steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: steveej:master
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0
..
compare: steveej:WIP-router0-nfmnk-tunnels
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0

No commits in common. "master" and "WIP-router0-nfmnk-tunnels" have entirely different histories.
master ... WIP-router

274 changed files with 7041 additions and 9207 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.envrc
View file

@ -1,5 +1,5 @@
if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then if ! has nix_direnv_version || ! nix_direnv_version 3.0.4; then
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM=" source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-DzlYZ33mWF/Gs8DDeyjr8mnVmQGx7ASYqA5WlxwvBG4="
fi fi
use flake .#develop use_flake .#develop

BIN
.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
View file

Binary file not shown.

5
.gitignore vendored
View file

@ -4,8 +4,3 @@
.env .env
**/result **/result
.direnv/ .direnv/
# nixago: ignore-linked-files
/treefmt.toml
/debug-logs

10
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,10 @@
stages:
- build
build:
stage: build
tags:
- nix
script:
# Test the nix-shell
- just run-with-channels 'nix-shell --run "echo OK"'

34
.sops.yaml
View file

@ -15,11 +15,9 @@ keys:
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - &router0-nfmnk age1x8fcjgaknfh5m2s4f0r2mjtfdjkuyj74y39jmh28k2pp5hmn25nschlra9
- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - &sj-bm-hostkey0 age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
creation_rules: creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$ - path_regex: ^(.+/|)secrets/[^/]+$
key_groups: key_groups:
@ -36,9 +34,8 @@ creation_rules:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1 - *sj-srv1
- *hstk0 - *sj-bm-hostkey0
- *router0-ifog - *router0-nfmnk
- *router0-hosthatch
- path_regex: ^secrets/steveej-t14/.+$ - path_regex: ^secrets/steveej-t14/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -78,18 +75,12 @@ creation_rules:
- *steveej - *steveej
age: age:
- *router0-dmz0 - *router0-dmz0
- path_regex: ^secrets/router0-ifog/.+$ - path_regex: ^secrets/router0-nfmnk/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *router0-ifog - *router0-nfmnk
- path_regex: ^secrets/router0-hosthatch/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-hosthatch
- path_regex: ^secrets/sj-vps-htz0/.+$ - path_regex: ^secrets/sj-vps-htz0/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -102,12 +93,12 @@ creation_rules:
- *steveej - *steveej
age: age:
- *sj-srv1 - *sj-srv1
- path_regex: ^secrets/hstk0/.+$ - path_regex: ^secrets/sj-bm-hostkey0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *hstk0 - *sj-bm-hostkey0
- path_regex: ^secrets/steveej-x13s/.+$ - path_regex: ^secrets/steveej-x13s/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -120,3 +111,10 @@ creation_rules:
- *steveej - *steveej
age: age:
- *steveej-x13s - *steveej-x13s
- *sj-bm-hostkey0
- path_regex: ^secrets/sj-bm-hostkey0/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-bm-hostkey0

20
.vscode/settings.json vendored
View file

@ -1,20 +1,6 @@
{ {
"editor.defaultFormatter": "ibecker.treefmt-vscode", "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix",
"editor.formatOnSave": true, "[nix]": {
"nix.enableLanguageServer": true, "editor.defaultFormatter": "jnoortheen.nix-ide"
"nix.serverPath": "nil",
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
"autoArchive": true,
"diagnostics": {
"ignored": ["unused_binding", "unused_with"]
}, },
"formatting": {
"command": ["treefmt", "--stdin", ".nil.nix"]
}
}
},
"treefmt.command": "treefmt",
"treefmt.config": ""
} }

14
Justfile
View file

@ -127,7 +127,6 @@ disk-relabel dir previous:
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir: disk-mount dir:
just -v _device diskMount {{dir}} just -v _device diskMount {{dir}}
# Unmount target disk, specified by device configuration directory # Unmount target disk, specified by device configuration directory
disk-umount dir: disk-umount dir:
just -v _device diskUmount {{dir}} just -v _device diskUmount {{dir}}
@ -136,6 +135,7 @@ disk-umount dir:
disk-install dir: _render_templates disk-install dir: _render_templates
just -v _device diskInstall {{dir}} just -v _device diskInstall {{dir}}
verify-n-unlock sshserver attempts="10": verify-n-unlock sshserver attempts="10":
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
@ -222,7 +222,7 @@ install-config config root:
sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
# Switch between gpg-card capable devices which have a copy of the same key # Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card key-id="6EEFA706CB17E89B": switch-gpg-card:
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# Derived from https://github.com/drduh/YubiKey-Guide/issues/19. # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
@ -230,11 +230,7 @@ switch-gpg-card key-id="6EEFA706CB17E89B":
# Connect the new device and then run this script to make it known to gnupg. # Connect the new device and then run this script to make it known to gnupg.
# #
set -xe set -xe
if [[ -n "{{key-id}}" ]]; then
KEY_ID="{{key-id}}"
else
KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
fi
# export pubkey and ownertrust # export pubkey and ownertrust
gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
@ -313,9 +309,3 @@ cachix-use name:
update-sops-keys: update-sops-keys:
for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
deploy-router0-dmz0:
NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
ttyusb:
screen -fa /dev/ttyUSB0 115200

