
42 commits
master ... wip

Author SHA1 Message Date
a1306114f7 WIP: x13s-rmvbl
supposedly this will boot from USB
2024-02-08 20:59:47 +01:00
45a283c7bd formatting 2024-02-08 20:59:31 +01:00
751bb82daf update x13s 2024-02-08 20:59:08 +01:00
8280b53865 remove obsolete nix/sources.* 2024-02-08 20:57:55 +01:00
b6d97d0581 nix fmt 2024-02-08 20:53:22 +01:00
028c57b0db zsh: unset empty TMP and TMPDIR
this is a safety mechanism so that `/` is never used
2024-02-08 13:58:05 +01:00
cbd73c7466 shift illum serivce around and enable on x13s 2024-02-07 11:15:16 +01:00
9b62708d32 x13s: enable ledger hw support 2024-02-07 11:08:46 +01:00
9e251bed9e update toplevel and nixos-x13s 2024-02-07 11:08:26 +01:00
40a165d541 nix/os/devices/steveej-x13s: bump versions 2024-02-01 21:46:57 +01:00
4716db6785 nix/os/devices/steveej-x13s: bump versions 2024-02-01 15:50:46 +01:00
8d23a787f1 graphical-fullblown: enable espanso 2024-01-31 09:42:30 +01:00
7f1d80176e fmt(espanso) 2024-01-31 09:42:16 +01:00
ff87988303 nix/os/devices/steveej-x13s: bump versions 2024-01-31 08:28:54 +01:00
9a9c912b77 steveej-x13s: switch to adamcstephens' repo 2024-01-30 14:14:49 +01:00
b3434c5ebb nix/os/devices/steveej-x13s: bump versions 2024-01-30 10:11:09 +01:00
80863e1bdf x13s-rmvbl: attempt to load msm with firmware 2024-01-28 21:54:43 +01:00
d97da5b9ac steveej-x13s-rmvbl: boring setup with copying the whole x13s flake 2024-01-28 21:18:08 +01:00
438793db87 fix duplicate luks name between x13s and x13s-rmvbl 2024-01-28 18:17:43 +01:00
a384026025 home-manager(vscode): use OSS vscodium 2024-01-28 17:49:13 +01:00
f243e0c2dc logseq on arm64, latest signal on arm, waydroid, radicale, vscode 2024-01-25 00:32:37 +01:00
a138ac20ac steveej-t14: disable radicale 2024-01-24 23:23:55 +00:00
eadfa1a28c radicale path updates and updatekey command 2024-01-25 00:09:06 +01:00
faf0818e00 clean up and refactor more into OS snippets; bluetooth works on x13s 2024-01-24 00:24:04 +00:00
13dcb13bac secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00
bcaadcfb3d direnv,devShells: split into develop and install 2024-01-23 09:40:17 +00:00
d26e64452d mostly fix up stateVersions 2024-01-22 23:47:48 +00:00
82362958db refactor flaken.nix hive handling 2024-01-22 23:47:36 +00:00
ed4768a795 update commonUsers and refactor system config 2024-01-22 22:45:42 +00:00
255ca68af5 fixup! WIP: x13s: install to nvme, refactor into module 2024-01-22 23:05:23 +01:00
ea13703ea0 WIP: x13s: install to nvme, refactor into module 2024-01-22 22:50:51 +01:00
0d070589ef fmt 2024-01-22 19:02:32 +01:00
69b17e91f2 fmt 2024-01-22 15:01:36 +01:00
2ff952b3a3 x13s: fiddle with modules because of screen blanking issues 2024-01-22 14:51:46 +01:00
5af42df5a9 steveej-x13s-rmvbl: init with minimal setup
this configures a standalone USB device that doesn't need configuration
of the firmware's EFI variables.
2024-01-22 10:35:45 +01:00
93778b1f21 sj-srv1: set up restic backup 2024-01-19 22:21:14 +01:00
411896973a t14: disable thinkfan 2024-01-19 13:56:34 +01:00
d46eb4f3ab router0-dmz0: remove cname as it's not needed 2024-01-19 13:56:20 +01:00
2ab49e3de9 lib/default: add fuse to default groups 2024-01-19 11:49:49 +01:00
93282cdf6e lib/default: format 2024-01-19 11:49:33 +01:00
a7e2bc2c3b router0-dmz0: lots of formattign and exposed host fixes 2024-01-18 23:35:54 +01:00
a825e8eea9 sj-srv1 2024-01-18 21:06:45 +00:00
78 changed files with 3468 additions and 2049 deletions

2
.envrc

@ -1 +1 @@
use_flake . --impure use_flake .#develop --impure


@ -8,10 +8,12 @@
keys: keys:
- &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
- &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
- &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
- &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
# - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
- &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
@ -23,6 +25,7 @@ creation_rules:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- *steveej-x13s
- *elias-e525 - *elias-e525
- *justyna-p300 - *justyna-p300
@ -30,6 +33,7 @@ creation_rules:
- *router0-dmz0 - *router0-dmz0
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- *sj-bm-hostkey0 - *sj-bm-hostkey0
- path_regex: ^secrets/steveej-t14/.+$ - path_regex: ^secrets/steveej-t14/.+$
key_groups: key_groups:
@ -37,18 +41,27 @@ creation_rules:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- path_regex: ^secrets/desktop/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-t14
- *steveej-x13s
- path_regex: ^secrets/servers/.+$ - path_regex: ^secrets/servers/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- path_regex: ^nix/os/containers/.+_secrets.+$ - path_regex: ^nix/os/containers/.+_secrets.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- path_regex: ^secrets/holochain-infra/.+$ - path_regex: ^secrets/holochain-infra/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -67,9 +80,21 @@ creation_rules:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- path_regex: ^secrets/sj-srv1/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-srv1
- path_regex: ^secrets/sj-bm-hostkey0/.+$ - path_regex: ^secrets/sj-bm-hostkey0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-bm-hostkey0 - *sj-bm-hostkey0
- path_regex: ^secrets/steveej-x13s/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s
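Review bot: The new `&sj-srv1` anchor in the `keys:` list carries the same age recipient as `&sj-vps-htz0` (both `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`), so the two hosts are not distinct recipients. If the value is a copy-paste placeholder, sj-srv1 cannot decrypt anything under the new `^secrets/sj-srv1/.+$` rule. If the private key really is shared, that rule and the `secrets/servers/` and container rules give no isolation between the two machines, and a compromise of either exposes both sets of secrets. A host-specific age key for sj-srv1 should replace the value, followed by `sops updatekeys` on the affected files. The file name is not shown on this page; the content looks like a `.sops.yaml`.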


@ -306,3 +306,6 @@ test-connection:
cachix-use name: cachix-use name:
nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/
update-sops-keys:
for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
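Review bot: In `update-sops-keys` the command substitution closes before `secrets`, so `egrep -lr` runs with no path operand (GNU grep then searches the whole working directory) and the literal word `secrets` is appended to the loop list, ending in `sops updatekeys -y secrets` on a directory. Presumably the path was meant to sit inside the substitution: `for file in $(egrep -lr '"?sops"?:' secrets); do sops updatekeys -y "$file"; done`. Because `-y` skips the confirmation prompt, recipient changes are applied to every matching file without anyone seeing the key diff. Consider dropping `-y`, or at least reviewing `git diff` on the re-encrypted files before committing.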

274
flake.lock generated

@ -1,5 +1,21 @@
{ {
"nodes": { "nodes": {
"adamcstephens_stop-export": {
"flake": false,
"locked": {
"lastModified": 1706405938,
"narHash": "sha256-L+MeX7m78uM09h/7b0jtyGOlgJC1ETQHCBphcJRa5V0=",
"ref": "refs/heads/main",
"rev": "823b14873da7cc0a8a6bf37eaab71d10863272d3",
"revCount": 16,
"type": "git",
"url": "https://codeberg.org/adamcstephens/stop-export.git"
},
"original": {
"type": "git",
"url": "https://codeberg.org/adamcstephens/stop-export.git"
}
},
"aphorme_launcher": { "aphorme_launcher": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -17,6 +33,23 @@
"type": "github" "type": "github"
} }
}, },
"brainwart_x13s-nixos": {
"flake": false,
"locked": {
"lastModified": 1705565623,
"narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=",
"owner": "BrainWart",
"repo": "x13s-nixos",
"rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2",
"type": "github"
},
"original": {
"owner": "BrainWart",
"ref": "flake",
"repo": "x13s-nixos",
"type": "github"
}
},
"colmena": { "colmena": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -27,11 +60,11 @@
"stable": "stable" "stable": "stable"
}, },
"locked": { "locked": {
"lastModified": 1699171528, "lastModified": 1706509311,
"narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "colmena", "repo": "colmena",
"rev": "665603956a1c3040d756987bc7a810ffe86a3b15", "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +80,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703439018, "lastModified": 1707075082,
"narHash": "sha256-VT+06ft/x3eMZ1MJxWzQP3zXFGcrxGo5VR2rB7t88hs=", "narHash": "sha256-PUplk5F5jlIyofxqn/xEDN9pbjrd0tnkd0pDsZ52db0=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "afdcd41180e3dfe4dac46b5ee396e3b12ccc967a", "rev": "7d5b46c17d857ee9ddb2e8d88185729a3e5637b6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -82,6 +115,22 @@
"type": "github" "type": "github"
} }
}, },
"dotfiles": {
"flake": false,
"locked": {
"lastModified": 1541334338,
"narHash": "sha256-9QAq7bjITpaO8A8qD8IVoa+89Bg13CEwxf771d9S/Ag=",
"owner": "steveeJ",
"repo": "dotfiles",
"rev": "9a8484f7094edc1b533bad3be71c511ba8ff45eb",
"type": "gitlab"
},
"original": {
"owner": "steveeJ",
"repo": "dotfiles",
"type": "gitlab"
}
},
"fenix": { "fenix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -90,11 +139,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1704176544, "lastModified": 1706941198,
"narHash": "sha256-A6PfA1DB6cF3cQerysGK8zIumGTrXucdHoFRU+8H7Lc=", "narHash": "sha256-t6/qloMYdknVJ9a3QzjylQIZnQfgefJ5kMim50B7dwA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "54df821cae7bd492a049ef213336810247128110", "rev": "28dbd8b43ea328ee708f7da538c63e03d5ed93c8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -139,11 +188,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1704152458, "lastModified": 1706830856,
"narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "88a2cd8166694ba0b6cb374700799cec53aef527", "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -195,6 +244,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"srvos",
"nixpkgs"
]
},
"locked": {
"lastModified": 1706830856,
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1659877975,
@ -215,11 +285,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1705309234,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -261,11 +331,11 @@
"jay": { "jay": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1698077919, "lastModified": 1707233644,
"narHash": "sha256-X4bMOBS2WFcbiOiynvSId1XoWgQW3wbO7/atJ9V7buk=", "narHash": "sha256-VMbqnbhmevlWjVaabBgwB62CKQay6LrTyQ7XvDv/lC0=",
"owner": "mahkoh", "owner": "mahkoh",
"repo": "jay", "repo": "jay",
"rev": "b4d73064d9c112c69ff16200231145ccffcb3e81", "rev": "e7709f695f3cfcf9bb9e857cb488f0c7f269d719",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -280,11 +350,11 @@
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1704024543, "lastModified": 1707048513,
"narHash": "sha256-hmKcKSuTqVK47l2G0PkLAinZN1oCOb6XdPPJhNCQ2rg=", "narHash": "sha256-gZh1mHkjtOmXrlgWWdl6G27NlKuNuruz1lOnhgmg1Nk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "lib-aggregate", "repo": "lib-aggregate",
"rev": "4608880f02f8f868e1b7f85c60abdfc5cb0cf9ec", "rev": "83a014ca34f5cf6ef441b760e12d503856f20b35",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -293,22 +363,35 @@
"type": "github" "type": "github"
} }
}, },
"magmawm": { "linux_x13s": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1703542178, "lastModified": 1706261399,
"narHash": "sha256-HuCAz+B+cg7HoEEL67heaYRc8zmQCnPBR+DgmuiIZBk=", "narHash": "sha256-NJSN4j2VbFIPerb/bFqmaYbcHjxF3u6lijuXpC0USYo=",
"owner": "MagmaWM", "owner": "jhovold",
"repo": "MagmaWM", "repo": "linux",
"rev": "24dc21f228efb034cd0237fb5ff9a8310f1929b7", "rev": "b929f8eed9ad1f156cae932dea741bc4383e6367",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "MagmaWM", "owner": "jhovold",
"repo": "MagmaWM", "ref": "wip/sc8280xp-v6.7",
"repo": "linux",
"type": "github" "type": "github"
} }
}, },
"logseq_0_10_5_aarch64_appimage": {
"flake": false,
"locked": {
"narHash": "sha256-5uHRJpNcAzVRqyF5eR2sY0u/Q9rHXWh/g36/sehmSys=",
"type": "file",
"url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"
},
"original": {
"type": "file",
"url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"
}
},
"nix-eval-jobs": { "nix-eval-jobs": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_3",
@ -317,11 +400,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1703466376, "lastModified": 1705242886,
"narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=", "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-eval-jobs", "repo": "nix-eval-jobs",
"rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7", "rev": "6b03a93296faf174b97546fd573c8b379f523a8d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -364,11 +447,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1704071157, "lastModified": 1704629536,
"narHash": "sha256-p8KFWE16nu8ltY17psLU4KTcxXTpjvc1fCzMVPel080=", "narHash": "sha256-hCMBZ61Kpj54JD/miAhhoSHWMyP6NWrOmYOSHd0rB4E=",
"owner": "numtide", "owner": "numtide",
"repo": "nixos-anywhere", "repo": "nixos-anywhere",
"rev": "d2911784c30a6c94d3a581bc99c94d3ce0deba0b", "rev": "4c94cecf3dd551adf1359fb06aa926330f44e5a6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -419,22 +502,6 @@
"type": "github" "type": "github"
} }
}, },
"nixos-stable_2": {
"locked": {
"lastModified": 1703900474,
"narHash": "sha256-Zu+chYVYG2cQ4FCbhyo6rc5Lu0ktZCjRbSPE0fDgukI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9dd7699928e26c3c00d5d46811f1358524081062",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703134684, "lastModified": 1703134684,
@ -469,11 +536,11 @@
}, },
"nixpkgs-2305": { "nixpkgs-2305": {
"locked": { "locked": {
"lastModified": 1704018918, "lastModified": 1704290814,
"narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -485,16 +552,16 @@
}, },
"nixpkgs-2311": { "nixpkgs-2311": {
"locked": { "locked": {
"lastModified": 1704018918, "lastModified": 1707091808,
"narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.05", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -502,11 +569,11 @@
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"dir": "lib", "dir": "lib",
"lastModified": 1703961334, "lastModified": 1706550542,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -519,11 +586,11 @@
}, },
"nixpkgs-lib_2": { "nixpkgs-lib_2": {
"locked": { "locked": {
"lastModified": 1703983607, "lastModified": 1707007541,
"narHash": "sha256-YECXW8P0bqFM5e65Mu2fL4wZlonNWCuNEk7UQPsuJZ0=", "narHash": "sha256-fuFppCuZO4wJAfodUkiWhtSxTb+pkBW+lJP2S51jRNU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "a6c99b57d2e58f7fc6d52a08b0ba40160e75f738", "rev": "948ff77600f9fff8c904d1e1ffb87a60773991af",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -534,11 +601,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1703950681, "lastModified": 1705957679,
"narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=", "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0aad9113182747452dbfc68b93c86e168811fa6c", "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -548,29 +615,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1703961334,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable-small": { "nixpkgs-unstable-small": {
"locked": { "locked": {
"lastModified": 1704177376, "lastModified": 1707217908,
"narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", "narHash": "sha256-5Dauh04xrEZqlokpYWftfVmDrljORnA48tGrRp+TURM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", "rev": "3b0709da3eeed918323399c68b1fe4309b2ac483",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -588,11 +639,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1704201485, "lastModified": 1707290091,
"narHash": "sha256-pFDUR45wmq1HehY3WlJOJydFkLOzKC2pWqvMykLj2Qk=", "narHash": "sha256-QX1lZCenEuNe/yFnPUuxEA5B3QJx3D5UEeLvWQ4QK1w=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs-wayland", "repo": "nixpkgs-wayland",
"rev": "b0c06873775fe978bd9384ab14c24903bde92e74", "rev": "2a54a12e504659a36b20bfce96522b403fa73fdd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -603,11 +654,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1703961334, "lastModified": 1707092692,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -652,18 +703,22 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"adamcstephens_stop-export": "adamcstephens_stop-export",
"aphorme_launcher": "aphorme_launcher", "aphorme_launcher": "aphorme_launcher",
"brainwart_x13s-nixos": "brainwart_x13s-nixos",
"colmena": "colmena", "colmena": "colmena",
"crane": "crane", "crane": "crane",
"disko": [ "disko": [
"nixos-anywhere", "nixos-anywhere",
"disko" "disko"
], ],
"dotfiles": "dotfiles",
"fenix": "fenix", "fenix": "fenix",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"get-flake": "get-flake", "get-flake": "get-flake",
"jay": "jay", "jay": "jay",
"magmawm": "magmawm", "linux_x13s": "linux_x13s",
"logseq_0_10_5_aarch64_appimage": "logseq_0_10_5_aarch64_appimage",
"nixos-anywhere": "nixos-anywhere", "nixos-anywhere": "nixos-anywhere",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-2311" "nixpkgs-2311"
@ -671,11 +726,16 @@
"nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-2305": "nixpkgs-2305", "nixpkgs-2305": "nixpkgs-2305",
"nixpkgs-2311": "nixpkgs-2311", "nixpkgs-2311": "nixpkgs-2311",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": [
"nixpkgs-unstable-small"
],
"nixpkgs-unstable-small": "nixpkgs-unstable-small", "nixpkgs-unstable-small": "nixpkgs-unstable-small",
"nixpkgs-wayland": "nixpkgs-wayland", "nixpkgs-wayland": "nixpkgs-wayland",
"ofi-pass": "ofi-pass", "ofi-pass": "ofi-pass",
"prs": "prs", "prs": "prs",
"radicalePkgs": [
"nixpkgs-2211"
],
"salut": "salut", "salut": "salut",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"srvos": "srvos", "srvos": "srvos",
@ -685,11 +745,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1704114818, "lastModified": 1706875368,
"narHash": "sha256-/0gMZ32JaUTQ0THA/S9rcQSAmEKfL3hGorX5En8lG98=", "narHash": "sha256-KOBXxNurIU2lEmO6lR2A5El32X9x8ITt25McxKZ/Ew0=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "a8d935eedc80df8b453d90539cbe78b7e2c75e3c", "rev": "8f6a72871ec87ed53cfe43a09fb284168a284e7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -723,11 +783,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1703991717, "lastModified": 1707015547,
"narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=", "narHash": "sha256-YZr0OrqWPdbwBhxpBu69D32ngJZw8AMgZtJeaJn0e94=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6", "rev": "23f61b897c00b66855074db471ba016e0cda20dd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -738,17 +798,17 @@
}, },
"srvos": { "srvos": {
"inputs": { "inputs": {
"nixos-stable": "nixos-stable_2", "flake-parts": "flake-parts_4",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1704204620, "lastModified": 1707160670,
"narHash": "sha256-u7C59X3s706W9ptqfYHLlZlropun5Fzr9eYaKAsEuN8=", "narHash": "sha256-svt/yQB8l/edU9yhYB78lIGKiaO7mXzUQvu/uJLZAVs=",
"owner": "numtide", "owner": "numtide",
"repo": "srvos", "repo": "srvos",
"rev": "e5eecdf21bdf048cef7cb9e52bf573fdf959d491", "rev": "977371a151fc3c96d6fac923b3032d07000e9490",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -839,11 +899,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1702939607, "lastModified": 1707043587,
"narHash": "sha256-nPIt1JIQ3g6lBE7+qI8gV1cmJ+uA55aAzho2dGOIFik=", "narHash": "sha256-bSuJX5BNN31XMFPinZhteeJO0M8ZHaSoXQXXwZ5MR1c=",
"owner": "l4l", "owner": "l4l",
"repo": "yofi", "repo": "yofi",
"rev": "c0ca3365a702e7a2852a801ca357df5eb87d0cf9", "rev": "5b67f8db1ee9bd1e09b3bf3354d08bd5e89f596e",
"type": "github" "type": "github"
}, },
"original": { "original": {

467
flake.nix

@ -1,19 +1,25 @@
# flake.nix # flake.nix
{ {
inputs = { inputs = {
dotfiles = {
url = "gitlab:steveeJ/dotfiles";
flake = false;
};
# flake and infra basics # flake and infra basics
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
radicalePkgs.follows = "nixpkgs-2211";
nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-unstable.follows = "nixpkgs-unstable-small";
nixpkgs.follows = "nixpkgs-2311"; nixpkgs.follows = "nixpkgs-2311";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
srvos.url = "github:numtide/srvos"; srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs"; srvos.inputs.nixpkgs.follows = "nixpkgs";
nixos-anywhere.url = github:numtide/nixos-anywhere/main; nixos-anywhere.url = "github:numtide/nixos-anywhere/main";
nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
disko.follows = "nixos-anywhere/disko"; disko.follows = "nixos-anywhere/disko";
@ -59,11 +65,6 @@
flake = false; flake = false;
}; };
magmawm = {
url = "github:MagmaWM/MagmaWM";
flake = false;
};
salut = { salut = {
url = "gitlab:snakedye/salut"; url = "gitlab:snakedye/salut";
flake = false; flake = false;
@ -73,214 +74,252 @@
url = "gitlab:timvisee/prs/master"; url = "gitlab:timvisee/prs/master";
flake = false; flake = false;
}; };
### inputs for thinkpad x13s
# see https://github.com/jhovold/linux/wiki/X13s for status updates
linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7";
linux_x13s.flake = false;
brainwart_x13s-nixos = {
url = "github:BrainWart/x13s-nixos/flake";
flake = false;
};
adamcstephens_stop-export = {
flake = false;
url = "git+https://codeberg.org/adamcstephens/stop-export.git";
};
# alsa-ucm-conf = {
# flake = false;
# url = "github:alsa-project/alsa-ucm-conf/master";
# };
logseq_0_10_5_aarch64_appimage = {
flake = false;
url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage";
};
}; };
outputs = outputs = inputs @ {
inputs @ { self self,
, flake-parts flake-parts,
, nixpkgs nixpkgs,
, ... ...
}: }: let
let inherit (nixpkgs) lib;
inherit (nixpkgs) lib;
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
]; ];
in in
flake-parts.lib.mkFlake { inherit inputs; } flake-parts.lib.mkFlake {inherit inputs;}
({ withSystem, ... }: { ({withSystem, ...}: {
flake.colmena = flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{ {
meta.nixpkgs = import inputs.nixpkgs.outPath { meta.nixpkgs = import inputs.nixpkgs.outPath {
system = builtins.elemAt systems 0; system = builtins.elemAt systems 0;
};
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(builtins.map
(nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
"steveej-t14"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# # "router0-dmz0"
# "sj-vps-htz0"
"sj-bm-hostkey0"
# "retro"
]);
# this makes nixos-anywhere work
flake.nixosConfigurations =
(inputs.colmena.lib.makeHive self.outputs.colmena).nodes
// (
let
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations;
retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations;
in
{
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross;
# nixos-install --flake .\#retro_cross
retro_cross = retro.cross;
steveej-x13s_cross = steveej-x13s.cross;
}
);
inherit systems;
perSystem =
{ inputs'
, system
, config
, lib
, pkgs
, ...
}: rec {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
packages =
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLib =
inputs.crane.lib.${system}.overrideToolchain
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass =
inputs.crane.lib.${system}.overrideToolchain
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
# broken as of 2023-04-27 because it doesn't load without a config
# aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
# yofi = inputs'.yofi.packages.default;
# ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
inherit (inputs'.colmena.packages) colmena;
# jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
# src = inputs.jay;
# rustPlatform = pkgs.makeRustPlatform {
# cargo = inputs'.fenix.packages.stable.toolchain;
# rustc = inputs'.fenix.packages.stable.toolchain;
# };
# };
# magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) {
# inherit craneLib;
# src = inputs.magmawm;
# };
salut = craneLib.buildPackage {
src = inputs.salut;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
pkgs.libxkbcommon
pkgs.fontconfig
];
};
prs = pkgs.callPackage
({ pkgs
, dbus
, glib
, gpgme
, gtk3
, libxcb
, libxkbcommon
, installShellFiles
, pkg-config
, python3
}: craneLib.buildPackage {
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [ gpgme installShellFiles pkg-config python3 ];
buildInputs = [
dbus
glib
gpgme
gtk3
libxcb
libxkbcommon
];
cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
})
{ };
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
};
formatter = pkgs.alejandra;
devShells.default = import ./nix/devShells.nix {
inherit inputs' pkgs;
packages' = packages;
};
}; };
}); }
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(builtins.map
(nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# # "router0-dmz0"
"sj-srv1"
"sj-bm-hostkey0"
# "retro"
]);
# this makes nixos-anywhere work
flake.nixosConfigurations = let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations;
in (
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross;
# nixos-install --flake .\#retro_cross
retro_cross = retro.cross;
steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
inherit systems;
perSystem = {
self',
inputs',
system,
config,
lib,
pkgs,
...
}: {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
packages = let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
craneLib =
inputs.crane.lib.${system}.overrideToolchain
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass =
inputs.crane.lib.${system}.overrideToolchain
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
# broken as of 2023-04-27 because it doesn't load without a config
# aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
# yofi = inputs'.yofi.packages.default;
# ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
inherit (inputs'.colmena.packages) colmena;
# jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
# src = inputs.jay;
# rustPlatform = pkgs.makeRustPlatform {
# cargo = inputs'.fenix.packages.stable.toolchain;
# rustc = inputs'.fenix.packages.stable.toolchain;
# };
# };
salut = craneLib.buildPackage {
src = inputs.salut;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
pkgs.libxkbcommon
pkgs.fontconfig
];
};
prs =
pkgs.callPackage
({
pkgs,
dbus,
glib,
gpgme,
gtk3,
libxcb,
libxkbcommon,
installShellFiles,
pkg-config,
python3,
}:
craneLib.buildPackage {
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
buildInputs = [
dbus
glib
gpgme
gtk3
libxcb
libxkbcommon
];
cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
})
{};
nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
logseq =
pkgs.callPackage ./nix/pkgs/logseq
(lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage;
});
};
formatter = pkgs.alejandra;
devShells = let
all = import ./nix/devShells.nix {
inherit
self'
inputs'
pkgs
;
};
in (all // {default = all.develop;});
};
flake.nixosModules = {
# thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; }));
};
});
} }


@ -1,70 +1,68 @@
{ {
self',
inputs', inputs',
packages',
pkgs, pkgs,
}: }: {
pkgs.stdenv.mkDerivation { install = pkgs.mkShell {
name = "infra-env"; name = "infra-install";
buildInputs = packages = with pkgs; [
[
(with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};};
with config.system.build; [
nixos-generate-config
nixos-install
nixos-enter
manual.manpages
])
]
++ (with pkgs; [
inputs'.colmena.packages.colmena
nixos-install-tools nixos-install-tools
inputs'.disko.packages.disko
just
git
git-crypt
gnupg
];
};
develop = pkgs.mkShell {
name = "infra-develop";
inputsFrom = [
self'.devShells.install
];
packages = with pkgs; [
inputs'.colmena.packages.colmena
dconf2nix dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere inputs'.nixos-anywhere.packages.nixos-anywhere
nurl nurl
just
git-crypt
vcsh vcsh
gnupg
git
ripgrep ripgrep
lm_sensors # pass
pass
fuzzel
wofi
age age
age-plugin-yubikey age-plugin-yubikey
ssh-to-age ssh-to-age
yubico-piv-tool yubico-piv-tool
inputs'.sops-nix.packages.default inputs'.sops-nix.packages.default
sops sops
nil
apacheHttpd apacheHttpd
vncdo # vncdo
tesseract # tesseract
imagemagick # imagemagick
nmap # lm_sensors
sysstat
lshw
xxHash
linssid
wavemon
wirelesstools
zathura # nmap
xorg.xwininfo # sysstat
glxinfo # lshw
autorandr # xxHash
arandr # linssid
playerctl # wavemon
x11docker # wirelesstools
fwupd
ntfy # zathura
# xorg.xwininfo
# glxinfo
# autorandr
# arandr
# playerctl
# x11docker
# fwupd
hedgedoc-cli # ntfy
# hedgedoc-cli
xwayland xwayland
@ -75,9 +73,9 @@ pkgs.stdenv.mkDerivation {
(pkgs.writeShellScriptBin "r11" '' (pkgs.writeShellScriptBin "r11" ''
exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
'') '')
];
]); # Set Environment Variables
RUST_BACKTRACE = 1;
# Set Environment Variables };
RUST_BACKTRACE = 1;
} }


@ -1,25 +1,22 @@
{ {
pkgs, pkgs,
lib,
config, config,
# these come in via home-manager.extraSpecialArgs and are specific to each node # these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake, nodeFlake,
packages', packages',
# repoFlake,
# repoFlakeInputs',
... ...
}: let }: let
# pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;}; pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;};
pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
in { in {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
../profiles/dotfiles.nix # ../profiles/dotfiles.nix
# FIXME: fix homeshick when no WAN connection is available # FIXME: fix homeshick when no WAN connection is available
# ../programs/homeshick.nix # ../programs/homeshick.nix
# ../profiles/gnome-desktop.nix # ../profiles/gnome-desktop.nix
../profiles/sway-desktop.nix
# ../profiles/experimental-desktop.nix # ../profiles/experimental-desktop.nix
../programs/redshift.nix ../programs/redshift.nix
@ -35,10 +32,6 @@ in {
../programs/libreoffice.nix ../programs/libreoffice.nix
../programs/neovim.nix ../programs/neovim.nix
../programs/vscode ../programs/vscode
# TODO: bump these to 23.05 and make it work
(args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
# (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
]; ];
home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.HM_CONFIG = "graphical-fullblown";
@ -46,7 +39,6 @@ in {
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"electron-24.8.6"
"electron-25.9.0" "electron-25.9.0"
]; ];
@ -54,21 +46,19 @@ in {
[] []
++ (with pkgs; [ ++ (with pkgs; [
# Authentication # Authentication
cacert # cacert
fprintd # fprintd
openssl # openssl
mkpasswd # mkpasswd
# Nix package related tools # Nix package related tools
patchelf patchelf
nix-index # nix-index
nix-prefetch-scripts nix-prefetch-scripts
# nix-prefetch-github
nix-tree nix-tree
# Version Control Systems # Version Control Systems
gitFull gitFull
pijul
# gitless # gitless
gitRepo gitRepo
git-lfs git-lfs
@ -117,118 +107,66 @@ in {
# FIXME: depends on insecure openssl 1.1.1t # FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop # kotatogram-desktop
tdesktop tdesktop
pkgsUnstableSmall.signal-desktop
#(let
# version = "6.20.0-beta.1";
#in
# pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
# # inherit version;
# # src = builtins.fetchurl {
# # url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
# # sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
# # };
# preFixup =
# old.preFixup
# + ''
# gappsWrapperArgs+=(
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
# )
# '';
# }))
pkgsUnstableSmall.session-desktop (
# --add-flags "--enable-features=UseOzonePlatform" let
# --add-flags "--ozone-platform=wayland" version = "6.44.0";
# (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { in
# nativeBuildInputs = pkgsUnstableSmall.signal-desktop.overrideAttrs (old:
# old.nativeBuildInputs lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
# ++ [ inherit version;
# pkgs.wrapGAppsHook src =
# ]; builtins.fetchurl
{
# preFixup = url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb";
# (old.preFixup or "") sha256 =
# + '' # lib.fakeSha256
# gappsWrapperArgs+=( "sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k";
# --add-flags "--enable-features=UseOzonePlatform" };
# --add-flags "--ozone-platform=wayland" })
# # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" )
# # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
# # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
# )
# '';
# }))
#(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
# nativeBuildInputs = old.nativeBuildInputs ++ [
# pkgs.wrapGAppsHook
# ];
#
# preFixup = (old.preFixup or "") + ''
# gappsWrapperArgs+=(
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
# )
# '';
# }))
thunderbird thunderbird
# gnome.cheese # gnome.cheese
discord
# Virtualization # Virtualization
# virtmanager # virtmanager
# Remote Control Tools # Remote Control Tools
remmina remmina
freerdp # freerdp
teamviewer
pkgsUnstableSmall.rustdesk
# Audio/Video Players # Audio/Video Players
ffmpeg ffmpeg
vlc vlc
v4l-utils # v4l-utils
audacity # audacity
spotify # spotify
yt-dlp yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
libwebcam libwebcam
# Network Tools # Network Tools
openvpn
tcpdump tcpdump
iftop iftop
iperf iperf
bind bind
socat socat
# 2019-03-05: broken on 19.03 linssid nethogs
iptraf-ng
ipmitool
iptables
nftables
wireshark
wireguard-tools
# Code Editing and Programming # Code Editing and Programming
xclip # pkgsUnstableSmall.lapce
xsel # pkgsUnstableSmall.helix
pkgsUnstableSmall.lapce
pkgsUnstableSmall.helix
pkgsUnstableSmall.nil
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
gnome.eog gnome.eog
gimp # gimp
imagemagick # imagemagick
exiv2 # exiv2
graphviz # graphviz
inkscape # inkscape
qrencode # qrencode
zbar
feh
# TODO: remove or move these: Modelling Tools # TODO: remove or move these: Modelling Tools
# plantuml # plantuml
@ -239,61 +177,45 @@ in {
# astah-community # astah-community
# Misc Development Tools # Misc Development Tools
qrcode # qrcode
jq # jq
cdrtools # cdrtools
# Document Processing and Management # Document Processing and Management
gnome.nautilus gnome.nautilus
xfce.thunar
pcmanfm pcmanfm
# mendeley # mendeley
evince evince
(runCommand "logseq-wrapper" {
nativeBuildInputs = [ makeWrapper ];
} ''
makeWrapper ${logseq}/bin/logseq $out/bin/logseq \
--set NIXOS_OZONE_WL ""
'')
# (logseq.override({ electron_25 = electron_26; }))
# File Synchronzation # File Synchronzation
maestral maestral
maestral-gui
rsync rsync
# Filesystem Tools # Filesystem Tools
ntfs3g # ntfs3g
ddrescue # ddrescue
ncdu # ncdu
unetbootin # hdparm
hdparm
testdisk
# binwalk # binwalk
gptfdisk # gptfdisk
gparted # gparted
smartmontools # smartmontools
## Android
androidenv.androidPkgs_9_0.platform-tools
## Python ## Python
packages'.myPython # packages'.myPython
# Misc Desktop Tools # Misc Desktop Tools
ltunify # ltunify
# dex # dex
xorg.xbacklight
coreutils coreutils
lsof lsof
xdotool
xdg_utils xdg_utils
xdg-user-dirs xdg-user-dirs
dconf dconf
picocom picocom
glib.dev # contains gdbus tool glib.dev # contains gdbus tool
alacritty alacritty
wally-cli # wally-cli
man-pages man-pages
# Screen recording # Screen recording
@ -309,47 +231,68 @@ in {
# introduces python: screenkey # introduces python: screenkey
# avidemux # broken # avidemux # broken
handbrake # handbrake
pkgsUnstableSmall.ledger-live-desktop # snes9x
# snes9x-gtk
(banana-accounting.overrideDerivation (attrs:
with inputs'.nixpkgs-2211.legacyPackages; {
# dontWrapGApps = true;
srcs = builtins.fetchurl {
# hosted via https://web3.storage
url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz";
sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1";
};
# nativeBuildInputs =
# attrs.nativeBuildInputs
# ++ [
# qt5.qtbase
# qt5.wrapQtAppsHook
# ];
# buildInputs =
# attrs.buildInputs
# ++ [
# qt5.qtwayland
# ];
# preFixup =
# (attrs.preFixup or "")
# + ''
# qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
# '';
}))
snes9x
snes9x-gtk
# this is a displaymanager! # this is a displaymanager!
# libretro.snes9x2010 # libretro.snes9x2010
# retroarchFull # retroarchFull
packages'.logseq
# (pkgs.runCommand "logseq-wrapper"
# {
# nativeBuildInputs = [ pkgs.makeWrapper ];
# } ''
# makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \
# --set NIXOS_OZONE_WL ""
# '')
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
(
pkgs.banana-accounting.overrideDerivation
(attrs:
with nodeFlake.inputs'.nixpkgs-2211.legacyPackages; {
# dontWrapGApps = true;
srcs = builtins.fetchurl {
# hosted via https://web3.storage
url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz";
sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1";
};
# nativeBuildInputs =
# attrs.nativeBuildInputs
# ++ [
# qt5.qtbase
# qt5.wrapQtAppsHook
# ];
# buildInputs =
# attrs.buildInputs
# ++ [
# qt5.qtwayland
# ];
# preFixup =
# (attrs.preFixup or "")
# + ''
# qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
# '';
})
)
pkgsUnstableSmall.ledger-live-desktop
# unsupported on aarch64-linux
pkgs.androidenv.androidPkgs_9_0.platform-tools
pkgs.teamviewer
pkgs.discord
pkgsUnstableSmall.session-desktop
pkgsUnstableSmall.rustdesk
]); ]);
systemd.user.startServices = true; systemd.user.startServices = true;
@ -357,16 +300,10 @@ in {
services.udiskie = { services.udiskie = {
enable = true; enable = true;
automount = true; automount = false;
notify = true; notify = true;
}; };
# FIXME: doesn't work as the service can't seem to control its started PID
services.dropbox = {
enable = false;
path = "${config.home.homeDirectory}/Dropbox-Hm";
};
# TODO: uncomment this when it's in stable home-manger # TODO: uncomment this when it's in stable home-manger
# programs.joshuto = { # programs.joshuto = {
# enable = true; # enable = true;
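Review bot: The aarch64 `signal-desktop` override in the `@ -117,118 +107,66 @@` hunk takes its `src` from `0mniteck/Signal-Desktop-Mobian` at `raw/master`, which is an unofficial rebuild served from a mutable branch. The `sha256` pins the bytes, so a swapped file fails the build instead of being installed, but the hash says nothing about how the binary was produced, and the URL breaks as soon as the file moves on `master`. I would pin the URL to a commit (`.../raw/<commit-sha>/builds/release/...`, placeholder) and state the provenance next to it, e.g. `# unofficial arm64 build, not published by Signal; review upstream before bumping version and hash`. This package holds account keys and message history, so the trust decision deserves to be written down where the next version bump happens.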


@ -1,12 +0,0 @@
{pkgs, ...}: {
imports = [
../profiles/common.nix
../programs/neovim.nix
];
home.packages = with pkgs; [
iperf3
inetutils
speedtest-cli
];
}


@ -1,12 +1,13 @@
{pkgs, ...}: { {
pkgs,
lib,
...
}: {
# TODO: re-enable this with the appropriate version? # TODO: re-enable this with the appropriate version?
# programs.home-manager.enable = true; # programs.home-manager.enable = true;
# programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
imports = [ # TODO: move this to an OS snippet?
../programs/zsh.nix
];
nixpkgs.config = { nixpkgs.config = {
allowBroken = false; allowBroken = false;
allowUnfree = true; allowUnfree = true;
@ -14,9 +15,6 @@
permittedInsecurePackages = []; permittedInsecurePackages = [];
}; };
nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"];
nix.settings.sandbox = "relaxed";
home.keyboard = { home.keyboard = {
layout = "us"; layout = "us";
variant = "altgr-intl"; variant = "altgr-intl";
@ -30,9 +28,7 @@
xdg.enable = true; xdg.enable = true;
programs.direnv.enable = true; programs.direnv.enable = true;
services.lorri.enable = true;
home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1";
# Don't create .pyc files. # Don't create .pyc files.
home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1";
@ -42,9 +38,14 @@
home.packages = home.packages =
[] []
++ (with pkgs; [ ++ (with pkgs; [
htop coreutils
vcsh vcsh
htop
iperf3
nethogs
# Authentication # Authentication
cacert cacert
openssl openssl
@ -77,6 +78,4 @@
usbutils usbutils
pciutils pciutils
]); ]);
home.stateVersion = "22.05";
} }
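Review bot: The last hunk removes `home.stateVersion = "22.05";` and nothing else in this section sets it, so every node that imports this profile now has to provide it. Presumably it moved into the per-node configuration, which is outside this section; if so, the value should stay at the one each home was created with, since changing it alters defaults and migrations. A short comment where the line used to be, such as `# home.stateVersion is set per node`, would keep the next reader from re-adding it here.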


@ -1,9 +1,44 @@
{ {
repoFlake,
pkgs, pkgs,
config, config,
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
... ...
}: let }: let
vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
)
'';
vcshActivationScript = pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in { in {
# TODO: fix the dotfiles # TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
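Review bot: `repoBareLocal` is a fixed-output derivation whose `outputHash` is the all-zero placeholder, so it fails with a hash mismatch as soon as anything references it. Even with a real hash, `git clone --mirror` of a live repository changes on every push, so the hash would go stale each time; fetching one pinned revision would give it a stable output. Until then a comment on the hash line would help, e.g. `# FIXME: placeholder; a --mirror clone of a moving repo has no stable hash`. In `vcshActivationScript`, `$HOME`, `$HOST`, `$1` and `$2` are expanded unquoted and `vcsh pull $HOST || true` hides a failed update; quoting them and printing a warning on failure would be safer before the commented-out activation below is re-enabled.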


@ -38,24 +38,6 @@ in {
services.gpg-agent.pinentryFlavor = "gnome3"; services.gpg-agent.pinentryFlavor = "gnome3";
nixpkgs.overlays = [
(final: prev: {
# xdg-desktop-portal-wlr' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr;
# xdg-desktop-portal-wlr-gtk' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr-gtk;
# sway-unwrapped = let
# fixed_wlroots = prev.wlroots_0_16.overrideAttrs (old: {
# patches = [
# (builtins.fetchurl {
# sha256 = "05h9xzicz3fccskg2hbqnw2qh4bm7mwi70c4m00y87w5yhj9gxps";
# url = "https://gist.githubusercontent.com/steveej/1d8c96ed2fdb3d9ddd0344ca5136073f/raw/d6a097a452b950865b554587db606e718d99c572/fix-wlroots.patch";
# })
# ];
# });
# in
# prev.sway-unwrapped.override {wlroots_0_16 = fixed_wlroots;};
})
];
home.packages = [ home.packages = [
pkgs.swayidle pkgs.swayidle
pkgs.swaylock pkgs.swaylock
@ -195,6 +177,7 @@ in {
childBorder = lib.mkForce "#ffa500"; childBorder = lib.mkForce "#ffa500";
}; };
window.titlebar = false;
window.border = 4; window.border = 4;
# this maps to focus_on_window_activation # this maps to focus_on_window_activation


@ -8,10 +8,7 @@
}: let }: let
inherit (import ../lib.nix {}) mkSimpleTrayService; inherit (import ../lib.nix {}) mkSimpleTrayService;
nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
wayprompt = nixpkgs-wayland'.wayprompt; wayprompt = nixpkgs-wayland'.wayprompt;
in { in {
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
@ -33,36 +30,42 @@ in {
}; };
}; };
home.packages = with pkgs; [ home.packages = with pkgs;
# required by network-manager-applet [
pkgs.networkmanagerapplet # required by network-manager-applet
pkgs.networkmanagerapplet
wlr-randr wlr-randr
wayout wayout
wl-clipboard wl-clipboard
wmctrl wmctrl
wayprompt nixpkgs-wayland'.shotman
nixpkgs-wayland'.shotman
# identifies key input syms # identifies key input syms
wev wev
# TODO: whwat's this for? # TODO: whwat's this for?
# wltype # wltype
pavucontrol pavucontrol
playerctl playerctl
pasystray pasystray
qt5.qtwayland qt5.qtwayland
qt6.qtwayland qt6.qtwayland
# libsForQt5.qt5.qtwayland # libsForQt5.qt5.qtwayland
# libsForQt6.qt6.qtwayland # libsForQt6.qt6.qtwayland
# probably required by flameshot # probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr # xdg-desktop-portal xdg-desktop-portal-wlr
# grim # grim
]; ]
++ (
lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64
[
]
);
home.sessionVariables = { home.sessionVariables = {
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";


@ -1,6 +1,7 @@
{ {
name, name,
lib, lib,
pkgs,
... ...
}: let }: let
extensions = extensions =
@ -40,11 +41,14 @@
{id = "fhcgjolkccmbidfldomjliifgaodjagh";} {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
# unhook # unhook
{ id = "khncfooichmfjbepaaaebmommgaepoid";} {id = "khncfooichmfjbepaaaebmommgaepoid";}
] ]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# Vimium C # Vimium C
{id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
# always right
{id = "npjpaghfnndnnmjiliibnkmdfgbojokj";}
]); ]);
in { in {
programs.chromium = { programs.chromium = {
@ -53,7 +57,10 @@ in {
}; };
programs.brave = { programs.brave = {
enable = true; # TODO: enable this on aarch64-linux
enable =
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions; inherit extensions;
}; };


@ -1,4 +1,8 @@
{repoFlake, pkgs, ...}: { {
repoFlake,
pkgs,
...
}: {
# required by pass-otp # required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";


@ -61,8 +61,8 @@
[storage] [storage]
type = radicale_storage_decsync type = radicale_storage_decsync
filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
''; '';
in { in {
systemd.user.services."radicale-${suffix}" = { systemd.user.services."radicale-${suffix}" = {


@ -1,20 +1,40 @@
{pkgs, ...}: let {
marketPlaceExtensions = pkgs,
pkgs.vscode-utils.extensionsFromVscodeMarketplace [ nodeFlake,
]; ...
in { }: {
programs.vscode = { programs.vscode = {
enable = true; enable = true;
# package = pkgs.vscodium; package = pkgs.vscodium;
extensions = with pkgs.vscode-extensions; extensions =
[ [
ms-vscode-remote.remote-ssh # TODO: how can i install (this) vsix(s) directly?
# bbenoist.nix # (builtins.fetchurl {
# vscodevim.vim # # https://open-vsx.org/extension/jeanp413/open-remote-ssh
# rust-lang.rust-analyzer # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix";
# mkhl.direnv # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
] ]
++ marketPlaceExtensions; ++ (with pkgs.vscode-extensions; [
bbenoist.nix
eamodio.gitlens
mkhl.direnv
jnoortheen.nix-ide
tomoki1207.pdf
vscodevim.vim
ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme
# TODO: these are not in nixpkgs
# fredwangwang.vscode-hcl-format
# hashicorp.hcl
# mindaro-dev.file-downloader
# ms-vscode.remote-explorer
# TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh
]);
mutableExtensionsDir = true; mutableExtensionsDir = true;
}; };


@ -49,6 +49,15 @@ in {
initExtra = let initExtra = let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in '' in ''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
if test ! -n "$TMP" -a -z "$TMP"; then
unset TMP
fi
PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
RPROMPT="" RPROMPT=""
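Review bot: The added guard `test ! -n "$TMPDIR" -a -z "$TMPDIR"` checks the same condition twice, because `! -n` and `-z` are both true exactly when the value is empty, and `-a` inside `test` is marked obsolescent by POSIX. `[[ -z "$TMPDIR" ]] && unset TMPDIR`, and the same for `TMP`, does the job with one test. The commit message calls this a safety mechanism so that `/` is never used, and that reasoning belongs in the file too, e.g. `# an empty TMPDIR makes "$TMPDIR/x" resolve to /x; unset it so tools fall back to their default`. It presumably only takes effect in shells that read this `initExtra`, so processes started outside such a shell would still see the empty value. The `initExtra` string continues outside the hunk.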


@ -50,11 +50,13 @@ in {
}; };
home-manager.users.justyna = home-manager.users.justyna =
lib.attrsets.recursiveUpdate (homeEnv { lib.attrsets.recursiveUpdate
(homeEnv {
layout = "de"; layout = "de";
options = []; options = [];
variant = ""; variant = "";
}) { })
{
services.syncthing.enable = true; services.syncthing.enable = true;
services.syncthing.tray = true; services.syncthing.tray = true;


@ -16,21 +16,25 @@
; ;
vlanRangeStart = builtins.head vlanRange; vlanRangeStart = builtins.head vlanRange;
vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange)-1); vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1);
vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans);
vlanRangeWith0 = [ 0 ] ++ vlanRange; vlanRangeWith0 = [0] ++ vlanRange;
mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let mkVlanIpv4HostAddr = {
vlanid,
host,
thirdIpv4SegmentMin ? 20,
cidr ? true,
}: let
# reserve the first subnet for vlanid == 0 # reserve the first subnet for vlanid == 0
# number the other subnets continously from there # number the other subnets continously from there
offset = offset =
if vlanid == 0 if vlanid == 0
then thirdIpv4SegmentMin then thirdIpv4SegmentMin
else thirdIpv4SegmentMin + 1 - vlanRangeStart; else thirdIpv4SegmentMin + 1 - vlanRangeStart;
in in
builtins.concatStringsSep "." builtins.concatStringsSep "."
[ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"];
defaultVlan = { defaultVlan = {
name = "${localDomainName}"; name = "${localDomainName}";
@ -57,26 +61,32 @@
"15".packet_priority = -10; "15".packet_priority = -10;
}; };
vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs: vlansByName =
lib.attrsets.nameValuePair lib.attrsets.mapAttrs'
attrs.name (
(attrs // { id = lib.strings.toInt vlanid'; id' = vlanid';}) vlanid': attrs:
) vlans; lib.attrsets.nameValuePair
attrs.name
(attrs
// {
id = lib.strings.toInt vlanid';
id' = vlanid';
})
)
vlans;
getVlanDomain = { vlanid }: getVlanDomain = {vlanid}:
if vlanid == 0 if vlanid == 0
then then defaultVlan.name
defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name;
else
vlans."${toString vlanid}".name + "." + defaultVlan.name
;
bridgeInterfaceName = "br-lan"; bridgeInterfaceName = "br-lan";
mkInterfaceName = { vlanid }: mkInterfaceName = {vlanid}:
if vlanid == 0 if vlanid == 0
then bridgeInterfaceName then bridgeInterfaceName
else "${bridgeInterfaceName}.${toString vlanid}" else "${bridgeInterfaceName}.${toString vlanid}";
;
exposedHost = "sj-srv1.dmz.internal";
in { in {
imports = [ imports = [
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
@ -116,8 +126,8 @@ in {
sops.secrets.passwords-root.neededForUsers = true; sops.secrets.passwords-root.neededForUsers = true;
sops.secrets.wlan0_saePasswordsFile = { }; sops.secrets.wlan0_saePasswordsFile = {};
sops.secrets.wlan0_wpaPskFile = { }; sops.secrets.wlan0_wpaPskFile = {};
} }
]; ];
@ -173,51 +183,62 @@ in {
# https://github.com/thelegy/nixos-nftables-firewall/tree/main # https://github.com/thelegy/nixos-nftables-firewall/tree/main
# TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority)
nftables = nftables = {
{
enable = true; enable = true;
stopRuleset = ""; stopRuleset = "";
chains = { chains = {
prerouting = { prerouting = {
"redirectweb" = { "exposeHost" = {
after = ["hook"]; after = ["hook"];
rules = let rules = let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
exposedHost = "srv0-dmz0.dmz.internal"; in
in [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
# TODO: if this hostname doesn't resolve it'll break the whole ruleset # TODO: if this hostname doesn't resolve it'll break the whole ruleset
# "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" [
]; "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
];
}; };
}; };
}; };
firewall = { firewall = {
enable = true; enable = true;
zones = { zones =
lan.interfaces = [ (mkInterfaceName {vlanid = 0;}) ]; {
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
# lan.ipv4Addresses = ["192.168.0.0/16"]; vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
wan.interfaces = ["wan" "lan0"]; # lan.ipv4Addresses = ["192.168.0.0/16"];
} // wan.interfaces = ["wan" "lan0"];
}
//
# generate a zone for each vlan # generate a zone for each vlan
lib.attrsets.mapAttrs (key: value: { lib.attrsets.mapAttrs
interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; (key: value: {
interfaces = [(mkInterfaceName {vlanid = value.id;})];
}) })
vlansByName vlansByName;
;
rules = let rules = let
ipv6IcmpTypes = [ ipv6IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request" "destination-unreachable"
"packet-too-big" "parameter-problem" "time-exceeded" "echo-reply"
"echo-request"
"packet-too-big"
"parameter-problem"
"time-exceeded"
# Without the nd-* ones ipv6 will not work. # Without the nd-* ones ipv6 will not work.
"nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" "nd-neighbor-solicit"
]; "nd-router-advert"
"nd-neighbor-advert"
];
ipv4IcmpTypes = [ ipv4IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" "destination-unreachable"
"echo-reply"
"echo-request"
"source-quench"
"time-exceeded"
"router-advertisement" "router-advertisement"
]; ];
allowIcmpLines = [ allowIcmpLines = [
@ -256,19 +277,36 @@ in {
vlan-to-fw = { vlan-to-fw = {
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ from = 67; to = 68; } {
{ from = 53; to = 53; } from = 67;
to = 68;
}
{
from = 53;
to = 53;
}
]; ];
allowedTCPPortRanges = [ allowedTCPPortRanges = [
{ from = 22; to = 22; } {
{ from = 53; to = 53; } from = 22;
{ from = 5201; to = 5201; } to = 22;
}
{
from = 53;
to = 53;
}
{
from = 5201;
to = 5201;
}
]; ];
from = ["vlan"]; from = ["vlan"];
to = ["fw"]; to = ["fw"];
extraLines = allowIcmpLines ++ [ extraLines =
"drop" allowIcmpLines
]; ++ [
"drop"
];
}; };
to-wan-nat = { to-wan-nat = {
@ -293,9 +331,11 @@ in {
to = 22; to = 22;
} }
]; ];
extraLines = allowIcmpLines ++ [ extraLines =
"drop" allowIcmpLines
]; ++ [
"drop"
];
}; };
}; };
}; };
@ -304,235 +344,257 @@ in {
systemd.network = { systemd.network = {
wait-online.anyInterface = true; wait-online.anyInterface = true;
netdevs = { netdevs =
# Create the bridge interface {
"20-${bridgeInterfaceName}" = { # Create the bridge interface
netdevConfig = { "20-${bridgeInterfaceName}" = {
Kind = "bridge"; netdevConfig = {
Name = bridgeInterfaceName; Kind = "bridge";
Name = bridgeInterfaceName;
};
extraConfig = ''
[Bridge]
STP=yes
VLANFiltering=yes
VLANProtocol=802.1q
DefaultPVID=0
'';
}; };
}
extraConfig = ''
[Bridge]
STP=yes
VLANFiltering=yes
VLANProtocol=802.1q
DefaultPVID=0
'';
};
}
# generate the vlan devices. these will be tagged on the main bridge # generate the vlan devices. these will be tagged on the main bridge
// builtins.foldl' // builtins.foldl'
(acc: cur: acc // cur) (acc: cur: acc // cur)
{} {}
(builtins.map (
({ vlanid, vlanid' }: { builtins.map
"20-${mkInterfaceName { inherit vlanid; }}" = { ({
vlanid,
vlanid',
}: {
"20-${mkInterfaceName {inherit vlanid;}}" = {
netdevConfig = { netdevConfig = {
Kind = "vlan"; Kind = "vlan";
Name = "${mkInterfaceName { inherit vlanid; }}"; Name = "${mkInterfaceName {inherit vlanid;}}";
}; };
vlanConfig.Id = vlanid; vlanConfig.Id = vlanid;
}; };
}) })
(builtins.map (
(vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) builtins.map
(vlanid: {
inherit vlanid;
vlanid' = builtins.toString vlanid;
})
vlanRange vlanRange
) )
) );
; networks =
networks = { {
# use lan0 as secondary WAN interface # use lan0 as secondary WAN interface
"10-lan0-wan" = { "10-lan0-wan" = {
matchConfig.Name = "lan0"; matchConfig.Name = "lan0";
networkConfig = { networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing # start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4"; DHCP = "ipv4";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true; IPv6AcceptRA = true;
DNSOverTLS = true; DNSOverTLS = true;
DNSSEC = true; DNSSEC = true;
IPv6PrivacyExtensions = false; IPv6PrivacyExtensions = false;
IPForward = true; IPForward = true;
};
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no";
}; };
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min "10-wan" = {
linkConfig.RequiredForOnline = "no"; matchConfig.Name = "wan";
}; networkConfig = {
"10-wan" = { # start a DHCP Client for IPv4 Addressing/Routing
matchConfig.Name = "wan"; DHCP = "ipv4";
networkConfig = { # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
# start a DHCP Client for IPv4 Addressing/Routing IPv6AcceptRA = true;
DHCP = "ipv4"; DNSOverTLS = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) DNSSEC = true;
IPv6AcceptRA = true; IPv6PrivacyExtensions = false;
DNSOverTLS = true; IPForward = true;
DNSSEC = true; };
IPv6PrivacyExtensions = false; # make routing on this interface a dependency for network-online.target
IPForward = true; linkConfig.RequiredForOnline = "routable";
}; };
# make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
# Connect the bridge ports to the bridge # Connect the bridge ports to the bridge
"30-lan1" = { "30-lan1" = {
matchConfig.Name = "lan1"; matchConfig.Name = "lan1";
networkConfig = { networkConfig = {
Bridge = bridgeInterfaceName; Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
linkConfig.RequiredForOnline = "enslaved"; linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [ bridgeVLANs = [
{ {
bridgeVLANConfig = { bridgeVLANConfig = {
VLAN = vlansByName.dmz.id; VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id; PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id; EgressUntagged = vlansByName.dmz.id;
};
}
];
};
"30-lan2" = {
matchConfig.Name = "lan2";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
};
}
];
};
"30-lan3" = {
matchConfig.Name = "lan3";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
}
];
};
# Configure the bridge for its desired function
"40-${bridgeInterfaceName}" = {
matchConfig.Name = bridgeInterfaceName;
bridgeConfig = {};
address = [
(mkVlanIpv4HostAddr {
vlanid = 0;
host = 1;
})
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no";
linkConfig.ActivationPolicy = "always-up";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
}
];
vlan = (
builtins.map
(vlanid: (mkInterfaceName {inherit vlanid;}))
vlanRange
);
};
}
# configuration for the hostapd dynamic interfaces
# * netdev type vlan
# * host address for vlan
# * vlan config for wlan interface
// builtins.foldl'
(acc: cur: acc // cur)
{}
(builtins.map
({
vlanid,
vlanid',
}: {
# configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
"41-${mkInterfaceName {inherit vlanid;}}" = {
matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
address = [
(mkVlanIpv4HostAddr {
inherit vlanid;
host = 1;
})
];
networkConfig = {
ConfigureWithoutCarrier = true;
}; };
}
];
};
"30-lan2" = { linkConfig.RequiredForOnline = "no";
matchConfig.Name = "lan2"; linkConfig.ActivationPolicy = "always-up";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [ bridgeVLANs = [
{ {
bridgeVLANConfig = { bridgeVLANConfig = {
VLAN = vlansByName.office.id; VLAN = vlanid;
PVID = vlansByName.office.id; };
EgressUntagged = vlansByName.office.id; }
];
};
# configure the wlan interface as a bridge member that
# * only gets traffic for vid 15
# * untags traffic after receiving it
# * tags traffic that comes out of it
"41-wlan0.${vlanid'}" = {
matchConfig.Name = "wlan0.${vlanid'}";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
}; };
}
];
};
"30-lan3" = { linkConfig.RequiredForOnline = "no";
matchConfig.Name = "lan3";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [ bridgeVLANs = [
{ {
bridgeVLANConfig = { bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
};
}
];
};
"50-${mkInterfaceName {inherit vlanid;}}" = {
matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
address = [
(mkVlanIpv4HostAddr {
inherit vlanid;
host = 1;
})
];
networkConfig = {
ConfigureWithoutCarrier = true;
}; };
} linkConfig.RequiredForOnline = "no";
]; };
}; })
# Configure the bridge for its desired function (
"40-${bridgeInterfaceName}" = { builtins.map
matchConfig.Name = bridgeInterfaceName; (vlanid: {
bridgeConfig = {}; inherit vlanid;
address = [ vlanid' = builtins.toString vlanid;
(mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) })
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no";
linkConfig.ActivationPolicy = "always-up";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
}
];
vlan = (builtins.map
(vlanid: (mkInterfaceName { inherit vlanid; }))
vlanRange vlanRange
); ));
};
}
# configuration for the hostapd dynamic interfaces
# * netdev type vlan
# * host address for vlan
# * vlan config for wlan interface
//
builtins.foldl'
(acc: cur: acc // cur)
{}
(builtins.map ({ vlanid, vlanid' }: {
# configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
"41-${mkInterfaceName { inherit vlanid; }}" = {
matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}";
address = [
(mkVlanIpv4HostAddr { inherit vlanid; host = 1; })
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "no";
linkConfig.ActivationPolicy = "always-up";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
};
}
];
};
# configure the wlan interface as a bridge member that
# * only gets traffic for vid 15
# * untags traffic after receiving it
# * tags traffic that comes out of it
"41-wlan0.${vlanid'}" = {
matchConfig.Name = "wlan0.${vlanid'}";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "no";
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
};
}
];
};
"50-${mkInterfaceName { inherit vlanid; }}" = {
matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}";
address = [
(mkVlanIpv4HostAddr { inherit vlanid; host = 1; })
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "no";
};
})
(builtins.map
(vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; })
vlanRange
))
;
}; };
# wireless access point # wireless access point
@ -575,7 +637,7 @@ in {
# sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
# enables debug logging # enables debug logging
logger_stdout_level= lib.mkForce 0; logger_stdout_level = lib.mkForce 0;
logger_stdout = -1; logger_stdout = -1;
# logger_syslog_level= lib.mkForce 0; # logger_syslog_level= lib.mkForce 0;
@ -588,30 +650,35 @@ in {
# this option currently requires a patch to hostapd # this option currently requires a patch to hostapd
vlan_no_bridge = 1; vlan_no_bridge = 1;
/* not used due to the above vlan_no_bridge setting /*
not used due to the above vlan_no_bridge setting
vlan_tagged_interface = bridgeInterfaceName; vlan_tagged_interface = bridgeInterfaceName;
vlan_naming = 1; vlan_naming = 1;
vlan_bridge = "br-${iface}."; vlan_bridge = "br-${iface}.";
*/ */
vlan_file = let vlan_file = let
generated = builtins.map (vlanid: generated =
"${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" builtins.map
) vlanRange (
; vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}"
)
vlanRange;
wildcard = [ wildcard = [
# Optional wildcard entry matching all VLAN IDs. The first # in the interface # Optional wildcard entry matching all VLAN IDs. The first # in the interface
# name will be replaced with the VLAN ID. The network interfaces are created # name will be replaced with the VLAN ID. The network interfaces are created
# (and removed) dynamically based on the use. # (and removed) dynamically based on the use.
# see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan
"* ${iface}.#" "* ${iface}.#"
]; ];
file = pkgs.writeText "hostapd.vlan" file =
(builtins.concatStringsSep "\n" (generated ++ wildcard)); pkgs.writeText "hostapd.vlan"
(builtins.concatStringsSep "\n" (generated ++ wildcard));
filePath = toString file; filePath = toString file;
in filePath; in
filePath;
wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
"WPA-PSK" "WPA-PSK"
@ -634,10 +701,10 @@ in {
sae_groups = "19 20 21"; sae_groups = "19 20 21";
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
tls_flags= "[ENABLE-TLSv1.3]"; tls_flags = "[ENABLE-TLSv1.3]";
ieee8021x=0; ieee8021x = 0;
eap_server=0; eap_server = 0;
}; };
}; };
@ -798,19 +865,34 @@ in {
dhcp-ttl = 0; dhcp-ttl = 0;
dhcp-range = let dhcp-range = let
mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ mkDhcpRange = {
tag tag,
(mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) vlanid,
(mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) }:
"12h" builtins.concatStringsSep "," [
]; tag
(mkVlanIpv4HostAddr {
inherit vlanid;
host = 100;
cidr = false;
})
(mkVlanIpv4HostAddr {
inherit vlanid;
host = 199;
cidr = false;
})
"12h"
];
in in
builtins.map builtins.map
(vlanid: (
mkDhcpRange { tag = mkInterfaceName {inherit vlanid;}; inherit vlanid; } vlanid:
) mkDhcpRange {
vlanRangeWith0 tag = mkInterfaceName {inherit vlanid;};
; inherit vlanid;
}
)
vlanRangeWith0;
# interface = bridgeInterfaceName; # interface = bridgeInterfaceName;
# bind-interfaces = true; # bind-interfaces = true;
@ -824,7 +906,6 @@ in {
# don't use /etc/hosts as this would advertise ${nodeName} as localhost # don't use /etc/hosts as this would advertise ${nodeName} as localhost
no-hosts = true; no-hosts = true;
# address = "/${nodeName}.lan/${fwLanHostAddr}"; # address = "/${nodeName}.lan/${fwLanHostAddr}";
server = [ server = [
# upstream DNS servers # upstream DNS servers
@ -839,31 +920,55 @@ in {
# "9.9.9.9" "8.8.8.8" "1.1.1.1" # "9.9.9.9" "8.8.8.8" "1.1.1.1"
]; ];
domain = [ domain =
"/${getVlanDomain {vlanid = 0;}}/,local" [
] ++ builtins.map "/${getVlanDomain {vlanid = 0;}}/,local"
(vlanid: ]
"${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { inherit vlanid; host = 0; cidr = true; }},local" ++ builtins.map
(
vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr {
inherit vlanid;
host = 0;
cidr = true;
}},local"
) )
vlanRangeWith0 vlanRangeWith0;
;
# TODO: compare this to using `interface-name` # TODO: compare this to using `interface-name`
dynamic-host = [ dynamic-host =
] ++ builtins.map [
(vlanid: ]
builtins.concatStringsSep "," [ ++ builtins.map
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) (
"${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) vlanid:
] builtins.concatStringsSep "," [
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
"${nodeName}.${getVlanDomain {inherit vlanid;}}"
"0.0.0.1"
(mkInterfaceName {inherit vlanid;})
]
) )
vlanRangeWith0 vlanRangeWith0;
;
dhcp-option-force = builtins.map dhcp-option-force =
(vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") builtins.map
vlanRangeWith0 (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}")
; vlanRangeWith0;
# auth-server = [
# (builtins.concatStringsSep "," [
# "www.stefanjunker.de"
# # (mkInterfaceName { vlanid = vlansByName.dmz.id; })
# # (mkInterfaceName { vlanid = vlansByName.office.id; })
# ])
# ];
# cname = [
# "mailserver.svc.stefanjunker.de,${exposedHost}"
# "www.stefanjunker.de,${exposedHost}"
# "hedgedoc.www.stefanjunker.de,${exposedHost}"
# "jitsi.www.stefanjunker.de,${exposedHost}"
# ];
}; };
}; };


@ -19,7 +19,6 @@
bpir3.inputs.nixpkgs.follows = "nixpkgs"; bpir3.inputs.nixpkgs.follows = "nixpkgs";
nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
@ -60,13 +59,17 @@
nixpkgs.lib.attrsets.recursiveUpdate nixpkgs.lib.attrsets.recursiveUpdate
attrs attrs
{ {
specialArgs = (import ./default.nix { specialArgs =
system = nativeSystem; (import ./default.nix {
inherit nodeName; system = nativeSystem;
inherit nodeName;
repoFlake = get-flake ../../../..; repoFlake = get-flake ../../../..;
nodeFlake = self; nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName}; })
.meta
.nodeSpecialArgs
.${nodeName};
modules = modules =
[ [
@ -88,7 +91,6 @@
linuxPackages_bpir3_latest linuxPackages_bpir3_latest
; ;
}) })
]; ];
} }
] ]
@ -112,19 +114,22 @@
}; };
packages = let packages = let
mkPatchedHostapd = pkgs: pkgs.hostapd.overrideDerivation(attrs: { mkPatchedHostapd = pkgs:
patches = attrs.patches ++ [ pkgs.hostapd.overrideDerivation (attrs: {
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" patches =
]; attrs.patches
}); ++ [
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
];
});
in { in {
"${nativeSystem}" = { "${nativeSystem}" = {
hostapd_patched = mkPatchedHostapd pkgs; hostapd_patched = mkPatchedHostapd pkgs;
}; };
cross = { cross = {
hostapd_patched = mkPatchedHostapd pkgsCross; hostapd_patched = mkPatchedHostapd pkgsCross;
}; };
}; };
}; };
} }


@ -35,7 +35,7 @@
inherit pkgs; inherit pkgs;
}; };
home-manager.users.steveej = { pkgs, ... }: { home-manager.users.steveej = {pkgs, ...}: {
imports = [ imports = [
../../../home-manager/configuration/text-minimal.nix ../../../home-manager/configuration/text-minimal.nix
]; ];
@ -162,8 +162,5 @@
boot.binfmt.emulatedSystems = [ boot.binfmt.emulatedSystems = [
"aarch64-linux" "aarch64-linux"
"i686-linux"
# "i386-linux"
# "i586-linux"
]; ];
} }


@ -46,8 +46,7 @@
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: previous: { (final: previous: {})
})
]; ];
} }
] ]


@ -0,0 +1 @@
## bootstrapping


@ -0,0 +1,3 @@
{lib, ...}: {
boot.extraModulePackages = [];
}


@ -0,0 +1,30 @@
{
nodeName,
config,
pkgs,
...
}: {
disabledModules = [];
imports = [
../../profiles/common/configuration.nix
{
users.commonUsers = {
enable = true;
enableNonRoot = true;
rootPasswordFile = config.sops.secrets.passwords-root.path;
};
sops.secrets.passwords-root = {
sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
neededForUsers = true;
format = "yaml";
};
}
../../modules/opinionatedDisk.nix
./system.nix
./hw.nix
./boot.nix
];
}


@ -0,0 +1,28 @@
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.dmz.internal";
deployment.replaceUnknownProfiles = false;
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}

83
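--- a/nix/os/devices/sj-srv1/flake.lock
+++ b/nix/os/devices/sj-srv1/flake.lock
@@ -0,0 +1,83 @@
+{
+"nodes": {
+"home-manager": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1700392168,
+"narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=",
+"owner": "nix-community",
+"repo": "home-manager",
+"rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"ref": "release-23.05",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1700501263,
+"narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-master": {
+"locked": {
+"lastModified": 1700758842,
+"narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "359d577687ea3eb033590cf1259f0355e30b9c6f",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "master",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-unstable": {
+"locked": {
+"lastModified": 1700641131,
+"narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-unstable-small",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"home-manager": "home-manager",
+"nixpkgs": "nixpkgs",
+"nixpkgs-master": "nixpkgs-master",
+"nixpkgs-unstable": "nixpkgs-unstable"
+}
+}
+},
+"root": "root",
+"version": 7
+}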


@ -0,0 +1,12 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
outputs = _: {};
}
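Review bot: The `nixpkgs` and `home-manager` inputs of this new node are pinned to the 23.05 release branches, which I believe reached end-of-life at the end of 2023 and so no longer receive security backports; please confirm against the NixOS release schedule. The accompanying flake.lock pins revisions from November 2023, so a host that the same branch configures with mail and web containers would be built from packages that are already several months behind. If nothing blocks it, consider moving to the currently supported branch, e.g. `inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";` with the matching `release-23.11` home-manager branch, and re-locking. A short comment next to the inputs saying which branch is intended and when it should be bumped would make stale pins easier to spot.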


@ -0,0 +1,50 @@
{...}: let
stage1Modules = [
"virtio_balloon"
"virtio_scsi"
"virtio_net"
"virtio_pci"
"virtio_ring"
"virtio"
"scsi_mod"
"virtio_blk"
"virtio_ring"
"ata_piix"
"pata_acpi"
"ata_generic"
"aesni_intel"
"kvm_amd"
"nvme"
"nvme_core"
"thunderbolt"
"e1000e"
"usbcore"
"xhci_hcd"
"usbnet"
"snd_usb_audio"
"usbhid"
"snd_usbmidi_lib"
"cdc_mbim"
"cdc_ncm"
"usb_storage"
"cdc_wdm"
"uvcvideo"
"btusb"
"xhci_pci"
"cdc_ether"
"uas"
];
in {
hardware.opinionatedDisk = {
enable = true;
encrypted = false;
diskId = "virtio-virtio-paeNi8Fof9Oe";
earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN";
};
boot.initrd.kernelModules = stage1Modules;
}
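Review bot: `boot.initrd.kernelModules = stage1Modules;` force-loads every entry in stage 1, and the list carries `btusb`, `uvcvideo`, `snd_usb_audio`, `snd_usbmidi_lib`, `thunderbolt` and the `cdc_*` drivers, which look inherited from a laptop profile and which a host with a virtio/ATA disk does not need to reach its root filesystem. Loading Bluetooth, camera and USB-network drivers unconditionally at early boot adds kernel attack surface for no boot-time benefit; keeping only the virtio and storage entries in `boot.initrd.kernelModules` and moving anything else that is really wanted to `boot.initrd.availableKernelModules` would load it only on demand. `"virtio_ring"` is also listed twice. Separately, `encrypted = false;` deserves a one-line comment stating why at-rest encryption is off for this machine, so the choice reads as deliberate rather than a leftover from bootstrapping.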


@ -0,0 +1,122 @@
{
pkgs,
lib,
config,
repoFlake,
nodeName,
...
}: {
imports = [
../../snippets/systemd-resolved.nix
];
networking.firewall.enable = true;
networking.nftables.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
5201
];
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.useNetworkd = true;
networking.useDHCP = true;
networking.nat = {
enable = true;
internalInterfaces = ["ve-*"];
externalInterface = "eth0";
};
# virtualization
virtualisation = {docker.enable = false;};
nix.gc = {automatic = true;};
sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
services.restic.backups.${nodeName} = let
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
in {
initialize = true;
repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
paths = [
"/backup"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 2"
];
timerConfig = {
OnCalendar = lib.mkDefault "daily";
Persistent = true;
};
passwordFile = config.sops.secrets.restic-password.path;
backupPrepareCommand = ''
${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
'';
backupCleanupCommand = ''
${btrfs} su delete /backup/container-volumes
'';
};
containers = {
mailserver = import ../../containers/mailserver.nix {
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
imapsPort = 993;
sievePort = 4190;
};
webserver =
import ../../containers/webserver.nix
{
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.12";
localAddress = "192.168.100.13";
httpPort = 80;
httpsPort = 443;
};
syncthing = import ../../containers/syncthing.nix {
autoStart = true;
hostAddress = "192.168.100.14";
localAddress = "192.168.100.15";
syncthingPort = 22000;
};
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
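Review bot: `networking.firewall.allowedTCPPorts = [5201]` opens the iperf3 port on every interface, including `eth0`, which this file names as the NAT external interface. iperf3 runs without authentication by default, so if the port is only for throughput tests from an internal network it is safer scoped per interface, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [5201];` (interface name is a placeholder), or removed once testing is done. `networking.firewall.logRefusedConnections = false;` also drops the log trail for refused connections on a host that runs the mailserver and webserver containers; if the aim is only to cut log noise, a comment saying so and where inbound attempts are recorded instead would help incident review. Finally, `system.stateVersion = "22.11"` next to 23.05 inputs is presumably carried over from the machine this configuration was migrated from, which would be worth noting in a comment.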


@ -1,14 +1,13 @@
{ pkgs
, lib
, config
, repoFlake
, nodeName
, ...
}:
let
wireguardPort = 51820;
in
{ {
pkgs,
lib,
config,
repoFlake,
nodeName,
...
}: let
wireguardPort = 51820;
in {
imports = [ imports = [
../../snippets/systemd-resolved.nix ../../snippets/systemd-resolved.nix
]; ];
@ -39,7 +38,7 @@ in
"prefixLength" = 29; "prefixLength" = 29;
} }
]; ];
ipv6.addresses = [ ]; ipv6.addresses = [];
}; };
networking.defaultGateway = { networking.defaultGateway = {
@ -54,7 +53,7 @@ in
networking.nat = { networking.nat = {
enable = true; enable = true;
internalInterfaces = [ "ve-*" "wg*" ]; internalInterfaces = ["ve-*" "wg*"];
externalInterface = "eth0"; externalInterface = "eth0";
}; };
@ -79,7 +78,7 @@ in
privateKeyFile = config.sops.secrets.wg0-private.path; privateKeyFile = config.sops.secrets.wg0-private.path;
peers = [ peers = [
{ {
allowedIPs = [ "192.168.99.2/32" ]; allowedIPs = ["192.168.99.2/32"];
publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
} }
@ -87,49 +86,14 @@ in
}; };
# virtualization # virtualization
virtualisation = { docker.enable = false; }; virtualisation = {docker.enable = false;};
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
nix.gc = { automatic = true; }; nix.gc = {automatic = true;};
containers = { containers = {};
mailserver = import ../../containers/mailserver.nix {
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
imapsPort = 993;
sievePort = 4190;
};
webserver =
import ../../containers/webserver.nix
{
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.12";
localAddress = "192.168.100.13";
httpPort = 80;
httpsPort = 443;
};
syncthing = import ../../containers/syncthing.nix {
autoStart = true;
hostAddress = "192.168.100.14";
localAddress = "192.168.100.15";
syncthingPort = 22000;
};
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;


@ -121,8 +121,7 @@ in {
nix.gc = {automatic = true;}; nix.gc = {automatic = true;};
containers = { containers = {};
};
# sops.secrets.holochain-nomad-agent-ca = { # sops.secrets.holochain-nomad-agent-ca = {
# sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;


@ -1,5 +1,12 @@
{...}: { {...}: {
imports = [ imports = [
../../snippets/home-manager-with-zsh.nix
../../snippets/nix-settings-holo-chain.nix
# TODO: double-check whether this works at all after the most recent changes
# ../../snippets/radicale.nix
../../snippets/sway-desktop.nix
../../snippets/timezone.nix
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix
@ -10,11 +17,9 @@
./pkg.nix ./pkg.nix
./user.nix ./user.nix
./boot.nix ./boot.nix
./secrets.nix
# samba seerver # samba seerver
({ lib, ... }: { ({lib, ...}: {
# networking.firewall.enable = lib.mkForce false; # networking.firewall.enable = lib.mkForce false;
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [


@ -3,6 +3,7 @@
repoFlake, repoFlake,
repoFlakeWithSystem, repoFlakeWithSystem,
nodeFlake, nodeFlake,
...
}: let }: let
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
@ -14,11 +15,6 @@ in {
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system; inherit system;
overlays = [
(final: prev: {
# FIXME: why are these not effective in for the configuration.nix below?
})
];
}; };
${nodeName} = { ${nodeName} = {
@ -28,8 +24,6 @@ in {
imports = [ imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
nodeFlake.inputs.home-manager.nixosModules.home-manager
]; ];
}; };
} }


@ -1,43 +1,18 @@
{lib, ...}: let {lib, ...}: let
stage1Modules = [
"aesni_intel"
"kvm_amd"
"nvme"
"nvme_core"
"thunderbolt"
"e1000e"
"usbcore"
"xhci_hcd"
"usbnet"
"snd_usb_audio"
"usbhid"
"snd_usbmidi_lib"
"cdc_mbim"
"cdc_ncm"
"usb_storage"
"cdc_wdm"
"uvcvideo"
"btusb"
"xhci_pci"
"cdc_ether"
"uas"
];
in { in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;
encrypted = true; encrypted = true;
diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901";
earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
}; };
# boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0";
# see https://linrunner.de/tlp/ # see https://linrunner.de/tlp/
services.tlp = { services.tlp = {
enable = true; enable = false;
settings = { settings = {
CPU_DRIVER_OPMODE_ON_AC = "active"; CPU_DRIVER_OPMODE_ON_AC = "active";
CPU_DRIVER_OPMODE_ON_BAT = "passive"; CPU_DRIVER_OPMODE_ON_BAT = "passive";
@ -81,14 +56,14 @@ in {
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
SATA_LINKPWR_ON_AC = "maax_performance"; SATA_LINKPWR_ON_AC = "max_performance";
SATA_LINKPWR_ON_BAT = "min_power"; SATA_LINKPWR_ON_BAT = "min_power";
}; };
}; };
# see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable
services.thinkfan = { services.thinkfan = {
enable = true; enable = false;
levels = [ levels = [
# ["level auto" 0 60] # ["level auto" 0 60]
[0 0 60] [0 0 60]
@ -110,6 +85,20 @@ in {
}; };
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
# boot.initrd.availableKernelModules = stage1Modules; boot.initrd.kernelModules = [
boot.initrd.kernelModules = stage1Modules; "aesni_intel"
"kvm_amd"
"nvme"
"nvme_core"
"thunderbolt"
"e1000e"
"usbcore"
"xhci_hcd"
"usbhid"
"usb_storage"
"xhci_pci"
"uas"
];
} }


@ -5,7 +5,12 @@
nodeFlake, nodeFlake,
... ...
}: { }: {
system.stateVersion = "23.05";
home-manager.users.root = _: {
home.stateVersion = "22.05";
};
home-manager.users.steveej = _: { home-manager.users.steveej = _: {
home.stateVersion = "22.05";
imports = [ imports = [
../../../home-manager/configuration/graphical-fullblown.nix ../../../home-manager/configuration/graphical-fullblown.nix
@ -16,8 +21,7 @@
}) })
]; ];
home.sessionVariables = { home.sessionVariables = {};
};
home.packages = with pkgs; [ home.packages = with pkgs; [
]; ];
@ -59,25 +63,6 @@
sway sway
''; '';
# autologin steveej on tty1
systemd.services."autovt@tty1".description = "Autologin at the TTY1";
systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty
systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ];
systemd.services."autovt@tty1".serviceConfig =
{ ExecStart = [
"" # override upstream default with an empty ExecStart
"@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM"
];
Restart = "always";
Type = "idle";
};
programs.zsh.loginShellInit = ''
if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
exec sway
fi
'';
# fonts = let # fonts = let
# prefs.font = rec { # prefs.font = rec {
# size = 13; # size = 13;
@ -121,43 +106,4 @@
# # }; # # };
# # }; # # };
# }; # };
security.pam.services.getty.enableGnomeKeyring = true;
services.gnome.gnome-keyring.enable = true;
# rtkit is optional but recommended
security.rtkit.enable = true;
services.pipewire = {
audio.enable = true;
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
# required by swaywm
security.polkit.enable = true;
security.pam.services.swaylock = {};
# test these on https://mozilla.github.io/webrtc-landing/gum_test.html
xdg.portal = {
enable = true;
# FIXME: `true` breaks xdg-open from alacritty:
# $ xdg-open "https://github.com/"
# Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop
xdgOpenUsePortal = false;
extraPortals = [
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-gtk
# repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr
# (pkgs.xdg-desktop-portal-gtk.override (_: {
# buildPortalsInGnome = false;
# }))
];
};
system.stateVersion = "23.05";
} }


@ -1,7 +0,0 @@
{config, ...}: {
sops.secrets.radicale_htpasswd = {
sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
format = "binary";
owner = config.users.users.steveej.name;
};
}


@ -1,13 +1,11 @@
{ pkgs {
, lib pkgs,
, config lib,
, nodeName config,
, repoFlake nodeName,
, ... repoFlake,
}: ...
let }: let
passwords = import ../../../variables/passwords.crypt.nix;
localTcpPorts = [ localTcpPorts = [
22 22
@ -23,13 +21,7 @@ let
22000 22000
21027 21027
]; ];
in {
in
{
imports = [
../../snippets/nix-settings-holo-chain.nix
];
nix.settings = { nix.settings = {
substituters = [ substituters = [
]; ];
@ -47,14 +39,27 @@ in
system = "x86_64-linux"; system = "x86_64-linux";
maxJobs = 32; maxJobs = 32;
speedFactor = 100; speedFactor = 100;
supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [];
}
{
hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
# TODO: make this a reference
sshUser = "nix-remote-builder";
protocol = "ssh-ng";
system = "aarch64-linux";
maxJobs = 32;
speedFactor = 100;
supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
} }
]; ];
networking.networkmanager.enable = true;
networking.extraHosts = '' networking.extraHosts = ''
''; '';
networking.bridges."virbr1".interfaces = [ ]; networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [ networking.interfaces."virbr1".ipv4.addresses = [
{ {
address = "10.254.254.254"; address = "10.254.254.254";
@ -87,7 +92,7 @@ in
# virtualization # virtualization
virtualisation = { virtualisation = {
libvirtd = { enable = true; }; libvirtd = {enable = true;};
virtualbox.host = { virtualbox.host = {
enable = false; enable = false;
@ -104,23 +109,10 @@ in
services.samba.extraConfig = '' services.samba.extraConfig = ''
# client min protocol = NT1 # client min protocol = NT1
''; '';
services.gvfs = {
enable = true;
package = lib.mkForce pkgs.gnome3.gvfs;
};
environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; services.xserver.videoDrivers = lib.mkForce ["amdgpu"];
services.xserver.serverFlagsSection = ''
Option "BlankTime" "0"
Option "StandbyTime" "0"
Option "SuspendTime" "0"
Option "OffTime" "0"
'';
time.timeZone = lib.mkForce passwords.timeZone.stefan;
hardware.ledger.enable = true; hardware.ledger.enable = true;
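Review bot: The added aarch64 builder entry (the one with `hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost`) sets no `publicHostKey`, so the host key accepted for `nix-remote-builder` depends on the known_hosts state of whichever account opens the build connection. Pinning it in the entry, e.g. `publicHostKey = "<base64-host-key-placeholder>";`, would put that trust decision under review together with the builder definition. The same entry takes `supportedFeatures` from `router0-dmz0` while its `hostName` refers to `sj-bm-hostkey0`; if that is a leftover from the entry above (whose source this commit changes to `steveej-t14`), it should reference the builder's own configuration. The builder list and its first entry start outside the hunk.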


@ -7,10 +7,10 @@
keys = import ../../../variables/keys.nix; keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in { in {
users.extraUsers.steveej2 = mkUser { users.users.steveej2 = mkUser {
uid = 1001; uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh; openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-steveej.path; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
}; };
nix.settings.trusted-users = ["steveej"]; nix.settings.trusted-users = ["steveej"];


@ -0,0 +1 @@
result


@ -0,0 +1,180 @@
{
repoFlake,
nodeFlake,
pkgs,
lib,
config,
nodeName,
localDomainName,
system,
...
}: {
nixos-x13s = {
enable = true;
# TODO: use hardware address
bluetoothMac = "65:9e:7a:8b:86:28";
};
systemd.services.bluetooth-mac = {
enable = true;
path = [
pkgs.systemd
pkgs.util-linux
pkgs.bluez5-experimental
pkgs.expect
];
script = ''
# TODO: this may not be required
while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do
echo Waiting for bluetooth firmware to complete
echo sleep 1
done
(
# best effort
set +e
rfkill block bluetooth
echo $?
btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
echo $?
rfkill unblock bluetooth
echo $?
)
'';
requiredBy = ["bluetooth.service"];
before = ["bluetooth.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# we need a tty, otherwise btmgmt will hang
StandardInput = "tty";
TTYPath = "/dev/tty2";
TTYReset = "yes";
TTYVHangup = "yes";
};
};
imports = [
nodeFlake.inputs.nixos-x13s.nixosModules.default
repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.disko.nixosModules.disko
./disko.nix
../../snippets/nix-settings.nix
../../profiles/common/user.nix
{
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
services.openssh.openFirewall = true;
sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
sops.defaultSopsFormat = "yaml";
users.commonUsers = {
enable = true;
enableNonRoot = true;
};
}
../../snippets/home-manager-with-zsh.nix
../../snippets/sway-desktop.nix
../../snippets/bluetooth.nix
../../snippets/timezone.nix
../../snippets/radicale.nix
];
networking.hostName = nodeName;
networking.firewall.enable = true;
networking.networkmanager.enable = true;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [
pkgs.sshfs
pkgs.util-linux
pkgs.coreutils
pkgs.vim
pkgs.git
pkgs.git-crypt
];
system.stateVersion = "23.11";
home-manager.users.root = _: {
home.stateVersion = "23.11";
};
home-manager.users.steveej = _: {
home.stateVersion = "23.11";
imports = [
../../../home-manager/configuration/graphical-fullblown.nix
];
home.sessionVariables = {};
home.packages = with pkgs; [
];
# TODO: currently unsupported
services.gammastep.enable = lib.mkForce false;
# programs.chromium.enable = lib.mkForce false;
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = lib.mkForce false;
loader.efi.efiSysMountPoint = "/boot";
blacklistedKernelModules = ["wwan"];
initrd.kernelModules = [
"uas"
"usb_storage"
"phy_qcom_qmp_pcie"
"phy_qcom_qmp_combo"
"phy_qcom_snps_femto_v2"
"phy_qcom_qmp_pcie"
"phy_qcom_qmp_usb"
"xhci-pci-renesas"
"msm"
];
initrd.extraFiles = {
"firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware";
};
};
hardware.firmware = [
pkgs.linux-firmware
nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"
];
hardware.enableAllFirmware = true;
# see https://linrunner.de/tlp/
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = "80";
STOP_CHARGE_THRESH_BAT0 = "85";
};
};
# android on linux
virtualisation.waydroid.enable = true;
virtualisation.podman.enable = true;
virtualisation.podman.dockerCompat = true;
}
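Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with `services.openssh.openFirewall = true` leaves root reachable over SSH with every authentication method sshd accepts, and nothing visible in this file turns password authentication off. Key-only root access would be the narrower setting: `services.openssh.settings.PermitRootLogin = "prohibit-password";` plus `services.openssh.settings.PasswordAuthentication = false;`. If `"yes"` is only needed while the removable system is being installed, a comment saying so next to the option would help. The same two lines are in the steveej-x13s configuration section further down this page.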


@ -0,0 +1,36 @@
{
system ? "aarch64-linux",
nodeName,
repoFlake,
repoFlakeWithSystem,
nodeFlake,
localDomainName ? "internal",
...
}: {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
inherit localDomainName;
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}";
deployment.replaceUnknownProfiles = true;
deployment.allowLocalDeployment = true;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
];
};
}


@ -0,0 +1,66 @@
{
disko.devices = {
disk = {
voyager-gtx = {
type = "disk";
device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "x13s-usb-crypt";
extraOpenArgs = [];
# disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
# keyFile = "/tmp/secret.key";
allowDiscards = true;
};
# additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = ["compress=zstd" "noatime"];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["compress=zstd" "noatime"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["compress=zstd" "noatime"];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "32G";
};
};
};
};
};
};
};
};
};
};
}
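Review bot: `allowDiscards = true` in the LUKS `settings` lets TRIM requests pass through dm-crypt, which reveals to anyone who can read the raw device which blocks of the encrypted volume are unused. For a disk named `x13s-usb-crypt` that is meant to be carried around, this tradeoff should be a recorded decision. Either set it to `false` or put a comment above it such as `# discards expose the free-space layout of the LUKS volume; accepted for flash performance`. The x13s-nvme disko section later on this page has the same setting.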


@ -0,0 +1,194 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1705890365,
"narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=",
"owner": "nix-community",
"repo": "disko",
"rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9",
"type": "github"
},
"original": {
"id": "disko",
"type": "indirect"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1704982712,
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1694475786,
"narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=",
"owner": "ursi",
"repo": "get-flake",
"rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1705659542,
"narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1705008488,
"narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=",
"owner": "NixOS",
"repo": "mobile-nixos",
"rev": "56e55df7b07b5e5c6d050732d851cec62b41df95",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "mobile-nixos",
"type": "github"
}
},
"nixos-x13s": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1706097550,
"narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=",
"ref": "refs/heads/main",
"rev": "732a0f1549996740bdb06989599a5f0653de5056",
"revCount": 6,
"type": "git",
"url": "https://codeberg.org/steveej/nixos-x13s"
},
"original": {
"type": "git",
"url": "https://codeberg.org/steveej/nixos-x13s"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1705916986,
"narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-2211": {
"locked": {
"lastModified": 1688392541,
"narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1703961334,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1706022028,
"narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "15ff1758e7816331033baa14eebbea68626128f3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"mobile-nixos": "mobile-nixos",
"nixos-x13s": "nixos-x13s",
"nixpkgs": "nixpkgs",
"nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-unstable-small": "nixpkgs-unstable-small"
}
}
},
"root": "root",
"version": 7
}


@ -0,0 +1,92 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
# required for home-manager modules
nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
get-flake.url = "github:ursi/get-flake";
disko.inputs.nixpkgs.follows = "nixpkgs";
mobile-nixos.url = "github:NixOS/mobile-nixos";
mobile-nixos.flake = false;
home-manager = {
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s";
nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = {
self,
get-flake,
nixpkgs,
...
}: let
system = "aarch64-linux";
buildPlatform = "x86_64-linux";
repoFlake = get-flake ../../../..;
in {
lib = {
mkNixosConfiguration = {
nodeName,
extraModules ? [],
...
} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs =
(import ./default.nix {
inherit system;
inherit nodeName repoFlake;
nodeFlake = self;
})
.meta
.nodeSpecialArgs
.${nodeName};
modules =
[
# repoFlake.nixosModules.hardware-x13s
]
++ extraModules;
}
);
};
nixosConfigurations = let
nodeName = "steveej-x13s-rmvbl";
in {
native = self.lib.mkNixosConfiguration {
inherit system nodeName;
extraModules = [
./configuration.nix
{
users.commonUsers.installPassword = "install";
}
];
};
cross = self.lib.mkNixosConfiguration {
inherit nodeName;
extraModules = [
./configuration.nix
{
nixpkgs.buildPlatform.system = buildPlatform;
nixpkgs.hostPlatform.system = system;
}
];
};
};
};
}
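Review bot: `users.commonUsers.installPassword = "install"` in the `native` configuration commits a guessable literal credential, and the `./configuration.nix` imported next to it enables sshd with `PermitRootLogin = "yes"` and an opened firewall port. What `installPassword` is applied to is decided in the commonUsers module, which is not shown here, so the exposure should be confirmed there. If it sets a login password, consider keeping this module in a configuration used only for installation, or sourcing the value from sops as the rest of the node's secrets are, with a comment like `# installer only, must not reach the deployed system`. `cross` does not set it, so the two outputs presumably differ in how one can log in.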


@ -1,82 +1,151 @@
{ repoFlake
, pkgs
, lib
, config
, nodeFlake
, nodeName
, localDomainName
, system
, ...
}:
{ {
repoFlake,
nodeFlake,
pkgs,
lib,
config,
nodeName,
localDomainName,
system,
...
}: {
nixos-x13s = {
enable = true;
# TODO: use hardware address
bluetoothMac = "65:9e:7a:8b:86:28";
};
services.illum.enable = true;
systemd.services.bluetooth-mac = {
enable = true;
path = [
pkgs.systemd
pkgs.util-linux
pkgs.bluez5-experimental
pkgs.expect
];
script = ''
# TODO: this may not be required
while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do
echo Waiting for bluetooth firmware to complete
echo sleep 1
done
(
# best effort
set +e
rfkill block bluetooth
echo $?
btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
echo $?
rfkill unblock bluetooth
echo $?
)
'';
requiredBy = ["bluetooth.service"];
before = ["bluetooth.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# we need a tty, otherwise btmgmt will hang
StandardInput = "tty";
TTYPath = "/dev/tty2";
TTYReset = "yes";
TTYVHangup = "yes";
};
};
imports = [ imports = [
# repoFlake.inputs.sops-nix.nixosModules.sops nodeFlake.inputs.nixos-x13s.nixosModules.default
# ../../profiles/common/user.nix repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.disko.nixosModules.disko
./disko.nix
{ ../../snippets/nix-settings.nix
nix.nixPath = [ ../../profiles/common/user.nix
"nixpkgs=${pkgs.path}"
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.max-jobs = lib.mkDefault "auto";
nix.settings.cores = lib.mkDefault 0;
}
{ {
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes"; services.openssh.settings.PermitRootLogin = "yes";
services.openssh.openFirewall = true;
# users.commonUsers = { sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# enable = true; sops.defaultSopsFormat = "yaml";
# enableNonRoot = false;
# rootPasswordFile = config.sops.secrets.passwords-root.path;
# };
users.users.root.password = "install"; users.commonUsers = {
enable = true;
# sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; enableNonRoot = true;
# sops.defaultSopsFormat = "yaml"; };
# sops.secrets.passwords-root.neededForUsers = true;
} }
../../snippets/home-manager-with-zsh.nix
../../snippets/sway-desktop.nix
../../snippets/bluetooth.nix
../../snippets/timezone.nix
../../snippets/radicale.nix
]; ];
networking = { networking.hostName = nodeName;
hostName = nodeName; networking.firewall.enable = true;
useNetworkd = false; networking.networkmanager.enable = true;
networkmanager.enable = false;
firewall.enable = false;
};
system.stateVersion = "23.11";
# We exclude a number of modules included in the default list. A non-insignificant amount do
# not apply to embedded hardware like this, so simply skip the defaults.
#
# Custom kernel is required as a lot of MTK components misbehave when built as modules.
# They fail to load properly, leaving the system without working ethernet, they'll oops on
# remove. MTK-DSA parts and PCIe were observed to do this.
# boot.initrd.includeDefaultModules = false;
# boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
# boot.initrd.availableKernelModules = ["nvme"];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# hardware.enableRedistributableFirmware = true;
environment.systemPackages = [ environment.systemPackages = [
pkgs.busybox pkgs.sshfs
pkgs.util-linux
pkgs.coreutils
pkgs.vim
pkgs.git
pkgs.git-crypt
]; ];
fileSystems."/".label = "x13s_root"; system.stateVersion = "23.11";
home-manager.users.root = _: {
home.stateVersion = "23.11";
};
home-manager.users.steveej = _: {
home.stateVersion = "23.11";
imports = [
../../../home-manager/configuration/graphical-fullblown.nix
];
home.sessionVariables = {};
home.packages = with pkgs; [
];
# TODO: currently unsupported
services.gammastep.enable = lib.mkForce false;
# programs.chromium.enable = lib.mkForce false;
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = lib.mkForce false;
loader.efi.efiSysMountPoint = "/boot";
blacklistedKernelModules = ["wwan"];
};
# see https://linrunner.de/tlp/
# TODO: find an equivalent to tlp that supports this machine
services.tlp = {
enable = false;
settings = {
START_CHARGE_THRESH_BAT0 = "80";
STOP_CHARGE_THRESH_BAT0 = "85";
};
};
# android on linux
virtualisation.waydroid.enable = true;
virtualisation.podman.enable = true;
virtualisation.podman.dockerCompat = true;
hardware.ledger.enable = true;
} }
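Review bot: In the `bluetooth-mac` script the wait loop runs `echo sleep 1` instead of `sleep 1`, so it never pauses and re-runs `journalctl -b0 | grep …` as fast as it can until the firmware message appears, writing its own "Waiting for bluetooth firmware" lines to the log the whole time. Change the line to `sleep 1`. The loop is also unbounded while the unit is `requiredBy` and `before` `bluetooth.service`, so a bound such as `TimeoutStartSec` in `serviceConfig` would keep a missing log line from holding bluetooth back indefinitely. The identical script is in the new steveej-x13s-rmvbl configuration section earlier on this page.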


@ -2,6 +2,7 @@
system ? "aarch64-linux", system ? "aarch64-linux",
nodeName, nodeName,
repoFlake, repoFlake,
repoFlakeWithSystem,
nodeFlake, nodeFlake,
localDomainName ? "internal", localDomainName ? "internal",
... ...
@ -10,6 +11,7 @@
inherit repoFlake nodeName nodeFlake system; inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system};
repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
inherit localDomainName; inherit localDomainName;
}; };
@ -23,13 +25,12 @@
${nodeName} = { ${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.targetHost = "${nodeName}.${localDomainName}";
deployment.replaceUnknownProfiles = true; deployment.replaceUnknownProfiles = true;
deployment.allowLocalDeployment = true;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [ imports = [
./configuration.nix (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
]; ];
networking.hostName = nodeName;
}; };
} }


@ -0,0 +1,66 @@
{
disko.devices = {
disk = {
x13s-nvme = {
type = "disk";
device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "x13s-nvme-crypt";
extraOpenArgs = [];
# disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
# keyFile = "/tmp/secret.key";
allowDiscards = true;
};
# additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = ["compress=zstd" "noatime"];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["compress=zstd" "noatime"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["compress=zstd" "noatime"];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "32G";
};
};
};
};
};
};
};
};
};
};
}


@ -1,22 +1,5 @@
{ {
"nodes": { "nodes": {
"brainwart_x13s-nixos": {
"flake": false,
"locked": {
"lastModified": 1701822673,
"narHash": "sha256-F2LBV8tqGPhEAvmn5Frxj79RPWgPGUYxJRYz8Pn9uj0=",
"owner": "BrainWart",
"repo": "x13s-nixos",
"rev": "ba245df7a72a78ec93aa500ba1a0cb29f0f65f37",
"type": "github"
},
"original": {
"owner": "BrainWart",
"ref": "main",
"repo": "x13s-nixos",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -24,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705348229, "lastModified": 1707354935,
"narHash": "sha256-CssPema1sBxZkrT95KFuKCNNiqxNe1lnf2QNeXk88Xk=", "narHash": "sha256-COv13Awbwut8Q8h8WxWpbVGHsUlZ6Yb+6YiWyWUV+yY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "d0b4408eaf782a1ada0a9133bb1cecefdd59c696", "rev": "c49bb95ac852841b9015fb56a503a36ebdb46a59",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -38,17 +21,14 @@
}, },
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": "nixpkgs-lib"
"srvos",
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1704982712, "lastModified": 1706830856,
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "07f6395285469419cf9d078f59b5b49993198c00", "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -72,20 +52,24 @@
"type": "github" "type": "github"
} }
}, },
"linux_x13s": { "home-manager": {
"flake": false, "inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1705487080, "lastModified": 1706981411,
"narHash": "sha256-DTOPiUGaeH5Ey+AZaO1c1n/QFikIXmvo2tTzgFtJ70k=", "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
"owner": "jhovold", "owner": "nix-community",
"repo": "linux", "repo": "home-manager",
"rev": "dd209a8fb4840e48ca4963bb23057f38b1066a6d", "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "jhovold", "owner": "nix-community",
"ref": "wip/sc8280xp-v6.7", "ref": "release-23.11",
"repo": "linux", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
@ -105,34 +89,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixos-x13s": {
"locked": {
"lastModified": 1705316053,
"narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"brainwart_x13s-nixos": "brainwart_x13s-nixos",
"disko": "disko",
"get-flake": "get-flake",
"linux_x13s": "linux_x13s",
"mobile-nixos": "mobile-nixos",
"nixpkgs": "nixpkgs",
"srvos": "srvos"
}
},
"srvos": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"nixpkgs": [ "nixpkgs": [
@ -140,18 +97,96 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705346686, "lastModified": 1707341322,
"narHash": "sha256-lTf1b2I6wwNDhV5eEKIAMT5DOa43bK5KaPqDWH2yfek=", "narHash": "sha256-hfJDFRAFrdLDY0ebNy7BpaKBmj3BwR/WTbQswlrpU1Y=",
"owner": "numtide", "ref": "refs/heads/main",
"repo": "srvos", "rev": "e612b7c968318bcd7f6ae5a4eaf930e21baa644d",
"rev": "8e03bea707212a7225b0ab02a8186af8b1e98e0a", "revCount": 14,
"type": "git",
"url": "https://codeberg.org/adamcstephens/nixos-x13s"
},
"original": {
"type": "git",
"url": "https://codeberg.org/adamcstephens/nixos-x13s"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1707238373,
"narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fb0c047e30b69696acc42e669d02452ca1b55755",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "nixos",
"repo": "srvos", "ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github" "type": "github"
} }
},
"nixpkgs-2211": {
"locked": {
"lastModified": 1688392541,
"narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1707347693,
"narHash": "sha256-/MxX1WUwKui2dWtKghN+8qIKf8X7hHPD1KCeDXoApEI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9a113b42b3b15eafa91a027bd9fb9fd69fa6ed96",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"mobile-nixos": "mobile-nixos",
"nixos-x13s": "nixos-x13s",
"nixpkgs": "nixpkgs",
"nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-unstable-small": "nixpkgs-unstable-small"
}
} }
}, },
"root": "root", "root": "root",


@ -1,270 +1,92 @@
{ {
inputs = inputs = {
{ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
get-flake.url = "github:ursi/get-flake"; # required for home-manager modules
nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
disko.inputs.nixpkgs.follows = "nixpkgs"; get-flake.url = "github:ursi/get-flake";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
mobile-nixos.url = "github:NixOS/mobile-nixos"; disko.inputs.nixpkgs.follows = "nixpkgs";
mobile-nixos.flake = false;
# see https://github.com/jhovold/linux/wiki/X13s for status updates mobile-nixos.url = "github:NixOS/mobile-nixos";
linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; mobile-nixos.flake = false;
linux_x13s.flake = false;
brainwart_x13s-nixos = { home-manager = {
url = "github:BrainWart/x13s-nixos/main"; url = "github:nix-community/home-manager/release-23.11";
flake = false; inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s";
{ self # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s";
, get-flake nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
, nixpkgs };
, ...
}:
let
targetPlatform = "aarch64-linux";
buildPlatform = "x86_64-linux";
nodeName = "steveej-x13s";
pkgs = nixpkgs.legacyPackages.${targetPlatform}; outputs = {
pkgsCross = import self.inputs.nixpkgs { self,
system = buildPlatform; get-flake,
crossSystem = { nixpkgs,
config = "pentium2-unknown-linux-gnu"; ...
}; }: let
}; targetPlatform = "aarch64-linux";
buildPlatform = "x86_64-linux";
repoFlake = get-flake ../../../..;
mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: mkNixosConfiguration = {
nixpkgs.lib.nixosSystem ( nodeName,
nixpkgs.lib.attrsets.recursiveUpdate extraModules ? [],
attrs ...
{ } @ attrs:
specialArgs = (import ./default.nix { nixpkgs.lib.nixosSystem (
system = targetPlatform; nixpkgs.lib.attrsets.recursiveUpdate
inherit nodeName; attrs
repoFlake = get-flake ../../../..;
nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName};
modules =
[
self.nixosModules.hardware-x13s
./configuration.nix
# flake registry
{
nix.registry.nixpkgs.flake = nixpkgs;
}
{
nixpkgs.overlays = [
(final: prev:
{
qrtr = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qrtr.nix" { };
qmic = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qmic.nix" { };
rmtfs = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/rmtfs.nix" { };
pd-mapper = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/pd-mapper.nix" {
inherit (final) qrtr;
};
compressFirmwareXz = prev.lib.id; #this leaves all firmware uncompressed :) for pd-mapper
})
];
}
]
++ extraModules;
}
);
in
{
nixosConfigurations = {
native = mkNixosConfiguration {
system = targetPlatform;
};
cross = mkNixosConfiguration {
extraModules = [
{
nixpkgs.buildPlatform.system = buildPlatform;
nixpkgs.hostPlatform.system = targetPlatform;
}
];
};
};
nixosModules.hardware-x13s = { pkgs, config, lib, options, ... }:
let
# TODO: introduce options for these
kernelPdMapper = true;
in
{ {
config = specialArgs =
let (import ./default.nix {
inherit (config.boot.loader) efi; system = targetPlatform;
kp = [ inherit nodeName repoFlake;
{
name = "x13s-cfg";
patch = null;
extraStructuredConfig = with lib.kernel; {
EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes;
OF_OVERLAY = lib.mkForce yes;
BTRFS_FS = lib.mkForce yes;
BTRFS_FS_POSIX_ACL = lib.mkForce yes;
MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB = lib.mkForce yes;
SND_USB_AUDIO = lib.mkForce module;
USB_XHCI_PCI = lib.mkForce module;
NO_HZ_FULL = lib.mkForce yes;
HZ_100 = lib.mkForce yes;
HZ_250 = lib.mkForce no;
DRM_AMDGPU = lib.mkForce no;
DRM_NOUVEAU = lib.mkForce no;
QCOM_TSENS = lib.mkForce yes;
NVMEM_QCOM_QFPROM = lib.mkForce yes;
ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes;
} // lib.optionalAttrs kernelPdMapper {
QCOM_PD_MAPPER = lib.mkForce yes;
QRTR = lib.mkForce yes;
};
}
];
# We can't quite move to mainline linux nodeFlake = self;
linux_x13s_pkg = { buildLinux, ... } @ args: })
buildLinux (args // rec { .meta
version = "6.7.0"; .nodeSpecialArgs
modDirVersion = lib.versions.pad 3 version; .${nodeName};
extraMeta.branch = lib.versions.majorMinor version;
src = self.inputs.linux_x13s; modules =
kernelPatches = (args.kernelPatches or [ ]) ++ kp; [
} // (args.argsOverride or { })); # repoFlake.nixosModules.hardware-x13s
]
# we add additional configuration on top of te normal configuration above ++ extraModules;
# using the extraStructuredConfig option on the kernel patch }
linux_x13s = pkgs.callPackage linux_x13s_pkg { );
defconfig = "johan_defconfig"; in {
}; lib = {
inherit mkNixosConfiguration;
uncompressed-fw = pkgs.callPackage
({ lib, runCommand, buildEnv, firmwareFilesList }:
runCommand "qcom-modem-uncompressed-firmware-share"
{
firmwareFiles = buildEnv {
name = "qcom-modem-uncompressed-firmware";
paths = firmwareFilesList;
pathsToLink = [
"/lib/firmware/rmtfs"
"/lib/firmware/qcom"
];
};
} ''
PS4=" $ "
(
set -x
mkdir -p $out/share/
ln -s $firmwareFiles/lib/firmware/ $out/share/uncompressed-firmware
)
'')
{
firmwareFilesList = lib.flatten options.hardware.firmware.definitions;
};
linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s;
dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/sc8280xp-lenovo-thinkpad-x13s.dtb";
dtbName = "x13s63rc4.dtb";
in
{
boot = {
loader.systemd-boot.enable = true;
loader.systemd-boot.extraFiles = {
"${dtbName}" = dtb;
};
loader.efi.canTouchEfiVariables = true;
loader.efi.efiSysMountPoint = "/boot";
kernelPackages = linuxPackages_x13s;
kernelParams = [
"boot.shell_on_fail"
"clk_ignore_unused"
"pd_ignore_unused"
"arm64.nopauth"
"cma=128M"
"nvme.noacpi=1"
"iommu.strict=0"
"dtb=${dtbName}"
];
initrd = {
includeDefaultModules = false;
availableKernelModules = [
"i2c_hid"
"i2c_hid_of"
"i2c_qcom_geni"
"leds_qcom_lpg"
"pwm_bl"
"qrtr"
"pmic_glink_altmode"
"gpio_sbu_mux"
"phy_qcom_qmp_combo"
"panel-edp"
"msm"
"phy_qcom_edp"
"i2c-core"
"i2c-hid"
"i2c-hid-of"
"i2c-qcom-geni"
"pcie-qcom"
"phy-qcom-qmp-combo"
"phy-qcom-qmp-pcie"
"phy-qcom-qmp-usb"
"phy-qcom-snps-femto-v2"
"phy-qcom-usb-hs"
"nvme"
];
};
};
# power management, etc.
environment.systemPackages = with pkgs; [
qrtr
qmic
rmtfs
pd-mapper
uncompressed-fw
];
environment.pathsToLink = [ "share/uncompressed-firmware" ];
# ensure the x13s' dtb file is in the boot partition
system.activationScripts.x13s-dtb = ''
in_package="${dtb}"
esp_tool_folder="${efi.efiSysMountPoint}/"
in_esp="''${esp_tool_folder}${dtbName}"
>&2 echo "Ensuring $in_esp in EFI System Partition"
if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then
>&2 echo "Copying $in_package -> $in_esp"
mkdir -p "$esp_tool_folder"
cp "$in_package" "$in_esp"
sync
fi
'';
hardware.enableAllFirmware = true;
hardware.firmware = [
pkgs.linux-firmware
(pkgs.callPackage "${self.inputs.brainwart_x13s-nixos}/pkgs/x13s-firmware.nix" { })
];
};
};
}; };
nixosConfigurations = let
nodeName = "steveej-x13s";
in {
native = mkNixosConfiguration {
inherit nodeName;
system = targetPlatform;
extraModules = [
./configuration.nix
];
};
cross = mkNixosConfiguration {
inherit nodeName;
extraModules = [
./configuration.nix
{
nixpkgs.buildPlatform.system = buildPlatform;
nixpkgs.hostPlatform.system = targetPlatform;
}
];
};
};
};
} }


@ -32,13 +32,17 @@
nixpkgs.lib.attrsets.recursiveUpdate nixpkgs.lib.attrsets.recursiveUpdate
attrs attrs
{ {
specialArgs = (import ./default.nix { specialArgs =
system = targetPlatform; (import ./default.nix {
inherit nodeName; system = targetPlatform;
inherit nodeName;
repoFlake = get-flake ../../../..; repoFlake = get-flake ../../../..;
nodeFlake = self; nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName}; })
.meta
.nodeSpecialArgs
.${nodeName};
modules = modules =
[ [
@ -51,10 +55,7 @@
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: previous: (final: previous: {})
{
})
]; ];
} }
] ]


@ -4,33 +4,35 @@
}: let }: let
keys = import ../../variables/keys.nix; keys = import ../../variables/keys.nix;
in { in {
mkUser = args: ( mkUser = args:
lib.attrsets.recursiveUpdate { lib.mkMerge [
isNormalUser = true; {
extraGroups = [ isNormalUser = true;
"docker" extraGroups = [
"wheel" "docker"
"libvirtd" "wheel"
"networkmanager" "libvirtd"
"vboxusers" "networkmanager"
"users" "vboxusers"
"input" "users"
"audio" "input"
"video" "audio"
"cdrom" "video"
"adbusers" "cdrom"
"dialout" "adbusers"
"cdrom" "dialout"
]; "cdrom"
openssh.authorizedKeys.keys = keys.users.steveej.openssh; "fuse"
];
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
# TODO: investigate why this secret cannot be found # TODO: investigate why this secret cannot be found
# openssh.authorizedKeys.keyFiles = [ # openssh.authorizedKeys.keyFiles = [
# config.sops.secrets.sharedSshKeys-steveej.path # config.sops.secrets.sharedSshKeys-steveej.path
# ]; # ];
} }
args args
); ];
disk = rec { disk = rec {
# TODO: verify the GPT PARTLABEL cap at 36 chars # TODO: verify the GPT PARTLABEL cap at 36 chars
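Review bot: Moving `mkUser` from `lib.attrsets.recursiveUpdate` to `lib.mkMerge` changes how a caller's `extraGroups` combines with the defaults. `recursiveUpdate` replaced the list, whereas the module system concatenates list definitions of equal priority, so a caller can no longer narrow the groups and every user built through this helper keeps `wheel` and `docker`, both effectively root-equivalent. If narrowing should stay possible, declare the default as `extraGroups = lib.mkDefault [ ... ];` so an explicit caller value replaces it. `cdrom` also appears twice in the default list. The enclosing attribute set continues outside this hunk.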


@ -0,0 +1,240 @@
{
self,
pkgs,
config,
lib,
options,
...
}: let
# TODO: introduce options for these
kernelPdMapper = true;
cfg = config.hardware.thinkpad-x13s;
in {
options.hardware.thinkpad-x13s = {
# TODO: respect this
enable = lib.mkEnableOption "x13s hardware support";
bluetoothMac = lib.mkOption {
type = lib.types.str;
description = "mac address to set on boot";
};
};
config = let
inherit (config.boot.loader) efi;
kp = [
{
name = "x13s-cfg";
patch = null;
extraStructuredConfig = with lib.kernel; {
EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes;
OF_OVERLAY = lib.mkForce yes;
BTRFS_FS = lib.mkForce yes;
BTRFS_FS_POSIX_ACL = lib.mkForce yes;
MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB = lib.mkForce yes;
SND_USB_AUDIO = lib.mkForce module;
USB_XHCI_PCI = lib.mkForce module;
NO_HZ_FULL = lib.mkForce yes;
HZ_100 = lib.mkForce yes;
HZ_250 = lib.mkForce no;
DRM_AMDGPU = lib.mkForce no;
DRM_NOUVEAU = lib.mkForce no;
QCOM_TSENS = lib.mkForce yes;
NVMEM_QCOM_QFPROM = lib.mkForce yes;
ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes;
VIRTIO_PCI = lib.mkForce module;
# forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module;
};
}
];
qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" {};
pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" {
inherit qrtr;
};
# We can't quite move to mainline linux
linux_x13s_pkg = {buildLinux, ...} @ args:
buildLinux (args
// rec {
version = "6.7.0";
modDirVersion = lib.versions.pad 3 version;
extraMeta.branch = lib.versions.majorMinor version;
src = self.inputs.linux_x13s;
kernelPatches = (args.kernelPatches or []) ++ kp;
}
// (args.argsOverride or {}));
# we add additional configuration on top of te normal configuration above
# using the extraStructuredConfig option on the kernel patch
linux_x13s = pkgs.callPackage linux_x13s_pkg {
defconfig = "johan_defconfig";
};
linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s;
dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb";
dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}";
x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: {
src = self.inputs.alsa-ucm-conf;
});
alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2";
in
lib.mkIf cfg.enable
{
nixpkgs.overlays = [
(
final: prev: {
x13s_extra-firmware =
pkgs.callPackage
"${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix"
{};
inherit qrtr pd-mapper;
}
)
];
# ensure the x13s' dtb file is in the boot partition
# TODO:: is this needed for the VT display somehow?
system.activationScripts.x13s-dtb = ''
in_package="${dtb}"
esp_tool_folder="${efi.efiSysMountPoint}/"
in_esp="''${esp_tool_folder}${dtbName}"
>&2 echo "Ensuring $in_esp in EFI System Partition"
if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then
>&2 echo "Copying $in_package -> $in_esp"
mkdir -p "$esp_tool_folder"
cp "$in_package" "$in_esp"
sync
fi
'';
boot = {
loader.systemd-boot.enable = true;
loader.systemd-boot.extraFiles = {
"${dtbName}" = dtb;
};
loader.efi.canTouchEfiVariables = false;
loader.efi.efiSysMountPoint = "/boot";
blacklistedKernelModules = ["wwan"];
kernelPackages = linuxPackages_x13s;
kernelParams = [
"dtb=${dtbName}"
"boot.shell_on_fail"
# jhovold recommended
"efi=noruntime"
"clk_ignore_unused"
"pd_ignore_unused"
"arm64.nopauth"
# blacklist graphics in initrd so the firmware can load from disk
"rd.driver.blacklist=msm"
];
initrd = {
includeDefaultModules = false;
# kernelModules = [
# "nvme"
# "phy_qcom_qmp_pcie"
# "pcie_qcom"
# "i2c_core"
# "i2c_hid"
# "i2c_hid_of"
# "i2c_qcom_geni"
# "leds_qcom_lpg"
# "pwm_bl"
# "qrtr"
# "pmic_glink_altmode"
# "gpio_sbu_mux"
# "phy_qcom_qmp_combo"
# "gpucc_sc8280xp"
# "dispcc_sc8280xp"
# "phy_qcom_edp"
# "panel_edp"
# # "msm"
# ];
availableKernelModules = [
"i2c_hid"
"i2c_hid_of"
"i2c_qcom_geni"
"leds_qcom_lpg"
"pwm_bl"
"qrtr"
"pmic_glink_altmode"
"gpio_sbu_mux"
"phy_qcom_qmp_combo"
"panel_edp"
# "msm"
"phy_qcom_edp"
"i2c_core"
"i2c_hid"
"i2c_hid_of"
"i2c_qcom_geni"
"pcie_qcom"
"phy_qcom_qmp_combo"
"phy_qcom_qmp_pcie"
"phy_qcom_qmp_usb"
"phy_qcom_snps_femto_v2"
"phy_qcom_usb_hs"
"nvme"
"usbcore"
"xhci_hcd"
"usbhid"
"usb_storage"
"uas"
];
};
};
# default is performance
powerManagement.cpuFreqGovernor = "ondemand";
hardware.enableAllFirmware = true;
hardware.firmware = [
# pkgs.linux-firmware
pkgs.x13s_extra-firmware
];
systemd.services.pd-mapper = {
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${lib.getExe pd-mapper}";
Restart = "always";
};
};
environment.sessionVariables = alsa-ucm-conf-env;
systemd.user.services.pipewire.environment = alsa-ucm-conf-env;
systemd.user.services.wireplumber.environment = alsa-ucm-conf-env;
systemd.services.bluetooth = {
serviceConfig = {
# disabled because btmgmt call hangs
ExecStartPre = [
""
"${pkgs.util-linux}/bin/rfkill block bluetooth"
"${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}"
"${pkgs.util-linux}/bin/rfkill unblock bluetooth"
];
RestartSec = 5;
Restart = "on-failure";
};
};
};
}
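Review bot: `boot.shell_on_fail` is added to `boot.kernelParams` unconditionally, so every machine enabling `hardware.thinkpad-x13s` offers an unauthenticated stage-1 root shell when boot fails; NixOS leaves this off by default for that reason. I would gate it behind a new debug option, e.g. `++ lib.optional cfg.debugBoot "boot.shell_on_fail"`, and add a why-comment such as `# pointer authentication disabled: <reason>` next to `arm64.nopauth`, which currently has none. `bluetoothMac` is interpolated into the `btmgmt public-addr` command as a bare `lib.types.str`; `lib.types.strMatching "([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"` would reject malformed values at evaluation time. Two comments look stale: `# TODO: respect this` although `lib.mkIf cfg.enable` is applied, and `# disabled because btmgmt call hangs` above an `ExecStartPre` list that is active.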


@ -11,8 +11,7 @@ with lib; let
earlyDiskId = cfg: earlyDiskId = cfg:
if cfg.earlyDiskIdOverride != "" if cfg.earlyDiskIdOverride != ""
then cfg.earlyDiskIdOverride then cfg.earlyDiskIdOverride
else cfg.diskId else cfg.diskId;
;
in { in {
options.hardware.opinionatedDisk = { options.hardware.opinionatedDisk = {
enable = mkEnableOption "Enable opinionated filesystem layout"; enable = mkEnableOption "Enable opinionated filesystem layout";
@ -24,7 +23,7 @@ in {
earlyDiskIdOverride = mkOption { earlyDiskIdOverride = mkOption {
default = ""; default = "";
type = types.string; type = types.str;
}; };
}; };


@ -1,15 +0,0 @@
{pkgs, ...}: {
boot.kernelPackages = pkgs.linuxPackages;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = false;
};
boot.loader.systemd-boot.enable = false;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true;
# Workaround for nm-pptp to enforce module load
boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];
}


@ -2,17 +2,38 @@
config, config,
pkgs, pkgs,
repoFlake, repoFlake,
nodeFlake,
repoFlakeInputs',
packages',
... ...
}: { }: {
imports = [ imports = [
./boot.nix
./pkg.nix
./system.nix
../../snippets/nix-settings.nix
./hw.nix
./user.nix
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
../../snippets/nix-settings.nix
../../snippets/home-manager-with-zsh.nix
./system.nix
./hw.nix
./user.nix
]; ];
boot.kernelPackages = pkgs.linuxPackages;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = false;
};
boot.loader.systemd-boot.enable = false;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true;
# Workaround for nm-pptp to enforce module load
boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;
};
} }


@ -1,37 +0,0 @@
{
config,
pkgs,
# these come in via nodeSpecialArgs and are expected to be defined for every node
repoFlake,
repoFlakeInputs',
nodeFlake,
packages',
...
}: {
imports = [
];
nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs;
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true;
home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix;
# TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager
# home-manager.extraSpecialArgs = specialArgs;
# hence, opt for passing the arguments selectively instead
home-manager.extraSpecialArgs = {
inherit
repoFlake
repoFlakeInputs'
packages'
nodeFlake
;
osConfig = config;
};
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;
};
}


@ -15,7 +15,7 @@
''; '';
# Fonts, I18N, Date ... # Fonts, I18N, Date ...
fonts.fonts = [pkgs.corefonts]; fonts.packages = [pkgs.corefonts];
console.font = "lat9w-16"; console.font = "lat9w-16";
@ -43,15 +43,12 @@
# mv -Tf /etc/X11/.sessions /etc/X11/sessions # mv -Tf /etc/X11/.sessions /etc/X11/sessions
# ''; # '';
# TODO: adapt this to be arch agnostic
system.activationScripts.lib64 = '' system.activationScripts.lib64 = ''
echo "setting up /lib64..." echo "setting up /lib64..."
mkdir -p /lib64 mkdir -p /lib64
ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2
mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
''; '';
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.pathsToLink = ["/share/zsh"];
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
} }


@ -32,41 +32,63 @@ in {
default = config.sops.secrets.sharedUsers-root.path; default = config.sops.secrets.sharedUsers-root.path;
type = types.path; type = types.path;
}; };
installPassword = lib.mkOption {
default = "";
type = types.str;
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable (lib.mkMerge [
sops.secrets.sharedUsers-root = { (lib.mkIf (cfg.installPassword == "") {
sopsFile = ../../../../secrets/shared-users.yaml; sops.secrets.sharedUsers-root = {
neededForUsers = true; sopsFile = ../../../../secrets/shared-users.yaml;
format = "yaml"; neededForUsers = true;
}; format = "yaml";
};
sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;
format = "yaml"; format = "yaml";
}; };
sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
# neededForUsers = true; # neededForUsers = true;
format = "yaml"; format = "yaml";
}; };
})
users.mutableUsers = lib.mkForce false; {
users.mutableUsers = cfg.installPassword != "";
users.extraUsers.root = { users.users.root = lib.mkMerge [
passwordFile = cfg.rootPasswordFile; {
openssh.authorizedKeys.keys = keys.users.steveej.openssh; openssh.authorizedKeys.keys = keys.users.steveej.openssh;
}
# TODO: investigate why this secret cannot be found (lib.mkIf (cfg.installPassword != "") {
# openssh.authorizedKeys.keyFiles = [ password = cfg.installPassword;
# config.sops.secrets.sharedSshKeys-steveej.path })
# ];
};
users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser { (lib.mkIf (cfg.installPassword == "") {
uid = 1000; hashedPasswordFile = cfg.rootPasswordFile;
passwordFile = config.sops.secrets.sharedUsers-steveej.path; })
}); ];
};
users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [
{
uid = 1000;
}
(lib.mkIf (cfg.installPassword != "") {
password = cfg.installPassword;
})
(lib.mkIf (cfg.installPassword == "") {
hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
})
]));
}
]);
} }
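Review bot: `installPassword` is passed straight to `users.users.root.password` and to the `steveej` user's `password`, and NixOS documents `password` values as world-readable in the Nix store; the same string also serves both accounts. The option has no `description`, so nothing tells a consumer that this path is meant for throw-away install media only (that intent is my reading of the name, please confirm). I would add `description = "Plaintext password for installation images only; it is stored in the Nix store.";` and, where possible, accept a hash through `initialHashedPassword` instead. A non-empty value also turns `users.mutableUsers` on, replacing the previous `lib.mkForce false`, which deserves a comment next to that line.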


@ -3,6 +3,10 @@
lib, lib,
... ...
}: { }: {
imports = [
../../snippets/bluetooth.nix
];
networking.networkmanager = { networking.networkmanager = {
enable = true; enable = true;
dns = "systemd-resolved"; dns = "systemd-resolved";
@ -19,13 +23,8 @@
services.resolved.enable = true; services.resolved.enable = true;
# hardware related services # hardware related services
services.illum.enable = true;
services.pcscd.enable = true; services.pcscd.enable = true;
hardware.opengl.enable = true; hardware.opengl.enable = true;
hardware.bluetooth.enable = true;
# required for running blueman-applet in user sessions
services.dbus.packages = with pkgs; [blueman];
services.blueman.enable = true;
services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules];
services.udev.extraRules = '' services.udev.extraRules = ''


@ -5,6 +5,8 @@
... ...
}: let }: let
in { in {
services.illum.enable = true;
services.printing = {enable = false;}; services.printing = {enable = false;};
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;


@ -0,0 +1,10 @@
{
pkgs,
lib,
...
}: {
# required for running blueman-applet in user sessions
services.dbus.packages = with pkgs; [blueman];
hardware.bluetooth.enable = true;
services.blueman.enable = true;
}


@ -0,0 +1,47 @@
{
nodeFlake,
repoFlake,
repoFlakeInputs',
packages',
pkgs,
...
}: let
# TODO: make this configurable
homeUser = "steveej";
commonHomeImports = [
../../home-manager/profiles/common.nix
../../home-manager/programs/neovim.nix
../../home-manager/programs/zsh.nix
];
in {
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
];
# TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager
# home-manager.extraSpecialArgs = specialArgs;
# hence, opt for passing the arguments selectively instead
home-manager.extraSpecialArgs = {
inherit
repoFlake
repoFlakeInputs'
packages'
nodeFlake
;
};
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true;
home-manager.users.root = _: {
imports = commonHomeImports;
};
home-manager.users."${homeUser}" = _: {
imports = commonHomeImports;
};
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.pathsToLink = ["/share/zsh"];
}


@ -1,6 +1,5 @@
{ {
nodeFlake, nodeFlake,
pkgs, pkgs,
lib, lib,
... ...
@ -17,8 +16,6 @@
nix.settings.experimental-features = [ nix.settings.experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"ca-derivations"
"impure-derivations"
]; ];
nix.settings.system-features = [ nix.settings.system-features = [


@ -0,0 +1,30 @@
{
config,
lib,
pkgs,
repoFlakeInputs',
...
}: let
# TODO: make configurable
homeUser = "steveej";
in {
sops.secrets.radicale_htpasswd = {
sopsFile = ../../../secrets/desktop/radicale_htpasswd;
format = "binary";
owner = config.users.users."${homeUser}".name;
};
home-manager.users.${homeUser} = _: {
imports = [
# TODO: bump these to latest and make it work
(
args:
import ../../home-manager/programs/radicale.nix (args
// {
osConfig = config;
pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages;
})
)
];
};
}


@ -0,0 +1,102 @@
{
pkgs,
lib,
config,
...
}: let
# TODO: make this configurable
homeUser = "steveej";
in {
services.xserver.serverFlagsSection = ''
Option "BlankTime" "0"
Option "StandbyTime" "0"
Option "SuspendTime" "0"
Option "OffTime" "0"
'';
hardware.opengl.enable = true;
services.gvfs = {
enable = true;
package = lib.mkForce pkgs.gnome3.gvfs;
};
environment.systemPackages = with pkgs; [
# provides a default authentification client for policykit
lxqt.lxqt-policykit
];
# required by swaywm
security.polkit.enable = true;
security.pam.services.swaylock = {};
# test these on https://mozilla.github.io/webrtc-landing/gum_test.html
xdg.portal = {
enable = true;
# FIXME: `true` breaks xdg-open from alacritty:
# $ xdg-open "https://github.com/"
# Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop
xdgOpenUsePortal = false;
# keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following:
config.common.default = "*";
extraPortals = [
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-gtk
# repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr
# (pkgs.xdg-desktop-portal-gtk.override (_: {
# buildPortalsInGnome = false;
# }))
];
};
# rtkit is optional but recommended
security.rtkit.enable = true;
services.pipewire = {
audio.enable = true;
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
security.pam.services.getty.enableGnomeKeyring = true;
security.pam.services."autovt@tty1".enableGnomeKeyring = true;
services.gnome.gnome-keyring.enable = true;
# autologin steveej on tty1
# TODO: make user configurable
systemd.services."autovt@tty1".description = "Autologin at the TTY1";
systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty
systemd.services."autovt@tty1".wantedBy = ["multi-user.target"];
systemd.services."autovt@tty1".serviceConfig = {
ExecStart = [
"" # override upstream default with an empty ExecStart
"@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM"
];
Restart = "always";
Type = "idle";
};
programs = let
steveejSwayOnTty1 = ''
if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
exec sway
fi
'';
in {
bash.loginShellInit = steveejSwayOnTty1;
# TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion
zsh.loginShellInit = steveejSwayOnTty1;
};
home-manager.users."${homeUser}" = _: {
imports = [
../../home-manager/profiles/sway-desktop.nix
];
};
}
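Review bot: The `autovt@tty1` unit logs `steveej` in without a password (`--autologin steveej`) and `loginShellInit` then execs sway, so any host importing this shared snippet hands a full desktop session to whoever reaches the console. That deserves either an enable option or a comment stating the assumption it rests on (presumably disk encryption unlocked at boot, please confirm). The user name is hard-coded in `ExecStart` and in `id --user steveej` although `homeUser` is defined at the top; `--autologin ${homeUser}` and `id --user ${homeUser}` would keep them in step. `pkgs.utillinux` is the old alias, while the x13s module in this same change uses `pkgs.util-linux`.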


@ -0,0 +1,5 @@
{lib, ...}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
time.timeZone = lib.mkDefault passwords.timeZone.stefan;
}


@ -0,0 +1,59 @@
# NOTE: please keep it in sync with .github pipelines
# NOTE: during testing make sure to change the branch below
# NOTE: before running the build-docker GH action edit
# build-docker.yml and change the release channel from :latest to :testing
# Builder image
FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder
ARG DEBIAN_FRONTEND=noninteractive
# Install reqs
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
ca-certificates \
apt-transport-https \
gpg \
build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \
zip
# install NodeJS & yarn
RUN curl -sL https://deb.nodesource.com/setup_18.x | bash -
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | \
tee /etc/apt/trusted.gpg.d/yarn.gpg && \
echo "deb https://dl.yarnpkg.com/debian/ stable main" | \
tee /etc/apt/sources.list.d/yarn.list && \
apt-get update && apt-get install -y nodejs yarn
WORKDIR /data
ENV VERSION=0.10.5
# build Logseq static resources
RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git .
RUN yarn config set network-timeout 240000 -g && yarn install
RUN yarn release-electron
RUN mkdir /out
RUN mv /data/static/out/make/zip /out/${VERSION}.zip
RUN mv /data/static/out/make/*.AppImage /out/
FROM scratch as artifacts
COPY --from=builder /out /
# Logseq-${VERSION}.AppImage
# RUN mv zip /${VERSION}.zip
# RUN \
# mkdir -p builds
# # NOTE: save VERSION file to builds directory
# cp static/VERSION ./builds/VERSION
# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage
# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip
# # Web App Runner image
# FROM nginx:1.24.0-alpine3.17
#
# COPY --from=builder /data/static /usr/share/nginx/html
#
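Review bot: The builder stage fetches and runs code without integrity pinning: `curl -sL https://deb.nodesource.com/setup_18.x | bash -` executes a remote script as root, and `git clone -b ${VERSION}` follows a tag that upstream can move. The AppImage produced here is the artifact the accompanying README says to upload, so whatever these steps pull in ends up in the shipped binary. I would pin the checkout with `ARG LOGSEQ_COMMIT=<commit-sha-placeholder>` and `RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . && test "$(git rev-parse HEAD)" = "${LOGSEQ_COMMIT}"`. I would also use `curl -fsSL` so an HTTP error fails the build instead of piping an error page onward, and reference the base image by digest rather than by tag alone.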

14
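--- a/nix/pkgs/logseq/README.md
+++ b/nix/pkgs/logseq/README.md
@@ -0,0 +1,14 @@
+# build instructions
+this is pseudocode that serves as a reminder
+1. podman build -f Containerfile
+2. podman unshare
+3. podman mount $CONTAINER_ID
+4. upload the AppImaeg
+# resources
+* https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90
+* https://github.com/logseq/logseq/blob/master/Dockerfile
+* https://github.com/randomwangran/logseq-nix-flake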


@ -0,0 +1,83 @@
{
lib,
stdenv,
fetchurl,
appimageTools,
makeWrapper,
# graphs will not sync without matching upstream's major electron version
electron_27,
git,
nix-update-script,
overrideSrc ? null,
}:
stdenv.mkDerivation (finalAttrs: let
inherit (finalAttrs) pname version src appimageContents;
in {
pname = "logseq";
version = "0.10.5";
src =
if overrideSrc != null
then overrideSrc
else
(fetchurl {
url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage";
hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE=";
name = "${pname}-${version}.AppImage";
});
appimageContents = appimageTools.extract {
inherit pname src version;
};
dontUnpack = true;
dontConfigure = true;
dontBuild = true;
nativeBuildInputs = [makeWrapper];
installPhase = ''
runHook preInstall
mkdir -p $out/bin $out/share/${pname} $out/share/applications
cp -a ${appimageContents}/{locales,resources} $out/share/${pname}
cp -a ${appimageContents}/Logseq.desktop $out/share/applications/${pname}.desktop
# remove the `git` in `dugite` because we want the `git` in `nixpkgs`
if test -e $out/share/${pname}/resources/app/node_modules/dugite/git; then
chmod +w -R $out/share/${pname}/resources/app/node_modules/dugite/git
chmod +w $out/share/${pname}/resources/app/node_modules/dugite
rm -rf $out/share/${pname}/resources/app/node_modules/dugite/git
chmod -w $out/share/${pname}/resources/app/node_modules/dugite
fi
mkdir -p $out/share/pixmaps
ln -s $out/share/${pname}/resources/app/icons/logseq.png $out/share/pixmaps/${pname}.png
substituteInPlace $out/share/applications/${pname}.desktop \
--replace Exec=Logseq Exec=${pname} \
--replace Icon=Logseq Icon=${pname}
runHook postInstall
'';
postFixup = ''
# set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs
makeWrapper ${electron_27}/bin/electron $out/bin/${pname} \
--set "LOCAL_GIT_DIRECTORY" ${git} \
--add-flags $out/share/${pname}/resources/app \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [stdenv.cc.cc.lib]}"
'';
passthru.updateScript = nix-update-script {};
meta = {
description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base";
homepage = "https://github.com/logseq/logseq";
changelog = "https://github.com/logseq/logseq/releases/tag/${version}";
license = lib.licenses.agpl3Plus;
maintainers = with lib.maintainers; [];
platforms = ["x86_64-linux" "aarch64-linux"];
};
})
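Review bot: `overrideSrc` replaces the hash-pinned `fetchurl` with whatever the caller passes, and nothing documents that the replacement must itself be a fixed-output fetch with a `hash`; a plain path or unpinned download would feed an unverified binary into `appimageTools.extract`. `meta.platforms` lists `aarch64-linux` while the default `src` is the `linux-x64` AppImage, so an aarch64 build without `overrideSrc` would package resources taken from the x86-64 image. I would add a comment on the parameter, `# overrideSrc: must be a fixed-output derivation (fetchurl with hash), e.g. the aarch64 AppImage`, and guard the default with `assert stdenv.hostPlatform.isAarch64 -> overrideSrc != null;`. Because the package repacks a prebuilt binary, `meta.sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];` would also describe it accurately.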


@ -1,14 +0,0 @@
{
"nixpkgs": {
"branch": "release-22.05",
"description": "Nix Packages collection",
"homepage": "https://github.com/NixOS/nixpkgs",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06",
"sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}


@ -1,260 +0,0 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file = pkgs: name: spec: let
name' = sanitizeName name + "-src";
in
if spec.builtin or true
then
builtins_fetchurl
{
inherit (spec) url sha256;
name = name';
}
else
pkgs.fetchurl {
inherit (spec) url sha256;
name = name';
};
fetch_tarball = pkgs: name: spec: let
name' = sanitizeName name + "-src";
in
if spec.builtin or true
then
builtins_fetchTarball
{
name = name';
inherit (spec) url sha256;
}
else
pkgs.fetchzip {
name = name';
inherit (spec) url sha256;
};
fetch_git = name: spec: let
ref =
if spec ? ref
then spec.ref
else if spec ? branch
then "refs/heads/${spec.branch}"
else if spec ? tag
then "refs/tags/${spec.tag}"
else
abort
"In git source '${name}': Please specify `ref`, `tag` or `branch`!";
submodules =
if spec ? submodules
then spec.submodules
else false;
submoduleArg = let
nixSupportsSubmodules =
builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning =
if submodules == true
then
builtins.trace
(''The niv input "${name}" uses submodules ''
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them")
{}
else {};
in
if nixSupportsSubmodules
then {
inherit submodules;
}
else emptyArgWithWarning;
in
builtins.fetchGit ({
url = spec.repo;
inherit (spec) rev;
inherit ref;
}
// submoduleArg);
fetch_local = spec: spec.path;
fetch_builtin-tarball = name:
throw ''
[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url = name:
throw ''
[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName = name: (concatMapStrings (s:
if builtins.isList s
then "-"
else s)
(builtins.split "[^[:alnum:]+._?=-]+"
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)));
# The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources: system: let
sourcesNixpkgs =
import
(builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;})
{
inherit system;
};
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs
else if hasNixpkgsPath && !hasThisAsNixpkgsPath
then import <nixpkgs> {}
else
abort ''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch = pkgs: name: spec:
if !builtins.hasAttr "type" spec
then abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file"
then fetch_file pkgs name spec
else if spec.type == "tarball"
then fetch_tarball pkgs name spec
else if spec.type == "git"
then fetch_git name spec
else if spec.type == "local"
then fetch_local spec
else if spec.type == "builtin-tarball"
then fetch_builtin-tarball name
else if spec.type == "builtin-url"
then fetch_builtin-url name
else
abort
"ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace = name: drv: let
saneName =
stringAsChars
(c:
if isNull (builtins.match "[a-zA-Z0-9]" c)
then "_"
else c)
name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == ""
then drv
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/"
then /. + ersatz
else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs =
builtins.mapAttrs
or (f: set:
with builtins;
listToAttrs (map (attr: {
name = attr;
value = f attr set.${attr};
}) (attrNames set)));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last:
if first > last
then []
else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s:
map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as:
if cond
then as
else {};
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = {
url,
name ? null,
sha256,
} @ attrs: let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12"
then
fetchTarball
({inherit url;} // (optionalAttrs (!isNull name) {inherit name;}))
else fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = {
url,
name ? null,
sha256,
} @ attrs: let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12"
then
fetchurl
({inherit url;} // (optionalAttrs (!isNull name) {inherit name;}))
else fetchurl attrs;
# Create the final "sources" from the config
mkSources = config:
mapAttrs
(name: spec:
if builtins.hasAttr "outPath" spec
then
abort
"The values in sources.json should not have an 'outPath' attribute"
else spec // {outPath = replace name (fetch config.pkgs name spec);})
config.sources;
# The "config" used by the fetchers
mkConfig = {
sourcesFile ?
if builtins.pathExists ./sources.json
then ./sources.json
else null,
sources ?
if isNull sourcesFile
then {}
else builtins.fromJSON (builtins.readFile sourcesFile),
system ? builtins.currentSystem,
pkgs ? mkPkgs sources system,
}: rec {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig {})
// {
__functor = _: settings: mkSources (mkConfig settings);
}


@ -0,0 +1,30 @@
{
"data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRG1PWnJpTjRCOFVXS21h\nTUxFb1ZsS1piTUxtdmRSVGFmNGlzZmZqWXo4CnhMY3hBZU93bE45MFBJSG9Nd3Zh\nNi9DQjZlb2FzQXplZXovOENBOWRUQ0kKLS0tIFJsNklCUWFZdzhNaXlFQ2lFTGd5\nREp5VFZaNFlZeWVTUXlJSWpUOXA0OEEKEO5EEvjKL2BdBd+eHxvicl3IhGV/WNRS\ni5065sFhraZ+6MAg91eHUcwcfwjhx0tr06v9xARtKzgEEpgxHLT6BQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWHZjdERBT0hHTVVnMzJJ\nSURhU0NrelB4b0FuTmM1VFIvRFRpQS9sMEQwClJsWGVTUE1hN0Y5c3dETUcyUllX\nSmIzR2ZhMDJDa1hsY0xBaGJrNXkrMUUKLS0tIHAwenJOOHZOSksrQ2dacVhKQVg5\ndEl6QVdkTHdGbG81OUUzOFprZHVRUm8KVYgQ5wUkCDZa9SUbmJgtpWY/LWruAg2t\nZFVYJUZ7B/Pd6rzvtOVjU8mEOaMbtq1cYkiAcuzhIdoTxu1TX11OPA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-01-24T22:45:02Z",
"mac": "ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]",
"pgp": [
{
"created_at": "2024-01-24T22:48:30Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAl7wj8pgA42CyZ+b0ykAVMIzfVsX5zfyLTL3fKRC78kGH\n7D6Lp6Fesp3dZ8c7awWEM3b1WEFOS8Yklo6bfZCnioJoqZhMtYhyTCi+KEBXdw7g\n+KAquXkrD6mYOVBXoKHUqUBoDjFjU/stfV2Pdnl5I7SGYFHtyv8jwdJXbBInDNI6\nmtVzpKoM7pCFHH0Vz+A1D1X4k+96znbSnjHVBgOFLjyZ2KGPKBKud4nM0idAO/tO\nH77ApV1qRBU7weI5yTbK7GeuUxFYrolxkqOCPUH6E5Z2eVQ8ACUFpvgX4ET91jeP\nYTbTuq9cfm/gPsFIGtZLgWSq7cCZHe12nPHT//ajK9JcASNmmTiJFvK19WmN7spg\nbfDJLZud80PNu6MVXthwRGJ50/yRSrO8e/5tCjVz7UlkOmVG5ClsGDfRCH5gJDqS\nMJ+UdOHZjqcZu6TkBmSNX+9fRS1hgCiGxOjT2mU=\n=q3es\n-----END PGP MESSAGE-----",
"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}


@ -16,82 +16,100 @@ sops:
- recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbG5RWWVBZ2JZOXlENDVr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWFp1QUNPeEJDci9ibTg2
M3lCdEc4RnVwWlZJZXY5RGJ5aEFmcmlmK0hFCnNFSHliMHZyWTBLZG5ub2hPSy93 ZUNkMVNld1ZxNkVmUk9jMld3L01ndWVtakZ3ClQ1V2crS3hITG8rSmx4OWE3RU96
dDNoWmgvTEhQdUdWL1dEbDZpRnBacFUKLS0tIFpjdVZBZjhRdll2TGdKdFVQTzVp SC9xb0VybDZDN0FwU0JTTHJPRDB0QkUKLS0tIEU5cmh3bW1iWHJ4RDdrUUF0VG5M
UDV5bXpzWXNzMTQwTkZPVjc0ckNUUFEKwYIl0ErBjh83ogRau2mYzkivxruLKQXj MUhWRm5qdnpCUFZ2N3FvL1FITDhNMmsK1TKbM1jrJMvy16yhZwLGcqOan5RTiKYu
eEQgNMf/xdWZ76OAKDwCF/7zmCSeT2UYoJFCfYtnMw7OxwOCyvPIOg== jVaSgPaxJLPhtWReAH5RM2JOmrET1DdI7q8vFD7eaJIzKdBxAIwhQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K2x0c0swK1lHb2VCZi9v
RUo5VkRPayt2V0RyRVVhSlRGME5TMm9KZFRFCnY0NTdEb1FqK1JUaUdmQ09mOGha
SCtMVnRWYUpmYkM5OUY4TlJQd3MrdE0KLS0tIGdiZFpuZnFiNloxMTNFOWhoM2hV
TlovVmMrVHdDdmQ0dnRhZWxRZHJkMmMKpYOiZy2BVhddpSNiXasycmDaD9lA8irk
ThkO0iaLu2fG7RhT9A9VfXu6eE3ZHN6vr4hv/ItzAbP+T8Ro+Yvwfg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAramZoZmdSOFdoWEttNndT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuS0FVR3N3YnRlMXBwMVpj
RHVWUC9RekVVL21iQVA5Z3JvajliSVZVNVNFCjhiMkdGOXNTa2FnVStUTVRVZm1s elZ6dVlyMWRoSUx1UlVmYThBcWFFdmxEWTNRCkhFZEVDUGpsS1ZmelBSQVpZUWVC
Y1ZVdGFnZ0I2VGYxTW1Wakt5Znd3NXcKLS0tIERvVjFySDJDU3lRNGlpL3pYRWwy ZlNqcm9EVXF3U3hLYThpbGVSeVFDNDQKLS0tIGV0bkI2aVNmbnJmR2lqSFVLMGNr
UU0ybTRsSVlBaFV2d2xqVTc5Q1lNQWcKUti+W3HLneDzq/VI5yPBsTPyDUAUYL6U aVZFd091T1U4QVdVcWtSbnppd3BEODAKPzj/phV8BijdFewcwBV+loKk4o1tBJ6t
tO1SMC8xBVbgzlFQtM84gYCE8ATxvwOJV+8wNrcHdWXQ8AJLF9UwPA== CP8kwiIb03/lCd9HmyLgAUt0PlMJFbT4FJNEjwBstMErUdvClXO3dg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZXpGREZxdzREU0tSV1Nu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEZ0V2pOcStDb2YwclZG
ZnVONGdxU0VBb3RXY21pTEJVWUw3aUV1UG5ZCmZYcXVzdUgzalFvdXR1Q0FESENF U0t2RklFMkJQdE82cTVDK1NGMUt5R2R0c0VFCmV4Q2Rob2E2REVMUlRkeS8xTVVu
Q0VDSmlqbGRxemlGYVRQN2NQcGU3VEEKLS0tIFp1N2V6V3dkeWVpRGtrTzhyNUFE U296N2FFRHpmRnJPQjRBUmRaMEpnL2cKLS0tIFBseEpvSTJ0azBRUEVRa1dqT1RK
TUdFcXpEbnpmdTlWM1I3UTBYSFo5UnMKJm4gkNDHnCujMk+i46hGEMoQWEs9IBRM bFVpbVY5RU01R3pEcWFsQ0pkQWkwYlEKIW1AmTBR1UIjD9n3o2QyWb/FfUUa8qQz
/Lb1BpHA+5BB0LB6yL1VkXttSBNp69s5LN/EgdvTnZ7qL4/KqhwvMg== b0GtaaQkY17GyoBzrBh0G4D2yziPy8N9AwOTaaDJ7l5VZq9ydKbTrA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSk9GbVpxaHJPUGY4U3hu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2YTZGb1pXSWZVNk95aFVp
K3hpbzhkMWVJNHIrNWVPRUphcjkvY0h1cWpnCkxYTmtiWjk2QktxSHJON01XRGJD UTFDUHlweGVUQmV1KyttSXpjeng0WFd5d1ZFClJwL2xGVmhlTlJzNVhhaElmbnl2
MDZZZlB3dU9NbXN4RHRMc2ZRTHdERE0KLS0tIFJpdUhWdm1INFU3eU96NFN3OFk1 K2RmUlR0SzNkMWhmb1lOTTMyVUt4Rk0KLS0tIElFV0hCZVRwWTNJYldmR2ZYU2Rm
Z2dMQ2xGOTJCcXdCU0FFdVJjQVIwK1EKHLo6YIsfKAwQ/yBQvS1icIAS6W7AwABw dHRuVThQRm9NT05HdzdHOWh6R2dLYnMKvrsQXgfRyHOl2aN64JHPXEdlvcHynEss
d5hD2G0KVJK66HnYWuQALQbuWh2i0OA2fNAywcKe4R5ACN5M8TKHew== I4dCLuvKuPh5WjcFZ16zidGzffNKZTHsXPv/WKFUsy20lONByRuRbA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dEttcnphWlVpbTdET1pY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WndIcHhndkVjazRKV3Rq
L2RxWkx2VWVxZ21URE53MFg1cVFpTkwxN1N3CmJSRk1DY2JkZk5DMlUvZFp5RXNw U2JjYTZyYUhheG5pSlI0VE9tZ2w0SlRBM0JBCm1YSWxFa0RjVUhFb2xHMnMxbGZy
YWh0Q1FxTUJwTWNVY09NTTdSRHEzM1UKLS0tIEREeGY4M2J1QWZUTThhTWxoOUVX S1V1b1RMVExFRW0rUU03YXNjejJ3enMKLS0tIHlwdHNNRHNYL2xyeFFCcHdIVFRi
QVJSemJ4eldSbGU4dWZtU1hRNi9VQk0KhT8lL2mk8J/uZ0dECGbi14Se2cC7l6AK MDZaQjREbWw5aG82NG1Ea0J2d0tTMWMKCodGBDTKbq5qcmtrAh0HrdZ7fmEx8VhH
yWgNHggdrPcSvHH/A2u1yUdfQCU36yEvoxAwa8y/uQW3lgU35iVT+g== InCa5SXSRo7cVQe6VRBczF3RC/Mc2u+xzEDd1XbyGviqt1CkI1UPRQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuT29LTzAxcHZPd0VFa2pG YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa2YzeTBEOXlIcUJlZlVl
ZVJ6K2tiT2V3MDJlakpjZ1puczFWZEdORFJNCitNRzViZHU4ZTRXMmJZYUZqRHJ2 NUdCTGRYcUhOa0dkRjR2RHJNZ3VWclJWd3hjCmFZY0dEVTlwb3lNajE2emFCZmZ2
aDZtRlAyMDdOUHoxbWJ1c0JHaURXSlEKLS0tIHpnRitqc1BmV3FyUjZQcGtZZUtG SkhTejc3cFA1Yjc0ZHF2TjRYZ1Qvc1kKLS0tIGxDbWNjaXlvU2ttbDR4NW9UYThr
dXRPaEJna0duZDVLZVRpODM2enpiUmcKWLmGdJzLZ6UMcGRAzCb/UmsHl1Q+FQgk OWRZb1d5dkxETCt1RThQK0Z4cmJSb28KGrAeCR7Q37WwyEzHT5CvaMVmVUoyv1s3
IPTiCyyun+1JjWMSXC/z7rf2LFuvWvPPxHOChnYivBD60BYMgHJ8Sg== dDbEu8mtNhDBi9LYMwfbXiZHAlPWQ1Ogveot8vc4kMOAlvWMR4FwdA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT2dIMGFEbUErU1pYUXRR
Yk1tUmx2R3BmUXVhK1JMd3J6WVNwOGVmRkUwCnZBSGxvcFd4Y1dGbkg4UEF2RUxE
TUdpVGV1ZEpFQmNWN1ZKei8rSWJtaVEKLS0tIGRLd013RVB2eHhXeHpXbWoyaktu
OExualc3eWk1UGgvZDlNbWZydXBXWkUK0vhwGhegmrQASWqFQYpZgJungzt7vtfC
sBna05p6lnSEdtclUa1MZ/a9wlqAtmrA2fUarLnc6/bs0K8Oz9HRPA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXN1hoQWdERDRTN0lJM0pI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSFIvcUEwbnZ6Qm95V3hT
RWcvZXVPN3ljd0h0QTA1SmN6dlorVi9vWjNNCmhscXhNTmhBVlZZN3VzdzFnRWNt SlBiSS9ycE4xTmpRR1l0SDZKYkFNVmtXUG00ClBKYzBMSmNOMmdCSktGV29WbFBE
VTlTUGk0RnRIaHF2bnBPeFpOVHY4RGsKLS0tIDA5MjVFZnU3bTE3bHZZSzJJQmpD U0x1K2dsU2FoVVBPSWthZ0hmRkdTKzAKLS0tIGhZaU9kQU54ZzNWVnhLNEozWXZN
NEJkTStUaWVzZTNpKzZNTnRmR0tJUGsKBsVqJ0Xg8qWHGb2IDJXrEq4k4LgQFhQS Z3MvRnRGSUlVNlJVdzVEMjcxNE4xbWcKkS3GagirASPe/XnJgwBIZ9cCdyeOi9Uy
HrVF7MAwE/WSnGRhh/V8osej3QHW4vLg37IjaT6v+hCcBOiJeCqg5g== mcD5Pa6AU7itXL9pHtDcMUsDlKkKYWSUtouW8wAESWdXfFBd2Q+Vgg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-06T20:14:22Z" lastmodified: "2023-07-06T20:14:22Z"
mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
pgp: pgp:
- created_at: "2023-11-23T20:47:07Z" - created_at: "2024-01-23T09:01:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf/Y907bW+LYWHAT8FPF12f8+GvUy744+9sMZe3oSX1ML9F wcBMA0SHG/zF3227AQf+Oo8GZF91ry7FhASb7USKTxKYFfdlJPWDxLFtBNSFkqdV
JOEjxSOs9OCWM79qBIMI6Nets3lV1eEoR8eG74jcIwNPQMfQn/U4hHtJM9Nq4yI7 U7tOgAB3WJTSlED8Cs+6gyNNr3n7Y6p2KaOLYjft05T/Ms9pDuJAV1S8Ogfo5zys
1FLQEfGZcuSMUk2/1c/9lEi+Sye9W+9ZYGUIcvBu1ksPmZpJT/BVOaNc8xWe1hzY W7Ss4hkCMZqIXZXTQ03yZner+8o8v/F/f0SPNji8znT2qZmLZbhwa2IPjmORo3L7
FmEzwaWAPaxSH1EM3KnPhxezzn76DxjDKc4iMNi+5UoAIT2cssbdckf5uDaTa3CE y4F38IVie8keQNWObSFqd7qVqKynHHg+ur5NmVgUAVO/wMg6TytV3Wa11Hfq50tc
6GrfR9//5ldsPqineM2MHeEMHgn+mlVYmpiXNBCfcMfEi81o6l5nmNjy1qjABEKC EenVAyBW1GUOtsBCH8MOCgH4paZcrzkBPU2dK9UppUWzB5RxayIZT34Qf4mNHwdL
254kSW+vMFOhdH6AZvJ/21z/3aUTwMM2mFEti/nh4dJRAWNWEymviIC1o2esJ9K6 sa83I2MwMp0fuTW66YvJPR1vjcYgY/wOxxZw28biidJRAWpiGsPhGKg+AHmHNp/T
77xHv4pEIEahuBcHLBbeBK3AYYqJxcZr5BhIqGAir8OlCOaXzRsN5ElzmVS+Hoib NjN/7MVxZMUX/DHm2LmF6sjSp99wqCl8yvEIrXcGXSSY218XZ0QgXQRhhErwCEaT
t04nfgpuRfKyso0zrndvLwDn JM145ZTHicA2qi4NqMkfsvjf
=lmD0 =6arN
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
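Review bot: The new side lists `- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` twice in `sops.age`, once as the stanza that was already present and once as a second stanza added right after it, so the data key is wrapped to the same public key twice. This is harmless cryptographically, but it most likely means the key is named twice in the sops creation rules; dropping the repeated entry there keeps the recipient list an accurate record of who can decrypt. The JSON secrets file further down (the `@ -8,19 +8,47` hunk) shows the same duplicate. Separately, `lastmodified` and `mac` are identical on both sides while every stanza is re-wrapped, which looks like a key update rather than a re-encryption, so the data key is presumably unchanged and the newly added `age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6` recipient can read every value already in the file.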


@ -0,0 +1,38 @@
#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-19T20:25:37Z"
mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str]
pgp:
- created_at: "2023-08-11T16:31:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
C5Jot9exml6467YZkApBm0eM
=HulH
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,26 +0,0 @@
{
"data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-07-01T17:49:07Z",
"mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]",
"pgp": [
{
"created_at": "2023-07-01T17:45:58Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----",
"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}


@ -0,0 +1,36 @@
hello: ENC[AES256_GCM,data:9dO0Gd4YDDxWHHBYtdomfK8BJnBZC+SQYfUvTAkCq9sOO/ZH/bFhN0Fl/NvLzQ==,iv:m1TZ9PGjsoMo7NA9EHrLb0tCtIl98E3OEN1bkpZZxXY=,tag:Gup/pACLIXGXu8KEyzmfWg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU3VmRjNmYzhPT1A5WFpB
S2ZBeE0xWGkyR0pJVm9vVnc2ZzNWWHNkY2tvCnhHUlh6d3F2cDdHZWpvMGJ6ajhw
WHgyd21RZWQrSHA4bllsWVExRksrcm8KLS0tIGVvNVF1TkJ0MDBxMzRFZE01VVVz
Q1FmbW9BL3E1emwwWFhJTTZoRlhVdFEKCkpvkW65v0+fuh2bXZVNVbnwsl1Aca/O
9tkIMNLFhD/Rn8MFmkhIZmWYWB4IUwW/UNSxrmkt7cyFJNlpAH0+YA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-23T09:41:31Z"
mac: ENC[AES256_GCM,data:xGspZnqqcwoxM0otV3m6RJdwp4laYC+b6DSOEhzbQDeS6hslD6BddQ2g+tS7l3QTtItOjmB6pLb1JJkyhaG3PDWaDu89GNlvUyTyTUxfZWzTfiB6LWJS7eDTwb6OvzDklzCRltoH+8bWTjedWkeWIOtYbjJPo6zwUAiXgiKOj2s=,iv:MSgm5HXlb/NtvqHvVmDdwzX5ebipf7UJnmPNFUV9Nzs=,tag:XT4Evu+Sn+t/+EPb+dZ61Q==,type:str]
pgp:
- created_at: "2024-01-23T09:01:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAp6QdUiZPpktzBQ4kG3QctoiCJ6NwiYEtPJAftgbbBCDb
WdtjiLmp0+XFf4TvihdaFy7kDQh2wvMSj3dOLANV/V3BSJwk4WjtJoEEG+B8ZVEN
T0B2SauM7FcgN4eRe3jx0R9xoQGsE8vXdDbyU/rRpf1LZ6HuEjFC1Boe98mtWsAD
MRxYbBfmIsh0DBF9GZyaKR62PyHu7+doRHzxxDJXhItaGW96cKdydw4GhXBvqiXn
9SUxxXhg+FpIMXysncB4+yWKSV8FoCkmqPeNlONgk5hwDNpkeXEDND8mHbhZFN5n
ElUTO2ild4Cxh8E1U3A4IQ8ARMcmyag7wnCUmcxnTdJRAa11NhS+6h2PVNqRt53E
p2UKvgbpMgMYj3pWlP9dSuege0+YhynTGRpjTbbUqNJVGFAKfwvPa0zY0hc0hG6G
7Y5zpcqR+/NlVgerPZwLNFib
=0kQe
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -8,19 +8,47 @@
"age": [ "age": [
{ {
"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2lYMFY1V1piNlBpUURv\naWh3dHpaQXdqdzRCU2JIcHExbkhwZzhXd0JnCkFTMG5wVDNQVzNVUmo1cUh1TWtF\naHVTcGRpSDNxa1NHVDZvZWFpREdOcVEKLS0tIFVJSTdiZFBwTlJEMFowYnJqdjFr\nWDdKM2FGM0dQS1NZOTlZUGlOa2srV2cKr/EwcrbOw9vjmFp7OsEF6y0KxACs8NPM\nRYMKhnzd/6VFY5aK79V6JuMSOLaMT+AbQODg+R/iA3TNLev22Jfcvw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOWsvenhWdC9ENVlXTXZi\ndWtJWWZUZGMyTzduMzFvK2M1NmFLZ1JwVFNFCkpTMDh6eWhwV0Fya0syRDhuWDlK\nV1lBbGNDbXUvNHB5MGMrS3R0b043YnMKLS0tIExXNXlsaUhsTUxGZGY5U2VRNXJr\nNjZmTU80QVZ1blFKd2dGandsVm42blEK/3uqLhxS16HU67wA0T0Y9uqb2WJI6dII\ndCktjLZcKKyGB+UXNyzDiRgMR4OKIvB0MjLIql2SZKt53OpkpytAbQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlErYU5pUHJRdXlCRmZS\nNWlWalFDb0xFZFlrbkdXMG0zYXl1UjhmNUQwCmNCcWZPME8yOGcycnVRWXJxeFo3\nTHFuWHY5aXRxZERNU3duSzRsaFIreWMKLS0tIDRyWmFzeGN2YU9LNW9IWUZNWkVJ\nOTlYTlNteEU0REhmd3ovbGQ4Z09FakkKliCyJsTqsUD5t2vOfTigqA7WObfNCcsd\nt1Fs8vf/1tReWqF8V0f97lD2APgfqgg0hqWFcKkiGYBRWEJvBAj8Lw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT0xzWEtNRHl3bFBZRGl2\nTlkyaWRGTHcxcDVqa012VUk1ZUVjREF2bGlJCmRBNkdzRmsxT2dFemJ6NFAxV1g5\nV2p2c09VKzNVSTJ0V2lheWNwMFlMdk0KLS0tIDZWMTBtaWZjcmRYMnhjY3VudlUz\nem10U1FzZ3p2VzZrRXZyRDFUTy92dkUKcM0Nh1/rQ/aoXHJ16QjZ0daxyaOIyzyx\nXbWDj0opTiYweKrL93P8MSQr8V5i2zVcxP7Gw/fZsWlCs26nBeK1xQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZVdzS2lONzg0eGJUei9X\nem9Nc1FhTm5XampHVjJieHJjOUczR09VNTFjCjBkejNlY0I3dEhYbzYvaTBsMDd5\ndjc0alpKNWF6YTVOczltTFRueWZBYXcKLS0tIFJTSThncVdhajhaNmdZTjRNQVFB\nTi93ejQ2bUsrVXl0eDRkbFE5UlhKUzQKg/cJKYzhq1YIBvvNx/N4F258WUnrmNMs\n2MnxrLk9a67AGciCynEMO02dpUXPWxgUkTSqOjRkkcA20x5Rpn4e6w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRUliYTB2MG1zUVU0ZWFM\nNUNEMUdha3ZSZ2dkYmZuVk96VjlUTVpWNkI0ClIyUFBZWFppTzJwbHhJaFhXWTBM\nT0pvVklqbE00aW9GMG4wWnFkZkNoQVkKLS0tIExoeTBBcjlsUkZyQkNrUW1zdXU2\nUytDNk9YOXNtU3hLUzdFQnlzQ1lJSjgK+64AJTx4ZjT4njl0Gr4Hk3ykljRTgaqO\nuOjLz/9Qy2rM3BcJzajhCU1pU4f1A0qDQRjoYj5+M9qW/NMbZt6Ujw==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjJsQVpGQXhLdkh0UGtp\nUkZKa0hRblFHaHpVZm9MNnA2SnBIYVdLUDE4Cmkvbmx1aVBVMVFjdlBjU2JTNlVa\nYTQwdUF0ZHhzRGFIY2RUS1JmOVhCWE0KLS0tIGd0eHNOUmJ3T21jQ0QvRHlnOWRw\ndXBIVFdRQld3RmR3VWhpRS9XLy93ZzgKIcCl3r4Q+p1GqeMQmTQFDOhGDN1KE1Fl\npdx6QOkhZSVAux3YcbWNex7nDju5Meqhyhfe5l4YLJKnM5gs3efFcQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazhNT3QzWFpXNTFmWVkr\nTklLei9RN1M1R0pVVTBZTUJkTDVvbzdWbG5zCmx0RVgwbG5IZXNvZUFkaWNzRW10\nKzdNTDZyaGZVNDg0MXR6aGpVQ3FOSEUKLS0tIHB2WnNHZStodXZJTElBV0ljWExy\nbFo2Q3RMRm5BNm1zcnNhdzRYbk5CcWMKsdK8OIVKidayA0LU1NF2pjHjTirVQ/MA\nS4yGouebH4YbFkHDpHbttv572Iw1mbZK0EVIbiJuYoGudb1w60ROIA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU090RWZqSnpSaGFWcmVM\nQlRWckdLMk5Kd2E0dFVnSzZEcXBPNmkyTkVZCnNtekhvcUhYZG1RS0ZINVBNMU9L\nSHFqNlMxODdRbm5MOEw3UG9VM2NlVUUKLS0tIE5acnhENFNwR3JMc0s3N2g4dFBs\nR0FuSi94d3RUNFVWQ01uM3UyZW1tRDAKfIVF6+PE2iMC3m81wPoqH9LqL3MsK1WV\nslE4l1m04UL315vdAyPm3k9b+vkTGD4Fmeywsto7Am92/JCanlT7+g==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2023-07-01T20:19:12Z", "lastmodified": "2023-07-01T20:19:12Z",
"mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2023-07-01T20:50:27Z", "created_at": "2024-01-24T22:48:30Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----", "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf9H8VPhApFkYZi72afxgtHIqclNN4BPuSEhYQYR0m2tvm+\nj0sa3ehI6frkH8KxCtgXgaVB+74yWe+JeVnWRZUk1nIm+q0kuN+0Kn5+YQW0iYuv\n3z34VCw938Gebz57BLaWZTcns3xur+Ug3a+fjyjsKW7w90aP2Q7V2qp9AgxxsN1U\nl9Z1RXHlIUS1CGqA8py2mIkgvlK0WHiYRXsqdRvJh1jdUvzkJjYSpgz4Kj7pyyte\nvXIB4HckW6Fjn6Nlfeyzt6Ka9NziX7EAFlBs/8U8QvkX8AizCxuTwwB9n5rbRxb3\nDjXbgckkkKHc2nEx3xSRe7vh1cfQhTU/TNTuZI3GcNJeAVD89dwR7hhkqFzkanw+\n3hVV1mbDNIDA2fCfxiDLvBDYq8jhaMosAIrwO5TcXEm1PeEuRx1mDEjHsthwmOad\nEJNSBWKGzd13r23WlPRjdeCUF0YSnNFbhM0rwLlLdA==\n=5GJ1\n-----END PGP MESSAGE-----",
"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
} }
], ],