt5.wrapQtAppsHook + # ]; - screen + # buildInputs = + # attrs.buildInputs + # ++ [ + # qt5.qtwayland + # ]; - inputs'.nixpkgs-unstable.legacyPackages.kanidm - ]; + # preFixup = + # (attrs.preFixup or "") + # + '' + # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") + # ''; + })) + ]); - # Set Environment Variables - RUST_BACKTRACE = 1; - - KANIDM_URL = - self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; - - shellHook = builtins.concatStringsSep "\n" [ - # (self.inputs.nixago.lib.${pkgs.system}.make { - # data = self'.formatter.settings; - # output = "treefmt.toml"; - # format = "toml"; - # }).shellHook - ]; - }; + # Set Environment Variables + RUST_BACKTRACE = 1; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 921c4dc..d30e7a7 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
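Review bot: The `banana-accounting` override sets `srcs` to a tarball served from a public IPFS gateway; the `sha256` pins the content so the gateway itself need not be trusted, but if the package's builder consumes `src` rather than `srcs` this override does not replace the upstream source, and which attribute the derivation unpacks is not visible here, so a comment such as `# overrides the srcs list the derivation unpacks; verify attrs.srcs exists` would record the assumption. The commented-out `nativeBuildInputs`, `buildInputs` and `preFixup` blocks inside the override are dead code and should be dropped rather than carried along. The shell is now a plain `pkgs.stdenv.mkDerivation` rather than `pkgs.mkShell`, so `nix build` on it runs the default phases; `pkgs.mkShell { packages = [ ... ]; }` keeps the intent explicit.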
@@ -1,89 +1,71 @@ { pkgs, - lib, config, # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, + packages', repoFlake, + # repoFlakeInputs', ... -}: -let - pkgsUnstable = - pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); -in -{ +}: let + pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; + pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; + pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; + pkgsUnstableSmallRepo = repoFlake.nixpkgs-unstable-small.${pkgs.system}.legacyPackages; +in { imports = [ ../profiles/common.nix - # ../profiles/dotfiles.nix + ../profiles/dotfiles.nix # FIXME: fix homeshick when no WAN connection is available # ../programs/homeshick.nix # ../profiles/gnome-desktop.nix + ../profiles/sway-desktop.nix # ../profiles/experimental-desktop.nix ../programs/redshift.nix - ../programs/gpg-agent.nix - ../programs/pass.nix - ../programs/espanso.nix + # ../programs/espanso.nix ../programs/firefox.nix ../programs/chromium.nix ../programs/libreoffice.nix ../programs/neovim.nix + ../programs/pass.nix ../programs/vscode - { home.packages = [ pkgsUnstable.markdown-oxide ]; } + + # TODO: bump these to 23.05 and make it work + (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;})) + # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" - ]; - - nixpkgs.config.allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-28.3.3" - "electron-27.3.11" - ]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; nixpkgs.config.permittedInsecurePackages = [ - "electron-28.3.3" - "electron-27.3.11" ]; - 
nixpkgs.config.allowUnfree = [ - "electron-28.3.3" - "electron-27.3.11" - ]; - - # nixpkgs.config.allowUnfreePredicate = pkg: - # builtins.elem (lib.getName pkg) [ - # "smartgithg" - # "electron-27.3.11" - # ]; - home.packages = - (with pkgs; [ + [] + ++ (with pkgs; [ # Authentication - # cacert - # fprintd - # openssl - # mkpasswd + cacert + fprintd + openssl + mkpasswd # Nix package related tools patchelf - # nix-index + nix-index nix-prefetch-scripts - nix-tree + # nix-prefetch-github # Version Control Systems gitFull + pijul # gitless gitRepo git-lfs @@ -105,13 +87,14 @@ in # Password Management gnupg - yubikey-manager + # yubikey-manager + yubikey-manager-qt yubikey-personalization yubikey-personalization-gui # gnome.gnome-keyring gcr - seahorse + gnome.seahorse # Language Support hunspellDicts.en-us 
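Review bot: Importing `../programs/radicale.nix` with `pkgs = pkgs2211` pins a network-facing service to the 22.11 release, which no longer receives security fixes; the `# TODO: bump these to 23.05` acknowledges it but gives no reason the current packages cannot be used, so the blocker should be stated in the comment (e.g. `# radicale from 22.11 because <X> breaks on 23.05; EOL channel, no security updates`) or tracked in an issue. `pkgsMaster` and `pkgsUnstableSmallRepo` are bound in the `let` but not referenced in any hunk shown; if the rest of the file does not use them either, they are dead bindings. Emptying `nixpkgs.config.permittedInsecurePackages` is the right direction, provided none of the packages listed below still pull in the removed electron versions.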
@@ -119,59 +102,124 @@ in # Messaging/Communication # pidgin - # hexchat - pkgsUnstable.element-desktop + hexchat + schildichat-desktop aspellDicts.en aspellDicts.de # skypeforlinux # pkgsUnstable.jitsi-meet-electron - thunderbird-128 - # betterbird + thunderbird + evolution # gnome4.glib_networking # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop - pkgsUnstable.tdesktop - pkgsUnstable.signal-desktop-source + tdesktop + (let + version = "6.20.0-beta.1"; + in + pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: { + inherit version; + src = builtins.fetchurl { + url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; + sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; + }; + preFixup = + old.preFixup + + '' + gappsWrapperArgs+=( + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + ) + ''; + })) + + # --add-flags "--enable-features=UseOzonePlatform" + # --add-flags "--ozone-platform=wayland" + (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { + nativeBuildInputs = + old.nativeBuildInputs + ++ [ + pkgs.wrapGAppsHook + ]; + + preFixup = + (old.preFixup or "") + + '' + gappsWrapperArgs+=( + --add-flags "--enable-features=UseOzonePlatform" + --add-flags "--ozone-platform=wayland" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + ) + ''; + })) + + #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: { + # nativeBuildInputs = old.nativeBuildInputs ++ [ + # pkgs.wrapGAppsHook + # ]; + # + # preFixup = (old.preFixup or "") + '' + # gappsWrapperArgs+=( + # --add-flags 
"\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + # ) + # ''; + # })) + + thunderbird + # gnome.cheese + discord # Virtualization - virt-manager + # virtmanager # Remote Control Tools remmina - # freerdp + freerdp + teamviewer + rustdesk # Audio/Video Players - # ffmpeg + ffmpeg vlc - # v4l-utils - # audacity - # spotify + audacity + spotify yt-dlp (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam - libcamera - snapshot # Network Tools + openvpn tcpdump iftop iperf bind socat - nethogs + # 2019-03-05: broken on 19.03 linssid + iptraf-ng + ipmitool - # Code Editing and Programming - # TODO(remove or use): pkgsUnstable.lapce - # TODO(remve or use): pkgsUnstable.helix + iptables + nftables + wireshark + wireguard-tools + + # Code Editors + xclip + xsel # Image/Graphic/Design Tools - eog - # gimp - # imagemagick - # exiv2 - # graphviz - # inkscape - # qrencode + gnome.eog + gimp + imagemagick + exiv2 + graphviz + inkscape + qrencode + zbar + feh # TODO: remove or move these: Modelling Tools # plantuml 
@@ -182,46 +230,55 @@ in # astah-community # Misc Development Tools - # qrcode - # jq - # cdrtools + qrcode + jq + cdrtools # Document Processing and Management - nautilus + gnome.nautilus + xfce.thunar pcmanfm # mendeley evince - xournalpp + pkgsUnstableSmall.logseq # File Synchronzation maestral + maestral-gui rsync # Filesystem Tools - # ntfs3g - # ddrescue - # ncdu - # hdparm + ntfs3g + ddrescue + ncdu + unetbootin + hdparm + testdisk # binwalk - # gptfdisk - # gparted - # smartmontools + gptfdisk + gparted + smartmontools + + ## Android + androidenv.androidPkgs_9_0.platform-tools ## Python - # packages'.myPython + packages'.myPython # Misc Desktop Tools - # ltunify + ltunify # dex + xorg.xbacklight coreutils lsof - xdg-utils + xdotool + xdg_utils xdg-user-dirs dconf picocom glib.dev # contains gdbus tool alacritty - # wally-cli + wally-cli man-pages # Screen recording 
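Review bot: The `session-desktop` override adds `--ozone-platform=wayland` and `--enable-features=UseOzonePlatform` unconditionally, while the Signal override just above gates the same flags on `NIXOS_OZONE_WL` and `WAYLAND_DISPLAY`; under an X11 session the unconditional form will not start, so use the guarded expression (the commented-out variant right below it already spells it out) and then delete the duplicated commented block. The Signal beta `src` is pinned with `sha256`, so the `updates.signal.org` download is verified; keep the hash update in the same change as any `version` bump so a stale hash is not silently "fixed" by re-hashing whatever the server returns. `thunderbird` is listed twice in this hunk.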
@@ -231,45 +288,29 @@ in # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle + # obs-studio # shotcut # openshot-qt # introduces python: screenkey - # avidemux # broken - # handbrake - - # snes9x - # snes9x-gtk - # this is a displaymanager! - # libretro.snes9x2010 - # retroarchFull - - # pkgs.logseq-bin - pkgs.logseq - # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) - ]) - ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - pkgsUnstable.ledger-live-desktop - - # unsupported on aarch64-linux - pkgs.androidenv.androidPkgs_9_0.platform-tools - pkgs.teamviewer - pkgs.discord - pkgsUnstable.session-desktop - pkgsUnstable.rustdesk + pkgsUnstableSmall.ledger-live-desktop ]); systemd.user.startServices = true; - services.syncthing.enable = true; services.udiskie = { enable = true; - automount = false; + automount = true; notify = true; }; + # FIXME: doesn't work as the service can't seem to control its started PID + services.dropbox = { + enable = false; + path = "${config.home.homeDirectory}/Dropbox-Hm"; + }; + # TODO: uncomment this when it's in stable home-manger # programs.joshuto = { # enable = true; diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 5eaebd1..12e1948 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix @@ -1,8 +1,13 @@ -{ pkgs, ... }: { - home.packages = with pkgs; [ - gnome.gnome-tweaks - gnome.gnome-keyring - gnome.seahorse - ]; + pkgs, + config, + ... +}: { + home.packages = + [] + ++ (with pkgs; [ + gnome.gnome-tweaks + gnome.gnome-keyring + gnome.seahorse + ]); } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index d6296a2..faac0d5 100644 
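Review bot: `services.udiskie.automount = true` makes every inserted removable device get mounted and its filesystem parsed as soon as it appears, which turns a plugged-in USB stick into an unattended attack surface against the kernel filesystem drivers; the previous value was `false`, so this should be a deliberate choice recorded with a comment, e.g. `# automount on: accepting kernel fs-parser exposure from untrusted media on this node`. `services.dropbox` is declared with `enable = false` and a FIXME; dead configuration can be removed rather than kept alongside the note. Dropping `services.syncthing.enable = true` here is silent; if syncthing moved to the system configuration, say so in the commit or a comment.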
--- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,5 +1,8 @@ -{ pkgs, ... }: { + pkgs, + config, + ... +}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
@@ -13,87 +16,89 @@ ../programs/pass.nix ]; - home.packages = with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + home.packages = + [] + ++ (with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Version Control Systems - gitless + # Version Control Systems + gitless - # Process/System Administration - htop - gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Password Management - gnome.gnome-keyring - gnome.seahorse + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Remote Control Tools - remmina - freerdp + # Remote Control Tools + remmina + freerdp - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # samba - iptables - nftables - wireshark + # samba + iptables + nftables + wireshark - # Code Editors - xclip - xsel + # Code Editors + xclip + xsel - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Misc Development Tools - qrcode - jq - cdrtools + # Misc Development Tools + qrcode + jq + cdrtools - # Document Processing and Management - zathura + # Document Processing and Management + zathura - # File Synchronzation - rsync + # File Synchronzation + rsync - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - packages'.myPython + packages'.myPython - # Virtualization - virtmanager - ]; + # Virtualization + virtmanager + ]); } 
diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix new file mode 100644 index 0000000..4566af7 --- /dev/null +++ b/nix/home-manager/configuration/text-minimal.nix @@ -0,0 +1,12 @@ +{pkgs, ...}: { + imports = [ + ../profiles/common.nix + ../programs/neovim.nix + ]; + + home.packages = with pkgs; [ + iperf3 + inetutils + speedtest-cli + ]; +} diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 7436034..b731c1d 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,19 +1,14 @@ -_: { - mkSimpleTrayService = - { execStart }: - { - Unit = { - Description = ""; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = execStart; - }; +{}: let +in { + mkSimpleTrayService = {execStart}: { + Unit = { + Description = ""; + After = ["graphical-session-pre.target"]; + PartOf = ["graphical-session.target"]; }; + + Install = {WantedBy = ["graphical-session.target"];}; + + Service = {ExecStart = execStart;}; + }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 77f6e57..20a17e3 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
@@ -1,38 +1,22 @@ -{ pkgs, lib, ... }: -{ - home.stateVersion = lib.mkDefault "23.11"; - +{pkgs, ...}: { # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - # TODO: move this to an OS snippet? + imports = [ + ../programs/zsh.nix + ]; + nixpkgs.config = { allowBroken = false; allowUnfree = true; - allowUnsupportedSystem = true; - allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-32.3.3" - "electron" - ]; - - permittedInsecurePackages = [ - "electron-32.3.3" - "electron" - ]; - - allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "obsidian" - "vivaldi" - "aspell-dict-en-science" - ]; + permittedInsecurePackages = []; }; + nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"]; + nix.settings.sandbox = "relaxed"; + home.keyboard = { layout = "us"; variant = "altgr-intl"; 
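Review bot: `nix.settings.sandbox = "relaxed"` lets any derivation that sets `__noChroot = true` build outside the sandbox with network and host filesystem access, and the `experimental-features` list enables `recursive-nix` and `impure-derivations` alongside it; for a profile imported by every home configuration this weakens build isolation globally with no visible reason. Keep these settings in the node that needs them, or justify them with a comment such as `# relaxed sandbox + recursive-nix required for <derivation>; do not copy to servers`. Replacing the explicit `allowUnfreePredicate` allowlist with a blanket `allowUnfree = true` also removes the record of which unfree packages are intentionally accepted; the predicate form is preferable. These are home-manager `nix.settings`, so whether the daemon honours `sandbox` depends on the user being a trusted user, which is not visible here.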
@@ -46,52 +30,53 @@ xdg.enable = true; programs.direnv.enable = true; + services.lorri.enable = true; + home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1"; # Don't create .pyc files. home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = with pkgs; [ - coreutils + home.packages = + [] + ++ (with pkgs; [ + htop + vcsh - vcsh + # Authentication + cacert + openssl + mkpasswd - htop - iperf3 - nethogs + just + ripgrep + du-dust - # Authentication - cacert - openssl - mkpasswd + elfutils + exfat + file + tree + pwgen + proot - just - ripgrep - du-dust + parted + pv + tmux + wget + curl - elfutils - exfat - file - tree - pwgen - proot + # git helpers + git-crypt + gitFull + pastebinit + gist + mr - parted - pv - tmux - wget - curl + usbutils + pciutils + ]); - # git helpers - git-crypt - gitFull - pastebinit - gist - mr - - usbutils - pciutils - ]; + home.stateVersion = "22.05"; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index a7bddd9..95b5248 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,4 +1,10 @@ -_: { +{ + pkgs, + config, + ... +}: let + vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; +in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 2a866f2..84d629f 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
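Review bot: `home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1"` exports the override into every login shell, so ad-hoc `nix run`/`nix-shell` invocations silently accept any unfree licence; that belongs on the individual command, not in a shared profile, and it duplicates the `allowUnfree` already set in `nixpkgs.config`. `home.stateVersion = "22.05"` is set unconditionally here, so a configuration importing this profile cannot override it without `mkForce`; `home.stateVersion = lib.mkDefault "22.05"` keeps it overridable. `services.lorri.enable = true` starts a daemon that evaluates whatever `shell.nix` direnv points it at; fine on a workstation, but worth a comment if this profile is also applied on servers.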
@@ -3,40 +3,38 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: -let +}: let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } - '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in -pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) + pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi -'' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + '' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index d57a051..96daa60 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -1,6 +1,16 @@ -{ packages', ... }: { - imports = [ ../profiles/wayland-desktop.nix ]; + pkgs, + config, + lib, + nodeFlake, + packages', + ... +}: let + pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; +in { + imports = [ + ../profiles/wayland-desktop.nix + ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index 5051205..5ad7113 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -1,6 +1,13 @@ -{ pkgs, ... }: { - imports = [ ../profiles/wayland-desktop.nix ]; + pkgs, + config, + lib, + ... +}: let +in { + imports = [ + ../profiles/wayland-desktop.nix + ]; services = { gnome-keyring.enable = false; 
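Review bot: `repoBareLocal` is a fixed-output derivation whose `outputHash` is the all-zero placeholder, so the `git clone --mirror` runs with network access and then fails on hash mismatch unless the value is replaced; if the template is meant to be instantiated with a real hash, make it a parameter (`outputHash ? throw "dotfiles repo hash required"`) rather than a literal that looks final. A fixed-output mirror clone also only reproduces while the remote does not change, so the hash must be refreshed on every dotfiles push; a comment saying so would save the next reader a puzzled rebuild. In the activation script `$HOST` and `$HOME` are unquoted, and `vcsh pull $HOST || true` hides a failed pull; `|| echo "dotfiles pull for $HOST failed" >&2` keeps the best-effort behaviour while still reporting.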
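Review bot: `pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}` imports a second nixpkgs through `callPackage`, which auto-fills whichever of nixpkgs' top-level arguments (`config`, `overlays`, `system`, ...) happen to exist as attributes of the outer `pkgs`; that is opaque and may carry the stable tree's overlays and config into the unstable one. `import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }` states what is intended. Within this hunk `pkgsUnstable`, `config` and `lib` are not referenced; if the rest of the file does not use them, drop them.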
@@ -16,85 +23,86 @@ # Hidden=true # ''; - services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; + services.gpg-agent.pinentryFlavor = "gnome3"; - dconf.settings = - let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( - (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = + builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") + ( + (builtins.length manualKeybindings) + + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = - i: - if i < 10 then - i - else if i == 10 then - 0 - else - throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = i: + if i < 10 + then i + else if i == 10 + then 0 + else throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = [ "l" ]; + screensaver = ["l"]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ( - (builtins.genList (i: { + "org/gnome/shell/keybindings" = builtins.listToAttrs 
((builtins.genList + (i: { name = "switch-to-application-${toString (i + 1)}"; - value = [ ]; - }) numWorkspaces) - ++ [ + value = []; + }) + numWorkspaces) ++ [ { name = "toggle-overview"; - value = [ ]; + value = []; } - ] - ); + ]); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( - builtins.genList (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList + (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ "${toString (mapToNumber (i + 1))}" ]; - }) numWorkspaces - ); + value = [ + "${toString (mapToNumber (i + 1))}" + ]; + }) + numWorkspaces); } - // builtins.listToAttrs ( - builtins.genList (i: { + // builtins.listToAttrs (builtins.genList + (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) (builtins.length manualKeybindings) - ) - // builtins.listToAttrs ( - builtins.genList (i: { + }) + (builtins.length manualKeybindings)) + // builtins.listToAttrs (builtins.genList + (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) numWorkspaces - ); + }) + numWorkspaces); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index fc52ec6..68f21c7 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
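Review bot: `throw "i exceeds 10: ${i}"` in `mapToNumber` interpolates an integer directly, which Nix rejects with a coercion error, so the intended message is never produced; use `throw "i exceeds 10: ${toString i}"`. `services.gpg-agent.pinentryFlavor = "gnome3"` is the older option name; depending on the home-manager release pinned here it may have been replaced by `pinentryPackage`, which the removed side used, so confirm against the pinned version before merging. The custom-keybinding commands (`flameshot gui`, `alacritty`, `wmctrl -r :ACTIVE: -t N`) are resolved from the session `PATH` by gnome-settings-daemon; `${pkgs.flameshot}/bin/flameshot gui` style absolute paths would make them independent of what else happens to be in the profile.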
@@ -1,22 +1,28 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: let +in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel + fi + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels - fi - ''}; + '' + }; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 84d9c21..da12f62 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,14 @@ -{ pkgs, ... }: -let +{ + pkgs, + config, + ... +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [ - pulseaudio - findutils - gnugrep - ] + lib.makeBinPath [pulseaudio findutils gnugrep] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
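Review bot: The inner guard `if test -f $HOME/.nix-channel` and the loop's `done < $HOME/.nix-channel` refer to a file without the trailing `s`, while the enclosing check and the rest of the script operate on `$HOME/.nix-channels`; unless a singular file happens to exist, the `nix-channel --remove` loop never runs and the channel list is only moved aside, leaving the channels registered. Change both to `"$HOME/.nix-channels"`, quote `$channel`, and use `while read -r url channel` so backslashes are not interpreted. With `set -ex` on, a single failing `nix-channel --remove` aborts the whole activation, which may be intended but deserves a comment.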
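Review bot: `MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute` stores per-user state under a predictable name in the shared `/tmp`, where another local user can pre-create the file or a symlink and influence what the script reads or overwrites; `''${XDG_RUNTIME_DIR:-/tmp}/.qtilemute` uses the per-user, mode-0700 runtime directory when it is available. The `audio` script body continues outside the hunk, so how the file is written is not visible here.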
@@ -33,7 +33,7 @@ let terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH set -xe @@ -56,7 +56,7 @@ let ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH revert() { ${dpmsScript} default @@ -251,8 +251,7 @@ let def print_new_window(window): print("new window: ", window) ''; -in -{ +in { services = { gnome-keyring.enable = true; blueman-applet.enable = true; @@ -287,7 +286,7 @@ in networkmanagerapplet gnome-icon-theme gnome.gnome-themes-extra - adwaita-icon-theme + gnome.adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index c6b1e1f..9640e4a 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,64 +1,57 @@ -/* - TODO: create helper scripts for sharing of a screen portion - ``` - - # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. - swaymsg create_output - - # find the name and the workspace number - swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' - - swaymsg output HEADLESS-1 mode 1920@108060Hz - - # mirror the headless workspace on the current one - nix run nixpkgs\#wl-mirror -- HEADLESS-1 - - # shift windows to the workspace and switch the focus to it -*/ { pkgs, config, lib, - # packages', + packages', ... -}: -let +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in -{ +in { imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix + ../programs/salut.nix ]; - services.dunst = { - enable = true; + # TODO: autostart + # environment.loginShellInit = '' + # if [[ "$(tty)" == /dev/tty1 ]]; then + # echo starting sway.. + # exec sway + # fi + # ''; + + services = { + # TODO: doesn't work with 2 screens + # flameshot.enable = true; }; - services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; + services.gpg-agent.pinentryFlavor = "gnome3"; home.packages = [ pkgs.swayidle pkgs.swaylock ## themes - pkgs.adwaita-icon-theme + pkgs.gnome.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.gnome-icon-theme ## fonts - # pkgs.nerd-fonts # TODO: reinstall selected ones pkgs.dejavu_fonts # just a basic good fond pkgs.font-awesome_5 # needed by i3status-rust + pkgs.nerdfonts pkgs.font-awesome pkgs.roboto pkgs.ttf_bitstream_vera pkgs.noto-fonts + pkgs.noto-fonts-cjk pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-emoji 
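Review bot: The new `services = { ... };` block near the top of the hunk holds nothing but commented-out lines, so it is an empty attribute set that contributes nothing to the configuration; either drop it or keep only the `# TODO: doesn't work with 2 screens` comment. The commented-out `environment.loginShellInit` snippet above it is a NixOS option rather than a home-manager one, so if it is ever uncommented in this file (which lives under nix/home-manager) it will not be accepted as written — a `# NOTE: NixOS-level option, belongs in the host config, not here` beside it would save the next reader the detour. `services.gpg-agent.pinentryFlavor = "gnome3"` overrides the `lib.mkDefault "gtk2"` set in gpg-agent.nix, which is fine, but both files now depend on that option name existing in the home-manager release in use.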
@@ -73,146 +66,115 @@ in pkgs.dina-font pkgs.monoid pkgs.hermit - ### found on colemickens' repo + # found on colemickens' repo pkgs.gelasio # metric-compatible with Georgia pkgs.powerline-symbols pkgs.iosevka-comfy.comfy-fixed - ## experimental stuff + # experimental stuff pkgs.fuzzel ]; - # TODO: configure kanshi to always set the 5K resolution - # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" - # Make: Philips Consumer Electronics Company - # Model: PHL 499P9 - # Serial: AU02419010010 - # Physical size: 1190x340 mm - # Enabled: yes - # Modes: - # 3840x1080 px, 59.967999 Hz (preferred) - # 5120x1440 px, 59.977001 Hz (current) - wayland.windowManager.sway = { enable = true; - systemd.enable = true; + systemdIntegration = true; + # systemd.enable = true; xwayland = false; - config = - let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) - left - right - up - down - ; - in - { - inherit modifier; - bars = [ ]; + config = let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) left right up down; + in { + inherit modifier; + bars = []; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; - - "type:touchpad" = { - natural_scroll = "enabled"; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; }; - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - 
"1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; - }; + "type:touchpad" = { + natural_scroll = "enabled"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. 
- # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - '' - ); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - '' - ); - } - ]; - - colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = 
"workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + ''); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + ''); + } + ]; + + colors.focused = lib.mkOptionDefault { + childBorder = lib.mkForce "#ffa500"; + }; + + window.border = 4; + }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 2f0d2ee..6c4d820 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,14 +1,19 @@ { pkgs, + config, lib, repoFlake, + nodeFlake, ... -}: -let +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; + nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; + nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; -in -{ + + wayprompt = nixpkgs-wayland'.wayprompt; +in { fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; 
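Review bot: `nixpkgs-2211` and `nixpkgs-unstable-small` are bound in the new `let` block but neither is referenced in the visible hunks of this file, and 22.11 is an end-of-life nixpkgs release that no longer receives security fixes. If they are unused, drop the two bindings (and the `nodeFlake` argument if nothing else needs it); if something in the unseen part of the file does consume `nixpkgs-2211`, that package is being sourced from an unpatched branch and deserves a comment stating why, e.g. `# nixpkgs-2211: <package name> only — no security updates on this branch, revisit`. The unused claim is inferred from what is visible; the middle and tail of the file are outside these hunks.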
@@ -24,57 +29,45 @@ in systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = [ "graphical-session-pre.target" ]; + Requires = ["graphical-session-pre.target"]; }; }; - home.packages = - with pkgs; - [ - # required by network-manager-applet - networkmanagerapplet + home.packages = with pkgs; [ + # required by network-manager-applet + pkgs.networkmanagerapplet - wlr-randr - wayout - wl-clipboard - wmctrl + wlr-randr + wayout + wl-clipboard + wmctrl - nixpkgs-wayland'.shotman + wayprompt + nixpkgs-wayland'.shotman - # identifies key input syms - wev + # identifies key input syms + wev - # TODO: whwat's this for? - # wltype + # TODO: whwat's this for? + # wltype - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland + pavucontrol + playerctl + pasystray + qt5.qtwayland + qt6.qtwayland + # libsForQt5.qt5.qtwayland + # libsForQt6.qt6.qtwayland - # audio - playerctl - helvum - pasystray - sonusmix - pwvucontrol - - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - - waypipe - ] - ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) - # TODO: broken on aarch64 - [ ] - ); + # probably required by flameshot + # xdg-desktop-portal xdg-desktop-portal-wlr + # grim + ]; home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; NIXOS_OZONE_WL = "1"; MOZ_ENABLE_WAYLAND = "1"; - WLR_NO_HARDWARE_CURSORS = "1"; }; home.pointerCursor = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index aa3f531..dda9b61 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
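Review bot: Inside the `with pkgs; [ ... ]` list the first entry is written `pkgs.networkmanagerapplet` while every other entry relies on the `with`, so the prefix is redundant; `networkmanagerapplet` matches the rest of the list. The new `pavucontrol`, `playerctl` and `pasystray` entries sit between the `wev` comment and the Qt entries with no group comment, whereas the surrounding entries are each introduced by one; an `# audio` line above them keeps the list scannable.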
@@ -1,81 +1,59 @@ { name, lib, - pkgs, ... -}: -let - extensions = - [ - #undetectable adblocker - { id = "gcfcpohokifjldeandkfjoboemihipmb"; } +}: let + extensions = + [ + #undetectable adblocker + {id = "gcfcpohokifjldeandkfjoboemihipmb";} - # ublock origin - { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } + # ublock origin + {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} - # # YT ad block - # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} + # # YT ad block + # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} - # # Adblock Plus - # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} + # # Adblock Plus + # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} - # Cookie Notice Blocker - { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } - # i don't care about cookies - { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } + # Cookie Notice Blocker + {id = "odhmfmnoejhihkmfebnolljiibpnednn";} + # i don't care about cookies + {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} - # NopeCHA - { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } + # NopeCHA + {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} - # h264ify - { id = "aleakchihdccplidncghkekgioiakgal"; } + # h264ify + {id = "aleakchihdccplidncghkekgioiakgal";} - # clippy - # {id = "honbeilkanbghjimjoniipnnehlmhggk"} + # clippy + # {id = "honbeilkanbghjimjoniipnnehlmhggk"} - { - id = "dcpihecpambacapedldabdbpakmachpb"; - updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; - } + { + id = "dcpihecpambacapedldabdbpakmachpb"; + updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; + } - # cookie autodelete - { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } + # cookie autodelete + {id = "fhcgjolkccmbidfldomjliifgaodjagh";} + ] + ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ + # Vimium C + {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} + ]); - # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid"; } - ] - ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ - 
# polkadotjs - { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } - - # rabby wallet - { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } - - # phantom wallet - { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } - - # Vimium C - { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } - - # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report - # always right - { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } - - # shazam music - { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } - ]); -in -{ +in { programs.chromium = { enable = true; inherit extensions; - # TODO: extensions currently don't work with ungoogled-chromium - package = pkgs.chromium; }; programs.brave = { - # TODO: enable this on aarch64-linux - enable = true && !pkgs.stdenv.targetPlatform.isAarch64; + enable = true; inherit extensions; }; + + programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 8297183..7497432 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix 
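Review bot: The new `programs.browserpass = {browsers = ["chromium" "brave"];};` line sets only `browsers`; the home-manager module is gated by `programs.browserpass.enable`, which defaults to false, so as written no native-messaging host is installed and the line is inert — `programs.browserpass = { enable = true; browsers = ["chromium" "brave"]; };` if that is the intent. Separately, the `dcpihecpambacapedldabdbpakmachpb` entry keeps pulling its updates from an unpinned `master` branch on raw.githubusercontent.com, which means the installed extension code is whatever that repository serves at update time; that is pre-existing, but a short comment stating that this third-party update source is trusted on purpose would help the next reader. With `pkgs` removed from the module arguments and the `package = pkgs.chromium` line gone, `programs.chromium` falls back to the module's default package; confirm that is the browser the extension list is meant for.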
@@ -1,82 +1,65 @@ -{ pkgs, ... }: { + pkgs, + config, + ... +}: { services.espanso = { - package = pkgs.espanso-wayland; - # package = pkgs.espanso-wayland.overrideAttrs (_: { - # src = repoFlake.inputs.espanso; - - # cargoLock = { - # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; - # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; - # outputHashes = { - # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; - # }; - # }; - # }); - - enable = false; - configs = { - default = { - # backend = "Inject"; - # backend = "Clipboard"; - }; - }; - matches = - let - playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in - { - default = { - matches = [ + # package = pkgs.espanso.overrideAttrs(_: { + # # src = + # }) + enable = true; + settings = { + matches = let + playerctl = '' + ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! 
${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; } ]; - }; - }; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeShellScript "espanso" + "${playerctl} metadata title") + ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index 51c7a93..b008242 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
@@ -1,417 +1,6 @@ -{ - repoFlake, - pkgs, - config, - lib, - ... -}: -let - # Search extension names with below command: - # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY - ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ - ublock-origin +{pkgs, ...}: { + # programs.librewolf = {enable = true;}; + programs.firefox = {enable = true;}; - # bypass-paywalls-clean (can't use, was creating popups) - consent-o-matic - terms-of-service-didnt-read - - auto-tab-discard - - # redirector # For nixos wiki - # darkreader - - facebook-container - control-panel-for-twitter - # containerise - facebook-tracking-removal - vimium - cookie-autodelete - auto-tab-discard - istilldontcareaboutcookies - - youtube-recommended-videos - - display-_anchors - ]; - - customAddons = [ - - ]; - - search = { - force = true; - default = "DuckDuckGo"; - privateDefault = "DuckDuckGo"; - }; - - mkProfile = - override: - lib.recursiveUpdate { - extensions = ryceeAddons ++ customAddons; - inherit search; - - settings = { - # automatically enable extensions - "extensions.autoDisableScopes" = 0; - - "middlemouse.paste" = false; - - "browser.download.useDownloadDir" = false; - "browser.tabs.insertAfterCurrent" = true; - "browser.tabs.warnOnClose" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.quitShortcut.disabled" = false; - - # restore the previous session automatically - "browser.startup.page" = 3; - "browser.sessionstore.resume_from_crash" = true; - "browser.sessionstore.restore_pinned_tabs_on_demand" = true; - "browser.sessionstore.restore_on_demand" = true; - - "browser.urlbar.suggest.bookmark" = true; - "browser.urlbar.suggest.engines" = true; - "browser.urlbar.suggest.history" = true; - "browser.urlbar.suggest.openpage" = true; - "browser.urlbar.suggest.topsites" = false; - "browser.urlbar.trimHttps" = true; - - "sidebar.position_start" = false; - 
"findbar.highlightAll" = true; - - "browser.tabs.hoverPreview.enabled" = true; - - # Disable fx accounts - "identity.fxaccounts.enabled" = false; - # Disable "save password" prompt - "signon.rememberSignons" = false; - # Harden - "privacy.trackingprotection.enabled" = true; - "dom.security.https_only_mode" = true; - - # Disable irritating first-run stuff - "browser.disableResetPrompt" = true; - "browser.download.panel.shown" = true; - "browser.feeds.showFirstRunUI" = false; - "browser.messaging-system.whatsNewPanel.enabled" = false; - "browser.rights.3.shown" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.shell.defaultBrowserCheckCount" = 1; - "browser.startup.homepage_override.mstone" = "ignore"; - "browser.uitour.enabled" = false; - "startup.homepage_override_url" = ""; - "trailhead.firstrun.didSeeAboutWelcome" = true; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.bookmarks.addedImportButton" = true; - - # Disable "Save to Pocket" or Pocket entirely - "extensions.pocket.enabled" = false; - - # Disable telemetry - "toolkit.telemetry.enabled" = false; - "toolkit.telemetry.unified" = false; - "toolkit.telemetry.archive.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; - "app.shield.optoutstudies.enabled" = false; - "browser.discovery.enabled" = false; - "browser.newtabpage.activity-stream.feeds.telemetry" = false; - "browser.newtabpage.activity-stream.telemetry" = false; - "browser.ping-centre.telemetry" = false; - "datareporting.healthreport.service.enabled" = false; - "datareporting.policy.dataSubmissionEnabled" = false; - "datareporting.sessions.current.clean" = true; - "devtools.onboarding.telemetry.logged" = false; - "toolkit.telemetry.bhrPing.enabled" = false; - "toolkit.telemetry.firstShutdownPing.enabled" = false; - "toolkit.telemetry.hybridContent.enabled" = false; - "toolkit.telemetry.newProfilePing.enabled" = false; - "toolkit.telemetry.prompted" = 2; - "toolkit.telemetry.rejected" = true; - 
"toolkit.telemetry.reportingpolicy.firstRun" = false; - "toolkit.telemetry.server" = ""; - "toolkit.telemetry.shutdownPingSender.enabled" = false; - "toolkit.telemetry.unifiedIsOptIn" = false; - "toolkit.telemetry.updatePing.enabled" = false; - - # Disable any feeds on the new tab page - "browser.newtabpage.activity-stream.showTopSites" = false; - "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; - "browser.newtabpage.activity-stream.discoverystream.enabled" = false; - "browser.newtabpage.activity-stream.feeds.topsites" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; - "browser.newtabpage.blocked" = lib.genAttrs [ - # Youtube - "26UbzFJ7qT9/4DhodHKA1Q==" - # Facebook - "4gPpjkxgZzXPVtuEoAL9Ig==" - # Wikipedia - "eV8/WsSLxHadrTL1gAxhug==" - # Reddit - "gLv0ja2RYVgxKdp0I5qwvA==" - # Amazon - "K00ILysCaEq8+bEqV/3nuw==" - # Twitter - "T9nJot5PurhJSy8n038xGA==" - ] (_: 1); - "browser.topsites.blockedSponsors" = [ - "adidas" - "temuaffiliateprogram.pxf" - "s.click.aliexpress" - ]; - - # enable userChrome - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; - "devtools.chrome.enabled" = true; - "devtools.debugger.remote-enabled" = true; - - # disable translations for some languages - "browser.translations.neverTranslateLanguages" = [ - "en" - "de" - ]; - "browser.translations.automaticallyPopup" = false; - - # enable pipewire (and libcamera) sources - "media.webrtc.camera.allow-pipewire" = true; - }; - - userChrome = - let - name = override.color or colors.grey; - value = colorValues."${name}".normal; - valueBright = colorValues."${name}".highlight; - valueDark = colorValues."${name}".inactive; - in - '' - @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */ - - #nav-bar { - background-color: ${value} !important; - color: black !important; - } - - /* don't show close button on 
background tabs */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { - display: none !important; - } - - /* show close button on hover */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { - display: -moz-inline-box !important; - } - - - /* default */ - #TabsToolbar { - background: ${valueDark} !important; - } - - /* default tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { - background: ${value} !important; - opacity: 0.8 - } - - /* selected tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { - background: ${valueBright} !important; - box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); - } - - /* hovered tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { - background: ${valueBright} !important; - } - - /* unloaded/pending tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { - background: ${valueDark} !important; - } - ''; - - # /* new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { - # background: unset !important; - # } - - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { - # /* background: var(--default_tabs_bg_newtab) !important; - # } - - # /* hovered new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { - # background: var(--default_tabs_bg_newtab_hovered) !important; - # } - - } (builtins.removeAttrs override [ "color" ]); - - # TODO: insert the id automatically - mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; - - colors = builtins.mapAttrs (name: _: name) colorValues; - - colorValues = { - blue = { - normal = "#49b1fc"; - highlight = "#05a9fc"; # Brighter blue - inactive = "#1f81c6"; # Darker blue - }; - green = { - normal = "#51cd00"; - highlight = "#5ae200"; # Brighter green - inactive = "#45ad00"; # Darker green - }; 
- orange = { - normal = "#ff9800"; - highlight = "#ffb74d"; # Brighter orange - inactive = "#c76a00"; # Darker orange - }; - red = { - normal = "#f6685e"; - highlight = "#ff4336"; # Brighter red - inactive = "#aa463f"; # Darker red - }; - yellow = { - normal = "#fced4b"; - highlight = "#fce705"; # Brighter yellow - inactive = "#dbbe00"; # Darker yellow - }; - purple = { - normal = "#9c27b0"; - highlight = "#ab47bc"; # Brighter purple - inactive = "#7b1fa2"; # Darker purple - }; - pink = { - normal = "#e91e63"; - highlight = "#ff6090"; # Brighter pink - inactive = "#c2185b"; # Darker pink - }; - brown = { - normal = "#795548"; - highlight = "#a88b6f"; # Brighter brown - inactive = "#4e3b30"; # Darker brown - }; - grey = { - normal = "#9e9e9e"; - highlight = "#bdbdbd"; # Brighter grey - inactive = "#757575"; # Darker grey - }; - teal = { - normal = "#009688"; - highlight = "#26c6da"; # Brighter teal - inactive = "#00796b"; # Darker teal - }; - }; - -in -{ - nixpkgs.overlays = [ - repoFlake.inputs.nur.overlays.default - ]; - - nixpkgs.config.allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "youtube-recommended-videos" - ]; - - programs.librewolf = { - enable = false; - }; - programs.firefox = { - enable = true; - package = pkgs.firefox-esr; - - profiles = mkProfiles { - "personal" = mkProfile { - id = 0; - isDefault = true; - color = colors.blue; - }; - "comms" = mkProfile { - id = 1; - color = colors.blue; - }; - "admin" = mkProfile { - id = 2; - color = colors.blue; - }; - "infra" = mkProfile { - id = 3; - color = colors.blue; - }; - "finance" = mkProfile { - id = 4; - color = colors.yellow; - }; - "business-admin" = mkProfile { - id = 5; - color = colors.teal; - }; - "business-comms" = mkProfile { - id = 6; - color = colors.teal; - }; - "business-dev" = mkProfile { - id = 7; - color = colors.teal; - }; - "holo-dev" = mkProfile { - id = 8; - color = colors.green; - }; - "holo-infra" = mkProfile { - id = 9; - color = colors.green; - }; - 
"holo-comms" = mkProfile { - id = 10; - color = colors.green; - }; - "justyna" = mkProfile { - id = 11; - color = colors.pink; - }; - "justyna-office" = mkProfile { - id = 12; - color = colors.pink; - }; - }; - - }; - - # create one desktop entry for each profile - xdg.desktopEntries = lib.mapAttrs' ( - k: _v: - lib.nameValuePair "firefox-profile-${k}" { - categories = [ - "Network" - "WebBrowser" - ]; - exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; - genericName = "Web Browser"; - icon = - builtins.replaceStrings [ ".desktop" ] [ "" ] - config.programs.firefox.package.desktopItem.name; - mimeType = [ - "text/html" - "text/xml" - "application/xhtml+xml" - "application/vnd.mozilla.xul+xml" - "x-scheme-handler/http" - "x-scheme-handler/https" - ]; - name = "Firefox: ${k}"; - startupNotify = true; - settings.StartupWMClass = - # To group windows of different profiles. - # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. - #if profile.name == "default" - #then "firefox" - #else "firefox-${profile.name}"; - "firefox"; - terminal = false; - type = "Application"; - } - ) config.programs.firefox.profiles; + home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; } diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index b81c150..79ce675 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix 
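Review bot: `home.file.".mozilla/native-messaging-hosts/passff.json".source` installs the passff native host for every Firefox profile on the machine, while nothing in the new `programs.firefox = {enable = true;}` block installs or pins the matching extension, so the host is reachable by any extension named in that manifest's allowed-extensions list without the browser side being declared here. If the home-manager release in use offers `programs.firefox.nativeMessagingHosts`, that is the declarative place for `pkgs.passff-host`; otherwise a comment such as `# passff host only; the passff extension is installed per-profile elsewhere — TODO confirm` would record where the other half lives. The hardening prefs that the old side carried (HTTPS-only mode, tracking protection, `signon.rememberSignons = false`, the telemetry opt-outs) are not re-established anywhere visible; if dropping them is deliberate the commit message should say so.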
@@ -1,17 +1,20 @@ -{ lib, pkgs, osConfig, ... }: -{ - home.packages = [ pkgs.gcr ]; +{lib, pkgs, config, ...}: { + home.packages = [ + pkgs.gcr + ] ++ + (if config.services.gpg-agent.pinentryFlavor == "gtk2" then [pkgs.pinentry-gtk2] + else if config.services.gpg-agent.pinentryFlavor == "gnome3" then [pkgs.pinentry-gnome] + else []) + ; programs.gpg.enable = true; services.gpg-agent = { enable = true; - enableScDaemon = !osConfig.services.pcscd.enable; + enableScDaemon = true; enableSshSupport = true; grabKeyboardAndMouse = true; - pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; - extraConfig = '' - no-allow-external-cache - ''; + pinentryFlavor = lib.mkDefault "gtk2"; + extraConfig = ""; defaultCacheTtl = 0; maxCacheTtl = 0; diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index 4ba0dfe..cbd4964 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
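Review bot: `extraConfig = "";` drops the `no-allow-external-cache` line, so pinentry may now offer to store the passphrase in an external cache such as a desktop keyring, which contradicts the `defaultCacheTtl = 0;` / `maxCacheTtl = 0;` lines just below that exist to avoid caching; keep `extraConfig = ''no-allow-external-cache'';` unless external caching is actually wanted. `enableScDaemon = true;` is now unconditional, whereas the removed line tied it to the absence of a system pcscd — scdaemon and pcscd competing for the same reader is a known source of smartcard failures, so a comment on why it is safe on every host this profile targets would help. The `pkgs.pinentry-gnome` attribute in the conditional package list should be checked against the nixpkgs in use; newer releases expose the GNOME pinentry as `pinentry-gnome3`, the name the old side used.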
@@ -1,25 +1,32 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: let + # TODO: clean up the impurity in here +in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - ''}; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + '' + }; ''; nixpkgs.config = { - packageOverrides = - pkgs: with pkgs; { + packageOverrides = pkgs: + with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 2091dc8..f5921e2 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,8 +1,3 @@ -{ pkgs, nodeFlake, ... }: - -let - pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; -in -{ - home.packages = [ pkgsStable.libreoffice ]; +{pkgs, ...}: { + home.packages = with pkgs; [libreoffice-fresh]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index d5f60dc..e169eea 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
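Review bot: The added `# TODO: clean up the impurity in here` names the problem but leaves it untouched: `homeshick = builtins.fetchGit { url = ...; ref = "master"; }` carries no `rev`, so each evaluation fetches whatever the branch head is at that moment, and the activation script then `source`s that checkout with the user's privileges. Pinning it, `rev = "<commit-sha placeholder>";`, or moving it to a flake input makes the activation reproducible and lets a reviewer see exactly which code will run. The `packageOverrides` set continues past the hunk.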
@@ -1,161 +1,131 @@ -{ repoFlake, pkgs, ... }: { - imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; + pkgs, + lib, + ... +}: let +in { + # FIXME: this doesn't work + home.sessionVariables.EDITOR = "nvim"; - programs.nixvim = { + programs.neovim = { enable = true; - defaultEditor = true; - vimdiffAlias = true; - vimAlias = true; - extraPython3Packages = ps: with ps; [ ]; + extraPython3Packages = ps: with ps; []; - # extraConfigVim = builtins.readFile ./neovim/vimrc; + extraConfig = builtins.readFile ./neovim/vimrc; - clipboard = { - register = "unnamedplus"; - providers.wl-copy.enable = true; - }; + plugins = with pkgs; + [ + # yaml-folds + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml-folds"; + src = fetchFromGitHub { + owner = "pedrohdz"; + repo = "vim-yaml-folds"; + rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + }; + buildInputs = [zip vim]; + }; + } - plugins = { - airline = { - enable = true; - settings = { - powerline_fonts = 1; - skip_empty_sections = 1; - theme = "papercolor"; - }; - }; - fugitive.enable = true; - gitblame.enable = true; - lsp = { - enable = true; - }; + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml"; + src = fetchFromGitHub { + owner = "stephpy"; + repo = "vim-yaml"; + rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + }; + }; + } - nix.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-markdown-toc"; + # src = fetchFromGitHub { + # owner = "mzlogin"; + # repo = "vim-markdown-toc"; + # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638"; + # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz"; + # }; + # }; + # } - # TODO: enable in next release - # numbertoggle.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-perl"; + # src = fetchFromGitHub { + # owner = 
"vim-perl"; + # repo = "vim-perl"; + # rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb"; + # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr"; + # }; + # }; + # } - # successfor to ctrlp and fzf - telescope.enable = true; + { + plugin = vimUtils.buildVimPlugin { + name = "git-blame"; + src = fetchFromGitHub { + "owner" = "zivyangll"; + "repo" = "git-blame.vim"; + "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + }; + }; + } + ] + ++ (with pkgs.vimPlugins; [ + delimitMate + vim-airline + vim-airline-themes + ctrlp + vim-css-color + rainbow_parentheses + vim-colorschemes + vim-colorstepper + vim-signify + fugitive + vim-indent-guides + UltiSnips + fzfWrapper - todo-comments.enable = true; + ncm2 + ncm2-bufword + ncm2-path + ncm2-tmux + ncm2-ultisnips + nvim-yarp - toggleterm.enable = true; + LanguageClient-neovim - treesitter = { - enable = true; + Improved-AnsiEsc + tabular - grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ - bash - json - lua - make - markdown - nix - regex - toml - vim - vimdoc - xml - yaml - ]; - }; + # Nix + vim-addon-nix + tlib + vim-addon-vim2nix - treesitter-context.enable = true; - treesitter-refactor.enable = true; + # LaTeX + vim-latex-live-preview + vimtex - # This plugin trims trailing whitespace and lines. 
- trim.enable = true; - }; + # YAML + vim-yaml - # plugins = with pkgs; - # [ - # # yaml-folds - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml-folds"; - # src = fetchFromGitHub { - # owner = "pedrohdz"; - # repo = "vim-yaml-folds"; - # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - # }; - # buildInputs = [zip vim]; - # }; - # } + # markdown + vim-markdown + vim-markdown-toc - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml"; - # src = fetchFromGitHub { - # owner = "stephpy"; - # repo = "vim-yaml"; - # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - # }; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "git-blame"; - # src = fetchFromGitHub { - # "owner" = "zivyangll"; - # "repo" = "git-blame.vim"; - # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - # }; - # }; - # } - # ] - # ++ (with pkgs.vimPlugins; [ - # delimitMate - # vim-airline - # vim-airline-themes - # ctrlp - # vim-css-color - # rainbow_parentheses - # vim-colorschemes - # vim-colorstepper - # vim-signify - # fugitive - # vim-indent-guides - # UltiSnips - # fzfWrapper - - # ncm2 - # ncm2-bufword - # ncm2-path - # ncm2-tmux - # ncm2-ultisnips - # nvim-yarp - - # LanguageClient-neovim - - # Improved-AnsiEsc - # tabular - - # # Nix - # vim-addon-nix - # tlib - # vim-addon-vim2nix - - # # LaTeX - # vim-latex-live-preview - # vimtex - - # # YAML - # vim-yaml - - # # markdown - # vim-markdown - # vim-markdown-toc - - # # misc syntax support - # vim-bazel - # maktaba - # ]); + # misc syntax support + vim-bazel + maktaba + ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f3cb42b..c002c2b 100644 --- a/nix/home-manager/programs/neovim/vimrc 
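Review bot: The `git-blame` plugin entry uses quoted attribute names (`"owner" = "zivyangll";`, `"repo" = ...`) while the sibling `vim-yaml-folds` and `vim-yaml` entries use bare `owner = ...;`, so one style should be picked for the list. `# FIXME: this doesn't work` above `home.sessionVariables.EDITOR = "nvim";` should say what fails; the zsh.nix hunk in this same commit also exports `EDITOR="nvim"` when `config.programs.neovim.enable` is set, so the sessionVariables line may simply be redundant. The plugin blocks marked `# broken 2021-06-08` are dead code on the new side and would be better removed than carried along, and the empty `let in` can be dropped.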
+++ b/nix/home-manager/programs/neovim/vimrc @@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = { \ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } -"let g:ctrlp_max_files=0 -"let g:ctrlp_max_depth=1000 +let g:ctrlp_max_files=0 +let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix deleted file mode 100644 index d99747d..0000000 --- a/nix/home-manager/programs/obs-studio.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, lib, ... }: -{ - programs.obs-studio = { - enable = true; - plugins = - builtins.map - ( - plugin: - (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - { inherit (attrs) meta; } - { meta.platforms = [ pkgs.stdenv.system ]; } - ]; - })) - ) - ( - with pkgs.obs-studio-plugins; - [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ] - ); - }; -} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix deleted file mode 100644 index 4b01360..0000000 --- a/nix/home-manager/programs/openvscode-server.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ pkgs, repoFlake, ... }: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ - home.packages = [ - pkgs.nil - pkgs.nixd - pkgs.nixfmt-rfc-style - - # TODO: automate linking this - # 1. get the commit with: `codium --version` - # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` - # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ - - /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` - */ - - (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { - src = repoFlake.inputs.openvscode-server; - version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: { - outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; - }); - })) - - pkgs.waypipe - ]; -} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 056d08d..2be5230 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
@@ -1,16 +1,17 @@ -{ repoFlake, pkgs, ... }: -{ +{pkgs, ...}: { # required by pass-otp - # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; - # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; - # programs.browserpass.enable = true; + home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; + home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + + programs.browserpass.enable = true; home.packages = with pkgs; [ - gnupg + gnupg + pass - # broken on wayland - # rofi-pass + # broken on wayland + # rofi-pass - repoFlake.packages.${pkgs.system}.prs + prs ]; } diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index be31268..a8e4eef 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -4,8 +4,7 @@ pkgs, osConfig, ... -}: -let +}: let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
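Review bot: The comment `# required by pass-otp` now heads two active `PASSWORD_STORE_*` exports, but `pass-otp` itself is not in `home.packages` (only `gnupg`, `pass`, `prs`), so with a plain `pass` the extensions directory those variables enable has nothing in it. If pass-otp is wanted, `(pass.withExtensions (e: [e.pass-otp]))` in place of `pass` provides it and may make the two exports unnecessary, since the wrapper handles the extension directory. Enabling extensions means pass executes whatever lives in that directory, so keeping `PASSWORD_STORE_EXTENSIONS_DIR` on the read-only nix profile path rather than a writable `$HOME` location is the right choice and deserves a one-line comment saying so.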
@@ -39,51 +38,50 @@ let # pkgs.libxcrypt ]; - propagatedBuildInputs = [ - libdecsync - pkgs.python3Packages.setuptools - ]; + propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; + propagatedBuildInputs = + old.propagatedBuildInputs + ++ [radicale-storage-decsync]; }); - mkRadicaleService = - { suffix, port }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = { + suffix, + port, + }: let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} + ''; + in { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; }; + Install.WantedBy = ["default.target"]; }; + }; in -builtins.foldl' (sum: cur: lib.recursiveUpdate 
sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -] + builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } + ] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 9e45594..0946b2e 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,26 +1,21 @@ -_: -let - passwords = import ../../variables/passwords.crypt.nix; -in { + pkgs, + config, + ... +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { services.gammastep = { enable = true; - provider = "manual"; - enableVerboseLogging = true; inherit (passwords.location.stefan) longitude latitude; temperature = { - # day = 6700; - day = 3000; + day = 6700; night = 3000; }; tray = true; settings = { - general = { - adjustment-method = "wayland"; - }; gammastep = { - # brightness-day = 1.0; - brightness-day = 0.5; + brightness-day = 1.0; brightness-night = 0.5; }; }; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 415e3be..1d39b5e 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -1,11 +1,20 @@ -{ pkgs, packages', ... }: +{ + pkgs, + config, + lib, + packages', + ... +}: # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done + let - inherit (import ../lib.nix { }) mkSimpleTrayService; + inherit (import ../lib.nix {}) mkSimpleTrayService; in { - home.packages = [ packages'.salut ]; + home.packages = [ + packages'.salut + ]; xdg.configFile."salut/config.ini" = { enable = true; 
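Review bot: Buried in what is otherwise a re-indentation, `filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}` and `decsync_dir = ${config.xdg.dataHome}/decsync-${suffix}` on the new side point at different directories than the old `radicale/radicale-${suffix}` and `decsync/decsync-${suffix}`, so the restarted services will start from an empty store and no longer see existing calendar data. If the relocation is intended it should be stated in the commit message and the old directories migrated; otherwise the two paths should be reverted. `mkRadicaleService` starts inside the hunk, but the `let` that introduces it begins outside it.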
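Review bot: The new header `{ pkgs, config, ... }:` in redshift.nix introduces `pkgs` and `config`, but the body only imports `passwords.crypt.nix` and uses neither; the salut.nix hunk below does the same with `config` and `lib`, and the waybar.nix header hunk with `config` (unused in the visible hunks). Unused module arguments should be dropped (`_:` or `{...}:`) so readers do not search for a consumer. `provider = "manual"` and `general.adjustment-method = "wayland"` also disappear from the new side; if the module default for `provider` is not `manual`, the longitude/latitude read from the encrypted file will be ignored, which is worth confirming before merging.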
@@ -27,5 +36,7 @@ in onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; + systemd.user.services.salut = mkSimpleTrayService { + execStart = "${packages'.salut}/bin/salut"; + }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index df72028..1e9cacd 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
@@ -1,134 +1,482 @@ -{ - config, - pkgs, - repoFlake, - lib, - ... -}: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ +{pkgs, ...}: let + packagedExtensions = with pkgs.vscode-extensions; [ + # bbenoist.Nix + ms-vscode-remote.remote-ssh + + vscodevim.vim + ]; + + marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + # { + # name = "vim"; + # publisher = "vscodevim"; + # version = "1.17.1"; + # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + # } + # { + # name = "remote-ssh-edit"; + # publisher = "ms-vscode-remote"; + # version = "0.56.0"; + # sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r"; + # } + { + name = "Theme-NaturalContrast-With-HC"; + publisher = "74th"; + version = "1.0.0"; + sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm"; + } + { + name = "markdown-toc"; + publisher = "AlanWalk"; + version = "1.5.6"; + sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5"; + } + { + name = "Paper-tmTheme"; + publisher = "DiryoX"; + version = "0.4.0"; + sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0"; + } + { + name = "Monokai-Polished"; + publisher = "Mit"; + version = "0.3.1"; + sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1"; + } + { + name = "dot"; + publisher = "Stephanvs"; + version = "0.0.1"; + sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf"; + } + { + name = "rust-snippets"; + publisher = "ZakCodes"; + version = "0.0.1"; + sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2"; + } + { + name = "better-comments"; + publisher = "aaron-bond"; + version = "2.1.0"; + sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp"; + } + { + name = "vscode-icalendar"; + publisher = "af4jm"; + version = "1.0.1"; + sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79"; + } + { + name = "hugofy"; + publisher = "akmittal"; + version = "0.1.1"; + sha256 = 
"02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg"; + } + { + name = "asciidoctor-vscode"; + publisher = "asciidoctor"; + version = "2.8.4"; + sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad"; + } + { + name = "markdown-preview-github-styles"; + publisher = "bierner"; + version = "0.1.6"; + sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw"; + } + { + name = "made-of-code"; + publisher = "brian-yu"; + version = "0.0.5"; + sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965"; + } + { + name = "better-toml"; + publisher = "bungcip"; + version = "0.3.2"; + sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3"; + } + { + name = "tabulous"; + publisher = "bwildeman"; + version = "1.2.0"; + sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9"; + } + { + name = "bracket-pair-colorizer"; + publisher = "CoenraadS"; + version = "1.0.61"; + sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652"; + } + { + name = "mustache"; + publisher = "dawhite"; + version = "1.1.1"; + sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y"; + } + { + name = "vscode-nomnoml"; + publisher = "doctorrustynelson"; + version = "0.3.0"; + sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43"; + } + { + name = "gitlens"; + publisher = "eamodio"; + version = "11.0.5"; + sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88"; + } + { + name = "monokai-light"; + publisher = "ethansugar"; + version = "0.2.1"; + sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0"; + } + { + name = "Theme-Monokai-Contrast"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm"; + } + { + name = "Theme-snappy-light"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w"; + } + { + name = "vscode-pull-request-github"; + publisher = "GitHub"; + version = "0.21.3"; + sha256 = 
"0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0"; + } + { + name = "go"; + publisher = "golang"; + version = "0.19.0"; + sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98"; + } + { + name = "terraform"; + publisher = "hashicorp"; + version = "2.3.0"; + sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq"; + } + { + name = "bonsai"; + publisher = "hawkeyegold"; + version = "1.4.0"; + sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89"; + } + { + name = "live-html-previewer"; + publisher = "hdg"; + version = "0.3.0"; + sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p"; + } + { + name = "yuml"; + publisher = "JaimeOlivares"; + version = "3.5.1"; + sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0"; + } + { + name = "latex-workshop"; + publisher = "James-Yu"; + version = "8.14.0"; + sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi"; + } + { + name = "plantuml"; + publisher = "jebbs"; + version = "2.13.16"; + sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si"; + } + { + name = "tasks-chooser"; + publisher = "jeremyfa"; + version = "0.3.0"; + sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi"; + } + { + name = "asciidoctor-vscode"; + publisher = "joaompinto"; + version = "2.8.0"; + sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x"; + } + { + name = "contrast-theme"; + publisher = "johndugan"; + version = "1.1.10"; + sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw"; + } + { + name = "theme-dark-plus-contrast"; + publisher = "k3a"; + version = "0.1.101"; + sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419"; + } + { + name = "vscode-gist"; + publisher = "kenhowardpdx"; + version = "3.0.3"; + sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw"; + } + { + name = "quick-open"; + publisher = "leizongmin"; + version = "1.1.0"; + sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp"; + } + { + name = 
"rainbow-csv"; + publisher = "mechatroner"; + version = "1.7.1"; + sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw"; + } + { + name = "openapi-lint"; + publisher = "mermade"; + version = "1.2.0"; + sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49"; + } + { + name = "swagger-doc-viewer"; + publisher = "mimarec"; + version = "1.0.4"; + sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx"; + } + { + name = "vscode-clang"; + publisher = "mitaki28"; + version = "0.2.3"; + sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr"; + } + { + name = "prettify-json"; + publisher = "mohsen1"; + version = "0.0.3"; + sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn"; + } + { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.8.1"; + sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8"; + } + { + name = "python"; + publisher = "ms-python"; + version = "2020.11.371526539"; + sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3"; + } + { + name = "jupyter"; + publisher = "ms-toolsai"; + version = "2020.11.372831992"; + sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658"; + } + # fails to download C/C++ tools + # { + # name = "cpptools"; + # publisher = "ms-vscode"; + # version = "1.1.2"; + # sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg"; + # } + { + name = "vscode-quick-open-create"; + publisher = "nocksock"; + version = "0.6.0"; + sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j"; + } + { + name = "indent-rainbow"; + publisher = "oderwat"; + version = "7.4.0"; + sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p"; + } + { + name = "phantypist"; + publisher = "paulofallon"; + version = "1.0.3"; + sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62"; + } + { + name = "swaggitor"; + publisher = "qnsolutions"; + version = "0.1.1"; + sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1"; + } + { + name = 
"vscode-yaml"; + publisher = "redhat"; + version = "0.13.0"; + sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig"; + } + { + name = "papercolor-vscode"; + publisher = "rozbo"; + version = "0.4.0"; + sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm"; + } + { + name = "iferrblocks"; + publisher = "rstuven"; + version = "1.1.1"; + sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw"; + } + { + name = "rust"; + publisher = "rust-lang"; + version = "0.7.8"; + sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3"; + } + { + name = "bracket-jumper"; + publisher = "sashaweiss"; + version = "1.1.8"; + sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs"; + } + { + name = "just"; + publisher = "skellock"; + version = "2.0.0"; + sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl"; + } + { + name = "line-endings"; + publisher = "steditor"; + version = "1.0.3"; + sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "vscode-open-in-github"; + publisher = "sysoev"; + version = "1.14.0"; + sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp"; + } + { + name = "html-preview-vscode"; + publisher = "tht13"; + version = "0.2.5"; + sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v"; + } + { + name = 
"scrolloff"; + publisher = "tickleforce"; + version = "0.0.4"; + sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq"; + } + { + name = "shellcheck"; + publisher = "timonwong"; + version = "0.12.1"; + sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2"; + } + { + name = "sort-lines"; + publisher = "Tyriar"; + version = "1.9.0"; + sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl"; + } + # slow and currently not needed + # { + # name = "vscode-lldb"; + # publisher = "vadimcn"; + # version = "1.6.0"; + # sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi"; + # } + # { + # name = "vim"; + # publisher = "vscodevim"; + # version = "1.17.1"; + # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + # } + { + name = "prettify-selected-json"; + publisher = "vthiery"; + version = "1.0.3"; + sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb"; + } + { + name = "debug"; + publisher = "webfreak"; + version = "0.25.0"; + sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1"; + } + { + name = "clang-format"; + publisher = "xaver"; + version = "1.9.0"; + sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b"; + } + { + name = "vscode-capnp"; + publisher = "xmonader"; + version = "1.0.0"; + sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc"; + } + { + name = "plsql-language"; + publisher = "xyz"; + version = "1.8.2"; + sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr"; + } + { + name = "markdown-pdf"; + publisher = "yzane"; + version = "1.4.4"; + sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf"; + } + { + name = "vscode-proto3"; + publisher = "zxh404"; + version = "0.5.2"; + sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf"; + } + ]; +in { programs.vscode = { enable = true; - package = pkgsVscodium.vscodium; + package = pkgs.vscodium; extensions = - with pkgsVscodium.vscode-extensions; - [ - eamodio.gitlens - mkhl.direnv - 
tomoki1207.pdf - vscodevim.vim - - # bbenoist.nix - jnoortheen.nix-ide - - ms-vscode.theme-tomorrowkit - nonylene.dark-molokai-theme - - ms-python.vscode-pylance - - # TODO: these are not in nixpkgs - - # fredwangwang.vscode-hcl-format - # hashicorp.hcl - # mindaro-dev.file-downloader - # ms-vscode.remote-explorer - - # TODO: not compatible with vscodium - # ms-vscode-remote.remote-ssh - ] - ++ ( - let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; - [ - - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter - - tamasfe.even-better-toml - golang.go - jeff-hykin.better-go-syntax - blueglassblock.better-json5 - nefrob.vscode-just-syntax - # fabianlauer.vs-code-xml-format - - bierner.emojisense - ] - ) - ++ ( - let - nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' - vscode_version = "${config.programs.vscode.package.version}" - - [[extensions]] - publisher_name = "FelixZeller" - extension_name = "markdown-oxide" - - [[extensions]] - publisher_name = "ibecker" - extension_name = "treefmt-vscode" - - [[extensions]] - publisher_name = "AntiAntiSepticeye" - extension_name = "vscode-color-picker" - - # [[extensions]] - # publisher_name = "nefrob" - # extension_name = "vscode-just-syntax" - - [[extensions]] - publisher_name = "fabianlauer" - extension_name = "vs-code-xml-format" - ''; - - nix4vscodeNix = - pkgs.runCommand "nix4vscode.nix" - { - # nix4vscode needs internet access - __noChroot = true; - requiredSystemFeatures = [ "recursive-nix" ]; - buildInputs = [ - pkgs.nix - pkgs.cacert - (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) - # pkgs.strace - ]; - # outputHashAlgo = "sha256"; - # outputHashMode = "recursive"; - # outputHash = lib.fakeSha256; - } - '' - # set -x - # export RUST_BACKTRACE=full - # export RUST_LOG=trace - export HOME=$(mktemp -d) - # strace -ffZyyY - nix4vscode 
${nix4vscodeToml} > $out - ''; - nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ - "override" - "overrideDerivation" - ]; - nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( - _: v: builtins.head (builtins.attrValues v) - ) nix4vscodeExtensions; - in - nix4vscodeExtensions' - ); - mutableExtensionsDir = true; + [] ++ packagedExtensions + # ++ marketPlaceExtensions + ; }; - home.packages = [ - pkgs.nil - pkgs.nixfmt-rfc-style - ]; + home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; } # TODO: automate +# rustup install stable +# rustup component add rust-analysis --toolchain stable +# rustup component add rust-src --toolchain stable +# rustup component add rls --toolchain stable ### original list: # 74th.Theme-NaturalContrast-With-HC # AlanWalk.markdown-toc @@ -202,3 +550,4 @@ in # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 + diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css index 664a47f..60eff50 100644 --- a/nix/home-manager/programs/waybar.css +++ b/nix/home-manager/programs/waybar.css @@ -1,5 +1,6 @@ + #custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; } diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index a559dfc..05392c5 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -1,5 +1,9 @@ -{ pkgs, repoFlake, ... }: { + pkgs, + config, + repoFlake, + ... +}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 
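Review bot: `marketPlaceExtensions` lists `code-spell-checker` and `code-spell-checker-german` twice each with identical version and sha256, and `asciidoctor-vscode` once under publisher `asciidoctor` and once under `joaompinto`; the duplicates should be removed before the list is re-enabled through the commented `# ++ marketPlaceExtensions`. `packagedExtensions` now includes `ms-vscode-remote.remote-ssh`, which the removed side had flagged as `# TODO: not compatible with vscodium`, and `package = pkgs.vscodium;` is kept, so that note should be carried over or the entry dropped. Every marketplace entry being pinned by version and sha256 keeps extension installs reproducible and verifiable, which is the right shape for this list.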
@@ -8,18 +12,17 @@ programs.waybar = { enable = true; - package = - repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; + package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = + pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { layer = "top"; position = "bottom"; height = 30; - output = - # hide the bar on HEADDLESS displays as i use them only for screensharing - (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; + output = ["*"]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 333d3d7..724051b 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -3,29 +3,27 @@ lib, pkgs, ... -}: -let - just-plugin = - let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: let + just-plugin = let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -37,8 +35,7 @@ let chmod --recursive a-w $out ''; }; -in -{ +in { programs.zsh = { enable = true; 
@@ -49,64 +46,60 @@ in # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in '' + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + # Automatic rehash + zstyle ':completion:*' rehash true + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Automatic rehash - zstyle ':completion:*' rehash true + # Disable intercepting of ctrl-s and ctrl-q as flow control. + stty stop ''' -ixoff -ixon - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + # don't cd into directories when executed + unsetopt AUTO_CD - ${ - if builtins.hasAttr "homeshick" pkgs then - '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else - "" - } + export NIX_PATH="nixpkgs=${pkgs.path}" - # Disable intercepting of ctrl-s and ctrl-q as flow control. 
- stty stop ''' -ixoff -ixon + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - # don't cd into directories when executed - unsetopt AUTO_CD + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" - - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} - - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { + # will source zsh-autosuggestions.plugin.zsh name = "zsh-autosuggestions"; - src = pkgs.zsh-autosuggestions; + src = pkgs.fetchFromGitHub { + owner = "zsh-users"; + repo = "zsh-autosuggestions"; + rev = "v0.6.3"; + sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c"; + }; } { name = "enhancd"; @@ -114,8 +107,8 @@ in src = pkgs.fetchFromGitHub { owner = "b4b4r07"; repo = "enhancd"; - rev = "v2.5.1"; - sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; + rev = "v2.2.4"; + sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp"; }; } { @@ -134,10 +127,7 @@ in oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = [ - "git" - "sudo" - ]; + plugins = ["git" "sudo"]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index 136a5a1..ee885cf 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,8 +1,7 @@ -{ lib, ... }: -{ +{lib, ...}: { options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = { }; + default = {}; }; } 
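Review bot: The `src` for the zsh-autosuggestions plugin now comes from `pkgs.fetchFromGitHub` at `rev = "v0.6.3"` instead of the nixpkgs-packaged `pkgs.zsh-autosuggestions`, which takes the plugin out of the nixpkgs update cadence and pins a release that is likely older than what the channel ships; the fixed `sha256` does keep the fetch content-addressed, so a moved tag would fail the build rather than substitute different code. The same pattern appears in the enhancd hunk at `@@ -114,8 +107,8 @@`, where `rev` moves from `v2.5.1` to `v2.2.4` and the SRI hash is replaced by a legacy base32 one. If the downgrade is intentional, a comment next to each `rev` stating the reason (e.g. `# pinned: newer releases break <reason>`) would stop the next maintainer from treating these as stale pins; otherwise `src = pkgs.zsh-autosuggestions;` is the smaller change. The `programs.zsh` attrset that holds `initExtra` and `plugins` begins outside the hunk.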
diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index da1e42a..a752173 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix @@ -1,37 +1,38 @@ -{ pkgs, ... }: { + inputs', + system, + config, + lib, + pkgs, + ... +}: { packages = { - myPython = pkgs.python310.withPackages ( - ps: + myPython = pkgs.python310.withPackages (ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [ - pkgs.pypi2nix - pkgs.libffi - ] - ); + pyaml + requests + ] + ++ [pkgs.pypi2nix pkgs.libffi]); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index 0d14a2f..332fc55 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,12 +1,14 @@ + # WARN: this file will get overwritten by $ cachix use -{ lib, ... }: +{ pkgs, lib, ... }: + let folder = ./cachix; - toImport = name: _value: folder + ("/" + name); + toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in -{ +in { inherit imports; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.substituters = ["https://cache.nixos.org/"]; } + diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index 1c0cca7..e370450 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix 
@@ -1,8 +1,12 @@ + { nix = { - settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; + settings.substituters = [ + "https://nixpkgs-wayland.cachix.org" + ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; }; } + diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix new file mode 100644 index 0000000..608ac47 --- /dev/null +++ b/nix/os/containers/backup-target.nix 
@@ -0,0 +1,87 @@ +{ + hostAddress, + localAddress, + containerBackupCfg, + sshPort ? containerBackupCfg.portInt, + autoStart ? false, +}: { + config = { + config, + pkgs, + lib, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? + + imports = [../profiles/containers/configuration.nix]; + + networking.firewall.enable = false; + + # services.ddclientovh = { + # enable = true; + # domain = containerBackupCfg.addr; + # }; + + services.openssh.enable = true; + + users.extraUsers."${containerBackupCfg.user}" = { + uid = 2000; + group = containerBackupCfg.group; + shell = pkgs.bashInteractive; + home = "/${containerBackupCfg.targetPath}"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 bkp" + ]; + + packages = with pkgs; [btrfs-progs]; + + isSystemUser = true; + }; + + security.sudo = { + enable = true; + extraRules = [ + { + users = ["bkp"]; + commands = [ + { + command = "/etc/profiles/per-user/bkp/bin/btrfs"; + options = ["NOPASSWD"]; + } + { + command = "/run/current-system/sw/bin/readlink"; + options = ["NOPASSWD"]; + } + { + command = "/run/current-system/sw/bin/test"; + options = ["NOPASSWD"]; + } + ]; + } + ]; + }; + }; + + inherit autoStart; + + bindMounts = { + "/${containerBackupCfg.targetPath}" = { + hostPath = "/var/lib/container-volumes/backup-target"; + isReadOnly = false; + }; + }; + + extraFlags = ["--resolv-conf=bind-host"]; + + privateNetwork = true; + forwardPorts = [ + { + # ssh + containerPort = 22; + hostPort = sshPort; + protocol = "tcp"; + } + ]; + + inherit hostAddress localAddress; +} diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 2c2c171..864aa20 100644 --- a/nix/os/containers/backup.nix +++ b/nix/os/containers/backup.nix 
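Review bot: The sudo rule hardcodes the account as `users = ["bkp"]` and the command as `/etc/profiles/per-user/bkp/bin/btrfs`, while the account itself is declared as `users.extraUsers."${containerBackupCfg.user}"` with `packages = with pkgs; [btrfs-progs]`; if `containerBackupCfg.user` is ever anything other than `bkp`, the NOPASSWD rule names a user that does not exist and points at a per-user profile that is never populated, so the sudo-based remote btrfs invocations this account is set up for would be refused. Deriving both from the same value keeps them in step: `users = [containerBackupCfg.user];` and `command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";`. Separately, `networking.firewall.enable = false;` is set in a container that is only meant to be reached through the single forwarded SSH port in `forwardPorts`; unless the imported `../profiles/containers/configuration.nix` already handles this, `networking.firewall.allowedTCPPorts = [22];` with the firewall left enabled expresses the same intent with a narrower exposure.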
@@ -5,107 +5,88 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: -let +}: let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in -{ - config = - { pkgs, ... }: - { - system.stateVersion = "20.03"; # Did you read the comment? +in { + config = {pkgs, ...}: { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - environment.systemPackages = with pkgs; [ - btrfs-progs - btrbk - ]; + environment.systemPackages = with pkgs; [btrfs-progs btrbk]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = { - Type = "oneshot"; - }; + serviceConfig = {Type = "oneshot";}; - after = [ "bkp-run.service" ]; + after = ["bkp-run.service"]; - requires = [ "bkp-run.service" ]; + requires = ["bkp-run.service"]; - path = with pkgs; [ utillinux ]; - script = '' - set -x - true + path = with pkgs; [utillinux]; + script = '' + set -x + true + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = {Type = "oneshot";}; + + partOf = ["bkp-sync.service"]; + + path = with pkgs; [btrfs-progs btrbk coreutils]; + + script = let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target 
${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" + subvolumes} ''; - }; + in '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; - serviceConfig = { - Type = "oneshot"; - }; - - partOf = [ "bkp-sync.service" ]; - - path = with pkgs; [ - btrfs-progs - btrbk - coreutils - ]; - - script = - let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} - ''; - in - '' - #! 
${pkgs.bash}/bin/bash - set -Eeuxo pipefail - - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; - - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ - "timer.target" - "multi-user.target" - ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; - }; + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = ["timer.target" "multi-user.target"]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; }; }; + }; inherit autoStart; @@ -133,10 +114,10 @@ in } ]; - extraFlags = [ "--resolv-conf=bind-host" ]; + extraFlags = ["--resolv-conf=bind-host"]; privateNetwork = true; - forwardPorts = [ ]; + forwardPorts = []; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 0be078c..d113925 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
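Review bot: `wantedBy = ["timer.target" "multi-user.target"];` in the `systemd.timers."bkp"` block names `timer.target`, which is not a systemd target; the standard one is `timers.target`, so the timer is currently pulled in only through `multi-user.target` and the first entry is inert, and `wantedBy = ["timers.target"];` is what was presumably meant. `Persistent = "true";` also has no effect here, because systemd applies `Persistent=` only to `OnCalendar=` timers and this unit uses `OnStartupSec`/`OnUnitInactiveSec`; it would only matter if the commented-out `OnCalendar` line is reinstated, which is worth saying in a comment next to it. Note as well that the btrbk configuration written with `pkgs.writeText "cfg"` lands in the world-readable Nix store, so the `ssh_identity`, `ssh_user` and `target` values interpolated from `passwords.storage.backupTarget` are readable by every local user; these are a path, a user name and a host rather than the key itself, but if any of them is meant to stay private it should be supplied at runtime instead. The enclosing attrset begins before the hunk.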
@@ -1,210 +1,194 @@ { - specialArgs, - hostBridge, + repoFlake, hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { - pkgs, - config, - repoFlake, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? +}: { + config = { + pkgs, + config, + lib, + ... + }: { + system.stateVersion = "21.11"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = 
./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; - - modules = [ pkgs.dovecot_pigeonhole ]; - protocols = [ "sieve" ]; - - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes - - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } - - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } - - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --idle=INBOX --rcfile=${rc} - ''; - }; - - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - 
serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = - let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = 
./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + + # TODO: switch to something other than ddclient as it's no longer maintained + + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; + + modules = [pkgs.dovecot_pigeonhole]; + protocols = ["sieve"]; + + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } + + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } + + protocol imap { + mail_max_userip_connections = 64 + } + ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", 
"${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [pkgs.getmail6]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + }; inherit autoStart; 
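Review bot: `networking.firewall.allowedTCPPorts = [imapsPort sievePort];` is removed from the container configuration with nothing replacing it, even though `imapsPort` and `sievePort` stay in the argument set and dovecot still serves IMAP and sieve. If `../profiles/containers/configuration.nix` leaves the NixOS firewall enabled, the ports the host forwards in `forwardPorts` would be blocked inside the container; if it disables the firewall, the listeners are reachable on every container interface rather than only the intended ports. Either way the intent should be explicit, so re-add `networking.firewall.allowedTCPPorts = [imapsPort sievePort];` next to the `imports` list. `lib` is added to the module's argument set, but nothing visible in the hunk uses it.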
@@ -219,6 +203,8 @@ }; }; + # extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -236,5 +222,5 @@ } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index f519b36..ffb595a 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
@@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn - R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 - dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj - bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl - T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2023-07-02T20:30:30Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds - 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf - SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb - 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc - Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc - RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx - 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 - uGcEfsNiUXPngkNrh/Nvhh9w - =yHDZ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock deleted file mode 100644 index 0a7597d..0000000 --- a/nix/os/containers/mycelium/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723875769, - "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", - "type": "github" - }, - "original": { - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixlib": { - "locked": { - "lastModified": 1728781282, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728867876, - "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", - "type": 
"github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1728897630, - "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nix-snapshotter": "nix-snapshotter", - "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix deleted file mode 100644 index 1527acf..0000000 --- a/nix/os/containers/mycelium/flake.nix +++ /dev/null 
@@ -1,371 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; - # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nix-snapshotter = { - url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - outputs = - { self, nixpkgs, ... }: - let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in - { - nixosConfigurations.default = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - - specialArgs = { }; - - modules = [ - ( - { - config, - modulesPath, - pkgs, - lib, - ... - }: - { - nixpkgs.overlays = [ - (_final: _previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; - - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # 
withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; - - imports = [ (modulesPath + "/profiles/minimal.nix") ]; - system.stateVersion = "24.11"; - - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; - - services.nscd.enable = false; - system.nssModules = lib.mkForce [ ]; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; - - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; - - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; - - boot.kernelParams = [ "systemd.log_level=debug" ]; - - # services.udev.enable = false; - - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - - systemd.mounts = lib.mkForce [ ]; - fileSystems = lib.mkForce { }; - - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - - systemd.services.testing-credentials = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils ]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - }; - }; - - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" - ''; - }; - }; - } - ) - ]; - }; - packages = forAllSystems ( - system: - let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [ 9651 ]; - udp = [ - 9650 - 9651 - ]; - }; - - inherit (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [ entrypoint ]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in - { - k8s = - let - pod = pkgs.writeText "${name}-pod.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = { - inherit name; - }; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; - } - ]; - } - ); - - service = pkgs.writeText "${name}-service.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = { - inherit name; - }; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } - ]; - }; - } - ); - in - pkgs.runCommand "declarative-k8s" { } '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - - inherit image; - - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; - - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; - - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - } - ); - }; -} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 921662f..72aaab8 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -1,81 +1,31 @@ { - specialArgs, - hostBridge, hostAddress, localAddress, syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, - smbTcpPort ? 445, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { ... }: - { - system.stateVersion = "20.05"; # Did you read the comment? +}: { + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; - }; - - services.samba = { - enable = true; - securityType = "user"; - openFirewall = true; - settings = { - global = { - "workgroup" = "DMZ"; - "server string" = "syncthing"; - "netbios name" = "syncthing"; - "security" = "user"; - #"use sendfile" = "yes"; - #"max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 - "hosts allow" = "192.168.23. 127.0.0.1 localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "scan-stefan" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - - "scan-justyna" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - }; - }; - - - # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative - # sops.secrets.smbpasswd = { - # }; - # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; }; + }; inherit autoStart; @@ -86,6 +36,8 @@ }; }; + extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -103,12 +55,7 @@ hostPort = syncthingLocalAnnouncePort; protocol = "udp"; } - { - containerPort = 445; - hostPort = smbTcpPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 6389cc5..520aa30 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
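Review bot: The Syncthing admin GUI stays bound to every interface (`guiAddress = "0.0.0.0:8384";`) and the newly explicit `networking.firewall.enable = true;` together with `allowedTCPPorts = [ 8384 ]` opens it inside the container, so with `privateNetwork = true` the GUI is reachable from anything that can route to `localAddress`, and nothing in this hunk configures GUI authentication. Since `localAddress` is already a parameter of this file, restricting the bind — `guiAddress = "${localAddress}:8384";` — or setting GUI credentials in the Syncthing settings would narrow the exposure; whether the host additionally forwards or NATs 8384 is not visible here. The Samba share and its port-445 forward are removed together with the smbpasswd TODO, so that part leaves nothing dangling.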
@@ -1,427 +1,210 @@ { - specialArgs, - hostBridge, + repoFlake, hostAddress, localAddress, - httpPort, - httpsPort, - forgejoSshPort, + httpPort ? 80, + httpsPort ? 443, autoStart ? false, -}: -let +}: let domain = "www.stefanjunker.de"; -in -{ - inherit specialArgs; - config = - { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: - let - nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; - in - { - system.stateVersion = "22.05"; # Did you read the comment? - - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = 
{ - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = - let - originURL = config.services.kanidm.serverSettings.origin; - in - { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - 
services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = - let - baseDir = "/var/lib/authelia-default"; - in - { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = { }; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = 
config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = { }; - sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; - sops.secrets.FORGEJO_SECRET_KEY = { }; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = [ "kanidm.service" ]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - { - enable = true; - requiredBy = [ "kanidm.service" ]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; 
- serviceConfig.Type = "oneshot"; - script = - let - tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; - in - '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir - ]; - }; - - services.kanidm = - let - dataDir = "/var/lib/kanidm"; - in - { - package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; - - enablePam = false; - enableClient = false; - - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; - - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; - - - bindaddress = "127.0.0.1:8444"; - - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; - - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; - - online_backup = { - schedule = "00 06 * * *"; - }; - }; - }; +in { + config = { + config, + pkgs, + lib, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? + + imports = [ + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; + + networking.firewall.enable = false; + + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; }; + services.caddy = { + enable = true; + virtualHosts."${domain}" = { + extraConfig = let + port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; + path = "${config.services.authelia.instances.default.settings.server.path}"; + in '' + redir /hedgedoc* https://hedgedoc.${domain} + + respond "Hi!" 
+ ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + }; + + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + + allowEmailRegister = false; + email = false; + + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; + }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = let + baseDir = "/var/lib/authelia-default"; + in { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + 
settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = {}; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". 
+ # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + }; + inherit autoStart; bindMounts = { @@ -453,18 +236,11 @@ in hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; isReadOnly = false; }; - - "/var/lib/forgejo" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; - isReadOnly = false; - }; - - "/var/lib/kanidm" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; - isReadOnly = false; - }; }; + # extraFlags = ["--resolv-conf=bind-host"]; + # networking.useHostResolvConf = true; + privateNetwork = true; forwardPorts = [ { @@ -479,14 +255,7 @@ in hostPort = httpsPort; protocol = "tcp"; } - - { - # forgejo ssh - containerPort = forgejoSshPort; - hostPort = forgejoSshPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml index 62dc6e8..29bb119 100644 --- a/nix/os/containers/webserver_secrets.yaml +++ b/nix/os/containers/webserver_secrets.yaml 
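Review bot: `networking.firewall.enable = false;` replaces the previous explicit allow-list (`allowedTCPPorts = [ httpPort httpsPort forgejoSshPort ]`) with no container firewall at all, while lldap, whose `settings` in this hunk set no bind address, presumably listens on all interfaces of the container by default (confirm lldap's default `ldap_host`/`http_host`), so its LDAP and HTTP ports would be reachable on `localAddress` from the host network even though Caddy's other upstreams are loopback-bound. Restoring an allow-list that matches what `forwardPorts` exposes is two lines: `networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ httpPort httpsPort ];`. Separately, the `let port = …; path = …; in` inside `virtualHosts."${domain}"` binds `path` to `settings.server.path`, which this same hunk leaves commented out (`# path = "authelia";`); both bindings are unused so laziness hides it today, but any future use fails at eval time — drop them. The now-active `bindCredentials = "$LDAP_ADMIN_PASSWORD";` only works if the hedgedoc module substitutes placeholders from `environmentFile` at runtime; the comment above it should state that explicitly, e.g. `# placeholder, substituted from environmentFile at service start`, so nobody later "fixes" it into a literal secret in the store.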
@@ -1,45 +1,41 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] +hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_environmentFile: ENC[AES256_GCM,data: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,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] 
-#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] -FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] -FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] -FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh - U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh - YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP - eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc - KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T12:28:51Z" - mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] - pgp: - - created_at: "2023-07-09T17:51:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-17T11:48:04Z" + mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD - gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO - 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ - XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w - YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku - bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI - F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i - g+ZF+9NNqOTKsBzEnuGsZRnI - =iXfo - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 02b0212..bc8e0ad 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,25 +1,20 @@ { dir, - pkgs ? import { }, - ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, + pkgs ? import {}, + ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -}@args: -let - rebuildargsSudo = [ - "switch" - "boot" - ]; - rebuild = - { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +} @ args: let + rebuildargsSudo = ["switch" "boot"]; + rebuild = { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -35,24 +30,25 @@ let ${ if - (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null - then - "sudo -E \\" - else - "" + (builtins.elem rebuildarg rebuildargsSudo) + && (builtins.match ".*--target-host.*" moreargs) == null + then "sudo -E \\" + else "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in -{ - recipes = { - rebuild = rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; +in { + recipes = + { + rebuild = + rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; + } + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; - } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); + // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); } 
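Review bot: The new side's `sops` metadata carries `lastmodified: "2023-07-17T11:48:04Z"` and `version: 3.7.3`, older than the removed `"2024-10-16T12:28:51Z"` / `3.8.1`, and the `hedgedoc_environment_file` ciphertext changes alongside the three removed `FORGEJO_*` entries. That pattern looks like an older snapshot of the file being restored rather than the forgejo keys being deleted through `sops` and the file re-encrypted; if the hedgedoc value was rotated after July 2023, this quietly reverts that rotation. Worth decrypting both revisions and confirming every remaining key's plaintext is the intended current value before deploying, since a valid MAC only proves the file is internally consistent, not that its values are current.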
diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f639344..f62c6a9 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -3,29 +3,40 @@ ownLib, dir, gitRoot, - diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, + diskId ? + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .encrypted, previousDiskId ? "", ... -}: -let +}: let mntRootVol = "/mnt/${diskId}-root"; -in -rec { +in rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ + ownLib.disk.rootFsDevice diskId + } ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -62,7 +73,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice + read -p "Continue to format ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted ''
# Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId}
-
- sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
+ sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
+ ownLib.disk.luksName diskId
+ }
''}
# LVM
- sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
+ sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
+ ownLib.disk.lvmPv diskId encrypted
+ }
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash
set -xe
- read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
+ read -p "Continue to relabel ${
+ ownLib.disk.bootGrubDevice diskId
+ } (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then
- ${pkgs.lib.strings.optionalString encrypted ''
- sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
- ''}
+ ${
+ pkgs.lib.strings.optionalString encrypted ''
+ sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
+ ownLib.disk.luksName diskId
+ }
+ ''
+ }
sync
sleep 1
if sudo vgs ${previousDiskId}; then
diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix
index 6698046..4d8c1d1 100644
--- a/nix/os/devices/elias-e525/boot.nix
+++ b/nix/os/devices/elias-e525/boot.nix
@@ -1,5 +1,4 @@
-{ lib, ... }:
-{
- boot.loader.grub.efiSupport = lib.mkForce false;
+{lib, ...}: {
+ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}
diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix
index ea92869..8974207 100644
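Review bot: `boot.loader.grub.efiInstallAsRemovable = lib.mkForce true` replaces `efiSupport = false` in elias-e525/boot.nix, but the configuration.nix hunk that follows drops `./boot.nix` from `imports`, so neither this setting nor `canTouchEfiVariables = false` is applied to elias-e525 any more unless the module is imported elsewhere. Editing and orphaning the same module in one commit reads like a merge slip; either keep the import or delete the file. The disk.nix hunks above only re-wrap `${...}` interpolations inside the shell strings and do not change what the scripts run.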
--- a/nix/os/devices/elias-e525/configuration.nix
+++ b/nix/os/devices/elias-e525/configuration.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+{...}: {
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
@@ -10,6 +9,5 @@
./hw.nix
./pkg.nix
./user.nix
- ./boot.nix
];
}
diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix
index ba02693..c169019 100644
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@@ -3,20 +3,20 @@
repoFlake,
nodeFlake,
...
-}:
-let
+}: let
system = "x86_64-linux";
-in
-{
+in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
+ inherit system;
+ };
${nodeName} = {
- deployment.targetHost = "elias-e525.lan";
+ deployment.targetHost = "192.168.15.198";
deployment.replaceUnknownProfiles = false;
# deployment.allowLocalDeployment = true;
diff --git a/nix/os/devices/elias-e525/flake.lock b/nix/os/devices/elias-e525/flake.lock
index 9616d4f..dc66cc4 100644
--- a/nix/os/devices/elias-e525/flake.lock
+++ b/nix/os/devices/elias-e525/flake.lock
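Review bot: `deployment.targetHost = "192.168.15.198"` replaces the DNS name `elias-e525.lan` in elias-e525/default.nix, so deployments now go to whichever host holds that address rather than to the named machine; if the name was resolving unreliably, pinning it on the deploy host (`/etc/hosts` entry or a static lease) keeps the name-to-host binding visible and auditable. If the literal address is intentional, a comment such as `# literal LAN address: <reason the .lan name is not used>` next to the line records why. The `${nodeName}` attribute set this hunk edits continues past the hunk.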
@@ -7,32 +7,32 @@
]
},
"locked": {
- "lastModified": 1703113038,
- "narHash": "sha256-oxkyzjpD+mNT7arzU/zHrkNHLuY9tKwmnD2MNaZiSDw=",
+ "lastModified": 1687871164,
+ "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "0c2353d5d930c3d93724df6858aef064a31b3c00",
+ "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
- "ref": "release-23.11",
+ "ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
- "lastModified": 1703068421,
- "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+ "lastModified": 1688868408,
+ "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
+ "rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-23.11",
+ "ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix
index d5bd2c5..81d8a95 100644
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@@ -1,10 +1,10 @@
{
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.home-manager = {
- url = "github:nix-community/home-manager/release-23.11";
+ url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
- outputs = _: { };
+ outputs = _: {};
}
diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix
index 23d4edb..269281c 100644
--- a/nix/os/devices/elias-e525/hw.nix
+++ b/nix/os/devices/elias-e525/hw.nix
@@ -1,4 +1,4 @@
-_: {
+{...}: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;
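Review bot: `inputs.nixpkgs.url` and the home-manager `url` in elias-e525/flake.nix move this host from the 23.11 channels to `nixos-23.05` / `release-23.05`, a release that stopped receiving updates, security fixes included, once 23.11 shipped, so the pin lands elias-e525 on an unmaintained branch. If this is a deliberate rollback, a comment next to `inputs.nixpkgs.url` naming the reason and when the pin should be raised again stops the next reader from treating it as the intended baseline. The flake.lock hunk above is the mechanical consequence of this change.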
diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index 57d813e..e119032 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: -let +{ + pkgs, + lib, + ... +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -19,27 +22,26 @@ let rustdesk ]; }; -in -{ - services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { +in { + services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index d2a3efe..6763062 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,5 +1,10 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + config, + ... +}: let +in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -33,13 +38,11 @@ # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index c4690cf..196c96a 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -1,9 +1,12 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + lib, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 43334ed..6c1aaaf 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix 
@@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index 548caec..abe1717 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix @@ -1,8 +1,12 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -17,14 +21,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 958608a..98f59ba 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix 
@@ -1 +1,9 @@
-_: { }
+{
+ config,
+ pkgs,
+ ...
+}: let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix {}) mkUser;
+in {}
diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix
index 276eb87..c6dac79 100644
--- a/nix/os/devices/fwhost1/versions.nix
+++ b/nix/os/devices/fwhost1/versions.nix
@@ -4,12 +4,9 @@ let
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
-in
-{
+in {
inherit nixpkgs;
- nixos = nixpkgs // {
- suffix = "/nixos";
- };
+ nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix
index d3d0c19..c9dc8a9 100644
--- a/nix/os/devices/fwhost1/versions.tmpl.nix
+++ b/nix/os/devices/fwhost1/versions.tmpl.nix
@@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>'';
};
-in
-{
+in {
inherit nixpkgs;
- nixos = nixpkgs // {
- suffix = "/nixos";
- };
+ nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix
index 639698f..4d8c1d1 100644
--- a/nix/os/devices/fwhost2/boot.nix
+++ b/nix/os/devices/fwhost2/boot.nix
@@ -1,5 +1,4 @@
-{ lib, ... }:
-{
+{lib, ...}: {
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}
diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix
index fbdc4c0..ed238cb 100644
--- a/nix/os/devices/fwhost2/configuration.nix
+++ b/nix/os/devices/fwhost2/configuration.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+{...}: {
imports = [
../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix
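Review bot: The `let` bindings added to fwhost1/user.nix (`passwords`, `keys`, `mkUser`) are never used, since the module body is `in {}`, and `import ../../lib/default.nix {}` omits the `lib` argument that default.nix earlier in this diff and fwhost2/user.nix (`{inherit (pkgs) lib;}`) both pass; the call only avoids failing because Nix never forces the unused binding. Either bring back the user definitions these were meant for or keep the module as `{...}: {}`, and pass `lib` when the helper is actually called. fwhost1/system.nix, fwhost2/system.nix and fwhost2/user.nix appear to add unused `keys`/`config`/`passwords` bindings in the same way, though their bodies run beyond the hunks shown.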
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index a8891e3..c207b8c 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix @@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 652347f..54da0ba 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,8 +1,13 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + utils, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. 
@@ -17,14 +22,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index 47efa02..d7dc0dc 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -1,4 +1,12 @@ -_: { +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix 
@@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/hstk0/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/hstk0/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md deleted file mode 100644 index 60ee180..0000000 --- a/nix/os/devices/hstk0/README.md +++ /dev/null @@ -1,6 +0,0 @@ -## bootstrapping - -``` -# TODO: generate an SSH host-key and deploy it via --extra-files -nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 -``` diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix deleted file mode 100644 index 32fad43..0000000 --- a/nix/os/devices/hstk0/configuration.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - nodeFlake, - nodeName, - system, - ... -}: -{ - disabledModules = [ ]; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - repoFlake.inputs.sops-nix.nixosModules.sops - - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder - { - roles.nix-remote-builder.schedulerPublicKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" - - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - } - - ../../snippets/nix-settings.nix - { nix.settings.sandbox = lib.mkForce "relaxed"; } - - ../../snippets/mycelium.nix - - # user config - ../../profiles/common/user.nix - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - # { - # home-manager.users.steveej = {pkgs, ...}: { - # imports = [ - # ../../../home-manager/programs/pass.nix - # ../../../home-manager/programs/openvscode-server.nix - # ]; - # }; - # } - ]; - - services.openssh = { - enable = true; - openFirewall = true; - settings.PermitRootLogin = "yes"; - extraConfig = '' - StreamLocalBindUnlink yes - ''; - }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - - nat.enable = true; - firewall.enable = true; - - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; - }; - - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; - }; - }; - }; - }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm 
= { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; - - system.stateVersion = "24.05"; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.includeDefaultModules = true; - boot.initrd.kernelModules = [ - "dm-raid" - "dm-integrity" - "xhci_pci_renesas" - ]; - - hardware.enableRedistributableFirmware = true; - - virtualisation.libvirtd.enable = true; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix deleted file mode 100644 index 62e6cc1..0000000 --- a/nix/os/devices/hstk0/default.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "185.130.224.33"; - deployment.replaceUnknownProfiles = false; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/hstk0/flake.lock deleted file mode 100644 index 8389a6a..0000000 --- a/nix/os/devices/hstk0/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719401812, - "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", - "owner": "nix-community", - "repo": "disko", - "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1718530513, - "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719253556, - "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719254875, - "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - 
"home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719189969, - "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", - "owner": "numtide", - "repo": "srvos", - "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix deleted file mode 100644 index 6c9b22f..0000000 --- a/nix/os/devices/hstk0/flake.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - }; - - # outputs = _: {}; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "x86_64-linux"; - nodeName = "hostkey-0"; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; - - modules = [ ./configuration.nix ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { inherit system; }; - }; - }; -} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index a0204bc..3723c24 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
@@ -1,24 +1,16 @@ { - "enabled": 1, - "hidden": false, - "description": "Jobsets", - "nixexprinput": "src", - "nixexprpath": "default.nix", - "checkinterval": 300, - "schedulingshares": 100, - "enableemail": false, - "emailoverride": "", - "keepnr": 3, - "inputs": { - "src": { - "type": "git", - "value": "git://github.com/shlevy/declarative-hydra-example.git", - "emailresponsible": false - }, - "nixpkgs": { - "type": "git", - "value": "git://github.com/NixOS/nixpkgs.git release-16.03", - "emailresponsible": false + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, + "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } } - } } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 9d6bbe7..85006ed 100644 --- a/nix/os/devices/justyna-p300/boot.nix +++ b/nix/os/devices/justyna-p300/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false; diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix index e636106..f2cb3f7 100644 --- a/nix/os/devices/justyna-p300/configuration.nix +++ b/nix/os/devices/justyna-p300/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 427ce7e..907e60b 100644 --- a/nix/os/devices/justyna-p300/default.nix 
+++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 9b8b8ed..3e68abe 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = "github:nix-community/disko"; + inputs.disko.url = github:nix-community/disko; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index b68e082..0924dd2 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix @@ -1,6 +1,12 @@ -{ nodeFlake, ... }: { - imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; + repoFlake, + nodeFlake, + lib, + ... +}: { + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -14,7 +20,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "root"; @@ -24,14 +30,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; 
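Review bot: `inputs.disko.url = github:nix-community/disko;` in flake.nix switches the input URL to the unquoted URL-literal syntax, which Nix deprecated (RFC 45) and recent releases only accept behind a deprecated-features flag, so this line is the one most likely to stop evaluating on a newer Nix. The removed line already had the portable form; keep `inputs.disko.url = "github:nix-community/disko";`, which also matches `inputs.disko.inputs.nixpkgs.follows = "nixpkgs";` two lines below, where the value stays a string.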
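Review bot: The new argument set at the top of hw.nix adds `repoFlake` and `lib`, but neither name is referenced in this hunk nor in the file's two later hunks (`@@ -14,7 +20,7 @@`, `@@ -24,14 +30,14 @@`), so they look unused; the rest of the file is outside the diff, so please confirm before removing. The same pattern appears in system.nix (`config` added at `@@ -1,8 +1,11 @@`) and in router0-dmz0/configuration.nix (`modulesPath` and `packages'` added at `@@ -1,110 +1,38 @@`). Where an argument really is unused, keep the narrower header the old side had, `{ nodeFlake, ... }: {` here — unused formals misrepresent the module's dependencies to a reader and are flagged by deadnix-style linters.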
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index d23cfb0..2b9ebf0 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,8 +3,7 @@ lib, packages', ... -}: -let +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -24,19 +23,15 @@ let rustdesk ]; }; -in -{ - services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { +in { + services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce ( - with packages'; - [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ] - ); + services.printing.drivers = lib.mkForce (with packages'; [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ]); services.printing.extraConf = '' LogLevel debug @@ -44,29 +39,29 @@ in home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = - lib.attrsets.recursiveUpdate - (homeEnv { - layout = "de"; - options = [ ]; - variant = ""; - }) - { - services.syncthing.enable = true; - services.syncthing.tray = true; + lib.attrsets.recursiveUpdate (homeEnv { + layout = "de"; + options = []; + variant = ""; + }) { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ session-desktop ]; - }; + home.packages = with pkgs; [ + session-desktop + ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 82a7b02..44c3db9 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix 
@@ -1,8 +1,11 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -36,13 +39,11 @@ in # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index c4690cf..6d86c59 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -1,9 +1,11 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 07c6b1c..17f987d 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -1,110 +1,38 @@ -# TODO: don't pull in bluez (or any bluetooth components) { + modulesPath, repoFlake, + packages', pkgs, lib, config, nodeFlake, nodeName, - localDomainName, system, ... -}: -let - inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; +}: let + inherit + (nodeFlake.inputs) + bpir3 + nixos-nftables-firewall + ; +in { + disabledModules = [ + # "services/networking/hostapd.nix" + ]; - vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); - vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; - - mkVlanIpv4HostAddr = - { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." [ - "192" - "168" - (toString (vlanid + offset)) - "${toString host}${lib.strings.optionalString cidr "/24"}" - ]; - - defaultVlan = { - name = "${localDomainName}"; - packet_priority = 0; - }; - - vlans = { - "2".name = "dmz"; - "2".packet_priority = -5; - - "3".name = "iot"; - "3".packet_priority = -5; - - "4".name = "office"; - "4".packet_priority = -10; - - "5".name = "guests"; - "5".packet_priority = 10; - }; - - vlansByName = lib.attrsets.mapAttrs' ( - vlanid': attrs: - lib.attrsets.nameValuePair attrs.name ( - attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - } - ) - ) vlans; - - getVlanDomain = - { vlanid }: - if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; - - bridgeInterfaceName = "br-lan"; - mkInterfaceName = - { vlanid }: - if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; - - dmzExposedHost = "sj-srv1"; - dmzExposedHostDomain = "dmz.internal"; - dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; - dmzExposedHostIpv4 = mkVlanIpv4HostAddr { - vlanid = vlansByName.dmz.id; - host = 99; - cidr = false; - }; - - dmzExposedHostMACaddr = - repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in -{ imports = [ - nixos-sbc.nixosModules.default - nixos-sbc.nixosModules.boards.bananapi.bpir3 - { - sbc.version = "0.2"; - sbc.bootstrap.rootFilesystem = "btrfs"; - sbc.wireless.wifi.acceptRegulatoryResponsibility = true; - } - + # nodeFlake.inputs.disko.nixosModules.disko repoFlake.inputs.sops-nix.nixosModules.sops ../../profiles/common/user.nix - ../../snippets/nix-settings.nix + + "${bpir3}/lib/sd-image-mt7986.nix" nixos-nftables-firewall.nixosModules.default + # TODO + # ./network.nix + # ./monitoring.nix { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; @@ -115,13 +43,11 @@ in rootPasswordFile = config.sops.secrets.passwords-root.path; }; - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - - # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = { }; + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; } ]; 
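Review bot: `disabledModules = [ # "services/networking/hostapd.nix" ];` on the new side is an empty list whose only entry is commented out, and the import list carries `# nodeFlake.inputs.disko.nixosModules.disko` and `# TODO # ./network.nix # ./monitoring.nix` in the same state; an empty `disabledModules` is a no-op, and commented-out module references go stale without anyone noticing. Either drop these lines or keep a single `# TODO:` comment naming what still has to be wired in, so the module list reflects what is actually evaluated. The attribute set continues past the end of this hunk.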
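Review bot: The new side removes the `sops.secrets.wlan0_wpaPskFile = { };` declaration (together with `sops.defaultSopsFile`) without a replacement for the Wi-Fi credential, and further down in this file (hunk `@@ -168,971 +94,281 @@`) the hostapd networks receive the passphrase inline as `saePasswords = [ {password = "justtestingwifi";} ]` and `wpaPassword = "justtestingwifi"`, beside a commented-out `saePasswordsFile = config.sops.secrets.wifiPassword.path;`. Any string literal in the NixOS configuration ends up in the world-readable Nix store and in the generated hostapd configuration, so the passphrase loses the protection the removed sops secret gave it. Keep a secret declared next to `passwords-root`, e.g. `sops.secrets.wifiPassword = { sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; };`, and point hostapd at it via `saePasswordsFile` / `wpaPasswordFile` rather than the literals. This hunk ends inside the `imports` list, so the enclosing module is outside this view.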
@@ -168,971 +94,281 @@ in useNetworkd = true; useDHCP = false; - # these will be configured via nftables + # No local firewall. nat.enable = lib.mkForce false; firewall.enable = lib.mkForce false; # Use the nftables firewall instead of the base nixos scripted rules. # This flake provides a similar utility to the base nixos scripting. # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) nftables = { enable = true; - stopRuleset = ""; - chains = { - prerouting = { - "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in - [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; + firewall = { + enable = true; + zones = { + lan.interfaces = ["br-lan"]; + wan.interfaces = ["wan"]; + }; + rules = { + lan = { + from = ["lan"]; + to = ["fw"]; + verdict = "accept"; + }; + outbound = { + from = ["lan"]; + to = ["lan" "wan"]; + verdict = "accept"; + }; + nat = { + from = ["lan"]; + to = ["wan"]; + masquerade = true; + }; + + incoming-wan = { + from = ["wan"]; + to = ["fw"]; + verdict = "drop"; }; }; }; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - # included in the above - # snippets.nnf-conntrack.enable = true; - zones = - { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ - "wan" - "lan0" - ]; - vpn.interfaces = [ - "wg0" - "wg1" - "wg2" - ]; - } - // - # generate a zone for each vlan - lib.attrsets.mapAttrs (_key: value: { - interfaces = [ 
(mkInterfaceName { vlanid = value.id; }) ]; - }) vlansByName; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" - - # Without the nd-* ones ipv6 will not work. - "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ - "fw" - "lan" - ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } - ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-wan-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-vpn-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "vpn" ]; - masquerade = false; - verdict = "accept"; - }; - }; - }; }; }; - 
sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - # TODO: this shouldn't be necessary _at all_ - systemd.services.sfp-quirk = { - enable = true; - wantedBy = [ - "network.target" - "multi-user.target" - ]; - - requires = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - after = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - path = [ - pkgs.ethtool - pkgs.iproute2 - pkgs.coreutils - ]; - - script = '' - set -xeE - - ip l set dev lan4 down - ip l set dev eth1 down - - sleep 0.5 - - ethtool -s lan4 duplex full autoneg off - ethtool -s eth1 duplex full autoneg off - - sleep 0.5 - - ip l set dev lan4 up - ip l set dev eth1 up - - echo quirk applied, fingers crossed. - ''; - }; - systemd.network = { wait-online.anyInterface = true; - config.networkConfig = { - IPv4Forwarding = true; - IPv6Forwarding = true; + netdevs = { + # Create the bridge interface + "20-br-lan" = { + netdevConfig = { + Kind = "bridge"; + Name = "br-lan"; + }; + }; }; - links = { - # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
- # "00-eth1" = { - # enable = true; - # matchConfig.Name = "eth1"; - # linkConfig = { - # # BitsPerSecond = "2500M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - # "00-lan4" = { - # enable = true; - # matchConfig.Name = "lan4@eth0"; - # linkConfig = { - # # BitsPerSecond = "1000M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; + networks = { + # Connect the bridge ports to the bridge + "30-lan0" = { + matchConfig.Name = "lan0"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + # Configure the bridge for its desired function + "40-br-lan" = { + matchConfig.Name = "br-lan"; + bridgeConfig = {}; + address = [ + "192.168.10.1/24" + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + }; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; }; - netdevs = - let - router0-ifog_wg0Endpoint = 
"${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - in - { - # Create the bridge interface - "20-${bridgeInterfaceName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeInterfaceName; - }; - - extraConfig = '' - [Bridge] - STP=yes - VLANFiltering=yes - VLANProtocol=802.1q - DefaultPVID=0 - ''; - }; - - wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 100; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. 
- # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg0Endpoint; - } - ]; - }; - - wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - FirewallMark = 101; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg1Endpoint; - } - ]; - }; - - wg2 = { - enable = true; - netdevConfig = { - Name = "wg2"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 102; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. - # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-hosthatch_wg0Endpoint; - } - ]; - }; - } - # generate the vlan devices. 
these will be tagged on the main bridge - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; - }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); - networks = - let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; - - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit - - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in - { - # places options here that should always exist - "lo" = { - matchConfig.Name = "lo"; - - # these are roughly equivalent to: - # ip rule add fwmark 100 priority 0 table 100 - # ip rule add fwmark 100 priority 1 prohibit - # ip rule add fwmark 101 priority 0 table 101 - # ip rule add fwmark 101 priority 1 prohibit - routingPolicyRules = [ - { - FirewallMark = 100; - Priority = 30000; - Table = 100; - } - { - FirewallMark = 100; - Priority = 30001; - Table = 100; - Type = "prohibit"; - } - { - FirewallMark = 101; - Priority = 30000; - Table = 101; - } - { - FirewallMark = 101; - Priority = 30001; - Table = 101; - Type = "prohibit"; - } - { - FirewallMark = 102; - Priority = 
30000; - Table = 102; - } - { - FirewallMark = 102; - Priority = 30001; - Table = 102; - Type = "prohibit"; - } - ]; - }; - # use lan0 as secondary WAN interface - "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "lan0"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 2000; - }; - - # similar to - # ip route add default via 172.16.0.1 table 101 - routes = [ - { - Gateway = "_dhcp4"; - Table = 101; - } - ]; - }; - "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "wan"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 1000; - }; - - # similar to - # ip route add default via 192.168.0.1 table 100 - routes = [ - { - Gateway = "_dhcp4"; - Table = 100; - } - { - Gateway = "_dhcp4"; - Table = 102; - } - ]; - }; - - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - - "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = "${toString 
vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - }; - "30-lan4" = { - matchConfig.Name = "lan4"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - "30-eth1" = { - matchConfig.Name = "eth1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - # Configure the bridge for its desired function - "40-${bridgeInterfaceName}" = { - matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; - address = [ - (mkVlanIpv4HostAddr { - vlanid = 0; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - - vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - }; - - "50-wg0" = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.1/31" ]; - - routes = [ - # { - # # test the set uprouting to a specific IP - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.0 1"; - # } - ]; - }; - "50-wg1" = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.3/31" ]; - routes = [ - # { - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.2 1"; - # } - ]; - }; - - "50-wg2" = { - enable = true; - matchConfig.Name = "wg2"; - address = [ "10.0.1.1/31" ]; - - routes = [ - # TODO: add a 
testing route here - ]; - }; - } - # configuration for the hostapd dynamic interfaces - # * netdev type vlan - # * host address for vlan - # * vlan config for wlan interface - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; - - DHCPPrefixDelegation = true; - IPv6SendRA = true; - }; - - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = vlanid; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - } - ]; - }; - - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - } - ) - ( - 
builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); }; # wireless access point services.hostapd = { enable = true; - # package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection + radios = { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + }; + networks = { + wlan0 = { + ssid = "justtestingwifi-wpa3"; + authentication = { + mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + }; - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. 
- acs_exclude_dfs = 0; + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:40"; + settings = { + bridge = "br-lan"; + }; }; - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" + wlan0-1 = { + ssid = "justtestingwifi-compat"; + authentication = { + mode = "wpa3-sae-transition"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + wpaPassword = "justtestingwifi"; + }; - "40-INTOLERANT" - - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:41"; + settings = { + bridge = "br-lan"; + }; }; - wifi5 = { - enable = false; - require = false; - }; - - wifi6 = { - enable = false; - require = false; - }; - - networks = { - wlan0 = - let - iface = "wlan0"; - in - { - ssid = "mlsia"; - bssid = mkBssid 0; - - # enables debug logging - logLevel = 0; - - authentication.mode = "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; - - # bridge = bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # 
https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = - let - generated = builtins.map ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; - - wpa_key_mgmt = lib.mkForce ( - builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ] - ); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. - # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; - - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; - - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. 
This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; - - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. - disassoc_low_ack = 0; - - skip_inactivity_poll = 1; - - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. - multicast_to_unicast = 0; - }; - }; - }; + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = "br-lan"; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = "WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; }; }; + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # 
multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. + # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # 
he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. + # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = "br-lan"; + # }; + # }; + # }; + # }; + }; }; services.resolved.enable = false; 
@@ -1140,159 +376,149 @@ in services.dnsmasq = { enable = true; settings = { + # upstream DNS servers + server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"]; + # sensible behaviours domain-needed = true; bogus-priv = true; no-resolv = true; - localise-queries = true; - proxy-dnssec = true; - conntrack = true; - - # enable for debugging - # log-debug = true; - # log-queries = true; - - # disable negative caching - no-negcache = true; - local-ttl = 0; - dhcp-ttl = 0; - - # v6 config - enable-ra = true; - - dhcp-range = - let - mkDhcpRange = - { tag, vlanid }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map ( - vlanid: - mkDhcpRange { - tag = mkInterfaceName { inherit vlanid; }; - inherit vlanid; - } - ) vlanRangeWith0; - - dhcp-host = builtins.concatStringsSep "," [ - dmzExposedHostMACaddr - dmzExposedHostIpv4 - dmzExposedHostFQDN - ]; + dhcp-range = ["br-lan,192.168.10.50,192.168.10.254,24h"]; + interface = "br-lan"; + dhcp-host = "192.168.10.1"; + # local domains + local = "/lan/"; + domain = "lan"; expand-hosts = true; - # don't use /etc/hosts as this would advertise ${nodeName} as localhost + # don't use /etc/hosts as this would advertise surfer as localhost no-hosts = true; - - server = [ - # upstream DNS servers - - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - "2a01:4f8:151:34aa::198" - "2a01:4f8:141:316d::117" - - # https://dismail.de/info.html#dns - "116.203.32.217" - "2a01:4f8:1c1b:44aa::1" - "159.69.114.157" - "2a01:4f8:c17:739a::2" - ]; - - domain = - [ "/${getVlanDomain { vlanid = 0; }}/,local" ] - ++ builtins.map ( - vlanid: - "${getVlanDomain { inherit vlanid; }},${ - mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - } - },local" - ) vlanRangeWith0; - - # TODO: compare this to using `interface-name` - dynamic-host 
= builtins.map ( - vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain { inherit vlanid; }}" - "0.0.0.1" - (mkInterfaceName { inherit vlanid; }) - ] - ) vlanRangeWith0; - - dhcp-option-force = builtins.map ( - vlanid: - "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" - ) vlanRangeWith0; - - # auth-server = [ - # (builtins.concatStringsSep "," [ - # "www.stefanjunker.de" - # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) - # # (mkInterfaceName { vlanid = vlansByName.office.id; }) - # ]) - # ]; - - cname = [ - "mailserver.svc.stefanjunker.de,${dmzExposedHost}" - "www.stefanjunker.de,${dmzExposedHost}" - "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" - "jitsi.www.stefanjunker.de,${dmzExposedHost}" - "lldap.www.stefanjunker.de,${dmzExposedHost}" - "forgejo.www.stefanjunker.de,${dmzExposedHost}" - "kanidm.www.stefanjunker.de,${dmzExposedHost}" - ]; + address = "/surfer.lan/192.168.10.1"; }; }; - system.stateVersion = "24.11"; + # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often. 
+ services.irqbalance.enable = true; - # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; + # disko.devices = { + # disk = { + # nvme0n1 = { + # device = "/dev/nvme0n1"; + # type = "disk"; + # content = { + # type = "table"; + # format = "gpt"; + # partitions = [ + # { + # name = "var-log"; + # start = "1MiB"; + # end = "20G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var/log"; + # }; + # } + # { + # name = "tmp"; + # start = "20G"; + # end = "60G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/tmp"; + # }; + # } + # { + # name = "var"; + # start = "60G"; + # end = "100G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var"; + # }; + # } + # { + # name = "swap"; + # start = "100G"; + # end = "100%"; + # content = { + # type = "swap"; + # randomEncryption = false; + # }; + # } + # ]; + # }; + # }; + # }; + # }; + + system.stateVersion = "23.05"; + + boot.kernelPackages = pkgs.linuxPackages_bpir3; + # boot.kernelPackages = bpir3.packages.aarch64-linux.linuxPackages_bpir3; + # We exclude a number of modules included in the default list. A non-insignificant amount do + # not apply to embedded hardware like this, so simply skip the defaults. + # + # Custom kernel is required as a lot of MTK components misbehave when built as modules. + # They fail to load properly, leaving the system without working ethernet, they'll oops on + # remove. MTK-DSA parts and PCIe were observed to do this. + boot.initrd.includeDefaultModules = false; + boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; + boot.initrd.availableKernelModules = ["nvme"]; + + boot.kernelParams = ["console=ttyS0,115200"]; + hardware.enableRedistributableFirmware = true; + # Wireless hardware exists, regulatory database is essential. 
+ hardware.wirelessRegulatoryDatabase = true; + + # Extlinux compatible with custom uboot patches in this repo, which also provide unique + # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test. + boot.initrd.compressor = "gzip"; + hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; + + hardware.deviceTree.overlays = [ + { + name = "bpir3-sd-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts"; + } + { + name = "bpir3-nand-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts"; + } + { + name = "bpi-r3 wifi training data"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts"; + } + { + name = "reset button disable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts"; + } + { + name = "mt7986a efuses"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts"; + } + ]; + + boot.initrd.preDeviceCommands = '' + if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then + if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then + # Remove PCI bridge, then rescan. NVMe init crashes if PCI bridge not removed first + echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove + # Rescan brings PCI root back and brings the NVMe device in. + echo 1 > /sys/bus/pci/rescan + else + info "PCIe bridge missing" + fi + fi + ''; environment.systemPackages = [ pkgs.ethtool - pkgs.vim - pkgs.iperf3 - - pkgs.wireguard-tools - pkgs.tshark - pkgs.tmux - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') ]; } 
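Review bot: The dnsmasq settings hard-code a hostname `surfer` (`address = "/surfer.lan/192.168.10.1";` and the `/etc/hosts` comment) in what appears to be the router0-dmz0 configuration, while the removed side derived the same entries from `nodeName`; if `nodeName` is still a module argument here, `address = "/${nodeName}.lan/192.168.10.1";` keeps the DNS name in step with the node. `dhcp-host = "192.168.10.1";` is the router's own address with no MAC, client-id or hostname attached, so as far as I can tell it reserves nothing for any client and should either be removed or become a full `<mac>,<ip>,<name>` entry. The switch to three public resolvers also drops `proxy-dnssec`, so the AD bit from upstream is no longer passed through to clients; a one-line comment such as `# plain DNS on port 53 to public resolvers; no DNSSEC validation or transport encryption` would make that an explicit decision rather than a side effect of the rewrite.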
diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index a0520dc..e8d521a 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix @@ -1,31 +1,29 @@ { - system ? "aarch64-linux", nodeName, repoFlake, nodeFlake, - localDomainName ? "internal", ... -}: -{ +}: let + system = "aarch64-linux"; +in { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; - - inherit localDomainName; + inherit + (nodeFlake.inputs.bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; + deployment.targetHost = "router0.dmz0.noosphere.life"; deployment.replaceUnknownProfiles = true; # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock index 8f55026..9ad07a0 100644 --- a/nix/os/devices/router0-dmz0/flake.lock +++ b/nix/os/devices/router0-dmz0/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "bpir3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688620001, + "narHash": "sha256-8ACxxssPiQy/lsUsT8cAaT2te8p8d8ngmPwTc/erPnU=", + "owner": "nakato", + "repo": "nixos-bpir3-example", + "rev": "4210480bdebbf3a7953e22d5d9f183f47b725bff", + "type": "github" + }, + "original": { + "owner": "nakato", + "repo": "nixos-bpir3-example", + "type": "github" + } + }, "dependencyDagOfSubmodule": { "inputs": { "nixpkgs": [ 
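Review bot: `system` has become a `let` binding while the argument pattern still ends in `...`, so a caller that passes `system = ...` (as the removed flake.nix did through `import ./default.nix { system = nativeSystem; ... }`) is silently ignored rather than rejected; either keep `system ? "aarch64-linux"` in the pattern or add `# system is fixed here and cannot be overridden by callers` above the `let`. `deployment.targetHost` is likewise hard-coded to `router0.dmz0.noosphere.life` although `nodeName` is still passed through `meta.nodeSpecialArgs`, so the two can drift apart; a short comment stating that this FQDN must match the node's real DNS record would help the next reader.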
@@ -28,11 +48,11 @@ ] }, "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "lastModified": 1691743546, + "narHash": "sha256-nS2uWOeEmMgUBEMDCvwLlXBBCLkW7agDcMtOXuf9PDc=", "owner": "nix-community", "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "rev": "241c878d4b542fea7c61ed4421e9224af054ff56", "type": "github" }, "original": { @@ -43,11 +63,11 @@ }, "get-flake": { "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", + "lastModified": 1673819588, + "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=", "owner": "ursi", "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", + "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c", "type": "github" }, "original": { @@ -63,36 +83,20 @@ ] }, "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "lastModified": 1691672736, + "narHash": "sha256-HNPA/dKHerA0p4OsToEcW/DtTSXBcK5gFRsy/yPgV/Y=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "rev": "6e1eff9aac0e8d84bda7f2d60ba6108eea9b7e79", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.11", + "ref": "master", "repo": "home-manager", "type": "github" } }, - "hostapd": { - "flake": false, - "locked": { - "lastModified": 1738518662, - "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", - "ref": "refs/heads/main", - "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", - "revCount": 20282, - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - }, - "original": { - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - } - }, "nixos-nftables-firewall": { "inputs": { "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", 
@@ -101,11 +105,11 @@ ] }, "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "lastModified": 1677020959, + "narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf", "type": "github" }, "original": { @@ -114,49 +118,13 @@ "type": "github" } }, - "nixos-sbc": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738254353, - "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", - "owner": "nakato", - "repo": "nixos-sbc", - "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", - "type": "github" - }, - "original": { - "owner": "nakato", - "repo": "nixos-sbc", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1738702386, - "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", + "lastModified": 1691654369, + "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1738680400, - "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "799ba5bffed04ced7067a91798353d360788b30d", + "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e", "type": "github" }, "original": { 
@@ -166,35 +134,48 @@ "type": "github" } }, - "openwrt": { - "flake": false, + "nixpkgs-master": { "locked": { - "lastModified": 1691699580, - "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "revCount": 58166, - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" + "lastModified": 1691753935, + "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "650596759b8b38399a0c4d5e366847d190360e55", + "type": "github" }, "original": { - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1691703261, + "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" } }, "root": { "inputs": { + "bpir3": "bpir3", "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", - "hostapd": "hostapd", "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixos-sbc": "nixos-sbc", "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", - "openwrt": "openwrt", "srvos": "srvos" } }, @@ -205,11 +186,11 @@ ] }, "locked": { - "lastModified": 1738198321, - "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", "owner": "numtide", "repo": "srvos", - "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", "type": "github" }, "original": { 
diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index d56e72a..c934242 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -1,11 +1,13 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-master.url = "github:nixos/nixpkgs/master"; get-flake.url = "github:ursi/get-flake"; - home-manager.url = "github:nix-community/home-manager/release-24.11"; + home-manager.url = "github:nix-community/home-manager/master"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; disko.url = "github:nix-community/disko"; 
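Review bot: The commented-out `# nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";` is dead configuration beside the live `nixos-unstable` pin; either delete it or replace it with a comment saying why unstable is required for this board. `nixpkgs-master` is added as an input, but nothing visible in the outputs below refers to it (the outputs function destructures only `self`, `get-flake`, `nixpkgs` and `bpir3`), so if it is unused it is one more moving target in flake.lock for no benefit. Tracking `master` for home-manager is consistent with nixpkgs on unstable, but it means each `nix flake update` pulls an unreviewed HEAD, which is worth a comment so the trade-off is recorded.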
@@ -13,95 +15,79 @@ srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-sbc.url = "github:nakato/nixos-sbc" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; - nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; + bpir3.url = "github:nakato/nixos-bpir3-example"; + bpir3.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - - hostapd.url = "git://w1.fi/hostap.git?branch=main"; - hostapd.flake = false; - - openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9"; - openwrt.flake = false; - - # TODO: would be nice if this worked but it throws an error when using the input as a patch: - # error: flake input has unsupported input type 'file' - # hostapd_patch_vlan_no_bridge = { - # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; - # flake = false; - # }; - - # repoFlake.url = "path:../../../.."; }; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + # outputs = _: {}; - mkNixosConfiguration = + outputs = { + self, + get-flake, + nixpkgs, + bpir3, + ... + } @ attrs: let + system = "aarch64-linux"; + nodeName = "router0-dmz0"; + + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... 
- }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + inherit + (bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; + }; - repoFlake = get-flake ../../../..; - # repoFlake = get-flake ./.; - # repoFlake = self.inputs.repoFlake; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = [ + modules = + [ ./configuration.nix # flake registry { - nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; + { + nixpkgs.overlays = [ + (final: previous: let + bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {}; + in { + inherit + (bpir3Pkgs) + linuxPackages_bpir3 + ; + }) + ]; + } + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + inherit system; }; - overlays.default = _final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = system; + } + ]; }; }; + }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix deleted file mode 100644 index af02b3d..0000000 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ /dev/null 
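Review bot: `specialArgs` is now built here independently of `./default.nix`'s `meta.nodeSpecialArgs`, and the two already differ (default.nix also provides `packages'`, this hunk does not), so configuration.nix sees different arguments depending on whether it is evaluated through `nixosConfigurations.native`/`cross` or through the deployment tool; the removed code avoided this by importing `./default.nix` and reading `.meta.nodeSpecialArgs.${nodeName}`, and keeping that single source would prevent drift. The inner `{extraModules ? [], ...} @ attrs` shadows the outer `@ attrs` of the outputs function, which is legal but easy to misread; a distinct name costs nothing. Because the whole of `attrs` is forwarded via `recursiveUpdate attrs { ... }`, `extraModules` also reaches `nixpkgs.lib.nixosSystem`, whose evaluator has an `extraModules` argument of its own, so each extra module is probably included twice; `recursiveUpdate (removeAttrs attrs [ "extraModules" ]) { ... }` avoids that (this pattern predates the change).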
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "24.05"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.1.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.1.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-hosthatch/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - system ? "x86_64-linux", - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - variables = import ./variables.crypt.nix; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = variables.ipv4; - deployment.replaceUnknownProfiles = true; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock deleted file mode 100644 index f66687f..0000000 --- a/nix/os/devices/router0-hosthatch/flake.lock +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix deleted file mode 100644 index 38c17df..0000000 Binary files a/nix/os/devices/router0-hosthatch/variables.crypt.nix and /dev/null differ diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix deleted file mode 100644 index 9bc91ee..0000000 --- a/nix/os/devices/router0-ifog/configuration.nix +++ /dev/null 
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "23.11"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-ifog/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - system ? "x86_64-linux", - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - variables = import ./variables.crypt.nix; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = variables.ipv4; - deployment.replaceUnknownProfiles = true; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock deleted file mode 100644 index f66687f..0000000 --- a/nix/os/devices/router0-ifog/flake.lock +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-ifog/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix deleted file mode 100644 index 1dec120..0000000 Binary files a/nix/os/devices/router0-ifog/variables.crypt.nix and /dev/null differ diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md deleted file mode 100644 index 394da55..0000000 --- a/nix/os/devices/sj-srv1/README.md +++ /dev/null @@ -1 +0,0 @@ -## bootstrapping diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix deleted file mode 100644 index 5184bd1..0000000 --- a/nix/os/devices/sj-srv1/configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ nodeName, config, ... }: -{ - disabledModules = [ ]; - imports = [ - ../../profiles/common/configuration.nix - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - sops.secrets.passwords-root = { - sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - neededForUsers = true; - format = "yaml"; - }; - } - - ./system.nix - ./hw.nix - ]; -} diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix deleted file mode 100644 index 6ec896d..0000000 --- a/nix/os/devices/sj-srv1/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.dmz.internal"; - deployment.replaceUnknownProfiles = false; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - }; -} diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock deleted file mode 100644 index 05230e2..0000000 --- a/nix/os/devices/sj-srv1/flake.lock +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747020534, - "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.11", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1746957726, - "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-kanidm": { - "locked": { - "lastModified": 1729071019, - "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", - "owner": "steveej-forks", - "repo": "nixpkgs", - "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "kanidm", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1747142919, - "narHash": "sha256-84jJ5uDXws7EYch+4fxmfoCCTWRWZCXCCVM0Dh65ZH8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "60bdd7db9e890967224c2244be45beecd7d6e448", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1747114929, - "narHash": "sha256-GnQGiZiOnGfxM9oVhgqOJk0Qv1aZ11p5Aloac2tdoKY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fab95ba4b9523f310644e6e6087c0014535c8e02", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": 
"nixpkgs", - "nixpkgs-kanidm": "nixpkgs-kanidm", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix deleted file mode 100644 index 213d325..0000000 --- a/nix/os/devices/sj-srv1/flake.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix deleted file mode 100644 index ca9158b..0000000 --- a/nix/os/devices/sj-srv1/hw.nix +++ /dev/null @@ -1,55 +0,0 @@ -_: -let - stage1Modules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - - "aesni_intel" - "kvm_amd" - "nvme" - "nvme_core" - - "thunderbolt" - "e1000e" - - "usbcore" - "xhci_hcd" - "usbnet" - "snd_usb_audio" - "usbhid" - "snd_usbmidi_lib" - "cdc_mbim" - "cdc_ncm" - "usb_storage" - "cdc_wdm" - "uvcvideo" - "btusb" - "xhci_pci" - "cdc_ether" - "uas" - ]; -in -{ - imports = [ - ../../modules/opinionatedDisk.nix - ]; - hardware.opinionatedDisk = { - enable = true; - encrypted = false; - diskId = "virtio-virtio-paeNi8Fof9Oe"; - earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; - }; - - boot.initrd.kernelModules = stage1Modules; -} diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix deleted file mode 100644 index c5e4c43..0000000 --- a/nix/os/devices/sj-srv1/system.nix +++ /dev/null 
@@ -1,220 +0,0 @@ -{ - pkgs, - lib, - config, - repoFlake, - nodeFlake, - nodeName, - ... -}: -let - hostBridgeAddress = "192.168.101.1"; -in -{ - imports = [ - ../../snippets/systemd-resolved.nix - { - # make sure it uses the DNS that comes in via DHCP - networking.nameservers = lib.mkForce [ ]; - services.resolved.enable = true; - - # provide DNS to the containers - services.resolved.extraConfig = '' - DNSStubListenerExtra=${hostBridgeAddress} - ''; - networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ]; - networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ]; - } - ]; - - programs.wireshark.enable = true; - environment.systemPackages = [ pkgs.dnsutils ]; - - networking.firewall.enable = true; - networking.nftables.enable = true; - networking.nftables.flushRuleset = true; - - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - - networking.firewall.logRefusedConnections = false; - - networking.usePredictableInterfaceNames = false; - - networking.useNetworkd = true; - networking.useDHCP = false; - - networking.nat = { - enable = true; - internalInterfaces = [ "br0" ]; - externalInterface = "dmz0"; - }; - - networking.bridges = { - br0 = { - interfaces = [ ]; - }; - }; - networking.interfaces = { - br0 = { - ipv4.addresses = [ - { - address = hostBridgeAddress; - prefixLength = 24; - } - ]; - }; - }; - - systemd.network.netdevs."10-dmz0" = { - enable = true; - netdevConfig = { - Name = "dmz0"; - Kind = "macvlan"; - MACAddress = "1c:69:7a:07:08:6f"; - }; - - macvlanConfig = { - Mode = "bridge"; - }; - }; - - systemd.network.networks."20-eth0" = { - enable = true; - matchConfig.Name = "eth0"; - - linkConfig.RequiredForOnline = "carrier"; - networkConfig.LinkLocalAddressing = "no"; - - # TODO: i'm not sure if and if so why this is required - macvlan = [ "dmz0" ]; - - DHCP = "no"; - }; - - systemd.network.networks."30-dmz0" = { - enable = true; - matchConfig.Name = "dmz0"; - DHCP = "yes"; - - dhcpV4Config.UseDNS = true; - dhcpV6Config.UseDNS = 
true; - }; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - "net.ipv6.ip_forward" = 1; - }; - - # virtualization - virtualisation = { - docker.enable = false; - }; - - nix.gc = { - automatic = true; - }; - - sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - - # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = - let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in - { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - - paths = [ "/backup" ]; - - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; - - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; - }; - - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; - }; - - containers = { - mailserver = import ../../containers/mailserver.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; - - autoStart = true; - - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.10/24"; - - imapsPort = 993; - sievePort = 4190; - }; - - webserver = import ../../containers/webserver.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; - - autoStart = true; - - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.11/24"; - - httpPort = 80; - httpsPort = 443; - forgejoSshPort = 2222; - }; - - syncthing = import ../../containers/syncthing.nix { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; - autoStart = true; - - hostBridge = "br0"; - hostAddress = 
hostBridgeAddress; - localAddress = "192.168.101.12/24"; - - syncthingPort = 22000; - }; - }; - - virtualisation.libvirtd = { - enable = true; - onShutdown = "shutdown"; - parallelShutdown = 3; - }; - - # VM storage - # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D"; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.11"; # Did you read the comment? -} diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index 0f9e008..dbbf113 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -1,12 +1,15 @@ -{ nodeName, config, ... }: { - disabledModules = [ ]; + nodeName, + config, + ... +}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { users.commonUsers = { enable = true; - enableNonRoot = true; + enableNonRoot = false; rootPasswordFile = config.sops.secrets.passwords-root.path; }; diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 7683a53..12e0271 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix 
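Review bot: `enableNonRoot = false` in sj-vps-htz0/configuration.nix drops the unprivileged account that `users.commonUsers` otherwise creates, which leaves root (authenticated through `rootPasswordFile`) as the only interactive account on this host, and the hunk gives no reason. If that is the intended administration model, a one-line comment above the flag would stop the next reader from treating it as a regression, e.g. `# root-only administration on this VPS; no interactive non-root account`. What else the flag controls (sudo, home-manager wiring) is decided by the `users.commonUsers` module outside this diff, so that part is inferred.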
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock index 56c2d36..7bca561 100644 --- a/nix/os/devices/sj-vps-htz0/flake.lock +++ b/nix/os/devices/sj-vps-htz0/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1700392168, - "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700501263, - "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1700758842, - "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", + "lastModified": 1688925019, + "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", + "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700641131, - "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", + "lastModified": 1688891216, + "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", + "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00", "type": "github" }, "original": { diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index f8ca24f..c315b8e 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 080bb40..7566a02 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -15,8 +14,7 @@ let "pata_acpi" "ata_generic" ]; -in -{ +in { hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 7380a35..afba434 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,15 +1,10 @@ { pkgs, + lib, config, - nodeName, + repoFlake, ... -}: -let - wireguardPort = 51820; -in -{ - imports = [ ../../snippets/systemd-resolved.nix ]; - +}: { networking.firewall.enable = true; networking.nftables.enable = true; @@ -17,8 +12,6 @@ in # iperf3 5201 ]; - networking.firewall.allowedUDPPorts = [ wireguardPort ]; - networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; 
@@ -27,14 +20,14 @@ in networking.interfaces.eth0 = { mtu = 1400; - useDHCP = true; + useDHCP = false; ipv4.addresses = [ { "address" = "167.233.1.14"; "prefixLength" = 29; } ]; - ipv6.addresses = [ ]; + ipv6.addresses = []; }; networking.defaultGateway = { @@ -47,12 +40,21 @@ in interface = "eth0"; }; + networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + + services.resolved = { + enable = true; + dnssec = "true"; + domains = ["~."]; + fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + extraConfig = '' + DNSOverTLS=yes + ''; + }; + networking.nat = { enable = true; - internalInterfaces = [ - "ve-*" - "wg*" - ]; + internalInterfaces = ["ve-*"]; externalInterface = "eth0"; }; 
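Review bot: `fallbackDns` in the new `services.resolved` block lists the same two resolvers as `networking.nameservers`, so it adds no redundancy: resolved only consults `FallbackDNS` when no other server is known, and here it would reach the same hosts. Together with `dnssec = "true"` and `DNSOverTLS=yes` this is a strict posture in which name resolution stops entirely if those resolvers are unreachable or fail certificate validation; that may be exactly what is wanted on a VPS, but it deserves a comment such as `# strict DoT + DNSSEC; no plaintext or alternate-resolver fallback on purpose`. If a real fallback is wanted, `fallbackDns` should name different resolvers or be dropped so resolved's built-in defaults apply. The `useDHCP = false` flip in the preceding hunk is presumably what makes these static nameservers necessary.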
@@ -62,41 +64,49 @@ in meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340; ''; - sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - - networking.wireguard.enable = true; - networking.wireguard.interfaces.wg0 = { - # eth0 MTU (1400) - 80 - mtu = 1320; - ips = [ "192.168.99.1/31" ]; - listenPort = wireguardPort; - privateKeyFile = config.sops.secrets.wg0-private.path; - peers = [ - { - allowedIPs = [ "192.168.99.2/32" ]; - publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; - presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; - } - ]; - }; - # virtualization - virtualisation = { - docker.enable = false; - }; + virtualisation = {docker.enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; - containers = { }; + containers = { + mailserver = import ../../containers/mailserver.nix { + inherit repoFlake; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; + autoStart = true; + + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + + imapsPort = 993; + sievePort = 4190; + }; + + webserver = + import ../../containers/webserver.nix + { + inherit repoFlake; + + autoStart = true; + + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + + httpPort = 80; + httpsPort = 443; + }; + + syncthing = import ../../containers/syncthing.nix { + autoStart = true; + + hostAddress = "192.168.100.14"; + localAddress = "192.168.100.15"; + + syncthingPort = 22000; + }; }; # This value determines the NixOS release from which the default diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md index c76c8a0..92893b6 100644 --- a/nix/os/devices/srv0-dmz0/README.md +++ b/nix/os/devices/srv0-dmz0/README.md 
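Review bot: The three new containers set `hostAddress`/`localAddress`, which NixOS only honours when `privateNetwork = true`, and nothing in this hunk enables it; presumably the imported `../../containers/*.nix` modules do, but that is worth confirming, because otherwise the containers share the host's network namespace and the `ve-*` NAT rule from the previous hunk has nothing to match. `syncthing` is imported without `inherit repoFlake;` while `mailserver` and `webserver` receive it, so either the syncthing module does not take that argument or the call is incomplete. The `webserver =` binding is also split across three lines unlike its siblings; `webserver = import ../../containers/webserver.nix {` would match them. With the WireGuard block removed, the `config` argument kept in this file's header hunk may now be unused. The enclosing attribute set continues past the end of this hunk.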
@@ -1,6 +1,7 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life ``` + diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index 5514edf..66e15d5 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix @@ -1,14 +1,14 @@ { modulesPath, repoFlake, + packages', + pkgs, config, ... -}: -let - disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in -{ - disabledModules = [ ]; +}: let + disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051"; +in { + disabledModules = []; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +23,7 @@ in ]; ## bare-metal machines - srvos.boot.consoles = [ "tty0" ]; + srvos.boot.consoles = ["tty0"]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; @@ -39,7 +39,7 @@ in start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "ESP"; @@ -60,14 +60,14 @@ in bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; @@ -109,7 +109,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; 
@@ -119,11 +119,95 @@ in # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; + nix.gc = {automatic = true;}; + + containers = { }; - containers = { }; + sops.secrets.holochain-nomad-agent-ca = { + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + owner = config.users.extraUsers.nomad.name; + group = config.users.groups.nomad.name; + }; + sops.secrets.holochain-global-nomad-client-cert = { + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + owner = config.users.extraUsers.nomad.name; + group = config.users.groups.nomad.name; + }; + sops.secrets.holochain-global-client-nomad-key = { + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; + owner = config.users.extraUsers.nomad.name; + group = config.users.groups.nomad.name; + }; + + services.nomad = { + enable = true; + package = packages'.nomad; + enableDocker = false; + dropPrivileges = false; + + extraPackages = [ + pkgs.coreutils + pkgs.nix + pkgs.bash + pkgs.gitFull + pkgs.cacert + ]; + + settings = { + server.enabled = false; + + client = { + enabled = true; + server_join = { + retry_join = [ + "infra.holochain.org" + ]; + retry_interval = "60s"; + }; + + node_class = "testing"; + + meta = { + inherit (pkgs.targetPlatform) system; + + features = builtins.concatStringsSep "," [ + "poc-1" + "poc-2" + "ipv4-nat" + "nix" + "nixos" + "holoport" + ]; + + machine_type = "baremetal"; + }; + }; + + tls = { + http = true; + rpc = true; + ca_file = config.sops.secrets.holochain-nomad-agent-ca.path; + cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path; + key_file = config.sops.secrets.holochain-global-client-nomad-key.path; + + verify_server_hostname = true; + verify_https_client = true; + }; + + plugin.raw_exec.config.enabled = true; + }; + }; + + users.extraUsers.nomad.isNormalUser = true; + users.extraUsers.nomad.isSystemUser = false; + users.extraUsers.nomad.group = "nomad"; + users.extraUsers.nomad.home = 
config.services.nomad.settings.data_dir; + users.extraUsers.nomad.createHome = true; + users.groups.nomad.members = ["nomad"]; + + systemd.services.nomad.serviceConfig.User = "nomad"; + systemd.services.nomad.serviceConfig.Group = "nomad"; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions @@ -131,5 +215,5 @@ in # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + system.stateVersion = "23.05"; # Did you read the comment? } diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 3af624b..5c0b7bb 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock index 4e1a641..38508fd 100644 --- a/nix/os/devices/srv0-dmz0/flake.lock +++ b/nix/os/devices/srv0-dmz0/flake.lock 
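Review bot: `plugin.raw_exec.config.enabled = true` lets any job this client accepts run arbitrary commands with the agent's own privileges and no isolation, and because `dropPrivileges = false` that identity is whatever the manual `User = "nomad"` makes it. Running as `nomad` keeps raw_exec tasks off root, but the three sops secrets are owned by that same user, so such a task can read the client TLS key; a comment on the `plugin.raw_exec` line naming the trade-off would help, e.g. `# raw_exec tasks run as the nomad user and can read its TLS material`. The account is declared with `isNormalUser = true; isSystemUser = false;`, which gives a daemon a UID of 1000 or above and a login shell; `users.extraUsers.nomad.isSystemUser = true;` with the existing `group = "nomad"` is the conventional form for a service account. `home = config.services.nomad.settings.data_dir` relies on a `data_dir` default supplied by the module outside this diff, since the `settings` block here does not set one. The secret names also mix the orderings `nomad-client-cert` and `client-nomad-key`.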
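Review bot: `system.stateVersion` for srv0-dmz0 moves from `"23.11"` to `"23.05"` even though the comment directly above it says to leave the value at the release of the first install. If the host was reinstalled (the `disk` id in this file's first hunk also changes), the commit message should say so; otherwise the line should stay at `"23.11"`, because stateful defaults keyed on this value can shift.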
@@ -7,43 +7,43 @@ ] }, "locked": { - "lastModified": 1716736833, - "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1688594934, + "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "e11142026e2cef35ea52c9205703823df225c947", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1717242134, - "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", + "lastModified": 1688668881, + "narHash": "sha256-q5QIxsX5UR+P2uq8RyaJA/GI5z3yZiKl3Q35gVyr9UM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", + "rev": "0ffe9cc640d092e6abd8c0adec483acfd2ed7cda", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1717216113, - "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", + "lastModified": 1688640665, + "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", + "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", "type": "github" }, "original": { diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index 2f27989..c315b8e 100644 
--- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -1,12 +1,12 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-24.05"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index 9ddbde9..fe0b621 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -_: { +{lib, ...}: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index a89e29a..8815036 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -18,8 +17,7 @@ let "xhci_hcd" "xhci_pci" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; 
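Review bot: `{lib, ...}: {` replaces `_: {` in srv0.home-ch.stefanjunker.de/boot.nix, but neither of the two attributes in this four-line file uses `lib`, so the binding is dead; `{...}: {` (the form this commit uses elsewhere) or the original `_: {` expresses the same thing. The same pattern recurs in later hunks whose visible bodies never reference the new names: `lib` in sj-vps-htz0/system.nix and srv0.home-ch/pkg.nix, `pkgs`/`lib`/`config` plus `keys` in srv0.home-ch/system.nix and steveej-pa600/system.nix, an empty `let in` in steveej-nuc7pjyh-work/system.nix, and `config` plus `passwords` in both user.nix files; those files continue beyond their hunks, so the names may be consumed there. Nix `let` bindings are lazy, so an unused `passwords = import ../../../variables/passwords.crypt.nix;` costs nothing at evaluation, but it does tell a reader that the file handles encrypted password material when it may not.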
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index 607e7f3..b6c8038 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,8 +1,16 @@ -{ config, pkgs, ... }: { - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; + config, + pkgs, + lib, + ... +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -12,12 +20,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index 84bb74d..e677958 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,4 +1,11 @@ -_: { +{ + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; +in { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -30,7 +37,7 @@ _: { networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; 
@@ -38,20 +45,14 @@ _: { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; networking.useHostResolvConf = false; - services.resolved = { - enable = true; - }; + services.resolved = {enable = true;}; - containers = { }; + containers = {}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index 1bc2086..bb546e6 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,8 +4,7 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 5817e21..511138c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,8 +6,7 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index d009275..a15e1aa 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 76ab1b9..6d8eadd 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index efe0db2..73d39d9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,7 +1,11 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: let +in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = { }; + users.groups.sgx = {}; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index e37d392..2b72309 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,9 +1,12 @@ -{ pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -11,7 +14,7 @@ in image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = [ "sgx" ]; + extraGroups = ["sgx"]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/steveej-pa600/boot.nix 
+++ b/nix/os/devices/steveej-pa600/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 68ad190..37f4c61 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index 651a6e2..a563c1a 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -8,8 +7,7 @@ let "xhci_pci" "hxci_hcd" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 360c17b..1db742a 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,8 +1,11 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 2a4551a..02256d8 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix 
@@ -1,5 +1,11 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; +in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -14,11 +20,7 @@ services.printing = { enable = true; - drivers = with pkgs; [ - hplip - mfcl3770cdw.driver - mfcl3770cdw.cupswrapper - ]; + drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; }; services.fprintd.enable = true; @@ -27,9 +29,9 @@ sudo.fprintAuth = true; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index bb94098..4b85fea 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,9 +1,12 @@ -{ pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index e7d4567..ce6b116 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix 
@@ -4,12 +4,9 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 08f1a43..96f7be3 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index 9682eb6..b32a198 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 4af1def..14df96a 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 7f69ec0..4329e5c 100644 
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,3 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index 861a9ea..d49dbd3 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,8 +1,11 @@ -{ ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index c42f909..408b2a9 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index d409681..5bad73f 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,4 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index 3771f25..f8759b8 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,33 +2,35 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = '' + 0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = '' + d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = ''9c34c8adba80180608794cce600b10183b048942''; + rev = '' + 9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = '' + f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = '' + d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index 92abc4a..a0fa34a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index d3ff0b5..281d09e 100644 
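Review bot: The five `rev` values in steveej-rmvbl-sdep0/versions.nix are now indented strings with the hash on its own line (`rev = ''` followed by `0040164e…'';`), which relies on Nix discarding the newline after `''` and stripping the common indentation to yield the bare hash. That evaluates correctly, but any stray whitespace on the hash line or a re-indent by an editor silently yields a different string and a failing fetch, and a reader cannot tell at a glance that the value is a plain commit id. A single-line `rev = "0040164e473509b4aee6aedb3b923e400d6df10b";` is clearer and matches the `url`/`ref` lines beside it.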
--- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -1,5 +1,8 @@ -{ lib, pkgs, ... }: { + lib, + pkgs, + ... +}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index f5ccca0..8d578b7 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,13 +1,5 @@ -{ ... }: -{ +{...}: { imports = [ - ../../snippets/home-manager-with-zsh.nix - ../../snippets/nix-settings-holo-chain.nix - # TODO: double-check whether this works at all after the most recent changes - # ../../snippets/radicale.nix - ../../snippets/sway-desktop.nix - ../../snippets/timezone.nix - ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/opinionatedDisk.nix 
@@ -18,60 +10,6 @@ ./pkg.nix ./user.nix ./boot.nix - - # samba seerver - (_: { - # networking.firewall.enable = lib.mkForce false; - services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - networking.firewall.allowedTCPPorts = [ - 5357 # wsdd - ]; - networking.firewall.allowedUDPPorts = [ - 3702 # wsdd - ]; - services.samba = { - enable = true; - - securityType = "user"; - - extraConfig = '' - workgroup = ARBEITSGRUPPE - server string = steveej-t14 - netbios name = steveej-t14 - security = user - - # use sendfile = yes - - # for executables on windows - acl allow execute always = True - - # legacy windows quirks - max protocol = NT1 - min protocol = NT1 - ntlm auth = yes - - # client max protocol = SMB1 - # client min protocol = NT1 - - # note: localhost is the ipv6 localhost ::1 - hosts allow = 192.168. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - shares = { - voodoo = { - path = "/home/steveej/Desktop/voodoo"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - # "force user" = "steveej"; - # "force group" = "users"; - }; - }; - }; - }) + ./secrets.nix ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index d7e6d28..739065b 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix 
@@ -3,25 +3,35 @@ repoFlake, repoFlakeWithSystem, nodeFlake, - ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + overlays = [ + (final: prev: { + # FIXME: why are these not effective in for the configuration.nix below? + xdg-desktop-portal-wlr' = repoFlake.inputs.nixpkgs-wayland.packages.${system}.xdg-desktop-portal-wlr; + xdg-desktop-portal-wlr-gtk' = repoFlake.inputs.nixpkgs-wayland.packages.${system}.xdg-desktop-portal-wlr-gtk; + }) + ]; + }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock index 5960780..1941acf 100644 --- a/nix/os/devices/steveej-t14/flake.lock +++ b/nix/os/devices/steveej-t14/flake.lock 
@@ -7,16 +7,16 @@ ] }, "locked": { - "lastModified": 1705273357, - "narHash": "sha256-JAlkxgJbWh7+auiT0rJL3IUXXtkULRqygfxQA6mvLgc=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "924d91e1e4c802fd8e60279a022dbae5acb36f2d", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } @@ -39,11 +39,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1691421349, + "narHash": "sha256-RRJyX0CUrs4uW4gMhd/X4rcDG8PTgaaCQM5rXEJOx6g=", "owner": "nixos", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "011567f35433879aae5024fc6ec53f2a0568a6c4", "type": "github" }, "original": { @@ -53,29 +53,13 @@ "type": "github" } }, - "nixpkgs-2311": { - "locked": { - "lastModified": 1705183652, - "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "428544ae95eec077c7f823b422afae5f174dee4b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-master": { "locked": { - "lastModified": 1705325703, - "narHash": "sha256-ckwq5uZTOg79p6j9Op4tuKUiEIf0gaLskMS5g43MfVI=", + "lastModified": 1691518494, + "narHash": "sha256-Xa77u1HcXQ3p+v+8EoHi5ZgHnh8uNcQkEIoNF5xGSVU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7081bd488c8fd2a1ac54fda9676e22e6f8fb581f", + "rev": "c9a4aa0cd93d9c73a50015d9df19ee65e5f793f8", "type": "github" }, "original": { 
@@ -87,11 +71,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705133751, - "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=", + "lastModified": 1691368598, + "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", + "rev": "5a8e9243812ba528000995b294292d3b5e120947", "type": "github" }, "original": { @@ -103,11 +87,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1705249824, - "narHash": "sha256-ZLPa6YWHeX+/yzaxU7uMWq9eMMncffrzkgOXe6AODMU=", + "lastModified": 1691472822, + "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0c741cd9fbdc435b7ca88e17efc371b48e7c23b8", + "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff", "type": "github" }, "original": { @@ -121,11 +105,10 @@ "inputs": { "home-manager": "home-manager", "nixpkgs": [ - "nixpkgs-2311" + "nixpkgs-2305" ], "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2305": "nixpkgs-2305", - "nixpkgs-2311": "nixpkgs-2311", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable-small": "nixpkgs-unstable-small" diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index 504ce45..4786ee1 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix 
@@ -1,16 +1,16 @@ { inputs.nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; - inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + inputs.nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - inputs.nixpkgs.follows = "nixpkgs-2311"; + inputs.nixpkgs.follows = "nixpkgs-2305"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 0fa593a..9f7d778 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
@@ -1,130 +1,5 @@ -_: { - # TASK: new device - hardware.opinionatedDisk = { - enable = true; - encrypted = true; - diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; - earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; - }; - - # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; - - # see https://linrunner.de/tlp/ - services.tlp = { - enable = false; - settings = { - CPU_DRIVER_OPMODE_ON_AC = "active"; - CPU_DRIVER_OPMODE_ON_BAT = "passive"; - - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - - CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; - CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; - - CPU_BOOST_ON_AC = "0"; - CPU_BOOST_ON_BAT = "0"; - - RADEON_DPM_PERF_LEVEL_ON_AC = "low"; - RADEON_DPM_PERF_LEVEL_ON_BAT = "low"; - RADEON_POWER_PROFILE_ON_AC = "low"; - RADEON_POWER_PROFILE_ON_BAT = "low"; - RADEON_DPM_STATE_ON_AC = "battery"; - RADEON_DPM_STATE_ON_BAT = "battery"; - - # SOUND_POWER_SAVE_ON_AC="1"; - SOUND_POWER_SAVE_ON_BAT = "1"; - - PLATFORM_PROFILE_ON_AC = "performance"; - PLATFORM_PROFILE_ON_BAT = "low-power"; - - RUNTIME_PM_ON_AC = "on"; - RUNTIME_PM_ON_BAT = "auto"; - - PCIE_ASPM_ON_AC = "default"; - PCIE_ASPM_ON_BAT = "powersupersave"; - - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - - WOL_DISABLE = "Y"; - # WIFI_PWR_ON_AC="on"; - # WIFI_PWR_ON_BAT = "on"; - DEVICES_TO_DISABLE_ON_STARTUP = "wwan"; - # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; - # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; - # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; - - SATA_LINKPWR_ON_AC = "max_performance"; - SATA_LINKPWR_ON_BAT = "min_power"; - }; - }; - - # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable - services.thinkfan = { - enable = false; - levels = [ - # ["level auto" 0 60] - [ - 0 - 0 - 60 - ] - [ - 1 - 60 - 65 - ] - [ - 1 - 65 - 75 - ] - [ - 2 - 75 - 78 
- ] - [ - 3 - 78 - 80 - ] - [ - 4 - 80 - 82 - ] - [ - 5 - 82 - 84 - ] - [ - 6 - 84 - 86 - ] - [ - 7 - 86 - 88 - ] - [ - "level full-speed" - 88 - 999 - ] - ]; - - extraArgs = [ - "-b-3" - "-s1" - ]; - }; - - hardware.enableRedistributableFirmware = true; - boot.initrd.kernelModules = [ +{...}: let + stage1Modules = [ "aesni_intel" "kvm_amd" "nvme" 
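Review bot: The rewritten header of steveej-t14/hw.nix no longer sets `hardware.enableRedistributableFirmware = true` and drops `hardware.opinionatedDisk.earlyDiskIdOverride`, with no replacement for either in this file, so unless one of the imported profiles sets them, firmware that only ships under that option is no longer installed and early boot looks for the NVMe id directly. If the USB-enclosure boot path is deliberately retired, a comment next to `hardware.opinionatedDisk` saying so would keep the next reader from re-adding it; if firmware is meant to come from a profile, a comment naming that profile would help. The `let` block opened here is closed in the second hunk of this file.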
@@ -132,12 +7,80 @@ _: { "thunderbolt" "e1000e" - - "usbcore" - "xhci_hcd" - "usbhid" - "usb_storage" - "xhci_pci" - "uas" ]; +in { + # TASK: new device + hardware.opinionatedDisk = { + enable = true; + encrypted = true; + diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; + }; + + # see https://linrunner.de/tlp/ + services.tlp = { + enable = true; + settings = { + # CPU_SCALING_GOVERNOR_ON_AC = "schedutil"; + CPU_SCALING_GOVERNOR_ON_BAT = "schedutil"; + + # CPU_ENERGY_PERF_POLICY_ON_AC="balance_power"; + CPU_ENERGY_PERF_POLICY_ON_BAT="power"; + + # SCHED_POWERSAVE_ON_AC="1"; + SCHED_POWERSAVE_ON_BAT="1"; + + CPU_BOOST_ON_AC="0"; + CPU_BOOST_ON_BAT="0"; + + # RADEON_DPM_PERF_LEVEL_ON_AC="auto"; + RADEON_DPM_PERF_LEVEL_ON_BAT="low"; + # RADEON_DPM_STATE_ON_AC="balanced"; + RADEON_DPM_STATE_ON_BAT="battery"; + + # SOUND_POWER_SAVE_ON_AC="1"; + SOUND_POWER_SAVE_ON_BAT="1"; + + # # PLATFORM_PROFILE_ON_AC="low-power"; + # # PLATFORM_PROFILE_ON_BAT="low-power"; + # PLATFORM_PROFILE_ON_AC="balanced"; + PLATFORM_PROFILE_ON_BAT="low-power"; + + # RUNTIME_PM_ON_AC = "auto"; + RUNTIME_PM_ON_BAT = "auto"; + + # PCIE_ASPM_ON_AC="default"; + PCIE_ASPM_ON_BAT="powersave"; + + START_CHARGE_THRESH_BAT0 = "75"; + STOP_CHARGE_THRESH_BAT0 = "80"; + + WOL_DISABLE="Y"; + # WIFI_PWR_ON_AC="on"; + WIFI_PWR_ON_BAT="on"; + DEVICES_TO_DISABLE_ON_STARTUP="wwan"; + # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; + # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; + # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; + }; + }; + + services.thinkfan = { + enable = true; + levels = [ + [0 0 55] + [1 55 65] + [1 65 75] + [2 75 78] + [3 78 80] + [4 80 82] + [5 82 84] + [6 84 86] + [7 86 88] + ["level full-speed" 88 999] + ]; + }; + + + # boot.initrd.availableKernelModules = stage1Modules; + boot.initrd.kernelModules = stage1Modules; } diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 4e53eaf..95dc2d4 100644 --- a/nix/os/devices/steveej-t14/pkg.nix 
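Review bot: The stage-1 module list no longer contains the USB stack (`usbcore`, `xhci_pci`, `xhci_hcd`, `usbhid`, `usb_storage`, `uas`) while `hardware.opinionatedDisk.encrypted = true` still implies a passphrase prompt in the initrd, so unlocking from a USB keyboard now depends on those modules being built in or pulled in elsewhere — worth confirming on the hardware before relying on this configuration for recovery. The list is bound through `boot.initrd.kernelModules`, which force-loads every entry, while the commented `# boot.initrd.availableKernelModules = stage1Modules;` would only make them available; choose one and delete the other line rather than leaving both. The TLP settings also mix `KEY="value"` and `KEY = "value"` spacing; the rest of this commit consistently uses the spaced form.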
+++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,9 +1,11 @@ -{ pkgs, ... }: { - system.stateVersion = "23.05"; - home-manager.users.root = _: { home.stateVersion = "22.05"; }; + pkgs, + lib, + repoFlake, + nodeFlake, + ... +}: { home-manager.users.steveej = _: { - home.stateVersion = "22.05"; imports = [ ../../../home-manager/configuration/graphical-fullblown.nix @@ -14,9 +16,11 @@ }) ]; - home.sessionVariables = { }; + home.sessionVariables = { + }; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; }; # TODO: fix the following errors with regreet 
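Review bot: The new side removes `home.stateVersion = "22.05";` from `home-manager.users.steveej` and drops the `home-manager.users.root` definition entirely, but no replacement `home.stateVersion` appears in this hunk. Home Manager requires that option for every configured user, so unless graphical-fullblown.nix sets it the evaluation fails; if it does set it, a short `# home.stateVersion is set by graphical-fullblown.nix` here saves the next reader the lookup. The `lib`, `repoFlake` and `nodeFlake` arguments added to the function header are unused within this hunk; the function continues past it.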
@@ -30,28 +34,26 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = - let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in - { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; - }; + services.greetd = let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; }; }; + }; environment.etc."greetd/environments".text = '' sway 
@@ -100,4 +102,42 @@ # # }; # # }; # }; + + security.pam.services.getty.enableGnomeKeyring = true; + services.gnome.gnome-keyring.enable = true; + + # rtkit is optional but recommended + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + # required by swaywm + security.polkit.enable = true; + security.pam.services.swaylock = {}; + + # test these on https://mozilla.github.io/webrtc-landing/gum_test.html + xdg.portal = { + enable = true; + # FIXME: `true` breaks xdg-open from alacritty: + # $ xdg-open "https://github.com/" + # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop + xdgOpenUsePortal = false; + extraPortals = [ + pkgs.xdg-desktop-portal-wlr + pkgs.xdg-desktop-portal-gtk + + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr + # (pkgs.xdg-desktop-portal-gtk.override (_: { + # buildPortalsInGnome = false; + # })) + ]; + }; + + system.stateVersion = "23.05"; } diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix new file mode 100644 index 0000000..a97d67d --- /dev/null +++ b/nix/os/devices/steveej-t14/secrets.nix @@ -0,0 +1,7 @@ +{config, ...}: { + sops.secrets.radicale_htpasswd = { + sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd; + format = "binary"; + owner = config.users.users.steveej.name; + }; +} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index db19a3b..c2cd584 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix 
@@ -2,11 +2,43 @@ pkgs, lib, config, + nodeName, repoFlake, ... -}: -let - localTcpPorts = [ +}: let + passwords = import ../../../variables/passwords.crypt.nix; +in { + nix.settings = { + substituters = [ + "https://holochain-ci.cachix.org" + "https://cache.holo.host/" + ]; + trusted-public-keys = [ + "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" + "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" + "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" + ]; + + extra-experimental-features = ["impure-derivations"]; + system-features = ["recursive-nix" "big-parallel"]; + }; + + networking.extraHosts = '' + ''; + + networking.bridges."virbr1".interfaces = []; + networking.interfaces."virbr1".ipv4.addresses = [ + { + address = "10.254.254.254"; + prefixLength = 24; + } + ]; + + networking.firewall.enable = true; + services.openssh.openFirewall = false; + + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."eth+".allowedTCPPorts = [ 22 # syncthing 
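Review bot: The new `nix.settings` block adds `https://holochain-ci.cachix.org` and `https://cache.holo.host/` as substituters together with three `trusted-public-keys`, which makes every build on this host accept binaries signed by those keys; that is a supply-chain trust decision and deserves a comment stating why these caches are trusted and where each key was verified against the operator's published value. Pairing each key with its cache in a comment (e.g. `# holochain-ci.cachix.org signing key, verified against the cachix cache page`) also makes a later key rotation reviewable. The `passwords` import added to the `let` is consumed further down this file for `time.timeZone`, which is fine, but sourcing a time zone from a file named for credentials is surprising enough to merit a note if deliberate.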
@@ -15,67 +47,11 @@ let # iperf3 5201 ]; - - localUdpPorts = [ + networking.firewall.interfaces."eth+".allowedUDPPorts = [ # syncthing 22000 21027 ]; -in -{ - nix.settings = { - substituters = [ ]; - trusted-public-keys = [ ]; - }; - - nix.distributedBuilds = true; - nix.buildMachines = [ - { - hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; - # TODO: make this a reference - sshUser = "nix-remote-builder"; - protocol = "ssh-ng"; - system = "x86_64-linux"; - maxJobs = 32; - speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; - } - - { - hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; - # TODO: make this a reference - sshUser = "nix-remote-builder"; - protocol = "ssh-ng"; - system = "aarch64-linux"; - maxJobs = 32; - speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; - } - ]; - - networking.networkmanager.enable = true; - - networking.extraHosts = ''''; - - networking.bridges."virbr1".interfaces = [ ]; - networking.interfaces."virbr1".ipv4.addresses = [ - { - address = "10.254.254.254"; - prefixLength = 24; - } - ]; - - # needed to make wireguard managed by networkmanager route all traffic through it - networking.firewall.checkReversePath = false; - - networking.firewall.enable = true; - services.openssh.openFirewall = false; - - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts; - networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts; - networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts; - networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts; networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; 
@@ -90,9 +66,7 @@ in # virtualization virtualisation = { - libvirtd = { - enable = true; - }; + libvirtd = {enable = true;}; virtualbox.host = { enable = false; @@ -110,11 +84,56 @@ in # client min protocol = NT1 ''; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + time.timeZone = lib.mkForce passwords.timeZone.stefan; hardware.ledger.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + services.zerotierone = { + enable = true; + joinNetworks = [ + # moved to the service below as it's now secret + ]; + }; + + systemd.services.zerotieroneSecretNetworks = { + enable = true; + requiredBy = ["zerotierone.service"]; + partOf = ["zerotierone.service"]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + + script = let + secret = config.sops.secrets.zerotieroneNetworks; + in '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} + + ${config.systemd.services.zerotierone.preStart} + + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; + }; + + sops.secrets.zerotieroneNetworks = { + sopsFile = ../../../../secrets/zerotierone.txt; + format = "binary"; + }; + + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index dacf1f4..ece9cec 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
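Review bot: In `systemd.services.zerotieroneSecretNetworks`, each line of the decrypted secret is used verbatim as a path component in `touch /var/lib/zerotier-one/networks.d/''${network}.conf` with no check that it is a ZeroTier network id, so a malformed or accidentally edited line (whitespace, a `/`, a trailing comment) creates stray files or breaks the loop, and `grep -v '#'` also discards any id line that merely contains a `#`. Network ids are 16 hex digits, so validating before the `touch` keeps the script robust: `echo "$network" | grep -Eqx '[0-9a-fA-F]{16}' || { echo "skipping invalid network id" >&2; continue; }`, followed by a quoted `touch "/var/lib/zerotier-one/networks.d/$network.conf"`. The `rm -rf …/networks.d/*.conf` before the loop means a bad secret file leaves the node joined to no networks at all; a comment stating that fail-closed behaviour is intended would help the next reader.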
@@ -1,16 +1,19 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { - users.users.steveej2 = mkUser { + config, + pkgs, + lib, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { + users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + passwordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = [ "steveej" ]; + nix.settings.trusted-users = ["steveej"]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 76a34c8..06cc7d1 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,11 +1,13 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: -let - passwords = import ../common/passwords.crypt.nix; -in { + config, + pkgs, + ... +}: let + passwords = import ../common/passwords.crypt.nix; +in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; 
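Review bot: `passwordFile = config.sops.secrets.sharedUsers-steveej.path;` reads as if the file held a plaintext password, while NixOS treats `users.users.<name>.passwordFile` as a file containing the already-hashed password (the option the old side used, `hashedPasswordFile`, is its later name); a comment such as `# file holds the crypt-format hash, not a plaintext password` prevents someone from storing a plaintext secret there. `users.extraUsers` is the legacy alias of `users.users`, and the `lib` argument added to the header is unused in this hunk. The function body continues past the hunk.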
@@ -17,18 +19,22 @@ in ''; nixpkgs.config = { - packageOverrides = super: { + packageOverrides = super: let + self = super.pkgs; + in { linux_4_1 = super.linux_4_1.override { - kernelPatches = super.linux_4_1.kernelPatches ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } - ]; + kernelPatches = + super.linux_4_1.kernelPatches + ++ [ + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } + ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' BTRFS_FS y @@ -273,10 +279,7 @@ in uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = [ - "wheel" - "libvirtd" - ]; + extraGroups = ["wheel" "libvirtd"]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index 1d3e463..a325b30 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,13 +1,17 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ ... }: { - imports = [ ]; + config, + lib, + pkgs, + ... +}: { + imports = []; - boot.initrd.availableKernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; hardware.enableAllFirmware = true; 
@@ -20,5 +24,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = [ ]; + swapDevices = []; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix deleted file mode 100644 index 39e93de..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ /dev/null 
@@ -1,176 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - }; - - systemd.services.bluetooth-mac = { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? - ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - 
pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - home.sessionVariables = { }; - - home.packages = with pkgs; [ ]; - - # TODO: currently unsupported - services.gammastep.enable = lib.mkForce false; - # programs.chromium.enable = lib.mkForce false; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; - - initrd.kernelModules = [ - "uas" - "usb_storage" - - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_combo" - "phy_qcom_snps_femto_v2" - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_usb" - "xhci-pci-renesas" - - "msm" - ]; - - initrd.extraFiles = { - "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; - }; - }; - - hardware.firmware = [ - pkgs.linux-firmware - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware" - ]; - - hardware.enableAllFirmware = true; - - # see 
https://linrunner.de/tlp/ - services.tlp = { - enable = true; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - virtualisation.podman.enable = true; - virtualisation.podman.dockerCompat = true; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix deleted file mode 100644 index 2ba48d2..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix deleted file mode 100644 index 2eb097a..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - disko.devices = { - disk = { - voyager-gtx = { - type = "disk"; - device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock deleted file mode 100644 index dcc457f..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705890365, - "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", - "owner": "nix-community", - "repo": "disko", - "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", - "owner": "ursi", - "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705659542, - "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.11", - "repo": "home-manager", - "type": "github" - } - }, - "mobile-nixos": { - "flake": false, - "locked": { - "lastModified": 1705008488, - "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", - "owner": "NixOS", - "repo": "mobile-nixos", - "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "mobile-nixos", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts", - 
"nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1706097550, - "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", - "ref": "refs/heads/main", - "rev": "732a0f1549996740bdb06989599a5f0653de5056", - "revCount": 6, - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1706022028, - "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "15ff1758e7816331033baa14eebbea68626128f3", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - "home-manager": 
"home-manager", - "mobile-nixos": "mobile-nixos", - "nixos-x13s": "nixos-x13s", - "nixpkgs": "nixpkgs", - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-unstable-small": "nixpkgs-unstable-small" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix deleted file mode 100644 index 043907d..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - - # required for home-manager modules - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; - - home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = - { - nodeName, - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; - - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = extraModules; - } - ); - }; - - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix - - { users.commonUsers.installPassword = "install"; } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/steveej-x13s/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result 
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix
deleted file mode 100644
index d5c9475..0000000
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ /dev/null
@@ -1,287 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - kernel = "jhovold"; - }; - - services.illum.enable = true; - - # printint and autodiscovery of printers - services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - hardware.sane.enable = true; # enables support for SANE scanners - - systemd.services.bluetooth-x13s-mac = lib.mkForce { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? 
- ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../profiles/common/user.nix - - ../../snippets/nix-settings.nix - ../../snippets/nix-settings-holo-chain.nix - ../../snippets/mycelium.nix - - nodeFlake.inputs.extra-container.nixosModules.default - { - networking.nat = { - enable = true; - internalInterfaces = ["ve-+"]; - # externalInterface = "enu1u1u2"; - # Lazy IPv6 connectivity for the container - # enableIPv6 = true; - }; - } - - # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv - # make: *** [Makefile:53: v4l2loopback.ko] Error 2 - # ../../snippets/obs-studio.nix - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - - sops.secrets.builder-private-key = { }; - nix.distributedBuilds = true; - nix.buildMachines = [ - # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' - { - hostName = "buildbot-nix-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ "x86_64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 16; - } - - { - hostName = "aarch64-linux-builder-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - 
protocol = "ssh-ng"; - systems = [ "aarch64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 8; - } - - { - hostName = "x64-linux-dev-01.dev.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ - # "x86_64-linux" - "aarch64-linux" - ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 0; - } - ]; - } - - { - # yubikey / smartcard. only set to `true` for `ykman piv` commands. - services.pcscd.enable = false; - } - - # TODO: create syncthing os snippet - ( - let - tcp = [ 22000 ]; - udp = [ - 22000 - 21027 - ]; - in - { - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - } - ) - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - - ../../snippets/holo-zerotier.nix - - # ../../snippets/k3s-w-nix-snapshotter.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - home.sessionVariables = { }; - - home.packages = with 
pkgs; [ ]; - - # TODO(upstream): currently unsupported on x13s - services.gammastep.enable = true; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.configurationLimit = 5; - - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ - "wwan" - # "qcom_soundwire" - # "snd_soc_qcom_sdw" - # "snd_soc_sc8280xp" - ]; - }; - - # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' - hardware.firmware = lib.mkBefore [ - (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - '') - ]; - - # see https://linrunner.de/tlp/ - # TODO: find an equivalent to tlp that supports this machine - services.tlp = { - enable = false; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - hardware.ledger.enable = true; - - virtualisation.containers.enable = true; - virtualisation.podman.enable = true; - - steveej.holo-zerotier = { - enable = true; - autostart = false; - }; - - services.udev.packages = [ pkgs.android-udev-rules ]; - programs.adb.enable = true; - - nix.settings.sandbox = lib.mkForce "relaxed"; - - systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = "${pkgs.libcamera}/libexec/libcamera"; -} 
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix deleted file mode 100644 index bb170b2..0000000 --- a/nix/os/devices/steveej-x13s/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ ./configuration.nix ]; - }; -} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix deleted file mode 100644 index 40b2118..0000000 --- a/nix/os/devices/steveej-x13s/disko.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - disko.devices = { - disk = { - x13s-nvme = { - type = "disk"; - device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; - # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock deleted file mode 100644 index 8ee318a..0000000 --- a/nix/os/devices/steveej-x13s/flake.lock +++ /dev/null 
@@ -1,466 +0,0 @@ -{ - "nodes": { - "ath11k-firmware": { - "flake": false, - "locked": { - "lastModified": 1741293326, - "narHash": "sha256-Ew0d2h1pHqJB8SC0pEYezU5lMknvlcYazVVYCtjW3OY=", - "ref": "refs/heads/main", - "rev": "bc6359cb7ad38b7bc4de6580b7a3c70851c0cafb", - "revCount": 173, - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - }, - "original": { - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - } - }, - "crane": { - "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745812220, - "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", - "owner": "nix-community", - "repo": "disko", - "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "extra-container": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1734542275, - "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", - "owner": "erikarvstedt", - "repo": "extra-container", - "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", - "type": "github" - }, - "original": { - "owner": "erikarvstedt", - "repo": "extra-container", - "type": "github" - } - }, - "flake-compat": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - 
"flake-compat_2": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "revCount": 69, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": 
"numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "get-flake": { - "inputs": { - "flake-compat": "flake-compat" - }, - "locked": { - "lastModified": 1745945175, - "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", - "owner": "ursi", - "repo": "get-flake", - "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1737233786, - "narHash": "sha256-WO6owkCecetn7bbu/ofy8aftO3rPCHUeq5GlVLsfS4M=", - "owner": "steveej-forks", - "repo": "home-manager", - "rev": "40ecdf4fc8bb698b8cbdb2ddb0ed5b1868e43c1a", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "master", - "repo": "home-manager", - "type": "github" - } - }, - "linux-jhovold": { - "flake": false, - "locked": { - "lastModified": 1745847827, - "narHash": "sha256-ewM7Rpd6On6ys3OkcWOtR7TNWSRZRLZpRP7L9syhn6s=", - "owner": "jhovold", - "repo": "linux", - "rev": "1786db28b335abb5a0fa1e8a27e9950a73f64acf", - "type": "github" - }, - "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-6.15-rc4", - "repo": "linux", - "type": "github" - } - }, - "mycelium": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nix-filter": "nix-filter", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745920427, - "narHash": "sha256-E5uUuKv7Mn0/EfmffRQZpSeATcSzJFVeYVF6Cn7KbJc=", - "owner": "threefoldtech", - "repo": "mycelium", - "rev": 
"1eec5651bf5f194b7f7875ec2483582ccebf1cc1", - "type": "github" - }, - "original": { - "owner": "threefoldtech", - "repo": "mycelium", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat_3", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1717948701, - "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "rev": "c10b066a4b1bb3451507c141636014e3335e579e", - "type": "github" - }, - "original": { - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts_2", - "linux-jhovold": "linux-jhovold", - "nixpkgs": [ - "nixpkgs" - ], - "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" - }, - "locked": { - "lastModified": 1745914252, - "narHash": "sha256-u8hbsI+oW+cO+omdGeY6Q+Z/NvVZaHIZS70f1mq1gac=", - "ref": "bump", - "rev": "8bd7972c74b12b45aee190ce2ddd6960a0771af6", - "revCount": 147, - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - }, - "original": { - "ref": "bump", - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, 
- "nixpkgs-stable": { - "locked": { - "lastModified": 1746055187, - "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1745930157, - "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "ath11k-firmware": "ath11k-firmware", - "disko": "disko", - "extra-container": "extra-container", - "get-flake": "get-flake", - "home-manager": "home-manager", - "mycelium": "mycelium", - "nix-snapshotter": "nix-snapshotter", - "nixos-x13s": "nixos-x13s", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nixpkgs-unstable": "nixpkgs-unstable", - "signal-desktop": "signal-desktop" - } - }, - "signal-desktop": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745037528, - "narHash": "sha256-twzHVBNEX6daUCFwtjn3X7WaJnwRqHeAxX0MB7kosHo=", - "owner": "youwen5", - "repo": "signal-desktop-flake", - "rev": "1b41af6489574da6ba1e0186235c87acbf57163f", - "type": "github" - }, - "original": { - "owner": "youwen5", - "repo": "signal-desktop-flake", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - 
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "x13s-bt-linux-firmware": { - "flake": false, - "locked": { - "lastModified": 1733240564, - "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", - "ref": "refs/heads/main", - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "revCount": 4282, - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - }, - "original": { - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix deleted file mode 100644 index ffd00f9..0000000 --- a/nix/os/devices/steveej-x13s/flake.nix +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - inputs = { - nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - home-manager = { - url = "github:steveej-forks/home-manager/master"; - # url = "github:nix-community/home-manager/master"; - # url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.13-rc2 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; - # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; - # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - - ath11k-firmware = { - url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; - flake = false; - }; - - mycelium.url = "github:threefoldtech/mycelium"; - mycelium.inputs.nixpkgs.follows = "nixpkgs"; - - nix-snapshotter = { - url = "github:yu-re-ka/nix-snapshotter"; - # url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - extra-container = { - url = "github:erikarvstedt/extra-container"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - signal-desktop = { - url = 
"github:youwen5/signal-desktop-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; - - repoFlake = get-flake ../../../..; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; - - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = [ - ./configuration.nix - - # flake registry - { nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; - }; - - overlays.default = - _final: _previous: - { - }; - - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix 
@@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index 958331e..db025f1 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{ repoFlake, ... }: -let +{repoFlake, ...}: let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index 0547466..d432f24 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index 392bb1b..e09b10e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -12,8 +11,7 @@ let "virtio" "scsi_mod" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 2857a30..96cfc55 100644 
--- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,5 +1,9 @@ -{ config, pkgs, ... }: { + config, + pkgs, + lib, + ... +}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -8,12 +12,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; @@ -23,7 +22,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = [ ]; + buildMachinesFiles = []; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -31,13 +30,7 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [ - bash - gitlab-runner - nix - gitFull - git-crypt - ]; + extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; concurrent = 2; checkInterval = 0; @@ -46,7 +39,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = [ "nix" ]; + tagList = ["nix"]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index cebed6a..45c6b0c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix 
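Review bot: `lib` is added to this module's argument set, but none of the hunks shown for pkg.nix reference it; unless the unshown remainder of the file uses it, drop it and keep the signature `{ config, pkgs, ... }:`. The same pattern recurs across this series: `lib` and `nodeName` added in vmd102066.contaboserver.net/system.nix, `config` in natrouter.nix and profiles/common/system.nix, `lib` in graphical/boot.nix and graphical/system.nix, `pkgs` in graphical/configuration.nix, and `config`/`lib`/`pkgs` together with an empty `let in` in removable-medium/system.nix. ddclient-hetzner.nix and ddclient-ovh.nix additionally bind `cfg = config.services.…` that nothing in those modules reads. Unused module arguments do not break evaluation, but they hide what each module really depends on, and a `let in` with no bindings is dead syntax. The rest of pkg.nix lies outside the hunks shown.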
@@ -1,9 +1,13 @@ -{ pkgs, config, ... }: -let +{ + pkgs, + lib, + config, + nodeName, + ... +}: let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -33,7 +37,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; @@ -41,9 +45,7 @@ in # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -51,7 +53,7 @@ in systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [ pkgs.systemd ]; + path = [pkgs.systemd]; script = '' systemctl status sshd | grep -i tasks ''; @@ -71,13 +73,11 @@ in # }; # }; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; boot.initrd.network = { enable = true; - udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; + udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; ssh = { enable = true; @@ -104,12 +104,7 @@ in inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = [ - "mailserver" - "webserver" - "backup" - "syncthing" - ]; + subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index b4f4dcc..5ed886d 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
@@ -1,43 +1,35 @@ -{ lib, config }: -let - keys = import ../../variables/keys.nix; -in { - mkUser = - args: - lib.mkMerge [ - { - isNormalUser = true; - extraGroups = [ - "docker" - "podman" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - "fuse" - "adbusers" - "scanner" - "lp" - "kvm" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + lib, + config, +}: let + keys = import ../../variables/keys.nix; +in { + mkUser = args: ( + lib.attrsets.recursiveUpdate { + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args - ]; + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args + ); disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars @@ -45,7 +37,7 @@ in # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; + volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; 
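Review bot: `mkUser` hard-codes `openssh.authorizedKeys.keys = keys.users.steveej.openssh` into every account it builds, so any further user created through this helper silently inherits steveej's SSH access; either take the key list from `args` or say so on the helper, e.g. `# every account built here accepts steveej's SSH keys; pass openssh.authorizedKeys.keys in args to override`. Note also that `lib.attrsets.recursiveUpdate` replaces list-valued attributes rather than concatenating them, so a caller passing `extraGroups` drops the whole default group list; if extending is the intent, merge explicitly, e.g. `extraGroups = defaultGroups ++ (args.extraGroups or []);`. `config` is still accepted by this file but is only referenced from the commented-out `keyFiles` block.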
@@ -56,10 +48,15 @@ in # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; + lvmPv = diskId: encrypted: + if encrypted == true + then luksPhysicalVolume diskId + else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 622ae62..893620a 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix @@ -1,9 +1,14 @@ -{ lib, ... }: { + lib, + config, + ... +}: let + cfg = config.services.ddclient-hetzner; +in { options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption { type = types.str; }; - domains = mkOption { type = types.listOf types.str; }; - passwordFile = mkOption { type = types.path; }; + zone = mkOption {type = types.str;}; + domains = mkOption {type = types.listOf types.str;}; + passwordFile = mkOption {type = types.path;}; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 150d688..9b0321d 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
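Review bot: `if encrypted == true` compares a boolean against a literal; `if encrypted` says the same and is the idiomatic Nix form. More importantly, the `else` branch of `lvmPv` returns `bootLuksDevice diskId` for the unencrypted case, i.e. the raw partition that the name calls a LUKS device — the behaviour is pre-existing, but a comment such as `# unencrypted: the would-be LUKS partition is used directly as the LVM PV` would stop the next reader from taking it for a bug.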
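Review bot: `passwordFile = mkOption {type = types.path;}` accepts a path literal, and a path literal such as `./token` is copied into the world-readable Nix store at evaluation time, which defeats keeping the credential out of the configuration. If the value is meant to be a runtime path (a sops-nix secret path, for example), declare it as `types.str`, or keep `types.path` and document the constraint, e.g. `# must be a string naming a runtime-only file; a path literal would be copied into /nix/store`. The same consideration applies to `domains`/`zone` only insofar as they are not secrets, so they are fine as declared.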
@@ -1,7 +1,12 @@ -{ lib, ... }: { + lib, + config, + ... +}: let + cfg = config.services.ddclientovh; +in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption { type = types.str; }; + domain = mkOption {type = types.str;}; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index 4ca89cf..e517d62 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,8 +4,7 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -26,8 +25,7 @@ let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in -{ +in { options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -48,7 +46,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = [ ]; + default = []; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -76,9 +74,9 @@ in }; config = mkIf cfg.enable { - warnings = [ "Enabled SSH for stage1" ]; + warnings = ["Enabled SSH for stage1"]; - boot.initrd.kernelModules = [ "af_packet" ]; + boot.initrd.kernelModules = ["af_packet"]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index d853c28..62af2a8 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,6 +1,9 @@ -{ lib, ... }: -with lib; { + lib, + config, + ... +}: +with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index db2bbbf..758c50e 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix 
@@ -4,26 +4,17 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix { }; - - earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; -in -{ + ownLib = pkgs.callPackage ../lib/default.nix {}; +in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption { type = types.str; }; + diskId = mkOption {type = types.str;}; encrypted = mkOption { default = true; type = types.bool; }; - - earlyDiskIdOverride = mkOption { - default = ""; - type = types.str; - }; }; config = lib.mkIf cfg.enable { @@ -35,39 +26,38 @@ in fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=nixos" ]; + options = ["subvol=nixos"]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=home" ]; + options = ["subvol=home"]; }; - swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; + swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; boot.loader.grub = { - device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); + device = ownLib.disk.bootGrubDevice cfg.diskId; enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( - builtins.listToAttrs [ + boot.initrd.luks.devices = + lib.optionalAttrs cfg.encrypted + (builtins.listToAttrs [ { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = let + splitstring = + builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; - preLVM = true; allowDiscards = true; }; } - ] - ); + ]); }; } 
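Review bot: The LUKS entry keeps `allowDiscards = true` without saying why; passing TRIM through the encrypted volume reveals which blocks are unused to anyone holding the disk, a trade-off that deserves a one-line comment such as `# TRIM is deliberately passed through to the SSD; this exposes free-space layout through the encryption layer`. Dropping `preLVM = true` should be a no-op, since as far as I recall the NixOS option defaults to true — worth confirming against the pinned nixpkgs. The `let splitstring … lastelem … in builtins.elemAt splitstring lastelem` block can be replaced by `name = baseNameOf (ownLib.disk.bootLuksDevice cfg.diskId);`, which yields the same final path component for these `/dev/...` paths.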
diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix new file mode 100644 index 0000000..21fa70c --- /dev/null +++ b/nix/os/profiles/common/boot.nix @@ -0,0 +1,15 @@ +{pkgs, ...}: { + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; +} diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 61b4cb8..d68a694 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -3,38 +3,15 @@ pkgs, repoFlake, ... -}: -{ +}: { imports = [ - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../snippets/home-manager-with-zsh.nix - + ./boot.nix + ./pkg.nix ./system.nix ./hw.nix + ./user.nix + + repoFlake.inputs.sops-nix.nixosModules.sops ]; - - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 4d6eb74..80bdc31 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix 
@@ -1,12 +1,5 @@ -_: { +{...}: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "cryptd" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix new file mode 100644 index 0000000..7cd1dfb --- /dev/null +++ b/nix/os/profiles/common/pkg.nix @@ -0,0 +1,37 @@ +{ + config, + pkgs, + # these come in via nodeSpecialArgs and are expected to be defined for every node + repoFlake, + repoFlakeInputs', + nodeFlake, + packages', + ... +}: { + imports = [ + ]; + + nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + home-manager.useGlobalPkgs = false; + home-manager.useUserPackages = true; + home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix; + + # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager + # home-manager.extraSpecialArgs = specialArgs; + # hence, opt for passing the arguments selectively instead + home-manager.extraSpecialArgs = { + inherit + repoFlake + repoFlakeInputs' + packages' + nodeFlake + ; + + osConfig = config; + }; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + }; +} diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index edf8717..388a07b 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix 
@@ -1,8 +1,20 @@ -{ pkgs, nodeName, ... }: { + config, + pkgs, + lib, + nodeName, + ... +}: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; + nix.daemonCPUSchedPolicy = "idle"; + nix.daemonIOSchedClass = "idle"; + nix.settings.max-jobs = lib.mkDefault "auto"; + nix.settings.cores = lib.mkDefault 0; + nix.settings.sandbox = true; + nix.nixPath = ["nixpkgs=${pkgs.path}"]; + environment.etc."lvm/lvm.conf".text = '' devices { issue_discards = 1 @@ -10,13 +22,11 @@ ''; # Fonts, I18N, Date ... - fonts.packages = [ pkgs.corefonts ]; + fonts.fonts = [pkgs.corefonts]; console.font = "lat9w-16"; - i18n = { - defaultLocale = "en_US.UTF-8"; - }; + i18n = {defaultLocale = "en_US.UTF-8";}; time.timeZone = "Etc/UTC"; services.gpm.enable = true; @@ -40,12 +50,15 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; - # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; + + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = ["/share/zsh"]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 6c799c9..b21cd4e 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -3,8 +3,7 @@ pkgs, lib, ... -}: -let +}: let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -17,8 +16,7 @@ let inherit (lib) types; cfg = config.users.commonUsers; -in -{ +in { options.users.commonUsers = { enable = lib.mkOption { default = true; 
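Review bot: `fonts.fonts = [pkgs.corefonts]` uses the pre-23.11 option name; NixOS renamed it to `fonts.packages` (the removed line used that name), so on a 23.11-or-newer nixpkgs this evaluates only through the renamed-option alias with a warning, and fails outright once the alias is dropped. Use `fonts.packages = [pkgs.corefonts];`. The same old-name problem applies to the user.nix hunk at -34,60: `passwordFile = cfg.rootPasswordFile` and the `passwordFile` passed to `mkUser` were renamed to `hashedPasswordFile` in the same release (again the name the removed lines used), and `users.extraUsers` is a legacy alias of `users.users`. Keeping the current names avoids a silent break the next time the nixpkgs pin moves.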
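Review bot: The activation script still hard-codes `ld-linux-x86-64.so.2`, and this hunk drops the `# TODO: adapt this to be arch agnostic` reminder without fixing it; on a non-x86_64 host `ln -sfT` happily creates a dangling `/lib64/ld-linux-x86-64.so.2` because `${pkgs.glibc}/lib/` has no such file there. Since `lib` is now among this module's arguments, gate the script on the host platform: `system.activationScripts.lib64 = lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''` … `'';`. If the script is meant to stay x86_64-only, at least keep the TODO or replace it with `# x86_64 only: provides the legacy /lib64 loader path for foreign binaries`.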
@@ -34,60 +32,41 @@ in default = config.sops.secrets.sharedUsers-root.path; type = types.path; }; - - # TODO: test if this works - installPassword = lib.mkOption { - default = ""; - type = types.str; - }; }; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf (cfg.installPassword == "") { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; - { - users.mutableUsers = cfg.installPassword != ""; + users.mutableUsers = lib.mkForce false; - users.users.root = lib.mkMerge [ - { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } + users.extraUsers.root = { + passwordFile = cfg.rootPasswordFile; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + }; - (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) - ]; - - users.users.steveej = lib.mkIf cfg.enableNonRoot ( - mkUser 
( - lib.mkMerge [ - { uid = 1000; } - - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - - (lib.mkIf (cfg.installPassword == "") { - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; - }) - ] - ) - ); - } - ] - ); + users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser { + uid = 1000; + passwordFile = config.sops.secrets.sharedUsers-steveej.path; + }); + }; } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 40fd3f4..edf3974 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,27 +1,19 @@ -{ - hostAddress, - pkgs, - lib, - ... -}: -{ +{...}: { networking.useHostResolvConf = false; - networking.firewall.enable = true; - networking.nftables.enable = true; - networking.nftables.flushRuleset = true; + networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; - networking.nameservers = lib.mkForce [ hostAddress ]; - - environment.systemPackages = [ pkgs.dnsutils ]; + services.resolved = { + enable = true; + dnssec = "true"; + domains = ["~."]; + fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + extraConfig = '' + DNSOverTLS=yes + ''; + }; imports = [ - { - # keep DNS set up to a minimum: only query the container host - services.resolved.enable = lib.mkForce false; - networking.nameservers = [ hostAddress ]; - } - ../../snippets/nix-settings.nix # ../../modules/ddclient-ovh.nix # ../../modules/ddclient-hetzner.nix ]; diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index a13dd07..8cf3c58 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { services.xserver = { enable = true; libinput.enable = true; 
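Review bot: `fallbackDns` repeats the two servers already given in `networking.nameservers`; systemd-resolved consults FallbackDNS only when no other server is known, so the duplicate adds no redundancy — either drop it or list a different resolver there. `dnssec = "true"` together with `DNSOverTLS=yes` is strict mode, which fails resolution rather than degrading to plaintext when the upstream cannot validate or speak TLS; that is a sound choice for a container but should be stated, e.g. `# strict DoT + DNSSEC: fail closed instead of falling back to plaintext DNS`. With `{...}:` the module no longer takes `hostAddress`, so containers resolve through public resolvers directly; if the host applied DNS filtering or logging for them, that visibility is gone.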
@@ -33,6 +36,7 @@ }; }; + # gnome, most of it is disabled and ideally it could live entirely in the user's home config programs.gpaste.enable = false; programs.gnome-terminal.enable = false; @@ -95,11 +99,8 @@ support32Bit = true; }; - services.dbus.packages = with pkgs; [ dconf ]; + services.dbus.packages = with pkgs; [dconf]; # More Services - environment.systemPackages = [ - pkgs.gnome.adwaita-icon-theme - pkgs.gnomeExtensions.appindicator - ]; + environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator]; } diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 4bf6ca4..f6d9452 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,4 +1 @@ -{ config, ... }: -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; -} +{lib, ...}: {} diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index 477a93d..b9cf53e 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,8 +1,3 @@ -{ ... }: -{ - imports = [ - ./boot.nix - ./system.nix - ./hw.nix - ]; +{pkgs, ...}: { + imports = [./boot.nix ./system.nix ./hw.nix]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 821f5bf..abb1e68 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1 +1,3 @@ -_: { hardware.enableAllFirmware = true; } +{...}: { + hardware.enableAllFirmware = true; +} diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 42eccfb..2e125c0 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,7 +1,8 @@ -{ pkgs, ... }: { - imports = [ ../../snippets/bluetooth.nix ]; - + pkgs, + lib, + ... +}: { networking.networkmanager = { enable = true; dns = "systemd-resolved"; 
@@ -17,15 +18,17 @@ services.resolved.enable = true; + # hardware related services + services.illum.enable = true; services.pcscd.enable = true; hardware.opengl.enable = true; + hardware.bluetooth.enable = true; + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [blueman]; + services.blueman.enable = true; - services.udev.packages = [ - pkgs.libu2f-host - pkgs.yubikey-personalization - pkgs.android-udev-rules - ]; + services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -40,21 +43,15 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel" ''; - # services.samba.enable = true; - # services.samba.extraConfig = '' - # client max protocol = SMB3 - # # client min protocol = SMB2_10 - # # client min protocol = NT1 - # # ntlm auth = yes - # ''; + services.samba.enable = true; + services.samba.extraConfig = '' + client max protocol = SMB3 + ''; services.logind.lidSwitchExternalPower = "ignore"; services.printing = { enable = true; - drivers = with pkgs; [ - mfcl3770cdwlpr - mfcl3770cdwcupswrapper - ]; + drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index 099a8aa..bcd3c66 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a32f3f6..394aece 100644 
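Review bot: `services.samba.enable = true` starts the Samba server daemons on every machine using this graphical profile, yet the only setting supplied is `client max protocol = SMB3`, a client-side option; if the goal is just an smb.conf for smbclient or CIFS mounts, the server does not need to run and the setting can be written via `environment.etc."samba/smb.conf".text` instead. If serving shares is intended, keep `services.samba.openFirewall` at its default of false (the hunk does not set it) and add a comment naming the purpose, e.g. `# smbd/nmbd run for local shares only; firewall stays closed`. As written the hunk defines no `shares`, so the daemons run with an empty share list.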
--- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix @@ -5,26 +5,25 @@ pkgs, lib, ... -}: -let +}: let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -62,8 +61,7 @@ let nixos-install reboot ''; -in -{ +in { imports = [ @@ -72,11 +70,13 @@ in # ]; - isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = + lib.mkForce + "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = [ ]; + environment.systemPackages = []; users.users.root = { openssh.authorizedKeys.keys = [ 
@@ -85,18 +85,18 @@ in }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; + systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; [ ]; + path = with pkgs; []; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; + wantedBy = ["multi-user.target"]; + after = ["multi-user.target"]; + requires = ["network-online.target"]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 17a1dba..e0938bd 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,6 +1,5 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index ad7def0..95ca049 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../modules/opinionatedDisk.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 0f7cbec..17c16b0 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index d27081f..5a54115 100644 --- a/nix/os/profiles/removable-medium/pkg.nix 
+++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 243edf7..10a18ef 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -1,9 +1,11 @@ -_: { - services.illum.enable = true; - - services.printing = { - enable = false; - }; +{ + config, + lib, + pkgs, + ... +}: let +in { + services.printing = {enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix deleted file mode 100644 index 090217e..0000000 --- a/nix/os/snippets/bluetooth.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ blueman ]; - hardware.bluetooth.enable = true; - services.blueman.enable = true; -} diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix deleted file mode 100644 index 4371b78..0000000 --- a/nix/os/snippets/holo-zerotier.nix +++ /dev/null 
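Review bot: The new module header `{ config, lib, pkgs, ... }: let in {` in removable-medium/system.nix introduces three named arguments and an empty `let` binding that nothing in the hunk uses; the old `_:` form was accurate and the replacement reads as a leftover from a template. Unless the rest of the file (which continues past this hunk) references them, `{...}: {` as used by the neighbouring hw.nix/configuration.nix hunks keeps the profiles consistent. Also note that `services.illum.enable = true;` is removed here; it appears to be re-added in a different profile earlier in this diff, so a removable medium booted on a laptop loses backlight-key handling unless that is intended.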
@@ -1,53 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.steveej.holo-zerotier; -in -{ - options.steveej.holo-zerotier = { - enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption { default = false; }; - }; - - config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; - - services.zerotierone = { - inherit (cfg) enable; - joinNetworks = [ - # moved to the service below as it's now secret - ]; - }; - - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); - - systemd.services.zerotieroneSecretNetworks = { - inherit (cfg) enable; - requiredBy = [ "zerotierone.service" ]; - partOf = [ "zerotierone.service" ]; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - - script = - let - secret = config.sops.secrets.zerotieroneNetworks; - in - '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - ${config.systemd.services.zerotierone.preStart} - - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; - }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../secrets/work-holo/zerotierone.txt; - format = "binary"; - }; - }; -} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix deleted file mode 100644 index 47ddd8a..0000000 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - nodeFlake, - repoFlake, - repoFlakeInputs', - packages', - pkgs, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; - commonHomeImports = [ - ../../home-manager/profiles/common.nix - ../../home-manager/programs/neovim.nix - ../../home-manager/programs/zsh.nix - ]; -in -{ - imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - }; - - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - - home-manager.users.root = _: { imports = commonHomeImports; }; - - home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; -} diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix deleted file mode 100644 index 1774650..0000000 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -# experiment with k3s, nix-snapshotter, and nixos images -{ - nodeFlake, - pkgs, - lib, - system, - config, - ... -}: -let - cfg = config.steveej.k3s; - -in -# TODO: make this configurable -{ - options.steveej.k3s = { - enable = lib.mkOption { - description = "steveej's k3s distro"; - type = lib.types.bool; - default = true; - }; - }; - - # (1) Import nixos module. - imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; - - config = lib.mkIf cfg.enable { - # (2) Add overlay. - nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; - - # (3) Enable service. - virtualisation.containerd = { - enable = true; - nixSnapshotterIntegration = true; - - # TODO: understand if this has an influence on the systemd LoadCredential issue - # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; - }; - services.nix-snapshotter = { - enable = true; - }; - - # (4) Add a containerd CLI like nerdctl. - environment.systemPackages = [ - pkgs.nerdctl - nodeFlake.inputs.nix-snapshotter.packages.${system}.default - ]; - - services.k3s = { - enable = false; - setKubeConfig = true; - }; - - # home-manager.users."${homeUser}" = _: { - # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; - # }; - }; -} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix deleted file mode 100644 index 990477e..0000000 --- a/nix/os/snippets/mycelium.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - repoFlake, - nodeName, - config, - lib, - ... -}: -let - cfg.autostart = false; -in -{ - imports = [ ]; - - sops.secrets.mycelium-key = { - format = "binary"; - sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; - }; - - services.mycelium = { - enable = true; - # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; - keyFile = config.sops.secrets.mycelium-key.path; - addHostedPublicNodes = true; - peers = [ ]; - - # tunName = "mycelium-pub"; - - extraArgs = [ ]; - }; - - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); -} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix deleted file mode 100644 index b660f1c..0000000 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ /dev/null @@ -1,16 +0,0 @@ -_: { - nix.settings = { - substituters = [ - "https://holochain-ci.cachix.org" - "https://holochain-ci-internal.cachix.org" - # "https://cache.holo.host/" - ]; - - trusted-public-keys = [ - "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" - "holochain-ci-internal.cachix.org-1:QvVsSrTiearCjrLTVtNtJOdQCDTseXh7UXUuSMx46NE=" - "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" - "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" - ]; - }; -} diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix deleted file mode 100644 index 6340977..0000000 --- a/nix/os/snippets/nix-settings.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - nodeFlake, - pkgs, - lib, - ... -}: -let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; -in -{ - nix.daemonCPUSchedPolicy = "idle"; - nix.daemonIOSchedClass = "idle"; - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - nix.settings.sandbox = true; - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "recursive-nix" - ]; - - nix.settings.system-features = [ - "recursive-nix" - "big-parallel" - "kvm" - "nixos-test" - ]; - - # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - nix.registry.nixpkgs.to = { - type = "path"; - path = nodeFlake.inputs.nixpkgs.outPath; - inherit (nodeFlake.inputs.nixpkgs) narHash; - }; - - nix.package = pkgsUnstable.nixVersions.latest; -} diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix deleted file mode 100644 index 8a99fcb..0000000 --- a/nix/os/snippets/obs-studio.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; - - # Activate kernel modules (choose from built-ins and extra ones) - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 - ''; - - security.polkit.enable = true; - - home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; -} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix deleted file mode 100644 index 709b601..0000000 
--- a/nix/os/snippets/radicale.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - config, - pkgs, - repoFlakeInputs', - ... -}: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../secrets/desktop/radicale_htpasswd; - format = "binary"; - owner = config.users.users."${homeUser}".name; - }; - - home-manager.users.${homeUser} = _: { - imports = [ - # TODO: bump these to latest and make it work - ( - args: - import ../../home-manager/programs/radicale.nix ( - args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - } - ) - ) - ]; - }; -} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix deleted file mode 100644 index a40eb85..0000000 --- a/nix/os/snippets/sway-desktop.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; -in -{ - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - hardware.opengl.enable = true; - - services.gvfs = { - enable = true; - package = lib.mkForce pkgs.gnome.gvfs; - }; - - environment.systemPackages = with pkgs; [ - # provides a default authentification client for policykit - lxqt.lxqt-policykit - ]; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = { }; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - - wlr = { - enable = true; - settings = { - screencast = { - chooser_type = "dmenu"; - # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe ( - pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - } - ); - max_fps = 30; - }; - }; - }; - - # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: - config = { - common = { - default = [ - "wlr" - "gtk" - ]; - }; - }; - - extraPortals = [ - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - - pkgs.xdg-desktop-portal-gtk - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - - # rtkit is 
optional but recommended - security.rtkit.enable = true; - services.pipewire = { - audio.enable = true; - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - security.pam.services.getty.enableGnomeKeyring = true; - security.pam.services."autovt@tty1".enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # autologin steveej on tty1 - # TODO: make user configurable - systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = { - ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; - - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; - - home-manager.users."${homeUser}" = _: { - imports = [ ../../home-manager/profiles/sway-desktop.nix ]; - }; -} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix deleted file mode 100644 index f7c2301..0000000 --- a/nix/os/snippets/systemd-resolved.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ lib, ... }: -{ - networking.nameservers = [ - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - - # TODO: enable IPv6 - # "2a01:4f8:151:34aa::198" - # "2a01:4f8:141:316d::117" - ]; - - services.resolved = { - enable = true; - dnssec = "true"; - domains = [ "~." ]; - - # TODO: figure out why "true" doesn't work - dnsovertls = "opportunistic"; - - fallbackDns = lib.mkForce [ ]; - - # TODO: IPv6 - # extraConfig = '' - # DNSStubListenerExtra=[::1]:53 - # ''; - }; -} diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix deleted file mode 100644 index 67db1e8..0000000 --- a/nix/os/snippets/timezone.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, ... }: -let - passwords = import ../../variables/passwords.crypt.nix; -in -{ - time.timeZone = lib.mkDefault passwords.timeZone.stefan; -} diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 34a6977..5b13732 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix 
@@ -1,27 +1,27 @@ -with import { }; -stdenv.mkDerivation rec { - broken = true; +with import {}; + stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath []; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; -} + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; + } diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 93f59c7..8a4f6a6 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,8 +16,7 @@ file, proot, bash, -}: -let +}: let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { @@ -25,16 +24,12 @@ let sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -50,18 +45,7 @@ rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${ - lib.makeBinPath [ - gawk - file - a2ps - coreutils - ghostscript - gnugrep - gnused - which - ] - } + export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -80,13 +64,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; # license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -100,29 +81,14 @@ rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - buildInputs = [ - cups - ghostscript - a2ps - gawk - ]; + nativeBuildInputs = [dpkg makeWrapper]; + buildInputs = [cups ghostscript a2ps gawk]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 
@@ -134,13 +100,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 78b37a6..6f114b2 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,6 +1,5 @@ -{ pkgs }: -{ - duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; +{pkgs}: { + duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index b961a17..7a3fc19 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,4 +1,7 @@ -{ buildGoPackage, fetchFromGitHub }: +{ + buildGoPackage, + fetchFromGitHub, +}: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 045572c..051e832 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import { }; -stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix { }) - ]; -} +with import {}; + stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix {}) + ]; + } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index 9a7b0e5..634de0c 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix 
@@ -1,13 +1,13 @@ -{ - lib, - src, - rustPlatform, - libinput, - libxkbcommon, - mesa, - pango, - udev, +{ lib +, src +, rustPlatform +, libinput +, libxkbcommon +, mesa +, pango +, udev }: + rustPlatform.buildRustPackage rec { pname = "jay"; version = src.rev; @@ -30,7 +30,7 @@ rustPlatform.buildRustPackage rec { description = "A Wayland compositor written in Rust"; homepage = "https://github.com/mahkoh/jay"; license = licenses.gpl3; - platforms = platforms.linux; + platforms = platforms.linux; maintainers = with maintainers; [ dit7ya ]; }; } diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile deleted file mode 100644 index 97464d1..0000000 --- a/nix/pkgs/logseq/Containerfile +++ /dev/null 
@@ -1,57 +0,0 @@ -# NOTE: please keep it in sync with .github pipelines -# NOTE: during testing make sure to change the branch below -# NOTE: before running the build-docker GH action edit -# build-docker.yml and change the release channel from :latest to :testing - -# Builder image -# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder -FROM clojure:temurin-11-tools-deps-bullseye-slim as builder - -ARG DEBIAN_FRONTEND=noninteractive - -# Install reqs -RUN echo 1 -RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - ca-certificates \ - apt-transport-https \ - gpg \ - build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \ - zip - -# install NodeJS & yarn -RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - - -RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn - -WORKDIR /data - -ENV VERSION=0.10.9 - -# build Logseq static resources -RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . - -RUN yarn config set network-timeout 240000 -g && yarn install -RUN yarn release-electron - -RUN mkdir /out -RUN mv /data/static/out/make/zip /out/${VERSION}.zip -RUN mv /data/static/out/make/*.AppImage /out/ - -FROM scratch as artifacts -COPY --from=builder /out / -# Logseq-${VERSION}.AppImage -# RUN mv zip /${VERSION}.zip - -# RUN \ -# mkdir -p builds -# # NOTE: save VERSION file to builds directory -# cp static/VERSION ./builds/VERSION -# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage -# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip - -# # Web App Runner image -# FROM nginx:1.24.0-alpine3.17 -# -# COPY --from=builder /data/static /usr/share/nginx/html -# 
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md deleted file mode 100644 index 0c596b6..0000000 --- a/nix/pkgs/logseq/README.md +++ /dev/null @@ -1,22 +0,0 @@ -# build instructions - -this is pseudocode that serves as a reminder - -1. podman build -f Containerfile -t logseq -2. CONTAINER_ID=$(podman container create logseq) -3. podman unshare -4. podman mount $CONTAINER_ID -5. copy and upload the AppImage. e.g. - ``` - cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . - exit - scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ - ``` -6. podman unshare -7. podman unmount - -# resources - -- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 -- https://github.com/logseq/logseq/blob/master/Dockerfile -- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index c1850c1..23445cc 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -1,23 +1,26 @@ -{ - lib, - src, - craneLib, - pkg-config, - wayland, - libseat, - libinput, - libxkbcommon, - mesa, - udev, - dbus, - libGL, +{ lib +, src +, craneLib + +, pkg-config +, wayland +, libseat +, libinput +, libxkbcommon +, mesa +, pango +, udev +, dbus +, libGL }: -craneLib.buildPackage { - inherit src; + +craneLib.buildPackage {inherit src; pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ pkg-config ]; + nativeBuildInputs = [ + pkg-config + ]; buildInputs = [ wayland @@ -41,7 +44,7 @@ craneLib.buildPackage { description = "A versatile and customizable Window Manager and Wayland Compositor"; homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; - platforms = platforms.linux; + platforms = platforms.linux; maintainers = with maintainers; [ ]; }; } 
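Review bot: `pango` is added to magmawm.nix's argument set, but the `buildInputs` list visible in this hunk ends at `wayland` and the rest of it lies outside the hunk, so it is not clear from the diff that the new input is actually consumed; if it is not added to `buildInputs` the parameter is dead and `callPackage` silently ignores it. A short comment on the argument, e.g. `# pango: needed by smithay's text rendering`, or a confirming line in buildInputs would make the intent reviewable. The stray blank line between `craneLib` and `pkg-config` inside the argument set also diverges from the formatting applied to every other file in this diff.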
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 142c1c0..5c04cbf 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,8 +11,7 @@ which, perl, lib, -}: -let +}: let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { @@ -20,16 +19,12 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; @@ -41,14 +36,8 @@ rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - which - ] - } + lib.makeBinPath [coreutils ghostscript gnugrep gnused which] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -58,11 +47,8 @@ rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -70,10 +56,7 @@ rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -85,13 +68,7 @@ rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -102,11 +79,8 @@ rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index e5ac519..368add8 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,60 @@ -with import { }; -stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import {}; + stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [makeWrapper]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; -} + ln -sf ../Nozbe $out/bin/ + ''; + } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index b7ad5cb..4d993ba 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,44 +1,42 @@ # posh makes use of podman to run an encapsulated shell session -{ pkgs, ... }: -let - cniConfigDir = - let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; +{pkgs, ...}: let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] } - ] - } - ''; - in - pkgs.runCommand "cniConfig" { } '' + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in + pkgs.runCommand "cniConfig" {} '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -127,58 +125,54 @@ let } ''; in -{ - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", -}: -(pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile + { + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", + }: + (pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns=" + userns else ""} \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'').overrideAttrs - ( - attrs: - attrs - // { - passthru = { - shellPath = "/bin/posh"; - }; - } - ) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${ + if userns != null + then "--userns=" + userns + else "" + } \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" + '') + .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 5e50ecf..ffcc730 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,13 +18,7 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [ - autoconf - automake - libtool - gnumake - gcc - ]; + buildInputs = [autoconf automake libtool gnumake gcc]; configurePhase = '' ./autogen.sh @@ -43,7 +37,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [ maintainers.steveej ]; + maintainers = [maintainers.steveej]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 35399ad..a0e9d90 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
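Review bot: `$HOME_CONTAINERS_CONFIGIDR` on the `test -d … || mkdir …` line of the posh script is a different (unset) variable from the `HOME_CONTAINERS_CONFIGDIR` bound two lines earlier, so `test -d` runs without an operand (a one-argument `test`, which is true), `mkdir` never executes, and the following `ln -sf ${policy-json} $HOME_POLICY_JSON` fails whenever `$HOME/.config/containers` does not exist yet; the reformat carried the typo over unchanged. Proposed: `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"`. On the same side, `test "$@" && cmd=( -c "$@")` becomes a multi-operand `test` as soon as more than one argument is passed, which is a malformed expression rather than a non-empty check; `test $# -gt 0 && cmd=( -c "$@")` states the intent. The `writeScriptBin` body starts in this hunk, but `policy-json` and `podmanConfig` are bound outside it.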
@@ -15,8 +15,7 @@ libgcrypt, dbus, systemd, -}: -let +}: let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -31,56 +30,55 @@ let dbus ]; in -stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; + stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" then - fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" + then + fetchurl + { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [ dpkg ]; + buildInputs = [dpkg]; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [makeWrapper]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = [ - "i686-linux" - "x86_64-linux" - ]; - }; -} + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = ["i686-linux" "x86_64-linux"]; + }; + } diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index ec7b14e..25a3e36 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -3,7 +3,7 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') -sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" +sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} diff --git a/nix/sources.json b/nix/sources.json new file mode 100644 index 0000000..49bfd31 --- /dev/null +++ b/nix/sources.json 
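Review bot: The two rewritten lines of pre-eval-fixed.sh drop the double quotes the old lines had around `${INFILE}` and `${OUTFILE}`, so a path containing whitespace or glob characters is now word-split and globbed by `nix-build`, by `sed` and by the output redirection; re-quote `"${INFILE}"` on the `nix-build` line and write the last line as `sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}"`. Pre-existing but worth fixing in the same pass: `${hash}` is spliced into the `sed` replacement unescaped, and an SRI value like the `sha256-…=` in the comment above is base64, which can contain `/` and would then terminate the `s///` expression; `sed -E "s|0{52}|${hash}|"` avoids that.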
@@ -0,0 +1,14 @@ +{ + "nixpkgs": { + "branch": "release-22.05", + "description": "Nix Packages collection", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06", + "sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 0000000..87a7093 --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,260 @@ +# This file has been generated by Niv. +let + # + # The fetchers. fetch_ fetches specs of type . + # + fetch_file = pkgs: name: spec: let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true + then + builtins_fetchurl + { + inherit (spec) url sha256; + name = name'; + } + else + pkgs.fetchurl { + inherit (spec) url sha256; + name = name'; + }; + + fetch_tarball = pkgs: name: spec: let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true + then + builtins_fetchTarball + { + name = name'; + inherit (spec) url sha256; + } + else + pkgs.fetchzip { + name = name'; + inherit (spec) url sha256; + }; + + fetch_git = name: spec: let + ref = + if spec ? ref + then spec.ref + else if spec ? branch + then "refs/heads/${spec.branch}" + else if spec ? tag + then "refs/tags/${spec.tag}" + else + abort + "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = + if spec ? submodules + then spec.submodules + else false; + submoduleArg = let + nixSupportsSubmodules = + builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + (''The niv input "${name}" uses submodules '' + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them") + {} + else {}; + in + if nixSupportsSubmodules + then { + inherit submodules; + } + else emptyArgWithWarning; + in + builtins.fetchGit ({ + url = spec.repo; + inherit (spec) rev; + inherit ref; + } + // submoduleArg); + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: + throw '' + [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: + throw '' + [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
+ $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: (concatMapStrings (s: + if builtins.isList s + then "-" + else s) + (builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name))); + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: system: let + sourcesNixpkgs = + import + (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;}) + { + inherit system; + }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && !hasThisAsNixpkgsPath + then import {} + else + abort '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + if !builtins.hasAttr "type" spec + then abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" + then fetch_file pkgs name spec + else if spec.type == "tarball" + then fetch_tarball pkgs name spec + else if spec.type == "git" + then fetch_git name spec + else if spec.type == "local" + then fetch_local spec + else if spec.type == "builtin-tarball" + then fetch_builtin-tarball name + else if spec.type == "builtin-url" + then fetch_builtin-url name + else + abort + "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. 
+ replace = name: drv: let + saneName = + stringAsChars + (c: + if isNull (builtins.match "[a-zA-Z0-9]" c) + then "_" + else c) + name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" + then drv + else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" + then /. + ersatz + else /. + builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = + builtins.mapAttrs + or (f: set: + with builtins; + listToAttrs (map (attr: { + name = attr; + value = f attr set.${attr}; + }) (attrNames set))); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: + if first > last + then [] + else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: + map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: + if cond + then as + else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { + url, + name ? 
null, + sha256, + } @ attrs: let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" + then + fetchTarball + ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) + else fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { + url, + name ? null, + sha256, + } @ attrs: let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" + then + fetchurl + ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) + else fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs + (name: spec: + if builtins.hasAttr "outPath" spec + then + abort + "The values in sources.json should not have an 'outPath' attribute" + else spec // {outPath = replace name (fetch config.pkgs name spec);}) + config.sources; + + # The "config" used by the fetchers + mkConfig = { + sourcesFile ? + if builtins.pathExists ./sources.json + then ./sources.json + else null, + sources ? + if isNull sourcesFile + then {} + else builtins.fromJSON (builtins.readFile sourcesFile), + system ? builtins.currentSystem, + pkgs ? mkPkgs sources system, + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; +in + mkSources (mkConfig {}) + // { + __functor = _: settings: mkSources (mkConfig settings); + } diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index a085713..be819b6 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
@@ -3,14 +3,20 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: -let - vmPkgs' = import vmPkgsPath { }; - vmPkgs = vmPkgs' // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: let + buildPkgs = import buildPkgsPath {}; + vmPkgs' = import vmPkgsPath {}; + vmPkgs = + vmPkgs' + // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); + importWithPkgs = { + path, + pkgs, + }: args: + import path (args // {inherit pkgs;}); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -30,10 +36,8 @@ let modules = [ nixosConfig vmConfig - { virtualisation.useBootLoader = true; } + {virtualisation.useBootLoader = true;} ]; - }).config; -in -{ - vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; -} + }) + .config; +in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 3ee6ee0..520e0c8 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm ./*.qcow2 +rm *.qcow2 rm result* set -e @@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -"./result/bin/run-*-vm" +./result/bin/run-*-vm diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 49dc463..92072fe 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix 
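Review bot: `buildPkgs = import buildPkgsPath {};` is new in the first hunk of build-vm.nix, but neither hunk references `buildPkgs`; if nothing in the rest of the `let` (which continues outside the hunk) uses it, the binding is dead and `buildPkgsPath` stays as unused as before, so either drop the line or pass `buildPkgs` where it was meant to go. Evaluation is lazy, so the cost is only reader confusion, not an extra nixpkgs import.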
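Review bot: `rm *.qcow2` replaces `rm ./*.qcow2` in build-vm.sh, which loses the protection against a match whose name starts with `-` being parsed as an `rm` option; `rm -- *.qcow2` (or the old `./` form) keeps it, and the context line `rm result*` has the same gap. Both `rm`s run before `set -e`, so a non-matching glob only prints an error, which looks intentional. The switch from `"./result/bin/run-*-vm"` to the unquoted glob in the second hunk is a real fix, since the quoted form was never expanded.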
+++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,5 +1,9 @@ -{ lib, ... }: { + pkgs, + lib, + ... +}: let +in { boot.loader.grub = { enable = true; version = 2; @@ -18,23 +22,13 @@ allowDiscards = true; } ]; - fileSystems."/" = { - label = "root"; - }; + fileSystems."/" = {label = "root";}; - fileSystems."/boot" = { - label = "boot"; - }; + fileSystems."/boot" = {label = "boot";}; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 8e3bdce..0d11067 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh @@ -1,5 +1,3 @@ -#!/usr/bin/env bash - # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ 
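Review bot: The new header of configuration.nix, `{ pkgs, lib, ... }: let in {`, adds a `pkgs` argument that no line in either hunk uses and an empty `let … in` that binds nothing; unless lines outside the hunks now reference `pkgs`, the old `{ lib, ... }: {` is clearer, with `pkgs` added only once something needs it. The `...` should stay either way so the module keeps accepting the remaining module arguments.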
@@ -26,6 +24,7 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index fc956b6..55053e2 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,4 +1,10 @@ -_: { +{ + lib, + config, + pkgs, + fetchgit, + ... +}: { boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index bd140a9..8eb8229 100644 --- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix 
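Review bot: The final added line of debug-vm.sh, `-drive index=0,id=drive1,file=…nixos.qcow2,…,if=virtio \`, now ends in a continuation backslash with nothing after it in the hunk; if that is the last line of the file the backslash-newline is swallowed and the command still runs, but any line appended later silently becomes another qemu-kvm argument, so drop the trailing ` \`. The earlier hunk (`@@ -1,5 +1,3 @@`) removes the `#!/usr/bin/env bash` line while the file keeps mode 100755; executed directly it then relies on the caller's shell falling back to `sh`, so the shebang should stay. The qemu-kvm invocation is on one very long line; splitting it with one option per continuation line, as the commented example above it does, would make the `-virtfs` and `-drive` arguments reviewable.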
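Review bot: The new argument set of test-vm.nix asks for `fetchgit`, which is not one of the arguments the NixOS module system passes to a module (`lib`, `config`, `options`, `pkgs`, `modulesPath`, plus whatever `_module.args`/`specialArgs` add); unless something outside this file injects it, evaluating the configuration fails with a missing-argument error. Nothing in the hunk body uses `lib`, `config`, `pkgs` or `fetchgit`, so the old `_: {` form (or `{ ... }: {`) is what is wanted; if lines past the hunk do use the others, drop only `fetchgit`.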
@@ -3,7 +3,6 @@ steveej = { openssh = [ # active, current - "ssh-rsa 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 cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 91d2eb6..ce2f0fc 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 6d441a6..535d7d3 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
@@ -2,28 +2,29 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; + rev = '' + 5b7cd5c39befee629be284970415b6eb3b0ff000''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; + rev = '' + 4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''a8636efe2df64047cd58898010a72f73efd56722''; + rev = '' + a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; + rev = '' + 83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index 66e90e3..e0734f1 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile deleted file mode 100644 index 8afa2ce..0000000 --- a/oci/user-ubuntu/Containerfile +++ /dev/null 
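Review bot: The four `rev` values in versions.nix now read `rev = ''` + newline + indented hash + `''`; this still evaluates to the bare hash only because Nix's indented strings ignore the newline after the opening `''` and strip common indentation, which is an unusual way to spell a 40-character literal. A plain `rev = "5b7cd5c39befee629be284970415b6eb3b0ff000";` says the same without relying on that rule. If versions.nix is rendered from versions.tmpl.nix (the template wraps its `<% git ls-remote … %>` expansion in the same `''` form), the formatter's change will be undone at the next render, so the template rather than this file is where the form should be settled.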
@@ -1,27 +0,0 @@ -FROM ubuntu - -ARG USERNAME=user -ARG USER_UID=1000 -ARG USER_GID=$USER_UID - -# Create the user -RUN groupadd --gid $USER_GID $USERNAME \ - && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ - # - # [Optional] Add sudo support. Omit if you don't need to install software after connecting. - && apt-get update \ - && apt-get install -y sudo \ - && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ - && chmod 0440 /etc/sudoers.d/$USERNAME - -# ******************************************************** -# * Anything else you want to do like clean up goes here * -# ******************************************************** - -# [Optional] Set the default user. Omit if you want to keep the default as root. -USER $USERNAME - - -ENV DEBIAN_FRONTEND=noninteractive -RUN sudo apt install -y curl xz-utils -RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh index 6ed8d64..9f8f637 100755 --- a/scripts/sway-swapoutputworkspaces.sh +++ b/scripts/sway-swapoutputworkspaces.sh 
@@ -9,33 +9,33 @@ workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==tru # If any of the outputs doesn't have a workspace, do nothing if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then - exit 0 + exit 0 else - # If script is provided with `follow` argument, then follow focused workspace - if [ "$1" = "follow" ]; then - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace2" + # If script is provided with `follow` argument, then follow focused workspace + if [ "$1" = "follow" ]; then + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace2" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + fi + # Else focus stays with focused output else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace1" + fi fi - # Else focus stays with focused output - else - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" 
- swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace1" - fi - fi fi diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd deleted file mode 100644 index 5b0f6b6..0000000 --- a/secrets/desktop/radicale_htpasswd +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRG1PWnJpTjRCOFVXS21h\nTUxFb1ZsS1piTUxtdmRSVGFmNGlzZmZqWXo4CnhMY3hBZU93bE45MFBJSG9Nd3Zh\nNi9DQjZlb2FzQXplZXovOENBOWRUQ0kKLS0tIFJsNklCUWFZdzhNaXlFQ2lFTGd5\nREp5VFZaNFlZeWVTUXlJSWpUOXA0OEEKEO5EEvjKL2BdBd+eHxvicl3IhGV/WNRS\ni5065sFhraZ+6MAg91eHUcwcfwjhx0tr06v9xARtKzgEEpgxHLT6BQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWHZjdERBT0hHTVVnMzJJ\nSURhU0NrelB4b0FuTmM1VFIvRFRpQS9sMEQwClJsWGVTUE1hN0Y5c3dETUcyUllX\nSmIzR2ZhMDJDa1hsY0xBaGJrNXkrMUUKLS0tIHAwenJOOHZOSksrQ2dacVhKQVg5\ndEl6QVdkTHdGbG81OUUzOFprZHVRUm8KVYgQ5wUkCDZa9SUbmJgtpWY/LWruAg2t\nZFVYJUZ7B/Pd6rzvtOVjU8mEOaMbtq1cYkiAcuzhIdoTxu1TX11OPA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-01-24T22:45:02Z", - "mac": "ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", - "pgp": [ - { - "created_at": "2024-01-24T22:48:30Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAl7wj8pgA42CyZ+b0ykAVMIzfVsX5zfyLTL3fKRC78kGH\n7D6Lp6Fesp3dZ8c7awWEM3b1WEFOS8Yklo6bfZCnioJoqZhMtYhyTCi+KEBXdw7g\n+KAquXkrD6mYOVBXoKHUqUBoDjFjU/stfV2Pdnl5I7SGYFHtyv8jwdJXbBInDNI6\nmtVzpKoM7pCFHH0Vz+A1D1X4k+96znbSnjHVBgOFLjyZ2KGPKBKud4nM0idAO/tO\nH77ApV1qRBU7weI5yTbK7GeuUxFYrolxkqOCPUH6E5Z2eVQ8ACUFpvgX4ET91jeP\nYTbTuq9cfm/gPsFIGtZLgWSq7cCZHe12nPHT//ajK9JcASNmmTiJFvK19WmN7spg\nbfDJLZud80PNu6MVXthwRGJ50/yRSrO8e/5tCjVz7UlkOmVG5ClsGDfRCH5gJDqS\nMJ+UdOHZjqcZu6TkBmSNX+9fRS1hgCiGxOjT2mU=\n=q3es\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml index f0fe5cd..89bcb33 100644 --- a/secrets/holochain-infra/nomad.yaml +++ b/secrets/holochain-infra/nomad.yaml 
@@ -4,37 +4,37 @@ holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3b holochain-global-nomad-client-cert: ENC[AES256_GCM,data:eiPqZA5kCi5HPa5AlCTKmOD9r0uU5DlSClNTvg6asWybYZcipiQ6Md+cXxMl3VnemwBbxS8KxjuPg6k63SA+gypEW+XZP7VtCdHl4d65MOfIT6CpzTDVi0FUj58z2v7W6XfgAu33uDxTy+e4+SX69duUmmKicwe+CLK2ckfR3U32s39GKBDKYBZ8DTsAJmex45hf17rwcKsaMM142zgBcn2wbuNF46US8iWf4pKXJ4827pgD1HZ2Ry/IgFcRdSXGdsuAU9FcsuwTNfVftOtf/XGxrIJsvCoC7t/SalQSH4eg5s1N9N68vruKlV6AfVNIiQwfwdJ9ldeTOT3of/Fmu0ftiLaq5ZZ97zxd9Bean49EmJw5VEf63+cWKPonLxls1CV02dy1ua9zrjyX37Jz4dQiS02lZF/ljfcaGL+5TOQaX0oEIAA5tl7uaR/UIV7lqfFMZDUtQMHkYAkPkV/VF8wgyE8mD88KqKU+AdsL2yEyKo7VBAe/pYtGWsbyYhemmmpfPnUkt3wz+YQc7zs+MzaI/Z36BIGtY6ObNUfg++4dYXdoMrHufeRbihsLJ69m/bjF0qYtGCjrEPqTwF7WuWSz28to/ZOVrUKZgH8MOMoKKedzZ+kbzs9+hPDawCHs9VtiFo4d/roHBKMquDZVc6+VYtCjj8xjG8TJoJVWlKQogKa3zoWA0ZPwywwWb2V2ehocOk7MRxFZcek4gjvIJ7Ud6aom7dq3HIJJJYxwdVh7pJO9tJhW1T5R/n9g8zrANzXUvMyt55zUZytjF3pPFfaE7en+9LCf4h7AUocI1gOToUC9hlv/uhTOLCYU5S1xAtrlvvX4QSkmTyBTHe9XeOIZbI7LjzINRuO/XFKN/4dqz5/q195OprOBxg2fv1ETPJUwSN66PFYGh6VqhZZf/NokW1qYyrC0kW8lP/EZN6YGhQTyDRrSn3Y+U3nJuVEcydAKTSwzafR4pO4V6U02/CnBH8IqMsNMIhPPPwC1Wntqne3Rabdbx6ZWOxHQuv3cEPEronKGeeU4ADLBPSWnvGcVZuwgxzVpvVwCWtF59Aiew4pmWd8sqLnTOKrxY9BsV9nwRv0ZGE8l0NwiRGw2YIGWaXup0kwl6UVkSOgSuKqvIff09t3XXRINcwIh13jSAipsDpDjqT59qE0Uoc6/lV63eQKkqYs0wFTwc/XXZ2RJusNX+PDDCRW8xykmu4HC+rX7EMeF53xfDEi4wJGoSCySn3idt33A/QotnjDOl385/lkXwgVz4RjCiiCY016fje+78j7RBH3q,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] sops: - kms: [] - 
gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I - Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL - R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB - YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 - M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2023-07-12T10:09:31Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I + Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL + R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB + YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 + M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2023-07-12T10:09:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE - 
DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU - 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 - e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo - dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE - pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O - p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 - eHRQH6uDdKM+/6FXnNMiu50G - =itdA - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE + DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU + 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 + e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo + dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE + pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O + p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 + eHRQH6uDdKM+/6FXnNMiu50G + =itdA + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc deleted file mode 100644 index 49f69ca..0000000 --- a/secrets/hstk0/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwKzZsYytMYkd0WTF1TW5a\nZGpQcUYyUjYzY2UrQVp2bHhJTHRSR013Z1h3CmtjSEFaOGE5WDNDZElkM0c2N0Nh\nQTFRU2hvdlpGYlhsUlZoUGZSaWg1UTgKLS0tIHNNWUw0YytRTm5pRTFXTndBamVL\nbTJUNGNSdTloZXM4OWhrN1dlVFpHUGcKq+owmJktDTqpOgtD/makczGkRTphCtb/\nKnL1ig8xdnG+DdyhVCDmtjC7tAFgSUJBZnQi8ervh+yXOXvTJfGglg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-05-17T14:49:38Z", - "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", - "pgp": [ - { - "created_at": "2024-06-26T19:27:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+NduNIJaTv/DNmY3dGucui5Ud/ONikEdt/8q3M/iSNeQy\njdHjDbHu0UDBwKqD0Pmhs3StWSv2cs4UDvxPtaPV2sN8/WjeAUZJ1Sf2+k1Duy3n\ns40TpaHAf66JuDRkkFaYt5114AE1ypbMp29S0nv9OTpvAFy7FWtw1dsgKskQOWxW\nTnkxfttpaMoCVoUTjPZFbfPE3WJrp+r20QzwzelX5xl3SGmYvdPVDCPp1S54q+gY\n4l3b5R2wvGv3IAA0l7tKtmFe6XqzYlATOSUaP3+qHTKnXFmT1GAr3o+mLRJOG5/R\ny2CJS0wR9JKowAk23ubc1gYxcc/gIUzi5BGMvM4GlNJcAb3Q/nBs5WtjnHrk7zPK\nzzhV758th72GKhzJko6qUFwcfjaIB6h3o0NQAAlVCMXKUWk4KFY1TCgpLbd0Z6Gm\nv8tE1CFUViT/8Ys+2x7UYeWqN53ZWsioGzrk2F4=\n=sXbx\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file 
diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml deleted file mode 100644 index 044372c..0000000 --- a/secrets/hstk0/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv - UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx - L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny - bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E - fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T16:59:30Z" - mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] - pgp: - - created_at: "2024-06-26T19:27:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld - wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB - EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq - mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey - 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh - OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp - BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9 - qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw= - =+0h1 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml index b797baa..ee184e9 100644 
--- a/secrets/router0-dmz0/secrets.yaml +++ b/secrets/router0-dmz0/secrets.yaml 
@@ -1,53 +1,41 @@ -#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] -#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] -#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] +#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment] +passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str] ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] 
-#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] -#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] -#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] -wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] -wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] -wg1-peer0-psk: 
ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h - Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S - QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz - S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV - KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T09:44:59Z" - mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] - pgp: - - created_at: "2024-12-24T19:36:20Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk + REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P + T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r + THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv + J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:46:38Z" + mac: 
ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str] + pgp: + - created_at: "2023-08-11T16:15:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw - ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q - Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad - hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ - 1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H - sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5 - W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3 - g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo= - =mYf/ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.9.1 + wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+ + NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3 + pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8 + ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a + 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB + 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY + pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O + v5QlxcXSMuOeGygclwHdxzs+ + =NQjH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml deleted file mode 100644 index c0606da..0000000 --- a/secrets/router0-hosthatch/secrets.yaml +++ /dev/null 
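Review bot: The new side of this hunk carries older sops metadata than the side it replaces — lastmodified goes from 2025-02-05T09:44:59Z to 2023-08-11T16:46:38Z, the pgp created_at from 2024-12-24 to 2023-08-11 and version from 3.9.1 to 3.7.3 — and the wlan0_wpaPskFile, wg0-privatekey/wg0-publickey/wg0-peer0-psk and wg1-* entries are removed with nothing replacing them, which looks like an older revision of the file being restored rather than a deliberate re-key from age1qju6ms… to age1k7cejd9…. The same regression appears in secrets/servers/dyndns.yaml (pgp created_at 2023-11-23 to 2023-07-01 while the mac is unchanged) and in the second secrets/shared-users.yaml hunk (lastmodified 2024-11-16 to 2023-07-06, version 3.8.1 to 3.7.3). If the rollback is intended, passwords-root is presumably restored to the value it had at the 2023 write, so any rotation of that credential since then is undone; if it is not, regenerate the change from the current file with `sops updatekeys` so that only the recipient stanza differs. Either way, whatever on router0-dmz0 consumes the dropped wlan0/wg* keys will no longer find them in this file.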
@@ -1,43 +0,0 @@ -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP - OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv - TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty - 
czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s - +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-09T14:08:09Z" - mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] - pgp: - - created_at: "2024-06-09T14:07:43Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4 - kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu - hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c - 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2 - gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n - y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p - uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7 - Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg== - =5YRC - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml deleted file mode 100644 index 0566d57..0000000 --- a/secrets/router0-ifog/secrets.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] -age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht - c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD - Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL - dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07 - fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T17:23:41Z" - mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] - pgp: - - created_at: "2024-06-08T18:36:55Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD - 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh - iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw - 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ - Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j - wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS - fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS - ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA== - =f2HS - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml index b93a80f..ad8635f 100644 --- a/secrets/servers/dyndns.yaml +++ b/secrets/servers/dyndns.yaml 
@@ -1,37 +1,46 @@ dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt - NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM - bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw - VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0 - RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-14T20:50:30Z" - mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] - pgp: - - created_at: "2023-11-23T12:05:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2 + aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT + dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W + TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+ + H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB + elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm + dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu + Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO + DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-14T20:50:30Z" + mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] + pgp: + - created_at: "2023-07-01T21:42:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6 - T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg - 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF - CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW - LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+ - fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3 - nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN// - ijdeSDMnCT93t6BEeNKvmTPS - =60WW - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax + dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo + vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU + 5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V + sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9 + MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG + eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC + Vu3cIGSwFgRRdXUYnLTQCQM/ + =g1+E + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index 428b745..abd3292 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -1,8 +1,6 @@ #ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] -#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] -#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] -sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] +sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str] sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] #ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] 
@@ -10,118 +8,82 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK - YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ - clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy - Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu - unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0 - MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R - THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ - SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1 - SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN - Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv - 
UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl - d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS - NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi - NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ - dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV - djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0 - wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg== - -----END AGE ENCRYPTED FILE----- - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R - bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs - QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB - RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo - OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u - R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS - MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX - ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF - elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bzBRSi9qOEsxR0Z4RTNt - U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG - 
M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2 - cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv - c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn - L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI - Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB - WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b - E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk - S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz - VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253 - c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4 - tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa - VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH - dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ - YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn - 9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-16T19:17:41Z" - mac: 
ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str] - pgp: - - created_at: "2024-12-24T19:36:21Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVEs2NzlqWnExV28vOG9j + Zjc0QXgrc2M3SkkvS3dyL3QrSHFYa0JSRmhZCmZFd3EzcURSWmRvK3VIakQyNFhR + dWN0c1FqR09XSkFUV3pEOFpsRlZhVlUKLS0tIDVDb25JMUh3TkJYa0pTdDUrYnpl + R3RVdkdvVnhIc2ZKUldGYjlnMzdicHcKL0Bcw6N93/v32cqFuoalcdmTv8/MLs7f + 9EgegS0+/xOriZmrwel6kNZlcoBR1JbC9qZO6s0D1B5nA1QLHnwvRw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MFg3TkhOY3hNZE9Uc1pF + OWJGWHh2cHJDUlhJUmVSMlFGR0lxSG1pcVRjCjZqMTdOTkJyT2N1QWdBOC9sbVo2 + NnIvRUtqUTZkbFI3WGZJaHg5M01DUnMKLS0tIGY1eG44NHlSY2RPeVFWWlpaQ2w5 + dGNsUHhEYjhkTVY1bFdpQmJMSzh5aVkKK6t7EUzhCUNjxl5dFXPezX53EVCworvn + NMaDqS5RgwQhILl04/eGyb5KcQksGQBdN5MacXX872BlOUeuWOez2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdXA0SllGSjZRMDhXajFK + REp4RzBjQ3pqYnRZLzRMb0NGQVJyeDJYa2dRCk4ydjFmU0pEazJaUTNDV2pKQUUr + cExrU09iTHFWdXB1UGJBcnRsd3VraGcKLS0tIHVid2dhUWpSN09uU0IwUVFBcmdM + OGxuOTZJR3JnVUFGbjczYzQwSGc1Sm8KhzJ0+4No3Z8sAshkEIj5/4Sz3rJxC7Ki + 0VTPwftdnPcnOAhZ3z8xrZILeOPjzHwCC4N45vAvYbiNOXCr8VF5NA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED 
FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZEFoTWFWMHl0dkoycXU5 + TmhYU3hCWENGMzRqdnZNckVhODhzUUFlcWpFCldBYkkveTBPSGkvSEVrUXRXcE5E + UnFkNnB4TjZBN2Z1ODZVOHlacHZkc0EKLS0tIEI3Vjhzb2FXU05aSTNpT2pzWndV + NEdsK2xDaEkwekR2SS9DUmxzc2pKdTQKq/blmeAXpmo9Gmh8Ws1kLuio+sJUZXaC + BOBc0m4Dp5y+lTpqvyA9jA9sAZngPo502B+M9tY5rdIxkAR+aCbVUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUGorR0ZIa3hNRWJvc0Zl + a1pPRExtbWc3a0VRS2duamZKTVBvL2FtaTFFCkpyTzdoRTh1bHJTclNFQXJBdDlw + M3RSQk9jMWh5ODdxY3FRamw1eWYwcFEKLS0tIHRIVk1ESk4yNkZ0MGxBTmtUVTJB + czlMQml3R1FlNEh6cnNoaGxXQk5jSk0KWuhdW4hVOTHaLwmmlnUazb5XLQdRcZRz + aN2qDOsAnSOqPgE/iXp4+88Y3iu05dWHgbMuWpS1lAFN+bv4s0zxCg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VG5odWxKdkN5NFRUcnA3 + ZFZpWDl3MGlzUmVrWVBEaWhrczVDdDgrM0FVCk5pOFJYSlcyclE1V3lUT1JWY01a + czVHcnlMcVZISFprdEZvRGxKditsVlUKLS0tIGJmZVVnTngyZWZaSkoyZ0doa0VD + bkIzU1ZCV20wRHhNaWtFcTMrNlQvSUEKrd4c5oMU+UqxbDM4sc2JVmlK+Qmoj/zp + 2Qc29mNIxP98cjfiPKe3IHidXIbzH0OluYfeFTfBCclbsn3mLpvltg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-06T20:14:22Z" + mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] + pgp: + - created_at: "2023-08-11T16:15:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu - kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT - r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh - 
SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98 - kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS - aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf - tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J - BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0= - =Nc6x - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQf/aAO5OvMbhN/6/U9b1gj415csZ/PYBB8GJuQ+disXV/Tp + mTMdzmsQVcfefdVoBhd2HUfLv/OlcM2eF4751eu6NP7MBDad5XHZpYON0SCRjiJv + vG0xl+KwI/AQYUWQjBhyMcECqjRLJL6EyyW37ykSGMLNMjbdDCISkVniNYFt9pRE + XkuWQNnDF++vDSZtVxDZvuCIXNZC7isSh5UNjtFdGpc9nMcAra/ALuWx2NjOTKpG + QJ4Ilic2mrE4PIQuf60MnC5lfOJWWbKgR832Sik+ZY/2Nocp2KYsrDyrKRglUu2S + AGdmQrPl3nq0yp1zCGujYFQIQmCQKLPTcoz99x5xR9JRAeK6e/xKJcCM5UgRk6IK + ULdIYK3EGv432KHj6DJFhW6lYWJBnZwkcNsVhxS3qbuccP7CJr51UDZ4ipfoQQtV + irHq+0IfShQpgoPu8YJ+A1T1 + =qLIi + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml deleted file mode 100644 index 40a927b..0000000 --- a/secrets/sj-srv1/secrets.yaml +++ /dev/null 
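Review bot: Five age recipients are dropped from the sops stanza here (age1y9urll…, age1qju6ms…, age10xwq7…, age1dktk5…, age1v458…), but sharedUsers-root, sharedUsers-elias and sharedUsers-justyna keep their ciphertext as context lines, so the file's data key was not rotated and each removed recipient's private key still unwraps it. Removing a recipient only stops future `sops updatekeys` runs from re-wrapping for that key; anyone holding one of the removed identities, or a historical revision of this file, can still decrypt the current values. If any of those hosts was decommissioned or its key is no longer trusted, rotate the data key with `sops --rotate` (which re-encrypts every value) and, for credentials such as sharedUsers-steveej, change the underlying value as well rather than only the ciphertext. The router0-dmz0 hunk has the same shape: age1qju6ms… is swapped for age1k7cejd9… while the ssh_host_* entries keep their ciphertext.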
@@ -1,38 +0,0 @@ -#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] -passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v - ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL - dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 - czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 - iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-19T20:25:37Z" - mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] - pgp: - - created_at: "2023-08-11T16:31:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n - 
TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 - R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ - JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP - kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy - 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT - eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 - C5Jot9exml6467YZkApBm0eM - =HulH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml index 09a13a2..6f888b6 100644 --- a/secrets/sj-vps-htz0/secrets.yaml +++ b/secrets/sj-vps-htz0/secrets.yaml 
@@ -1,41 +1,37 @@ #ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] -wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] -wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] -wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v - ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL - dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 - czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 - iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: 
ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] - pgp: - - created_at: "2023-08-11T16:31:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:32:20Z" + mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n - TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 - R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ - JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP - kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy - 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT - eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 - C5Jot9exml6467YZkApBm0eM - =HulH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + 
wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/steveej-t14/radicale_htpasswd b/secrets/steveej-t14/radicale_htpasswd new file mode 100644 index 0000000..0ab6e33 --- /dev/null +++ b/secrets/steveej-t14/radicale_htpasswd 
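Review bot: The four wg0 entries (wg0-private, wg0-public, wg0-psk-steveej-psk, wg0-psk-steveej-public) are gone from the new side while the age recipient, the age wrap and the PGP message are byte-identical on both sides, and `lastmodified` moves backwards from 2023-08-13T17:03:01Z to 2023-08-11T16:32:20Z, which looks like the file was reset to an older encrypted revision rather than edited and re-encrypted. If this is the intended retirement of the sj-vps-htz0 WireGuard material, any consumer that still references these keys (not visible here) will fail at activation, and the removed private key and PSK stay recoverable from git history by holders of the unchanged recipient keys, so rotating the WireGuard key pair on the peers is what actually retires them. A sentence in the commit message stating which of the two this is would save the next reader the comparison.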
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T17:49:07Z", + "mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]", + "pgp": [ + { + "created_at": "2023-07-01T17:45:58Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + 
"version": "3.7.3" + } +} \ No newline at end of file diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc deleted file mode 100644 index d1693e7..0000000 --- a/secrets/steveej-x13s/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOHM2dFdaSmRjVXRGOWdM\nc3NySkxDWjl3bXl0VHpRUURINlRWNTJhM1JNCmQzV2xUTUlEb0l2Q0FZUDMrOVVF\neTNEWG1kV1hlY3dWaDVubzdBMUpjdjgKLS0tIGtzeUF5TCtoSk92aDZkdkhqMjZm\nellNZk84ckRXZW5LYlA0Zjc0MXFVMFUKkbgJvketPLkiRtiM2ot/o2q0roCyMcNB\nDjvUDLeExvpz11T12pFETaeSGKMH/R6HfDt37T/K2cpCNvOXHU8MpQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-04-19T19:07:46Z", - "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", - "pgp": [ - { - "created_at": "2024-04-19T19:07:46Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf/UWVXKoYna+QMRhlTcMeEYBYD1twGiU2M+Qov7lMwCVd0\nyLd/TW0E3l7nNp+8pVeQb2a84F3W6kitWSv6sSEQuz74vMGtAHJs63NRaRP+apdV\nKE9kada00clOgd8gDAwEZUUMaTuCxZalsLHOLmKa/5UJVCaYuHcS1wyKWqhK7l9j\nYuELlmM0DcJixWved7t0UL9O1s15b6aFGjc029OIEXwIGuh9Fe01lDjqC/NM+bZC\neL8osDcyTvz2AJB7IjlKQ9EQ9SGxhKXdcoJ0iGvZn5UJx4Dmvw7U2egHN511WDR7\nE4UGux7u7D+DfvOmeCxd/6iCzMdOZUUk3E+yb05YxNJcAZNG/2HLxs2eIs/W81Uk\nLM4UVDBrrrH9hAAyE5sSHsZOIxoqbNol9FSU3iTKEdCq9giU1C8P5mjKymr1hhro\nbYiCYZXhSV0X+bEm27NH8KqEg7wYv6FWMwiYVVY=\n=Itgp\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file 
diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml deleted file mode 100644 index a76e0dc..0000000 --- a/secrets/steveej-x13s/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -builder-private-key: ENC[AES256_GCM,data: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,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3 - YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1 - TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI - dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta - wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T16:50:35Z" - mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] - pgp: - - created_at: "2024-04-04T18:26:01Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3 - NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo - 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8 - SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0 - 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV - 9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl - vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd - pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw== - =y1Sk - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt deleted file mode 100644 index 38a76e4..0000000 
--- a/secrets/work-holo/zerotierone.txt +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYWNzWm5ZQVFRNWRSQ3I2\nckQ0YVc0NlJPYVFvYi9Zd2ZNaVh3UG91T2xNClVDaGtvcHlvUnZTOVgyV242OHhy\nWW84NW9LZ242Nk5RalBWUUFITmEvaVEKLS0tIEtOemlTWHYwU3RTVUFoQU8yNU9N\nMlJnL2ZjWVh1RWJwMEpXUjZQZDIxb0kKKbe3H99dII7ni0NQv/QcotAQ4OdrV87/\nro5JVYotk/m0NtS76nJ0NuNpkz4/r4D0XE1r/y3eRH/q+JHyjHFX1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2024-06-26T19:27:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAgxxDv/vq2N5Hn37enDmLSjOegRW+IbDE/M3zbEvaKh9R\n+UdPf2+9oBjMLX42fOdSihGIHbrQtfG37nFLcJb/W1+Kay205INSDLSWIyUlyNvT\nwtPSVBZdgCbH5rW8yoX5xaS6Fdm1ANCof+hYyQxNtC7LgcgHLKvubhPrsckEoul1\nVuL0g9DGFysxnb4MCOZyFmziucwTKvLFzkaIb68PAYigPJG+wWVx5G/CvoC7Mzxp\nVYApk/6OnHR8TZOhtpnD9Q7Uj5g2ZGAJWE/B2z6xY2m9NJNC8UEL0QypVOnqBaSq\nyDDwrfOdTHqm3u0huJ4mV3cXzzb6RtRw89AuXS+6O9JcATtlFBazwos44yV/WAKz\nT3ZOZ4oD6elvqnvj9J7oOIwuPylaXd802YQSzPrfWQSqMUYds0gt3gklfIx+/SRm\nqBvQqStPmm3njU1TEPU3xrTywDSWGDKXCklnkVM=\n=CPPt\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file 
diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt new file mode 100644 index 0000000..347b737 --- /dev/null +++ b/secrets/zerotierone.txt 
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2023-07-01T20:50:27Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile index c15ed68..c599600 100644 --- a/services/home-ch/router-family.lan/Justfile +++ b/services/home-ch/router-family.lan/Justfile 
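Review bot: The `data` ciphertext, the `mac` and `lastmodified` (2023-07-01T20:19:12Z) are byte-identical to the `secrets/work-holo/zerotierone.txt` blob deleted in the same commit, so the file's data key was only re-wrapped for the new recipients (age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl and age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv) rather than rotated, and the recipient dropped from the old copy (age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6) can still unwrap that key from any retained copy of the earlier file. If dropping that recipient is meant as a revocation, rotate the data key (`sops -r secrets/zerotierone.txt`) after updating the key list so the content is re-encrypted under a key the old wrap no longer reveals. The new PGP entry's `created_at` (2023-07-01T20:50:27Z) also predates the deleted one (2024-06-26T19:27:08Z), which is consistent with the file being restored from an older revision; worth confirming that is the intended state.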
@@ -1,12 +1,12 @@ _run_ssh_cmd cmd: - ssh root@router-family.lan "{{ cmd }}" + ssh root@router-family.lan "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" - just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" - just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" - # multiuser SFTP - just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" - just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" + just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" + just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" + # multiuser SFTP + just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" + just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile index 6f818a8..921adb4 100644 --- a/services/home-ch/router-wan.dmz/Justfile +++ b/services/home-ch/router-wan.dmz/Justfile @@ -1,9 +1,9 @@ _run_ssh_cmd cmd: - ssh root@router-wan.dmz "{{ cmd }}" + ssh root@router-wan.dmz "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl" - just -v _run_ssh_cmd "opkg install luci-app-mwan3" - # multiuser SFTP - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl" + just -v _run_ssh_cmd "opkg install luci-app-mwan3" + # multiuser SFTP + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"