30
README.md
View file

@ -1,5 +1,4 @@
# steveej's infra # steveej's infra
This repository helps me to manage all computer infrastructure. This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org). This is mostly achieved with the help of [Nix](https://nixos.org).
@ -40,46 +39,39 @@ In the unlikely case that you actually read this and have any questions please d
- [x] sj-pve0 - [x] sj-pve0
- [x] use an existing secret management framework - [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes - [x] adapt (or abandon?) _just_ recipes
- [x] `rebuild-this-device` - [x] `rebuild-this-device`
- [x] `update-this-device` - [x] `update-this-device`
- [x] `rebuild-remote-device` - [x] `rebuild-remote-device`
- [x] `update-remote-device` - [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion: evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena) - [x] [colmena](https://github.com/zhaofengli/colmena)
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68 * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs - [ ] deploy-rs
- [x] 🚧 find a better alternative for the qtile-desktop - [x] 🚧 find a better alternative for the qtile-desktop
current issues: current issues:
- floating windows often get lost in the background - floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop - plugging in-/out- screen crashes the desktop
evaluate: evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~ - [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~ - [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process - [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine - [ ] a new machine
- [ ] an install media - [ ] an install media
- [ ] Design disaster recovery - [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle _\_archived_ - [ ] Recycle *\_archived*
- [ ] container migrations - [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started - [ ] ensure DDNS is updated _before_ the containers are started
## Bugs
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755 - [ ] home-manager leaves ~/.gnupg at 0755
## Usage ## Usage
*(These are reminders for my future self)*
_(These are reminders for my future self)_
``` ```
just --list just --list
@ -88,17 +80,15 @@ just --list
## Bootstrap ## Bootstrap
### A new machine ### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
- ensure the dotfiles repo has a branch with the new machine's hostname * boot with an install media and go through setup
- boot with an install media and go through setup
#### Post-Install Setup #### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `chmod --recursive g-rwx,o-rwx ~/.gnupg` * `gpg2 --edit-card; fetch`
- `gpg2 --edit-card; fetch` * clone password-manager and infra repositories
- clone password-manager and infra repositories * gpg2: ultimately trust my own key
- gpg2: ultimately trust my own key
## Swapping out a disk ## Swapping out a disk

5
default.nix
View file

@ -4,9 +4,6 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as: # commands such as:
# nix-build -A mypackage # nix-build -A mypackage
{ {pkgs ? import <nixpkgs> {}}: {
pkgs ? import <nixpkgs> { },
}:
{
pkgs = import ./nix/pkgs {inherit pkgs;}; pkgs = import ./nix/pkgs {inherit pkgs;};
} }

1066
flake.lock generated
View file

File diff suppressed because it is too large Load diff

399
flake.nix
View file

@ -1,18 +1,18 @@
# flake.nix # flake.nix
{ {
inputs = { inputs = {
# TODO: where has this been used? dotfiles = {
# dotfiles = { url = "gitlab:steveeJ/dotfiles";
# url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; flake = false;
# flake = false; };
# };
# flake and infra basics # flake and infra basics
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
radicalePkgs.follows = "nixpkgs-2211"; radicalePkgs.follows = "nixpkgs-2211";
nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.follows = "nixpkgs-2411"; nixpkgs.follows = "nixpkgs-2311";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
@ -41,13 +41,14 @@
url = "github:nix-community/fenix"; url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
crane.url = "github:ipetkov/crane"; crane = {
url = "github:ipetkov/crane";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
# applications # applications
aphorme_launcher = { aphorme_launcher = {
url = "github:Iaphetes/aphorme_launcher/main"; url = "github:Iaphetes/aphorme_launcher/main";
@ -70,9 +71,13 @@
flake = false; flake = false;
}; };
salut = {
url = "gitlab:snakedye/salut";
flake = false;
};
prs = { prs = {
# url = "gitlab:timvisee/prs/v0.5.2"; url = "gitlab:timvisee/prs/master";
url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
flake = false; flake = false;
}; };
@ -81,47 +86,43 @@
flake = false; flake = false;
}; };
# nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; ### inputs for thinkpad x13s
# see https://github.com/jhovold/linux/wiki/X13s for status updates
linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7";
linux_x13s.flake = false;
brainwart_x13s-nixos = {
url = "github:BrainWart/x13s-nixos/flake";
flake = false;
};
adamcstephens_stop-export = {
flake = false;
url = "git+https://codeberg.org/adamcstephens/stop-export.git";
};
# alsa-ucm-conf = {
# flake = false;
# url = "github:alsa-project/alsa-ucm-conf/master";
# };
logseq_0_10_5_aarch64_appimage = {
flake = false;
url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage";
};
espanso = { espanso = {
flake = false; flake = false;
url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
}; };
nix4vscode = {
url = "github:nix-community/nix4vscode";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixvim = {
# TODO: pin to nixos-24.11 once available
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago = {
url = "github:jmgilman/nixago";
inputs.nixpkgs.follows = "nixpkgs";
}; };
nur = { outputs = inputs @ {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
};
outputs =
inputs@{
self, self,
flake-parts, flake-parts,
nixpkgs, nixpkgs,
... ...
}: }: let
let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
systems = [ systems = [
@ -129,26 +130,25 @@
"aarch64-linux" "aarch64-linux"
]; ];
in in
flake-parts.lib.mkFlake { inherit inputs; } ( flake-parts.lib.mkFlake {inherit inputs;}
{ withSystem, ... }: ({withSystem, ...}: {
{
flake.colmena = flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } {
meta.nixpkgs = import inputs.nixpkgs.outPath {
system = builtins.elemAt systems 0;
};
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
( (builtins.map
builtins.map (nodeName:
(
nodeName:
import ./nix/os/devices/${nodeName} { import ./nix/os/devices/${nodeName} {
inherit nodeName; inherit nodeName;
repoFlake = self; repoFlake = self;
repoFlakeWithSystem = withSystem; repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
} }) [
)
[
"steveej-t14" "steveej-t14"
"steveej-x13s" "steveej-x13s"
"steveej-x13s-rmvbl" "steveej-x13s-rmvbl"
@ -156,24 +156,21 @@
# "justyna-p300" # "justyna-p300"
# "srv0-dmz0" # "srv0-dmz0"
# "router0-dmz0" # # "router0-dmz0"
"router0-ifog" "router0-nfmnk"
"router0-hosthatch"
"sj-srv1" "sj-srv1"
] "sj-bm-hostkey0"
);
flake.lib = { # "retro"
inherit withSystem; ]);
};
# this makes nixos-anywhere work # this makes nixos-anywhere work
flake.nixosConfigurations = flake.nixosConfigurations = let
let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations;
in (
colmenaHive colmenaHive
// { // {
router0-dmz0 = router0-dmz0.native; router0-dmz0 = router0-dmz0.native;
@ -182,16 +179,17 @@
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross; router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross = # nixos-install --flake .\#retro_cross
(inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; retro_cross = retro.cross;
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
}; steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
inherit systems; inherit systems;
perSystem = perSystem = {
{
self', self',
inputs', inputs',
system, system,
@ -199,105 +197,94 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: {
{ imports = [
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; ./nix/modules/flake-parts/perSystem/default.nix
];
packages = packages = let
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; craneLib =
inputs.crane.lib.${system}.overrideToolchain
inputs'.fenix.packages.stable.toolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; craneLibOfiPass =
inputs.crane.lib.${system}.overrideToolchain
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
_prsPackage = # broken as of 2023-04-27 because it doesn't load without a config
{ # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
lib, # yofi = inputs'.yofi.packages.default;
rustPlatform, # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
installShellFiles,
pkg-config, inherit (inputs'.colmena.packages) colmena;
python3,
# jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
# src = inputs.jay;
# rustPlatform = pkgs.makeRustPlatform {
# cargo = inputs'.fenix.packages.stable.toolchain;
# rustc = inputs'.fenix.packages.stable.toolchain;
# };
# };
salut = craneLib.buildPackage {
src = inputs.salut;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
pkgs.libxkbcommon
pkgs.fontconfig
];
};
prs =
pkgs.callPackage
({
pkgs,
dbus,
glib, glib,
gpgme, gpgme,
gtk3, gtk3,
stdenv, libxcb,
cargoHash ? "sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", libxkbcommon,
src, installShellFiles,
version, pkg-config,
makeWrapper, python3,
skim,
}: }:
craneLib.buildPackage {
rustPlatform.buildRustPackage rec {
pname = "prs"; pname = "prs";
version = inputs.prs.shortRev;
inherit src version cargoHash; src = inputs.prs;
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
makeWrapper
];
cargoBuildFlags = [
"--no-default-features"
"--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp"
];
buildInputs = [ buildInputs = [
dbus
glib glib
gpgme gpgme
gtk3 gtk3
libxcb
libxkbcommon
]; ];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done done
''; '';
})
postFixup = '' {};
wrapProgram $out/bin/prs \
--prefix PATH : ${lib.makeBinPath [ skim ]}
'';
meta = with lib; {
description = "Secure, fast & convenient password manager CLI using GPG and git to sync";
homepage = "https://gitlab.com/timvisee/prs";
changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md";
license = with licenses; [
lgpl3Only # lib
gpl3Only # everything else
];
maintainers = with maintainers; [ dotlambda ];
mainProgram = "prs";
};
};
local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
set -x
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=0 \
# --x-unscale=3 \
--verbose
'';
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage _prsPackage {
src = inputs.prs;
version = inputs.prs.shortRev;
cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8=";
};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
@ -328,101 +315,37 @@
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
''; '';
rperf = craneLib.buildPackage { logseq =
src = inputs.rperf; pkgs.callPackage ./nix/pkgs/logseq
nativeBuildInputs = [ pkgs.pkg-config ]; (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
buildInputs = [ ]; overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage;
};
inherit local-xwayland;
inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
just = {
enable = true;
includes = [
"*/Justfile"
"Justfile"
];
};
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
options = [ "--no-underscore" ];
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
}); });
devShells = rperf = craneLib.buildPackage {
let src = inputs.rperf;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
];
};
};
formatter = pkgs.alejandra;
devShells = let
all = import ./nix/devShells.nix { all = import ./nix/devShells.nix {
inherit inherit
self
self' self'
inputs' inputs'
pkgs pkgs
; ;
}; };
in in (all // {default = all.develop;});
all
// {
default = all.develop;
}; };
flake.nixosModules = {
# thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; }));
}; };
} });
);
} }

BIN
misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
View file

Binary file not shown.

2
nix/container-images/build.sh
View file

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
[ -n "$NAME" ] [ ! -z "$NAME" ]
nix-build . --show-trace -A "$NAME" nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force docker image rm "$NAME":latest --force

38
nix/container-images/default.nix
View file

@ -1,10 +1,6 @@
{ {pkgs ? import <nixpkgs> {}}: let
pkgs ? import <nixpkgs> { },
}:
let
baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
in in rec {
rec {
base = pkgs.dockerTools.buildImage rec { base = pkgs.dockerTools.buildImage rec {
name = "base"; name = "base";
@ -25,20 +21,12 @@ rec {
interactive_base = pkgs.dockerTools.buildImage { interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base"; name = "interactive_base";
fromImage = base; fromImage = base;
contents = with pkgs; [ contents = with pkgs; [procps zsh coreutils neovim];
procps
zsh
coreutils
neovim
];
config = { config = {Cmd = ["/bin/zsh"];};
Cmd = [ "/bin/zsh" ];
};
}; };
s3ql = s3ql = let
let
entrypoint = pkgs.writeScript "entrypoint" '' entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -85,10 +73,7 @@ rec {
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "s3ql"; name = "s3ql";
fromImage = interactive_base; fromImage = interactive_base;
contents = [ contents = [pkgs.s3ql pkgs.fuse];
pkgs.s3ql
pkgs.fuse
];
runAsRoot = '' runAsRoot = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -99,7 +84,9 @@ rec {
''; '';
config = { config = {
Env = baseEnv ++ [ Env =
baseEnv
++ [
"HOME=/home/s3ql" "HOME=/home/s3ql"
"S3QL_CACHE_DIR=/var/cache/s3ql" "S3QL_CACHE_DIR=/var/cache/s3ql"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2" "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
@ -115,8 +102,7 @@ rec {
}; };
}; };
syncthing = syncthing = let
let
entrypoint = pkgs.writeScript "entrypoint" '' entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -x set -x
@ -148,9 +134,7 @@ rec {
config = { config = {
Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [entrypoint]; Cmd = [entrypoint];
Volumes = { Volumes = {"/data" = {};};
"/data" = { };
};
}; };
}; };
} }

30
nix/default.nix
View file

@ -1,9 +1,6 @@
{ versionsPath }: {versionsPath}: let
let
channelVersions = import versionsPath; channelVersions = import versionsPath;
mkChannelSource = mkChannelSource = name: let
name:
let
channelVersion = builtins.getAttr name channelVersions; channelVersion = builtins.getAttr name channelVersions;
in in
builtins.fetchGit { builtins.fetchGit {
@ -11,24 +8,19 @@ let
inherit name; inherit name;
inherit (channelVersion) url ref rev; inherit (channelVersion) url ref rev;
}; };
nixPath = builtins.concatStringsSep ":" ( nixPath = builtins.concatStringsSep ":" (builtins.map
builtins.map ( (elemName: let
elemName:
let
elem = builtins.getAttr elemName channelVersions; elem = builtins.getAttr elemName channelVersions;
elemPath = mkChannelSource elemName; elemPath = mkChannelSource elemName;
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; suffix =
if builtins.hasAttr "suffix" elem
then elem.suffix
else "";
in in
builtins.concatStringsSep "=" [ builtins.concatStringsSep "=" [elemName elemPath] + suffix)
elemName (builtins.attrNames channelVersions));
elemPath
]
+ suffix
) (builtins.attrNames channelVersions)
);
pkgs = import (mkChannelSource "nixpkgs") {}; pkgs = import (mkChannelSource "nixpkgs") {};
in in {
{
inherit nixPath; inherit nixPath;
channelSources = pkgs.writeText "channels.rc" '' channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath} export NIX_PATH=${nixPath}

27
nix/devShells.nix
View file

@ -1,10 +1,10 @@
{ {
self,
self', self',
inputs', inputs',
pkgs, pkgs,
}: }: let
{ pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages;
in {
install = pkgs.mkShell { install = pkgs.mkShell {
name = "infra-install"; name = "infra-install";
packages = with pkgs; [ packages = with pkgs; [
@ -19,9 +19,10 @@
develop = pkgs.mkShell { develop = pkgs.mkShell {
name = "infra-develop"; name = "infra-develop";
inputsFrom = [ self'.devShells.install ]; inputsFrom = [
self'.devShells.install
];
packages = with pkgs; [ packages = with pkgs; [
self'.formatter # .package
inputs'.colmena.packages.colmena inputs'.colmena.packages.colmena
dconf2nix dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere inputs'.nixos-anywhere.packages.nixos-anywhere
@ -67,7 +68,6 @@
# hedgedoc-cli # hedgedoc-cli
xwayland xwayland
pulsemixer
(pkgs.writeShellScriptBin "rflk" '' (pkgs.writeShellScriptBin "rflk" ''
exec nix run nixpkgs#$@ exec nix run nixpkgs#$@
@ -80,24 +80,9 @@
jq jq
yq yq
wireguard-tools wireguard-tools
screen
inputs'.nixpkgs-unstable.legacyPackages.kanidm
]; ];
# Set Environment Variables # Set Environment Variables
RUST_BACKTRACE = 1; RUST_BACKTRACE = 1;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook = builtins.concatStringsSep "\n" [
# (self.inputs.nixago.lib.${pkgs.system}.make {
# data = self'.formatter.settings;
# output = "treefmt.toml";
# format = "toml";
# }).shellHook
];
}; };
} }

88
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -5,14 +5,12 @@
# these come in via home-manager.extraSpecialArgs and are specific to each node # these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake, nodeFlake,
repoFlake, repoFlake,
packages',
... ...
}: }: let
let # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
pkgsUnstable = pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
pkgs.pkgsUnstable in {
or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
in
{
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
# ../profiles/dotfiles.nix # ../profiles/dotfiles.nix
@ -35,41 +33,20 @@ in
../programs/libreoffice.nix ../programs/libreoffice.nix
../programs/neovim.nix ../programs/neovim.nix
../programs/vscode ../programs/vscode
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
../programs/obs-studio.nix
]; ];
home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go"; home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"electron-28.3.3"
"electron-27.3.11"
]; ];
nixpkgs.config.allowUnfree = [
"electron-28.3.3"
"electron-27.3.11"
];
# nixpkgs.config.allowUnfreePredicate = pkg:
# builtins.elem (lib.getName pkg) [
# "smartgithg"
# "electron-27.3.11"
# ];
home.packages = home.packages =
(with pkgs; [ []
++ (with pkgs; [
# Authentication # Authentication
# cacert # cacert
# fprintd # fprintd
@ -105,13 +82,14 @@ in
# Password Management # Password Management
gnupg gnupg
yubikey-manager # yubikey-manager
yubikey-manager-qt
yubikey-personalization yubikey-personalization
yubikey-personalization-gui yubikey-personalization-gui
# gnome.gnome-keyring # gnome.gnome-keyring
gcr gcr
seahorse gnome.seahorse
# Language Support # Language Support
hunspellDicts.en-us hunspellDicts.en-us
@ -125,13 +103,16 @@ in
aspellDicts.de aspellDicts.de
# skypeforlinux # skypeforlinux
# pkgsUnstable.jitsi-meet-electron # pkgsUnstable.jitsi-meet-electron
thunderbird-128 thunderbird
# betterbird
# FIXME: depends on insecure openssl 1.1.1t # FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop # kotatogram-desktop
pkgsUnstable.tdesktop tdesktop
pkgsUnstable.signal-desktop-source signal-desktop
thunderbird
# gnome.cheese
# Virtualization # Virtualization
virt-manager virt-manager
@ -141,7 +122,7 @@ in
# freerdp # freerdp
# Audio/Video Players # Audio/Video Players
# ffmpeg ffmpeg
vlc vlc
# v4l-utils # v4l-utils
# audacity # audacity
@ -149,8 +130,6 @@ in
yt-dlp yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
libwebcam libwebcam
libcamera
snapshot
# Network Tools # Network Tools
tcpdump tcpdump
@ -161,11 +140,11 @@ in
nethogs nethogs
# Code Editing and Programming # Code Editing and Programming
# TODO(remove or use): pkgsUnstable.lapce pkgsUnstable.lapce
# TODO(remve or use): pkgsUnstable.helix pkgsUnstable.helix
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
eog gnome.eog
# gimp # gimp
# imagemagick # imagemagick
# exiv2 # exiv2
@ -187,11 +166,10 @@ in
# cdrtools # cdrtools
# Document Processing and Management # Document Processing and Management
nautilus gnome.nautilus
pcmanfm pcmanfm
# mendeley # mendeley
evince evince
xournalpp
# File Synchronzation # File Synchronzation
maestral maestral
@ -215,7 +193,7 @@ in
# dex # dex
coreutils coreutils
lsof lsof
xdg-utils xdg_utils
xdg-user-dirs xdg-user-dirs
dconf dconf
picocom picocom
@ -244,11 +222,17 @@ in
# libretro.snes9x2010 # libretro.snes9x2010
# retroarchFull # retroarchFull
# pkgs.logseq-bin packages'.logseq
pkgs.logseq # (pkgs.runCommand "logseq-wrapper"
# (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) # {
# nativeBuildInputs = [ pkgs.makeWrapper ];
# } ''
# makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \
# --set NIXOS_OZONE_WL ""
# '')
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
]) ])
++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop pkgsUnstable.ledger-live-desktop

11
nix/home-manager/configuration/graphical-gnome3.nix
View file

@ -1,8 +1,13 @@
{ pkgs, ... }:
{ {
home.packages = with pkgs; [ pkgs,
config,
...
}: {
home.packages =
[]
++ (with pkgs; [
gnome.gnome-tweaks gnome.gnome-tweaks
gnome.gnome-keyring gnome.gnome-keyring
gnome.seahorse gnome.seahorse
]; ]);
} }

11
nix/home-manager/configuration/graphical-removable.nix
View file

@ -1,5 +1,8 @@
{ pkgs, ... }:
{ {
pkgs,
config,
...
}: {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
../profiles/qtile-desktop.nix ../profiles/qtile-desktop.nix
@ -13,7 +16,9 @@
../programs/pass.nix ../programs/pass.nix
]; ];
home.packages = with pkgs; [ home.packages =
[]
++ (with pkgs; [
# Nix package related tools # Nix package related tools
patchelf patchelf
nix-index nix-index
@ -95,5 +100,5 @@
# Virtualization # Virtualization
virtmanager virtmanager
]; ]);
} }

15
nix/home-manager/lib.nix
View file

@ -1,19 +1,14 @@
_: { {}: let
mkSimpleTrayService = in {
{ execStart }: mkSimpleTrayService = {execStart}: {
{
Unit = { Unit = {
Description = ""; Description = "";
After = ["graphical-session-pre.target"]; After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"]; PartOf = ["graphical-session.target"];
}; };
Install = { Install = {WantedBy = ["graphical-session.target"];};
WantedBy = [ "graphical-session.target" ];
};
Service = { Service = {ExecStart = execStart;};
ExecStart = execStart;
};
}; };
} }

30
nix/home-manager/profiles/common.nix
View file

@ -1,5 +1,8 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
home.stateVersion = lib.mkDefault "23.11"; home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version? # TODO: re-enable this with the appropriate version?
@ -10,26 +13,9 @@
nixpkgs.config = { nixpkgs.config = {
allowBroken = false; allowBroken = false;
allowUnfree = true; allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-32.3.3"
"electron"
];
permittedInsecurePackages = [ permittedInsecurePackages = [
"electron-32.3.3" "nix-2.15.3"
"electron"
];
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"
"aspell-dict-en-science"
]; ];
}; };
@ -53,7 +39,9 @@
programs.command-not-found.enable = true; programs.command-not-found.enable = true;
programs.fzf.enable = true; programs.fzf.enable = true;
home.packages = with pkgs; [ home.packages =
[]
++ (with pkgs; [
coreutils coreutils
vcsh vcsh
@ -93,5 +81,5 @@
usbutils usbutils
pciutils pciutils
]; ]);
} }

43
nix/home-manager/profiles/dotfiles.nix
View file

@ -1,4 +1,45 @@
_: { {
repoFlake,
pkgs,
config,
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
)
'';
vcshActivationScript = pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in {
# TODO: fix the dotfiles # TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript} # $DRY_RUN_CMD ${vcshActivationScript}

6
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
View file

@ -3,16 +3,14 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
... ...
}: }: let
let
repoBareLocal = repoBareLocal =
pkgs.runCommand "fetchbare" pkgs.runCommand "fetchbare"
{ {
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000"; outputHash = "0000000000000000000000000000000000000000000000000000";
} } ''
''
( (
set -xe set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

14
nix/home-manager/profiles/experimental-desktop.nix
View file

@ -1,6 +1,16 @@
{ packages', ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
nodeFlake,
packages',
...
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in {
imports = [
../profiles/wayland-desktop.nix
];
home.packages = [ home.packages = [
# experimental WMs # experimental WMs

75
nix/home-manager/profiles/gnome-desktop.nix
View file

@ -1,6 +1,13 @@
{ pkgs, ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
...
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
services = { services = {
gnome-keyring.enable = false; gnome-keyring.enable = false;
@ -16,10 +23,9 @@
# Hidden=true # Hidden=true
# ''; # '';
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
dconf.settings = dconf.settings = let
let
manualKeybindings = [ manualKeybindings = [
{ {
binding = "Print"; binding = "Print";
@ -36,21 +42,22 @@
numWorkspaces = 10; numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( customKeybindingsNames =
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
); );
workspacesKeyBindingsOffset = builtins.length manualKeybindings; workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9] # with this we can make use of all number keys [0-9]
mapToNumber = mapToNumber = i:
i: if i < 10
if i < 10 then then i
i else if i == 10
else if i == 10 then then 0
0 else throw "i exceeds 10: ${i}";
else
throw "i exceeds 10: ${i}";
in in
{ {
"org/gnome/settings-daemon/plugins/media-keys" = { "org/gnome/settings-daemon/plugins/media-keys" = {
@ -60,41 +67,43 @@
}; };
# disable the builtin <Super>[1-9] functionality # disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs ( "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
(builtins.genList (i: { (i: {
name = "switch-to-application-${toString (i + 1)}"; name = "switch-to-application-${toString (i + 1)}";
value = []; value = [];
}) numWorkspaces) })
numWorkspaces)
++ [ ++ [
{ {
name = "toggle-overview"; name = "toggle-overview";
value = []; value = [];
} }
] ]);
);
# remap it to switching to the workspaces # remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "switch-to-workspace-${toString (i + 1)}"; name = "switch-to-workspace-${toString (i + 1)}";
value = [ "<Super>${toString (mapToNumber (i + 1))}" ]; value = [
}) numWorkspaces "<Super>${toString (mapToNumber (i + 1))}"
); ];
})
numWorkspaces);
} }
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString i}"; name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i; value = builtins.elemAt manualKeybindings i;
}) (builtins.length manualKeybindings) })
) (builtins.length manualKeybindings))
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = { value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}"; binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}"; command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}"; name = "Send to workspace ${toString (i + 1)}";
}; };
}) numWorkspaces })
); numWorkspaces);
} }

12
nix/home-manager/profiles/nix-channels.nix
View file

@ -1,9 +1,14 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = ""; home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -ex set -ex
if test -f $HOME/.nix-channels; then if test -f $HOME/.nix-channels; then
echo Uninstalling available channels... echo Uninstalling available channels...
@ -17,6 +22,7 @@
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels rm $HOME/.nix-channels
fi fi
''}; ''
};
''; '';
} }

19
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -1,14 +1,14 @@
{ pkgs, ... }: {
let pkgs,
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" '' audio = pkgs.writeShellScript "audio" ''
export PATH=${ export PATH=${
with pkgs; with pkgs;
lib.makeBinPath [ lib.makeBinPath [pulseaudio findutils gnugrep]
pulseaudio
findutils
gnugrep
]
}:$PATH }:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -251,8 +251,7 @@ let
def print_new_window(window): def print_new_window(window):
print("new window: ", window) print("new window: ", window)
''; '';
in in {
{
services = { services = {
gnome-keyring.enable = true; gnome-keyring.enable = true;
blueman-applet.enable = true; blueman-applet.enable = true;
@ -287,7 +286,7 @@ in
networkmanagerapplet networkmanagerapplet
gnome-icon-theme gnome-icon-theme
gnome.gnome-themes-extra gnome.gnome-themes-extra
adwaita-icon-theme gnome.adwaita-icon-theme
lxappearance lxappearance
xorg.xcursorthemes xorg.xcursorthemes
pavucontrol pavucontrol

93
nix/home-manager/profiles/sway-desktop.nix
View file

@ -1,64 +1,62 @@
/*
TODO: create helper scripts for sharing of a screen portion
```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it
*/
{ {
pkgs, pkgs,
config, config,
lib, lib,
# packages', # packages',
repoFlakeInputs',
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in in {
{
imports = [ imports = [
../profiles/wayland-desktop.nix ../profiles/wayland-desktop.nix
../programs/waybar.nix ../programs/waybar.nix
# ../programs/salut.nix
]; ];
# TODO: autostart
# environment.loginShellInit = ''
# if [[ "$(tty)" == /dev/tty1 ]]; then
# echo starting sway..
# exec sway
# fi
# '';
services = {
# TODO: doesn't work with 2 screens
# flameshot.enable = true;
};
services.dunst = { services.dunst = {
enable = true; enable = true;
}; };
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
home.packages = [ home.packages = [
pkgs.swayidle pkgs.swayidle
pkgs.swaylock pkgs.swaylock
## themes ## themes
pkgs.adwaita-icon-theme pkgs.gnome.adwaita-icon-theme
pkgs.hicolor-icon-theme pkgs.hicolor-icon-theme
pkgs.gnome-icon-theme pkgs.gnome-icon-theme
## fonts ## fonts
# pkgs.nerd-fonts # TODO: reinstall selected ones
pkgs.dejavu_fonts # just a basic good fond pkgs.dejavu_fonts # just a basic good fond
pkgs.font-awesome_5 # needed by i3status-rust pkgs.font-awesome_5 # needed by i3status-rust
pkgs.nerdfonts
pkgs.font-awesome pkgs.font-awesome
pkgs.roboto pkgs.roboto
pkgs.ttf_bitstream_vera pkgs.ttf_bitstream_vera
pkgs.noto-fonts pkgs.noto-fonts
pkgs.noto-fonts-cjk
pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-cjk-serif
pkgs.noto-fonts-emoji pkgs.noto-fonts-emoji
@ -73,42 +71,24 @@ in
pkgs.dina-font pkgs.dina-font
pkgs.monoid pkgs.monoid
pkgs.hermit pkgs.hermit
### found on colemickens' repo # found on colemickens' repo
pkgs.gelasio # metric-compatible with Georgia pkgs.gelasio # metric-compatible with Georgia
pkgs.powerline-symbols pkgs.powerline-symbols
pkgs.iosevka-comfy.comfy-fixed pkgs.iosevka-comfy.comfy-fixed
## experimental stuff # experimental stuff
pkgs.fuzzel pkgs.fuzzel
]; ];
# TODO: configure kanshi to always set the 5K resolution
# DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
# Make: Philips Consumer Electronics Company
# Model: PHL 499P9
# Serial: AU02419010010
# Physical size: 1190x340 mm
# Enabled: yes
# Modes:
# 3840x1080 px, 59.967999 Hz (preferred)
# 5120x1440 px, 59.977001 Hz (current)
wayland.windowManager.sway = { wayland.windowManager.sway = {
enable = true; enable = true;
systemd.enable = true; systemd.enable = true;
xwayland = false; xwayland = false;
config = config = let
let
modifier = "Mod4"; modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config) inherit (config.wayland.windowManager.sway.config) left right up down;
left in {
right
up
down
;
in
{
inherit modifier; inherit modifier;
bars = []; bars = [];
@ -158,8 +138,7 @@ in
"${modifier}+Control+Shift+Up" = "move workspace to output up"; "${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down"; "${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place. "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill"; "${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
@ -182,30 +161,28 @@ in
startup = startup =
[ [
{ {
command = builtins.toString ( command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
pkgs.writeShellScript "ensure-graphical-session" ''
( (
${pkgs.coreutils}/bin/sleep 0.2 ${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) & ) &
'' '');
);
} }
] ]
++ lib.optionals config.services.swayidle.enable [ ++ lib.optionals config.services.swayidle.enable [
{ {
command = builtins.toString ( command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
pkgs.writeShellScript "ensure-graphical-session" ''
( (
${pkgs.coreutils}/bin/sleep 0.2 ${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle ${pkgs.systemd}/bin/systemctl --user restart swayidle
) & ) &
'' '');
);
} }
]; ];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
window.titlebar = false; window.titlebar = false;
window.border = 4; window.border = 4;

34
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -1,14 +1,16 @@
{ {
pkgs, pkgs,
config,
lib, lib,
repoFlake, repoFlake,
nodeFlake,
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
in wayprompt = nixpkgs-wayland'.wayprompt;
{ in {
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null; # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -28,11 +30,10 @@ in
}; };
}; };
home.packages = home.packages = with pkgs;
with pkgs;
[ [
# required by network-manager-applet # required by network-manager-applet
networkmanagerapplet pkgs.networkmanagerapplet
wlr-randr wlr-randr
wayout wayout
@ -47,34 +48,29 @@ in
# TODO: whwat's this for? # TODO: whwat's this for?
# wltype # wltype
pavucontrol
playerctl
pasystray
qt5.qtwayland qt5.qtwayland
qt6.qtwayland qt6.qtwayland
# libsForQt5.qt5.qtwayland # libsForQt5.qt5.qtwayland
# libsForQt6.qt6.qtwayland # libsForQt6.qt6.qtwayland
# audio
playerctl
helvum
pasystray
sonusmix
pwvucontrol
# probably required by flameshot # probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr # xdg-desktop-portal xdg-desktop-portal-wlr
# grim # grim
waypipe
] ]
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) ++ (
lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64 # TODO: broken on aarch64
[ ] [
]
); );
home.sessionVariables = { home.sessionVariables = {
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1"; MOZ_ENABLE_WAYLAND = "1";
WLR_NO_HARDWARE_CURSORS = "1";
}; };
home.pointerCursor = { home.pointerCursor = {

27
nix/home-manager/programs/chromium.nix
View file

@ -3,8 +3,7 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let
extensions = extensions =
[ [
#undetectable adblocker #undetectable adblocker
@ -45,37 +44,25 @@ let
{id = "khncfooichmfjbepaaaebmommgaepoid";} {id = "khncfooichmfjbepaaaebmommgaepoid";}
] ]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs
{ id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet
{ id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet
{ id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C # Vimium C
{id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
# TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
# always right # always right
{id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";}
# shazam music
{ id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]); ]);
in in {
{
programs.chromium = { programs.chromium = {
enable = true; enable = true;
inherit extensions; inherit extensions;
# TODO: extensions currently don't work with ungoogled-chromium
package = pkgs.chromium;
}; };
programs.brave = { programs.brave = {
# TODO: enable this on aarch64-linux # TODO: enable this on aarch64-linux
enable = true && !pkgs.stdenv.targetPlatform.isAarch64; enable =
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions; inherit extensions;
}; };
programs.browserpass = {browsers = ["chromium" "brave"];};
} }

19
nix/home-manager/programs/espanso.nix
View file

@ -1,5 +1,8 @@
{ pkgs, ... }:
{ {
pkgs,
repoFlake,
...
}: {
services.espanso = { services.espanso = {
package = pkgs.espanso-wayland; package = pkgs.espanso-wayland;
# package = pkgs.espanso-wayland.overrideAttrs (_: { # package = pkgs.espanso-wayland.overrideAttrs (_: {
@ -21,11 +24,10 @@
# backend = "Clipboard"; # backend = "Clipboard";
}; };
}; };
matches = matches = let
let playerctl = ''
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in in {
{
default = { default = {
matches = [ matches = [
{ {
@ -62,7 +64,10 @@
name = "output"; name = "output";
type = "script"; type = "script";
params = { params = {
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
}; };
} }
]; ];

419
nix/home-manager/programs/firefox.nix
View file

@ -1,417 +1,6 @@
{ {pkgs, ...}: {
repoFlake, programs.librewolf = {enable = true;};
pkgs, programs.firefox = {enable = true;};
config,
lib,
...
}:
let
# Search extension names with below command:
# nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
# bypass-paywalls-clean (can't use, was creating popups) # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
consent-o-matic
terms-of-service-didnt-read
auto-tab-discard
# redirector # For nixos wiki
# darkreader
facebook-container
control-panel-for-twitter
# containerise
facebook-tracking-removal
vimium
cookie-autodelete
auto-tab-discard
istilldontcareaboutcookies
youtube-recommended-videos
display-_anchors
];
customAddons = [
];
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
};
mkProfile =
override:
lib.recursiveUpdate {
extensions = ryceeAddons ++ customAddons;
inherit search;
settings = {
# automatically enable extensions
"extensions.autoDisableScopes" = 0;
"middlemouse.paste" = false;
"browser.download.useDownloadDir" = false;
"browser.tabs.insertAfterCurrent" = true;
"browser.tabs.warnOnClose" = true;
"browser.toolbars.bookmarks.visibility" = "never";
"browser.quitShortcut.disabled" = false;
# restore the previous session automatically
"browser.startup.page" = 3;
"browser.sessionstore.resume_from_crash" = true;
"browser.sessionstore.restore_pinned_tabs_on_demand" = true;
"browser.sessionstore.restore_on_demand" = true;
"browser.urlbar.suggest.bookmark" = true;
"browser.urlbar.suggest.engines" = true;
"browser.urlbar.suggest.history" = true;
"browser.urlbar.suggest.openpage" = true;
"browser.urlbar.suggest.topsites" = false;
"browser.urlbar.trimHttps" = true;
"sidebar.position_start" = false;
"findbar.highlightAll" = true;
"browser.tabs.hoverPreview.enabled" = true;
# Disable fx accounts
"identity.fxaccounts.enabled" = false;
# Disable "save password" prompt
"signon.rememberSignons" = false;
# Harden
"privacy.trackingprotection.enabled" = true;
"dom.security.https_only_mode" = true;
# Disable irritating first-run stuff
"browser.disableResetPrompt" = true;
"browser.download.panel.shown" = true;
"browser.feeds.showFirstRunUI" = false;
"browser.messaging-system.whatsNewPanel.enabled" = false;
"browser.rights.3.shown" = true;
"browser.shell.checkDefaultBrowser" = false;
"browser.shell.defaultBrowserCheckCount" = 1;
"browser.startup.homepage_override.mstone" = "ignore";
"browser.uitour.enabled" = false;
"startup.homepage_override_url" = "";
"trailhead.firstrun.didSeeAboutWelcome" = true;
"browser.bookmarks.restore_default_bookmarks" = false;
"browser.bookmarks.addedImportButton" = true;
# Disable "Save to Pocket" or Pocket entirely
"extensions.pocket.enabled" = false;
# Disable telemetry
"toolkit.telemetry.enabled" = false;
"toolkit.telemetry.unified" = false;
"toolkit.telemetry.archive.enabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"app.shield.optoutstudies.enabled" = false;
"browser.discovery.enabled" = false;
"browser.newtabpage.activity-stream.feeds.telemetry" = false;
"browser.newtabpage.activity-stream.telemetry" = false;
"browser.ping-centre.telemetry" = false;
"datareporting.healthreport.service.enabled" = false;
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.sessions.current.clean" = true;
"devtools.onboarding.telemetry.logged" = false;
"toolkit.telemetry.bhrPing.enabled" = false;
"toolkit.telemetry.firstShutdownPing.enabled" = false;
"toolkit.telemetry.hybridContent.enabled" = false;
"toolkit.telemetry.newProfilePing.enabled" = false;
"toolkit.telemetry.prompted" = 2;
"toolkit.telemetry.rejected" = true;
"toolkit.telemetry.reportingpolicy.firstRun" = false;
"toolkit.telemetry.server" = "";
"toolkit.telemetry.shutdownPingSender.enabled" = false;
"toolkit.telemetry.unifiedIsOptIn" = false;
"toolkit.telemetry.updatePing.enabled" = false;
# Disable any feeds on the new tab page
"browser.newtabpage.activity-stream.showTopSites" = false;
"browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
"browser.newtabpage.activity-stream.discoverystream.enabled" = false;
"browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
"browser.newtabpage.blocked" = lib.genAttrs [
# Youtube
"26UbzFJ7qT9/4DhodHKA1Q=="
# Facebook
"4gPpjkxgZzXPVtuEoAL9Ig=="
# Wikipedia
"eV8/WsSLxHadrTL1gAxhug=="
# Reddit
"gLv0ja2RYVgxKdp0I5qwvA=="
# Amazon
"K00ILysCaEq8+bEqV/3nuw=="
# Twitter
"T9nJot5PurhJSy8n038xGA=="
] (_: 1);
"browser.topsites.blockedSponsors" = [
"adidas"
"temuaffiliateprogram.pxf"
"s.click.aliexpress"
];
# enable userChrome
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"devtools.chrome.enabled" = true;
"devtools.debugger.remote-enabled" = true;
# disable translations for some languages
"browser.translations.neverTranslateLanguages" = [
"en"
"de"
];
"browser.translations.automaticallyPopup" = false;
# enable pipewire (and libcamera) sources
"media.webrtc.camera.allow-pipewire" = true;
};
userChrome =
let
name = override.color or colors.grey;
value = colorValues."${name}".normal;
valueBright = colorValues."${name}".highlight;
valueDark = colorValues."${name}".inactive;
in
''
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
#nav-bar {
background-color: ${value} !important;
color: black !important;
}
/* don't show close button on background tabs */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
display: none !important;
}
/* show close button on hover */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
display: -moz-inline-box !important;
}
/* default */
#TabsToolbar {
background: ${valueDark} !important;
}
/* default tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
background: ${value} !important;
opacity: 0.8
}
/* selected tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
background: ${valueBright} !important;
box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
}
/* hovered tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
background: ${valueBright} !important;
}
/* unloaded/pending tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
background: ${valueDark} !important;
}
'';
# /* new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
# background: unset !important;
# }
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
# /* background: var(--default_tabs_bg_newtab) !important;
# }
# /* hovered new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
# background: var(--default_tabs_bg_newtab_hovered) !important;
# }
} (builtins.removeAttrs override [ "color" ]);
# TODO: insert the id automatically
mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
colors = builtins.mapAttrs (name: _: name) colorValues;
colorValues = {
blue = {
normal = "#49b1fc";
highlight = "#05a9fc"; # Brighter blue
inactive = "#1f81c6"; # Darker blue
};
green = {
normal = "#51cd00";
highlight = "#5ae200"; # Brighter green
inactive = "#45ad00"; # Darker green
};
orange = {
normal = "#ff9800";
highlight = "#ffb74d"; # Brighter orange
inactive = "#c76a00"; # Darker orange
};
red = {
normal = "#f6685e";
highlight = "#ff4336"; # Brighter red
inactive = "#aa463f"; # Darker red
};
yellow = {
normal = "#fced4b";
highlight = "#fce705"; # Brighter yellow
inactive = "#dbbe00"; # Darker yellow
};
purple = {
normal = "#9c27b0";
highlight = "#ab47bc"; # Brighter purple
inactive = "#7b1fa2"; # Darker purple
};
pink = {
normal = "#e91e63";
highlight = "#ff6090"; # Brighter pink
inactive = "#c2185b"; # Darker pink
};
brown = {
normal = "#795548";
highlight = "#a88b6f"; # Brighter brown
inactive = "#4e3b30"; # Darker brown
};
grey = {
normal = "#9e9e9e";
highlight = "#bdbdbd"; # Brighter grey
inactive = "#757575"; # Darker grey
};
teal = {
normal = "#009688";
highlight = "#26c6da"; # Brighter teal
inactive = "#00796b"; # Darker teal
};
};
in
{
nixpkgs.overlays = [
repoFlake.inputs.nur.overlays.default
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"youtube-recommended-videos"
];
programs.librewolf = {
enable = false;
};
programs.firefox = {
enable = true;
package = pkgs.firefox-esr;
profiles = mkProfiles {
"personal" = mkProfile {
id = 0;
isDefault = true;
color = colors.blue;
};
"comms" = mkProfile {
id = 1;
color = colors.blue;
};
"admin" = mkProfile {
id = 2;
color = colors.blue;
};
"infra" = mkProfile {
id = 3;
color = colors.blue;
};
"finance" = mkProfile {
id = 4;
color = colors.yellow;
};
"business-admin" = mkProfile {
id = 5;
color = colors.teal;
};
"business-comms" = mkProfile {
id = 6;
color = colors.teal;
};
"business-dev" = mkProfile {
id = 7;
color = colors.teal;
};
"holo-dev" = mkProfile {
id = 8;
color = colors.green;
};
"holo-infra" = mkProfile {
id = 9;
color = colors.green;
};
"holo-comms" = mkProfile {
id = 10;
color = colors.green;
};
"justyna" = mkProfile {
id = 11;
color = colors.pink;
};
"justyna-office" = mkProfile {
id = 12;
color = colors.pink;
};
};
};
# create one desktop entry for each profile
xdg.desktopEntries = lib.mapAttrs' (
k: _v:
lib.nameValuePair "firefox-profile-${k}" {
categories = [
"Network"
"WebBrowser"
];
exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
genericName = "Web Browser";
icon =
builtins.replaceStrings [ ".desktop" ] [ "" ]
config.programs.firefox.package.desktopItem.name;
mimeType = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
name = "Firefox: ${k}";
startupNotify = true;
settings.StartupWMClass =
# To group windows of different profiles.
# Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
#if profile.name == "default"
#then "firefox"
#else "firefox-${profile.name}";
"firefox";
terminal = false;
type = "Application";
}
) config.programs.firefox.profiles;
} }

22
nix/home-manager/programs/gpg-agent.nix
View file

@ -1,14 +1,28 @@
{ lib, pkgs, osConfig, ... }:
{ {
home.packages = [ pkgs.gcr ]; lib,
pkgs,
config,
...
}: {
home.packages =
[
pkgs.gcr
]
++ (
if config.services.gpg-agent.pinentryFlavor == "gtk2"
then [pkgs.pinentry-gtk2]
else if config.services.gpg-agent.pinentryFlavor == "gnome3"
then [pkgs.pinentry-gnome]
else []
);
programs.gpg.enable = true; programs.gpg.enable = true;
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableScDaemon = !osConfig.services.pcscd.enable; enableScDaemon = true;
enableSshSupport = true; enableSshSupport = true;
grabKeyboardAndMouse = true; grabKeyboardAndMouse = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; pinentryFlavor = lib.mkDefault "gtk2";
extraConfig = '' extraConfig = ''
no-allow-external-cache no-allow-external-cache
''; '';

17
nix/home-manager/programs/homeshick.nix
View file

@ -1,9 +1,15 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -e set -e
echo home-manager path is ${config.home.path} echo home-manager path is ${config.home.path}
echo home is $HOME echo home is $HOME
@ -14,12 +20,13 @@
# echo Updating homeshick # echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''}; ''
};
''; '';
nixpkgs.config = { nixpkgs.config = {
packageOverrides = packageOverrides = pkgs:
pkgs: with pkgs; { with pkgs; {
homeshick = builtins.fetchGit { homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git"; url = "https://github.com/andsens/homeshick.git";
ref = "master"; ref = "master";

9
nix/home-manager/programs/libreoffice.nix
View file

@ -1,8 +1,3 @@
{ pkgs, nodeFlake, ... }: {pkgs, ...}: {
home.packages = with pkgs; [libreoffice-fresh];
let
pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
in
{
home.packages = [ pkgsStable.libreoffice ];
} }

272
nix/home-manager/programs/neovim.nix
View file

@ -1,161 +1,131 @@
{ repoFlake, pkgs, ... }:
{ {
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; pkgs,
lib,
...
}: let
in {
# FIXME: this doesn't work
home.sessionVariables.EDITOR = "nvim";
programs.nixvim = { programs.neovim = {
enable = true; enable = true;
defaultEditor = true;
vimdiffAlias = true;
vimAlias = true;
extraPython3Packages = ps: with ps; []; extraPython3Packages = ps: with ps; [];
# extraConfigVim = builtins.readFile ./neovim/vimrc; extraConfig = builtins.readFile ./neovim/vimrc;
clipboard = { plugins = with pkgs;
register = "unnamedplus"; [
providers.wl-copy.enable = true; # yaml-folds
{
plugin = vimUtils.buildVimPlugin {
name = "vim-yaml-folds";
src = fetchFromGitHub {
owner = "pedrohdz";
repo = "vim-yaml-folds";
rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
}; };
buildInputs = [zip vim];
plugins = { };
airline = { }
enable = true;
settings = { {
powerline_fonts = 1; plugin = vimUtils.buildVimPlugin {
skip_empty_sections = 1; name = "vim-yaml";
theme = "papercolor"; src = fetchFromGitHub {
}; owner = "stephpy";
}; repo = "vim-yaml";
fugitive.enable = true; rev = "e97e063b16eba4e593d620676a0a15fa98613979";
gitblame.enable = true; sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
lsp = { };
enable = true; };
}; }
nix.enable = true; # broken 2021-06-08
# {
# TODO: enable in next release # plugin = vimUtils.buildVimPlugin {
# numbertoggle.enable = true; # name = "vim-markdown-toc";
# src = fetchFromGitHub {
# successfor to ctrlp and fzf # owner = "mzlogin";
telescope.enable = true; # repo = "vim-markdown-toc";
# rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638";
todo-comments.enable = true; # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz";
# };
toggleterm.enable = true; # };
# }
treesitter = {
enable = true; # broken 2021-06-08
# {
grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ # plugin = vimUtils.buildVimPlugin {
bash # name = "vim-perl";
json # src = fetchFromGitHub {
lua # owner = "vim-perl";
make # repo = "vim-perl";
markdown # rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb";
nix # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr";
regex # };
toml # };
vim # }
vimdoc
xml {
yaml plugin = vimUtils.buildVimPlugin {
]; name = "git-blame";
}; src = fetchFromGitHub {
"owner" = "zivyangll";
treesitter-context.enable = true; "repo" = "git-blame.vim";
treesitter-refactor.enable = true; "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
"sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
# This plugin trims trailing whitespace and lines. };
trim.enable = true; };
}; }
]
# plugins = with pkgs; ++ (with pkgs.vimPlugins; [
# [ delimitMate
# # yaml-folds vim-airline
# { vim-airline-themes
# plugin = vimUtils.buildVimPlugin { ctrlp
# name = "vim-yaml-folds"; vim-css-color
# src = fetchFromGitHub { rainbow_parentheses
# owner = "pedrohdz"; vim-colorschemes
# repo = "vim-yaml-folds"; vim-colorstepper
# rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; vim-signify
# sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; fugitive
# }; vim-indent-guides
# buildInputs = [zip vim]; UltiSnips
# }; fzfWrapper
# }
ncm2
# { ncm2-bufword
# plugin = vimUtils.buildVimPlugin { ncm2-path
# name = "vim-yaml"; ncm2-tmux
# src = fetchFromGitHub { ncm2-ultisnips
# owner = "stephpy"; nvim-yarp
# repo = "vim-yaml";
# rev = "e97e063b16eba4e593d620676a0a15fa98613979"; LanguageClient-neovim
# sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
# }; Improved-AnsiEsc
# }; tabular
# }
# Nix
# { vim-addon-nix
# plugin = vimUtils.buildVimPlugin { tlib
# name = "git-blame"; vim-addon-vim2nix
# src = fetchFromGitHub {
# "owner" = "zivyangll"; # LaTeX
# "repo" = "git-blame.vim"; vim-latex-live-preview
# "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; vimtex
# "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
# }; # YAML
# }; vim-yaml
# }
# ] # markdown
# ++ (with pkgs.vimPlugins; [ vim-markdown
# delimitMate vim-markdown-toc
# vim-airline
# vim-airline-themes # misc syntax support
# ctrlp vim-bazel
# vim-css-color maktaba
# rainbow_parentheses ]);
# vim-colorschemes
# vim-colorstepper
# vim-signify
# fugitive
# vim-indent-guides
# UltiSnips
# fzfWrapper
# ncm2
# ncm2-bufword
# ncm2-path
# ncm2-tmux
# ncm2-ultisnips
# nvim-yarp
# LanguageClient-neovim
# Improved-AnsiEsc
# tabular
# # Nix
# vim-addon-nix
# tlib
# vim-addon-vim2nix
# # LaTeX
# vim-latex-live-preview
# vimtex
# # YAML
# vim-yaml
# # markdown
# vim-markdown
# vim-markdown-toc
# # misc syntax support
# vim-bazel
# maktaba
# ]);
}; };
} }

4
nix/home-manager/programs/neovim/vimrc
View file

@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
\ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'dir': '\v[\/]\.(git|hg|svn)$$',
\ 'file': '\v\.(exe|so|dll)$$', \ 'file': '\v\.(exe|so|dll)$$',
\ } \ }
"let g:ctrlp_max_files=0 let g:ctrlp_max_files=0
"let g:ctrlp_max_depth=1000 let g:ctrlp_max_depth=1000
"let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
"let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'

22
nix/home-manager/programs/obs-studio.nix
View file

@ -1,25 +1,21 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
programs.obs-studio = { programs.obs-studio = {
enable = true; enable = true;
plugins = plugins =
builtins.map builtins.map (plugin: (plugin.overrideAttrs (attrs: {
(
plugin:
(plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [ meta = lib.mkMerge [
{inherit (attrs) meta;} {inherit (attrs) meta;}
{ meta.platforms = [ pkgs.stdenv.system ]; } {meta.platforms = ["aarch64-linux"];}
]; ];
})) })))
) (with pkgs.obs-studio-plugins; [
(
with pkgs.obs-studio-plugins;
[
# wlrobs # wlrobs
obs-backgroundremoval obs-backgroundremoval
obs-pipewire-audio-capture obs-pipewire-audio-capture
] ]);
);
}; };
} }

37
nix/home-manager/programs/openvscode-server.nix
View file

@ -1,37 +0,0 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
home.packages = [
pkgs.nil
pkgs.nixd
pkgs.nixfmt-rfc-style
# TODO: automate linking this
# 1. get the commit with: `codium --version`
# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/*
e.g.:
```
(
set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
)
```
*/
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
}))
pkgs.waypipe
];
}

6
nix/home-manager/programs/pass.nix
View file

@ -1,5 +1,8 @@
{ repoFlake, pkgs, ... }:
{ {
repoFlake,
pkgs,
...
}: {
# required by pass-otp # required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
@ -7,6 +10,7 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
gnupg gnupg
pass
# broken on wayland # broken on wayland
# rofi-pass # rofi-pass

22
nix/home-manager/programs/radicale.nix
View file

@ -4,8 +4,7 @@
pkgs, pkgs,
osConfig, osConfig,
... ...
}: }: let
let
libdecsync = pkgs.python3Packages.buildPythonPackage rec { libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync"; pname = "libdecsync";
version = "2.2.1"; version = "2.2.1";
@ -39,18 +38,18 @@ let
# pkgs.libxcrypt # pkgs.libxcrypt
]; ];
propagatedBuildInputs = [ propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
libdecsync
pkgs.python3Packages.setuptools
];
}; };
radicale-decsync = pkgs.radicale.overrideAttrs (old: { radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
}); });
mkRadicaleService = mkRadicaleService = {
{ suffix, port }: suffix,
let port,
}: let
radicale-config = pkgs.writeText "radicale-config-${suffix}" '' radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server] [server]
hosts = localhost:${builtins.toString port} hosts = localhost:${builtins.toString port}
@ -65,8 +64,7 @@ let
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
''; '';
in in {
{
systemd.user.services."radicale-${suffix}" = { systemd.user.services."radicale-${suffix}" = {
Unit.Description = "Radicale with DecSync (${suffix})"; Unit.Description = "Radicale with DecSync (${suffix})";
Service = { Service = {

21
nix/home-manager/programs/redshift.nix
View file

@ -1,26 +1,21 @@
_:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{ {
pkgs,
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
services.gammastep = { services.gammastep = {
enable = true; enable = true;
provider = "manual";
enableVerboseLogging = true;
inherit (passwords.location.stefan) longitude latitude; inherit (passwords.location.stefan) longitude latitude;
temperature = { temperature = {
# day = 6700; day = 6700;
day = 3000;
night = 3000; night = 3000;
}; };
tray = true; tray = true;
settings = { settings = {
general = {
adjustment-method = "wayland";
};
gammastep = { gammastep = {
# brightness-day = 1.0; brightness-day = 1.0;
brightness-day = 0.5;
brightness-night = 0.5; brightness-night = 0.5;
}; };
}; };

19
nix/home-manager/programs/salut.nix
View file

@ -1,11 +1,18 @@
{ pkgs, packages', ... }: {
pkgs,
config,
lib,
packages',
...
}:
# useful testing command: # useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let let
inherit (import ../lib.nix {}) mkSimpleTrayService; inherit (import ../lib.nix {}) mkSimpleTrayService;
in in {
{ home.packages = [
home.packages = [ packages'.salut ]; packages'.salut
];
xdg.configFile."salut/config.ini" = { xdg.configFile."salut/config.ini" = {
enable = true; enable = true;
@ -27,5 +34,7 @@ in
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
}; };
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; systemd.user.services.salut = mkSimpleTrayService {
execStart = "${packages'.salut}/bin/salut";
};
} }

109
nix/home-manager/programs/vscode/default.nix
View file

@ -1,32 +1,34 @@
{ {
config,
pkgs, pkgs,
nodeFlake,
repoFlake, repoFlake,
lib,
... ...
}: }: let
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in in {
{
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgsVscodium.vscodium; package = pkgsVscodium.vscodium;
extensions = extensions =
with pkgsVscodium.vscode-extensions;
[ [
# TODO: how can i install (this) vsix(s) directly?
# (builtins.fetchurl {
# # https://open-vsx.org/extension/jeanp413/open-remote-ssh
# url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix";
# sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
]
++ (with pkgsVscodium.vscode-extensions; [
bbenoist.nix
eamodio.gitlens eamodio.gitlens
mkhl.direnv mkhl.direnv
jnoortheen.nix-ide
tomoki1207.pdf tomoki1207.pdf
vscodevim.vim vscodevim.vim
# bbenoist.nix
jnoortheen.nix-ide
ms-vscode.theme-tomorrowkit ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme nonylene.dark-molokai-theme
kamadorueda.alejandra
ms-python.vscode-pylance
# TODO: these are not in nixpkgs # TODO: these are not in nixpkgs
@ -37,95 +39,25 @@ in
# TODO: not compatible with vscodium # TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh # ms-vscode-remote.remote-ssh
] ] ++ (let
++ (
let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in in (with extensions.vscode-marketplace; [
with extensions.vscode-marketplace; tamasfe.even-better-toml
with extensions.vscode-marketplace-release;
[
serayuzgur.crates serayuzgur.crates
rust-lang.rust-analyzer rust-lang.rust-analyzer
swellaby.vscode-rust-test-adapter swellaby.vscode-rust-test-adapter
tamasfe.even-better-toml
golang.go golang.go
jeff-hykin.better-go-syntax jeff-hykin.better-go-syntax
blueglassblock.better-json5 ])));
nefrob.vscode-just-syntax
# fabianlauer.vs-code-xml-format
bierner.emojisense
]
)
++ (
let
nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
vscode_version = "${config.programs.vscode.package.version}"
[[extensions]]
publisher_name = "FelixZeller"
extension_name = "markdown-oxide"
[[extensions]]
publisher_name = "ibecker"
extension_name = "treefmt-vscode"
[[extensions]]
publisher_name = "AntiAntiSepticeye"
extension_name = "vscode-color-picker"
# [[extensions]]
# publisher_name = "nefrob"
# extension_name = "vscode-just-syntax"
[[extensions]]
publisher_name = "fabianlauer"
extension_name = "vs-code-xml-format"
'';
nix4vscodeNix =
pkgs.runCommand "nix4vscode.nix"
{
# nix4vscode needs internet access
__noChroot = true;
requiredSystemFeatures = [ "recursive-nix" ];
buildInputs = [
pkgs.nix
pkgs.cacert
(pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
# pkgs.strace
];
# outputHashAlgo = "sha256";
# outputHashMode = "recursive";
# outputHash = lib.fakeSha256;
}
''
# set -x
# export RUST_BACKTRACE=full
# export RUST_LOG=trace
export HOME=$(mktemp -d)
# strace -ffZyyY
nix4vscode ${nix4vscodeToml} > $out
'';
nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
"override"
"overrideDerivation"
];
nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
_: v: builtins.head (builtins.attrValues v)
) nix4vscodeExtensions;
in
nix4vscodeExtensions'
);
mutableExtensionsDir = true; mutableExtensionsDir = true;
}; };
home.packages = [ home.packages = [
pkgs.nixpkgs-fmt
pkgs.alejandra
pkgs.nil pkgs.nil
pkgs.nixfmt-rfc-style
]; ];
} }
# TODO: automate # TODO: automate
@ -202,3 +134,4 @@ in
# xyz.plsql-language # xyz.plsql-language
# yzane.markdown-pdf # yzane.markdown-pdf
# zxh404.vscode-proto3 # zxh404.vscode-proto3

1
nix/home-manager/programs/waybar.css
View file

@ -1,3 +1,4 @@
#custom-cputemp { #custom-cputemp {
padding: 0 10px; padding: 0 10px;
background-color: #f0932b; background-color: #f0932b;

17
nix/home-manager/programs/waybar.nix
View file

@ -1,5 +1,9 @@
{ pkgs, repoFlake, ... }:
{ {
pkgs,
config,
repoFlake,
...
}: {
home.packages = [ home.packages = [
# required by any bar that has a tray plugin # required by any bar that has a tray plugin
pkgs.libappindicator-gtk3 pkgs.libappindicator-gtk3
@ -8,18 +12,17 @@
programs.waybar = { programs.waybar = {
enable = true; enable = true;
package = package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; style =
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true; systemd.enable = true;
settings = { settings = {
mainBar = { mainBar = {
layer = "top"; layer = "top";
position = "bottom"; position = "bottom";
height = 30; height = 30;
output = output = ["*"];
# hide the bar on HEADDLESS displays as i use them only for screensharing
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
# output = [ # output = [
# "eDP-1" # "eDP-1"
# "DP-*" # "DP-*"

27
nix/home-manager/programs/zsh.nix
View file

@ -3,10 +3,8 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let just-plugin = let
just-plugin =
let
plugin_file = pkgs.writeText "_just" '' plugin_file = pkgs.writeText "_just" ''
#compdef just #compdef just
#autload #autload
@ -37,8 +35,7 @@ let
chmod --recursive a-w $out chmod --recursive a-w $out
''; '';
}; };
in in {
{
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -49,11 +46,9 @@ in
# will be called again by oh-my-zsh # will be called again by oh-my-zsh
enableCompletion = false; enableCompletion = false;
enableAutosuggestions = true; enableAutosuggestions = true;
initExtra = initExtra = let
let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in in ''
''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR unset TMPDIR
fi fi
@ -74,13 +69,12 @@ in
fi fi
${ ${
if builtins.hasAttr "homeshick" pkgs then if builtins.hasAttr "homeshick" pkgs
'' then ''
source ${pkgs.homeshick}/homeshick.sh source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath) fpath=(${pkgs.homeshick}/completions $fpath)
'' ''
else else ""
""
} }
# Disable intercepting of ctrl-s and ctrl-q as flow control. # Disable intercepting of ctrl-s and ctrl-q as flow control.
@ -134,10 +128,7 @@ in
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
theme = "tjkirch"; theme = "tjkirch";
plugins = [ plugins = ["git" "sudo"];
"git"
"sudo"
];
}; };
}; };
} }

3
nix/modules/flake-parts/colmena.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
options.flake.colmena = lib.mkOption { options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified; # type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw; type = lib.types.raw;

17
nix/modules/flake-parts/perSystem/default.nix
View file

@ -1,8 +1,13 @@
{ pkgs, ... }:
{ {
inputs',
system,
config,
lib,
pkgs,
...
}: {
packages = { packages = {
myPython = pkgs.python310.withPackages ( myPython = pkgs.python310.withPackages (ps:
ps:
with ps; with ps;
[ [
pep8 pep8
@ -28,10 +33,6 @@
pyaml pyaml
requests requests
] ]
++ [ ++ [pkgs.pypi2nix pkgs.libffi]);
pkgs.pypi2nix
pkgs.libffi
]
);
}; };
} }

12
nix/os/cachix.nix
View file

@ -1,12 +1,14 @@
# WARN: this file will get overwritten by $ cachix use <name> # WARN: this file will get overwritten by $ cachix use <name>
{ lib, ... }: {
let pkgs,
lib,
...
}: let
folder = ./cachix; folder = ./cachix;
toImport = name: _value: folder + ("/" + name); toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in in {
{
inherit imports; inherit imports;
nix.settings.substituters = ["https://cache.nixos.org/"]; nix.settings.substituters = ["https://cache.nixos.org/"];
} }

4
nix/os/cachix/nixpkgs-wayland.nix
View file

@ -1,6 +1,8 @@
{ {
nix = { nix = {
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.substituters = [
"https://nixpkgs-wayland.cachix.org"
];
settings.trusted-public-keys = [ settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
]; ];

87
nix/os/containers/backup-target.nix Normal file
View file

@ -0,0 +1,87 @@
{
hostAddress,
localAddress,
containerBackupCfg,
sshPort ? containerBackupCfg.portInt,
autoStart ? false,
}: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
# services.ddclientovh = {
# enable = true;
# domain = containerBackupCfg.addr;
# };
services.openssh.enable = true;
users.extraUsers."${containerBackupCfg.user}" = {
uid = 2000;
group = containerBackupCfg.group;
shell = pkgs.bashInteractive;
home = "/${containerBackupCfg.targetPath}";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp"
];
packages = with pkgs; [btrfs-progs];
isSystemUser = true;
};
security.sudo = {
enable = true;
extraRules = [
{
users = ["bkp"];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/readlink";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/test";
options = ["NOPASSWD"];
}
];
}
];
};
};
inherit autoStart;
bindMounts = {
"/${containerBackupCfg.targetPath}" = {
hostPath = "/var/lib/container-volumes/backup-target";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}

43
nix/os/containers/backup.nix
View file

@ -5,23 +5,16 @@
subvolumes, subvolumes,
targetPathSuffix ? "", targetPathSuffix ? "",
autoStart ? false, autoStart ? false,
}: }: let
let
passwords = import ../../variables/passwords.crypt.nix; passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes"; subvolumeParentDir = "/var/lib/container-volumes";
in in {
{ config = {pkgs, ...}: {
config =
{ pkgs, ... }:
{
system.stateVersion = "20.03"; # Did you read the comment? system.stateVersion = "20.03"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix]; imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [btrfs-progs btrbk];
btrfs-progs
btrbk
];
networking.firewall.enable = true; networking.firewall.enable = true;
@ -29,9 +22,7 @@ in
enable = true; enable = true;
description = "bkp-sync service"; description = "bkp-sync service";
serviceConfig = { serviceConfig = {Type = "oneshot";};
Type = "oneshot";
};
after = ["bkp-run.service"]; after = ["bkp-run.service"];
@ -48,20 +39,13 @@ in
enable = true; enable = true;
description = "bkp-run"; description = "bkp-run";
serviceConfig = { serviceConfig = {Type = "oneshot";};
Type = "oneshot";
};
partOf = ["bkp-sync.service"]; partOf = ["bkp-sync.service"];
path = with pkgs; [ path = with pkgs; [btrfs-progs btrbk coreutils];
btrfs-progs
btrbk
coreutils
];
script = script = let
let
btrbkConf = pkgs.writeText "cfg" '' btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath} ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -78,10 +62,10 @@ in
volume ${subvolumeParentDir} volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
''; '';
in in ''
''
#! ${pkgs.bash}/bin/bash #! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail set -Eeuxo pipefail
@ -92,10 +76,7 @@ in
systemd.timers."bkp" = { systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically"; description = "Timer to trigger bkp periodically";
enable = true; enable = true;
wantedBy = [ wantedBy = ["timer.target" "multi-user.target"];
"timer.target"
"multi-user.target"
];
timerConfig = { timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"` # Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00"; # OnCalendar = "Wed *-*-* 23:00:00";

44
nix/os/containers/mailserver.nix
View file

@ -1,23 +1,18 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
imapsPort ? 993, imapsPort ? 993,
sievePort ? 4190, sievePort ? 4190,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs;
config =
{
pkgs, pkgs,
config, config,
repoFlake, lib,
... ...
}: }: {
{ system.stateVersion = "21.11"; # Did you read the comment?
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
@ -26,11 +21,6 @@
../profiles/common/user.nix ../profiles/common/user.nix
]; ];
networking.firewall.allowedTCPPorts = [
imapsPort
sievePort
];
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
# sops.defaultSopsFile = ./mailserver_secrets.yaml; # sops.defaultSopsFile = ./mailserver_secrets.yaml;
@ -109,8 +99,7 @@
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
description = "Getmail service"; description = "Getmail service";
path = [pkgs.getmail6]; path = [pkgs.getmail6];
script = script = let
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options] [options]
verbose = 1 verbose = 1
@ -129,8 +118,7 @@
type = MDA_external type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
''; '';
in in ''
''
getmail --idle=INBOX --rcfile=${rc} getmail --idle=INBOX --rcfile=${rc}
''; '';
}; };
@ -144,8 +132,7 @@
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
description = "Getmail service"; description = "Getmail service";
path = [pkgs.getmail6]; path = [pkgs.getmail6];
script = script = let
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options] [options]
verbose = 2 verbose = 2
@ -164,8 +151,7 @@
type = MDA_external type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
''; '';
in in ''
''
getmail --rcfile=${rc} --idle=INBOX getmail --rcfile=${rc} --idle=INBOX
''; '';
}; };
@ -179,8 +165,7 @@
path = [pkgs.getmail6]; path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000; serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
script = script = let
let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options] [options]
verbose = 1 verbose = 1
@ -199,8 +184,7 @@
type = Maildir type = Maildir
path = ~/.maildir/ path = ~/.maildir/
''; '';
in in ''
''
getmail --rcfile=${rc} --idle=INBOX getmail --rcfile=${rc} --idle=INBOX
''; '';
}; };
@ -219,6 +203,8 @@
}; };
}; };
# extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -236,5 +222,5 @@
} }
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

124
nix/os/containers/mycelium/flake.lock generated
View file

@ -1,124 +0,0 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nix-snapshotter",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704152458,
"narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nix-snapshotter": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723875769,
"narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
"type": "github"
},
"original": {
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1728781282,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728867876,
"narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1728897630,
"narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nix-snapshotter": "nix-snapshotter",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

371
nix/os/containers/mycelium/flake.nix
View file

@ -1,371 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-snapshotter = {
url = "github:pdtpartners/nix-snapshotter";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, ... }:
let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { };
modules = [
(
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
nixpkgs.overlays = [
(_final: _previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
# src = /home/steveej/src/others/systemd;
# withAppArmor = false;
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# withArchive = false;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# })
# pkgs.systemdMinimal.override {
# # getting errors with these disabled
# withCoredump = true;
# withCompression = true;
# withLogind = true;
# withSysusers = true;
# withUserDb = true;
# }
# pkgs.systemdMinimal
# pkgs.systemd.override {
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# }
# ;
})
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true;
# boot.tmp.useTmpfs = true;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
services.journald.console = "/dev/console";
services.journald.storage = "none";
# boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false;
system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false;
networking.useDHCP = false;
networking.firewall.enable = false;
# system.build.earlyMountScript =
# lib.mkForce ''
# '';
# system.activationScripts.specialfs =
# lib.mkForce ''
# '';
boot.postBootCommands = ''
ls -lha /run
mkdir -p /run/wrappers
'';
boot.kernelParams = [ "systemd.log_level=debug" ];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce { };
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
systemd.services.testing-credentials = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils ];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
# StateDirectory = "testing-credentials";
# DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts.":80" = {
extraConfig = ''
respond "hello from ${config.networking.hostName}"
'';
};
};
}
)
];
};
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [ ];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [ 9651 ];
udp = [
9650
9651
];
};
inherit (config)
entrypoint
# port
args
# nodePort
;
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
}
];
}
);
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
targetPort = "mycelium-tcp-0";
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
];
};
}
);
in
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image;
start = pkgs.writeShellApplication {
name = "start";
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication {
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
};
}

73
nix/os/containers/syncthing.nix
View file

@ -1,22 +1,20 @@
{ {
specialArgs,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
syncthingPort ? 22000, syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027, syncthingLocalAnnouncePort ? 21027,
smbTcpPort ? 445,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs; config,
config = pkgs,
{ ... }: ...
{ }: {
system.stateVersion = "20.05"; # Did you read the comment? system.stateVersion = "20.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix]; imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# syncthing gui # syncthing gui
8384 8384
@ -27,54 +25,6 @@
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
}; };
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
settings = {
global = {
"workgroup" = "DMZ";
"server string" = "syncthing";
"netbios name" = "syncthing";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.23. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"scan-stefan" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
"scan-justyna" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
};
};
# TODO: find out if smbpasswd file is still used and set it here. or find an alternative
# sops.secrets.smbpasswd = {
# };
# environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
}; };
inherit autoStart; inherit autoStart;
@ -86,6 +36,8 @@
}; };
}; };
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -103,12 +55,7 @@
hostPort = syncthingLocalAnnouncePort; hostPort = syncthingLocalAnnouncePort;
protocol = "udp"; protocol = "udp";
} }
{
containerPort = 445;
hostPort = smbTcpPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

250
nix/os/containers/webserver.nix
View file

@ -1,55 +1,28 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
httpPort, httpPort ? 80,
httpsPort, httpsPort ? 443,
forgejoSshPort,
autoStart ? false, autoStart ? false,
}: }: let
let
domain = "www.stefanjunker.de"; domain = "www.stefanjunker.de";
in in {
{ config = {
inherit specialArgs;
config =
{
config, config,
pkgs, pkgs,
lib, lib,
repoFlake,
nodeFlake,
system,
... ...
}: }: {
let
nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
in
{
system.stateVersion = "22.05"; # Did you read the comment? system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [
"services/misc/forgejo.nix"
"services/security/kanidm.nix"
];
imports = [ imports = [
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
"${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
]; ];
sops.defaultSopsFile = ./webserver_secrets.yaml; networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
forgejoSshPort
];
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.hedgedoc_environment_file = { sops.secrets.hedgedoc_environment_file = {
@ -59,11 +32,11 @@ in
services.caddy = { services.caddy = {
enable = true; enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = { virtualHosts."${domain}" = {
extraConfig = '' extraConfig = let
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${domain} redir /hedgedoc* https://hedgedoc.${domain}
file_server /*/* { file_server /*/* {
@ -94,22 +67,6 @@ in
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
''; '';
}; };
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}; };
services.hedgedoc = { services.hedgedoc = {
@ -136,36 +93,12 @@ in
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile` # these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD"; bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de"; searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid"; useridField = "uid";
}; };
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads"; uploadsPath = "/var/lib/hedgedoc/uploads";
}; };
@ -192,11 +125,9 @@ in
owner = config.users.users.authelia-default.name; owner = config.users.users.authelia-default.name;
}; };
services.authelia.instances.default = services.authelia.instances.default = let
let
baseDir = "/var/lib/authelia-default"; baseDir = "/var/lib/authelia-default";
in in {
{
enable = true; enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
@ -286,140 +217,9 @@ in
}; };
}; };
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
# TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
];
};
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in
{
package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;
enableClient = false;
enableServer = true;
serverSettings = {
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
bindaddress = "127.0.0.1:8444";
# don't expose ldap
# ldapbindaddress = "[::1]:6636";
tls_key = "${dataDir}/tls/tls.key";
tls_chain = "${dataDir}/tls/tls.chain";
online_backup = {
schedule = "00 06 * * *";
};
};
};
}; };
inherit autoStart; inherit autoStart;
@ -453,17 +253,10 @@ in
hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/forgejo" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
isReadOnly = false;
}; };
"/var/lib/kanidm" = { # extraFlags = ["--resolv-conf=bind-host"];
hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; # networking.useHostResolvConf = true;
isReadOnly = false;
};
};
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
@ -479,14 +272,7 @@ in
hostPort = httpsPort; hostPort = httpsPort;
protocol = "tcp"; protocol = "tcp";
} }
{
# forgejo ssh
containerPort = forgejoSshPort;
hostPort = forgejoSshPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

12
nix/os/containers/webserver_secrets.yaml
View file

@ -1,13 +1,9 @@
hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str]
authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -23,8 +19,8 @@ sops:
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T12:28:51Z" lastmodified: "2023-07-17T11:48:04Z"
mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str]
pgp: pgp:
- created_at: "2023-07-09T17:51:27Z" - created_at: "2023-07-09T17:51:27Z"
enc: |- enc: |-
@ -42,4 +38,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3

30
nix/os/devices/default.nix
View file

@ -7,14 +7,9 @@
moreargs ? "", moreargs ? "",
rebuildarg ? "", rebuildarg ? "",
... ...
}@args: } @ args: let
let rebuildargsSudo = ["switch" "boot"];
rebuildargsSudo = [ rebuild = {
"switch"
"boot"
];
rebuild =
{
gitRoot, gitRoot,
rebuildarg ? "dry-activate", rebuildarg ? "dry-activate",
moreargs ? "", moreargs ? "",
@ -35,18 +30,18 @@ let
${ ${
if if
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null (builtins.elem rebuildarg rebuildargsSudo)
then && (builtins.match ".*--target-host.*" moreargs) == null
"sudo -E \\" then "sudo -E \\"
else else ""
""
} }
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
''; '';
in in {
recipes =
{ {
recipes = { rebuild =
rebuild = rebuild { rebuild {
inherit gitRoot; inherit gitRoot;
inherit moreargs; inherit moreargs;
inherit rebuildarg; inherit rebuildarg;
@ -54,5 +49,6 @@ in
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
; ;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); }
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
} }

53
nix/os/devices/disk.nix
View file

@ -3,29 +3,40 @@
ownLib, ownLib,
dir, dir,
gitRoot, gitRoot,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ? encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "", previousDiskId ? "",
... ...
}: }: let
let
mntRootVol = "/mnt/${diskId}-root"; mntRootVol = "/mnt/${diskId}-root";
in in rec {
rec {
diskMount = pkgs.writeScript "script" '' diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
echo Mounting ${diskId} echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
sleep 1 sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt sudo mkdir -p /mnt
sudo mkdir ${mntRootVol} sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
''; '';
@ -62,7 +73,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
# Encrypt # Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
# LVM # LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then if test "${previousDiskId}"; then
${pkgs.lib.strings.optionalString encrypted '' ${
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} pkgs.lib.strings.optionalString encrypted ''
''} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
sync sync
sleep 1 sleep 1
if sudo vgs ${previousDiskId}; then if sudo vgs ${previousDiskId}; then

3
nix/os/devices/elias-e525/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

3
nix/os/devices/elias-e525/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix

10
nix/os/devices/elias-e525/default.nix
View file

@ -3,17 +3,17 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: }: let
let
system = "x86_64-linux"; system = "x86_64-linux";
in in {
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "elias-e525.lan"; deployment.targetHost = "elias-e525.lan";

2
nix/os/devices/elias-e525/hw.nix
View file

@ -1,4 +1,4 @@
_: { {...}: {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

12
nix/os/devices/elias-e525/pkg.nix
View file

@ -1,5 +1,8 @@
{ pkgs, lib, ... }: {
let pkgs,
lib,
...
}: let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -19,9 +22,8 @@ let
rustdesk rustdesk
]; ];
}; };
in in {
{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };

11
nix/os/devices/elias-e525/system.nix
View file

@ -1,5 +1,10 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device # TASK: new device
networking.hostName = "elias-e525"; # Define your hostname. networking.hostName = "elias-e525"; # Define your hostname.
@ -39,7 +44,5 @@
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = { nix.gc = {automatic = true;};
automatic = true;
};
} }

11
nix/os/devices/elias-e525/user.nix
View file

@ -1,9 +1,12 @@
{ config, pkgs, ... }: {
let config,
pkgs,
lib,
...
}: let
keys = import ../../../variables/keys.nix; keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in in {
{
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;

3
nix/os/devices/fwhost1/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

3
nix/os/devices/fwhost1/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost1/hw.nix
View file

@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

18
nix/os/devices/fwhost1/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }

17
nix/os/devices/fwhost1/system.nix
View file

@ -1,8 +1,12 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost1"; # Define your hostname. networking.hostName = "fwhost1"; # Define your hostname.
@ -17,10 +21,7 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";

10
nix/os/devices/fwhost1/user.nix
View file

@ -1 +1,9 @@
_: { } {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {}

7
nix/os/devices/fwhost1/versions.nix
View file

@ -4,12 +4,9 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

7
nix/os/devices/fwhost1/versions.tmpl.nix
View file

@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

3
nix/os/devices/fwhost2/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

3
nix/os/devices/fwhost2/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost2/hw.nix
View file

@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

18
nix/os/devices/fwhost2/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }

18
nix/os/devices/fwhost2/system.nix
View file

@ -1,8 +1,13 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
utils,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost2"; # Define your hostname. networking.hostName = "fwhost2"; # Define your hostname.
@ -17,10 +22,7 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";

10
nix/os/devices/fwhost2/user.nix
View file

@ -1,4 +1,12 @@
_: { {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser { # users.extraUsers.steveej2 = mkUser {
# uid = 1001; # uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh; # openssh.authorizedKeys.keys = keys.users.steveej.openssh;

7
nix/os/devices/fwhost2/versions.nix
View file

@ -4,12 +4,9 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

7
nix/os/devices/fwhost2/versions.tmpl.nix
View file

@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

146
nix/os/devices/hstk0/configuration.nix
View file

@ -1,146 +0,0 @@
{
repoFlake,
pkgs,
lib,
nodeFlake,
nodeName,
system,
...
}:
{
disabledModules = [ ];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
{
roles.nix-remote-builder.schedulerPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"
# TODO: make this a reference to the private key's secret
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
];
}
../../snippets/nix-settings.nix
{ nix.settings.sandbox = lib.mkForce "relaxed"; }
../../snippets/mycelium.nix
# user config
../../profiles/common/user.nix
{
users.commonUsers = {
enable = true;
enableNonRoot = true;
};
}
../../snippets/home-manager-with-zsh.nix
# {
# home-manager.users.steveej = {pkgs, ...}: {
# imports = [
# ../../../home-manager/programs/pass.nix
# ../../../home-manager/programs/openvscode-server.nix
# ];
# };
# }
];
services.openssh = {
enable = true;
openFirewall = true;
settings.PermitRootLogin = "yes";
extraConfig = ''
StreamLocalBindUnlink yes
'';
};
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = true;
nat.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [ 5201 ];
firewall.allowedUDPPorts = [ 5201 ];
};
disko.devices =
let
disk = id: {
type = "disk";
device = "/dev/${id}";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
in
{
disk = {
sda = disk "sda";
sdb = disk "sdb";
};
mdadm = {
raid0 = {
type = "mdadm";
level = 0;
content = {
type = "gpt";
partitions = {
primary = {
size = "100%";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
system.stateVersion = "24.05";
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.includeDefaultModules = true;
boot.initrd.kernelModules = [
"dm-raid"
"dm-integrity"
"xhci_pci_renesas"
];
hardware.enableRedistributableFirmware = true;
virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}

124
nix/os/devices/hstk0/flake.lock generated
View file

@ -1,124 +0,0 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719401812,
"narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=",
"owner": "nix-community",
"repo": "disko",
"rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1714237590,
"narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=",
"owner": "ursi",
"repo": "get-flake",
"rev": "a6c57417d1b857b8be53aba4095869a0f438c502",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1718530513,
"narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1719253556,
"narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1719254875,
"narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1719189969,
"narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=",
"owner": "numtide",
"repo": "srvos",
"rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

52
nix/os/devices/hstk0/flake.nix
View file

@ -1,52 +0,0 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
get-flake.url = "github:ursi/get-flake";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
};
# outputs = _: {};
outputs =
{
self,
get-flake,
nixpkgs,
...
}:
let
system = "x86_64-linux";
nodeName = "hostkey-0";
mkNixosConfiguration =
{
extraModules ? [ ],
...
}@attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
specialArgs = {
nodeFlake = self;
repoFlake = get-flake ../../../..;
inherit nodeName;
};
modules = [ ./configuration.nix ] ++ extraModules;
}
);
in
{
nixosConfigurations = {
native = mkNixosConfiguration { inherit system; };
};
};
}

12
nix/os/devices/hydra.json
View file

@ -10,15 +10,7 @@
"emailoverride": "", "emailoverride": "",
"keepnr": 3, "keepnr": 3,
"inputs": { "inputs": {
"src": { "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
"type": "git", "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
"value": "git://github.com/shlevy/declarative-hydra-example.git",
"emailresponsible": false
},
"nixpkgs": {
"type": "git",
"value": "git://github.com/NixOS/nixpkgs.git release-16.03",
"emailresponsible": false
}
} }
} }

3
nix/os/devices/justyna-p300/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false;

3
nix/os/devices/justyna-p300/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix

10
nix/os/devices/justyna-p300/default.nix
View file

@ -3,17 +3,17 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: }: let
let
system = "x86_64-linux"; system = "x86_64-linux";
in in {
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = nodeName; deployment.targetHost = nodeName;

2
nix/os/devices/justyna-p300/flake.nix
View file

@ -6,7 +6,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
inputs.disko.url = "github:nix-community/disko"; inputs.disko.url = github:nix-community/disko;
inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
outputs = _: {}; outputs = _: {};

10
nix/os/devices/justyna-p300/hw.nix
View file

@ -1,6 +1,12 @@
{ nodeFlake, ... }:
{ {
imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; repoFlake,
nodeFlake,
lib,
...
}: {
imports = [
nodeFlake.inputs.disko.nixosModules.disko
];
disko.devices.disk.sda = { disko.devices.disk.sda = {
device = "/dev/sda"; device = "/dev/sda";

19
nix/os/devices/justyna-p300/pkg.nix
View file

@ -3,8 +3,7 @@
lib, lib,
packages', packages',
... ...
}: }: let
let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -24,19 +23,15 @@ let
rustdesk rustdesk
]; ];
}; };
in in {
{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };
services.printing.drivers = lib.mkForce ( services.printing.drivers = lib.mkForce (with packages'; [
with packages';
[
dcpj4110dwDriver dcpj4110dwDriver
dcpj4110dwCupswrapper dcpj4110dwCupswrapper
] ]);
);
services.printing.extraConf = '' services.printing.extraConf = ''
LogLevel debug LogLevel debug
@ -65,7 +60,9 @@ in
services.syncthing.enable = true; services.syncthing.enable = true;
services.syncthing.tray = true; services.syncthing.tray = true;
home.packages = with pkgs; [ session-desktop ]; home.packages = with pkgs; [
session-desktop
];
}; };
system.stateVersion = "21.11"; system.stateVersion = "21.11";

15
nix/os/devices/justyna-p300/system.nix
View file

@ -1,8 +1,11 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
in {
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# iperf3 # iperf3
@ -42,7 +45,5 @@ in
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = { nix.gc = {automatic = true;};
automatic = true;
};
} }

10
nix/os/devices/justyna-p300/user.nix
View file

@ -1,9 +1,11 @@
{ config, pkgs, ... }: {
let config,
pkgs,
...
}: let
keys = import ../../../variables/keys.nix; keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in in {
{
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;

1033
nix/os/devices/router0-dmz0/configuration.nix
View file

File diff suppressed because it is too large Load diff

21
nix/os/devices/router0-dmz0/default.nix
View file

@ -5,24 +5,25 @@
nodeFlake, nodeFlake,
localDomainName ? "internal", localDomainName ? "internal",
... ...
}: }: {
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit inherit repoFlake nodeName nodeFlake system;
repoFlake
nodeName
nodeFlake
system
;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system};
inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; inherit
(nodeFlake.inputs.bpir3.packages.${system})
armTrustedFirmwareMT7986
;
inherit localDomainName; inherit localDomainName;
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.targetHost = "${nodeName}.${localDomainName}";

102
nix/os/devices/router0-dmz0/flake.lock generated
View file

@ -1,5 +1,26 @@
{ {
"nodes": { "nodes": {
"bpir3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1712309414,
"narHash": "sha256-Z1bK3rlZhI1qVDU3qS4cqZBIQL2xomtUPYHdxQgRuw0=",
"owner": "steveej-forks",
"repo": "nixos-bpir3",
"rev": "4cfe402142e6ef76d83fcd7c92d75029a39d3997",
"type": "github"
},
"original": {
"owner": "steveej-forks",
"ref": "pr_kernel_config_for_nixpkgs_update",
"repo": "nixos-bpir3",
"type": "github"
}
},
"dependencyDagOfSubmodule": { "dependencyDagOfSubmodule": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -28,11 +49,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738148035, "lastModified": 1714405407,
"narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", "narHash": "sha256-h3pOvHCXkSdp1KOZqtkQmHgkR7VaOJXDhqhumk7sZLY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", "rev": "5eaf747af38dd272e1ab28a8ec4bd972424b07cf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -63,16 +84,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736373539, "lastModified": 1714043624,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-23.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -80,11 +101,11 @@
"hostapd": { "hostapd": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1738518662, "lastModified": 1713985129,
"narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", "narHash": "sha256-TBC+vZMFPApHAlw5FDPGqgZeYNskdvF56mJsSBoAm1M=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", "rev": "1dda619ed291edddf979d4513ddc59abf0a30c9e",
"revCount": 20282, "revCount": 19546,
"type": "git", "type": "git",
"url": "git://w1.fi/hostap.git?branch=main" "url": "git://w1.fi/hostap.git?branch=main"
}, },
@ -101,11 +122,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715521768, "lastModified": 1709392539,
"narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", "narHash": "sha256-cZ7vOO5KmvVQMHnpi1hBX+bUJlVL6cK8I3m2SPHANtg=",
"owner": "thelegy", "owner": "thelegy",
"repo": "nixos-nftables-firewall", "repo": "nixos-nftables-firewall",
"rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", "rev": "412ea84967cd087fc668ef6994f419bd16ac1174",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -114,54 +135,18 @@
"type": "github" "type": "github"
} }
}, },
"nixos-sbc": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1738254353,
"narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=",
"owner": "nakato",
"repo": "nixos-sbc",
"rev": "21be4ab012197a2eea4bbff8315c40f26f715a18",
"type": "github"
},
"original": {
"owner": "nakato",
"repo": "nixos-sbc",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1738702386, "lastModified": 1714409183,
"narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", "narHash": "sha256-Wacm/DrzLD7mjFGnSxxyGkJgg2unU/dNdNgdngBH+RU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", "rev": "576ecd43d3b864966b4423a853412d6177775e8b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1738680400,
"narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "799ba5bffed04ced7067a91798353d360788b30d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -186,14 +171,13 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"bpir3": "bpir3",
"disko": "disko", "disko": "disko",
"get-flake": "get-flake", "get-flake": "get-flake",
"home-manager": "home-manager", "home-manager": "home-manager",
"hostapd": "hostapd", "hostapd": "hostapd",
"nixos-nftables-firewall": "nixos-nftables-firewall", "nixos-nftables-firewall": "nixos-nftables-firewall",
"nixos-sbc": "nixos-sbc",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"openwrt": "openwrt", "openwrt": "openwrt",
"srvos": "srvos" "srvos": "srvos"
} }
@ -205,11 +189,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738198321, "lastModified": 1714444742,
"narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", "narHash": "sha256-FOWYXEEtwYKAGmXgKVYli/VsA8XpeR+4wNKt+3M/9b4=",
"owner": "numtide", "owner": "numtide",
"repo": "srvos", "repo": "srvos",
"rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", "rev": "b18e74f2245eaae150bc753821079c2512fe1516",
"type": "github" "type": "github"
}, },
"original": { "original": {

97
nix/os/devices/router0-dmz0/flake.nix
View file

@ -1,11 +1,10 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
@ -13,14 +12,12 @@
srvos.url = "github:numtide/srvos"; srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs"; srvos.inputs.nixpkgs.follows = "nixpkgs";
nixos-sbc.url = "github:nakato/nixos-sbc" bpir3.url =
# "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" "github:steveej-forks/nixos-bpir3/pr_kernel_config_for_nixpkgs_update"
# "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" # "/home/steveej/src/steveej/nixos-bpir3"
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
# "git+file:///home/steveej/src/others/nakato_nixos-sbc/"
; ;
nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
bpir3.inputs.nixpkgs.follows = "nixpkgs";
nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
@ -37,54 +34,75 @@
# url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch";
# flake = false; # flake = false;
# }; # };
# repoFlake.url = "path:../../../..";
}; };
outputs = outputs = {
{
self, self,
get-flake, get-flake,
nixpkgs, nixpkgs,
bpir3,
... ...
}: }: let
let
nativeSystem = "aarch64-linux"; nativeSystem = "aarch64-linux";
nodeName = "router0-dmz0"; nodeName = "router0-dmz0";
mkNixosConfiguration = pkgs = nixpkgs.legacyPackages.${nativeSystem};
{ pkgsCross = import self.inputs.nixpkgs {
extraModules ? [ ], system = "x86_64-linux";
... crossSystem = {
}@attrs: config = "aarch64-unknown-linux-gnu";
};
};
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem ( nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs { nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs = specialArgs =
(import ./default.nix { (import ./default.nix {
system = nativeSystem; system = nativeSystem;
inherit nodeName; inherit nodeName;
repoFlake = get-flake ../../../..; repoFlake = get-flake ../../../..;
# repoFlake = get-flake ./.;
# repoFlake = self.inputs.repoFlake;
nodeFlake = self; nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName}; })
.meta
.nodeSpecialArgs
.${nodeName};
modules = [ modules =
[
./configuration.nix ./configuration.nix
# flake registry # flake registry
{ {
nixpkgs.overlays = builtins.attrValues self.overlays;
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
} }
] ++ extraModules;
{
nixpkgs.overlays = [
(final: previous: let
bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
in {
inherit
(bpir3Pkgs)
linuxPackages_bpir3
linuxPackages_bpir3_6_6
linuxPackages_bpir3_latest
;
})
];
}
]
++ extraModules;
} }
); );
in in {
{
nixosConfigurations = { nixosConfigurations = {
native = mkNixosConfiguration { system = nativeSystem; }; native = mkNixosConfiguration {
system = nativeSystem;
};
cross = mkNixosConfiguration { cross = mkNixosConfiguration {
extraModules = [ extraModules = [
@ -96,12 +114,23 @@
}; };
}; };
overlays.default = _final: previous: { packages = let
hostapd = previous.hostapd.overrideDerivation (attrs: { mkPatchedHostapd = pkgs:
patches = attrs.patches ++ [ pkgs.hostapd.overrideDerivation (attrs: {
patches =
attrs.patches
++ [
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
]; ];
}); });
in {
"${nativeSystem}" = {
hostapd_patched = mkPatchedHostapd pkgs;
};
cross = {
hostapd_patched = mkPatchedHostapd pkgsCross;
};
}; };
}; };
} }

Some files were not shown because too many files have changed in this diff Show more