steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: steveej:master
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0
..
compare: steveej:pr_htz0
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0

1 commit
master ... pr_htz0

Author SHA1 Message Date
Stefan Junker
693ae383ef WIP 2023-03-08 19:13:59 +01:00
313 changed files with 5450 additions and 15796 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.envrc
View file

@ -1,5 +1,7 @@
if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
fi
# if ! has nix_direnv_version || ! nix_direnv_version 1.5.1; then
# source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.5.1/direnvrc" "sha256-p4CDMJjuBmEh9pkn2aoJrZqr0DlPZHPU7eXOSDzzcuo="
# fi
# use_flake . --impure
use nix
use flake .#develop

BIN
.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
View file

Binary file not shown.

6
.gitignore vendored
View file

@ -3,9 +3,3 @@
.*.log
.env
**/result
.direnv/
# nixago: ignore-linked-files
/treefmt.toml
/debug-logs

10
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,10 @@
stages:
- build
build:
stage: build
tags:
- nix
script:
# Test the nix-shell
- just run-with-channels 'nix-shell --run "echo OK"'

122
.sops.yaml
View file

@ -1,122 +0,0 @@
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
# use `ssh-keyscan <IP> | ssh-to-age` to get the age key for a remote machine
# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
keys:
- &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
- &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
- &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
- &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-t14
- *steveej-x13s
- *elias-e525
- *justyna-p300
- *srv0-dmz0
- *router0-dmz0
- *sj-vps-htz0
- *sj-srv1
- *hstk0
- *router0-ifog
- *router0-hosthatch
- path_regex: ^secrets/steveej-t14/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-t14
- path_regex: ^secrets/desktop/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-t14
- *steveej-x13s
- path_regex: ^secrets/servers/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-vps-htz0
- *sj-srv1
- path_regex: ^nix/os/containers/.+_secrets.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-vps-htz0
- *sj-srv1
- path_regex: ^secrets/holochain-infra/.+$
key_groups:
- pgp:
- *steveej
age:
- *srv0-dmz0
- path_regex: ^secrets/router0-dmz0/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-dmz0
- path_regex: ^secrets/router0-ifog/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-ifog
- path_regex: ^secrets/router0-hosthatch/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-hosthatch
- path_regex: ^secrets/sj-vps-htz0/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-vps-htz0
- path_regex: ^secrets/sj-srv1/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-srv1
- path_regex: ^secrets/hstk0/.+$
key_groups:
- pgp:
- *steveej
age:
- *hstk0
- path_regex: ^secrets/steveej-x13s/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s
- path_regex: ^secrets/work-holo/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s

19
.vscode/settings.json vendored
View file

@ -1,20 +1,3 @@
{
"editor.defaultFormatter": "ibecker.treefmt-vscode",
"editor.formatOnSave": true,
"nix.enableLanguageServer": true,
"nix.serverPath": "nil",
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
"autoArchive": true,
"diagnostics": {
"ignored": ["unused_binding", "unused_with"]
},
"formatting": {
"command": ["treefmt", "--stdin", ".nil.nix"]
}
}
},
"treefmt.command": "treefmt",
"treefmt.config": ""
"nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix"
}

144
Justfile
View file

@ -1,12 +1,18 @@
# _DEFAULT_VERSION_TMPL:
# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
_DEFAULT_VERSION_TMPL:
echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
_DEFAULT_VERSION:
echo "{{invocation_directory()}}/nix/variables/versions.nix"
_usage:
just -l
# Re-render the default versions
update-default-versions:
nix flake update
#!/usr/bin/env bash
template="$(just _DEFAULT_VERSION_TMPL)"
outfile="$(just _DEFAULT_VERSION)"
esh -o ${outfile} ${template}
_get_nix_path versionsPath:
echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}})
@ -28,44 +34,116 @@ _render_templates:
# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
fi
rebuild-remote-device device +rebuildargs="dry-activate":
_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
#!/usr/bin/env bash
set -ex
nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}
just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}
rebuild-remote-device device target rebuildarg="dry-activate" :
#!/usr/bin/env bash
set -ex
just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
# Rebuild this device's NixOS
rebuild-this-device +rebuildargs="dry-activate":
nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}
rebuild-this-device rebuildarg="dry-activate":
#!/usr/bin/env bash
set -e
function parse_hm_rebuildarg() {
case $1 in
switch)
echo switch
;;
*)
echo build
;;
esac
}
export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log
echo Rebuilding system in {{rebuildarg}}-mode...
if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then
echo System rebuild successful
else
cat ${SYSREBUILD_LOG}
echo ERROR: system rebuild failed
exit 1
fi
if type home-manager > /dev/null 2>&1; then
echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix)
if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
echo Home rebuild successful
else
cat ${HOMEREBUILD_LOG}
echo ERROR: home rebuild failed
exit 1
fi
fi
# Re-render the versions of a remote device and rebuild its environment
update-remote-device devicename +rebuildargs='build':
update-remote-device devicename target rebuildmode='switch':
#!/usr/bin/env bash
set -e
(
set -xe
cd nix/os/devices/{{ devicename }}
nix flake update
)
template=nix/os/devices/{{ devicename }}/versions.tmpl.nix
outfile=nix/os/devices/{{ devicename }}/versions.nix
just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}
if ! test -e ${template}; then
template="$(just _DEFAULT_VERSION_TMPL)"
fi
git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"
esh -o ${outfile} ${template}
if ! test "$(git diff ${outfile})"; then
echo Already on latest versions
exit 0
fi
just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || {
echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
exit 1
}
just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || {
echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
exit 1
}
git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions"
# Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch' +moreargs='':
update-this-device rebuild-mode='switch':
#!/usr/bin/env bash
set -e
(
set -xe
cd nix/os/devices/$(hostname -s)
nix flake update
)
template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
outfile=nix/os/devices/$(hostname -s)/versions.nix
just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}
if ! test -e ${template}; then
template="$(just _DEFAULT_VERSION_TMPL)"
fi
git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
esh -o ${outfile} ${template}
if ! test "$(git diff ${outfile})"; then
echo Already on latest versions
exit 0
fi
export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
just -v rebuild-this-device dry-activate || {
echo ERROR: Update failed, reverting ${outfile}...
exit 1
}
just -v rebuild-this-device {{rebuild-mode}} || {
echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed
exit 1
}
git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions"
# Rebuild an offline system
rebuild-disk device:
@ -127,7 +205,6 @@ disk-relabel dir previous:
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir:
just -v _device diskMount {{dir}}
# Unmount target disk, specified by device configuration directory
disk-umount dir:
just -v _device diskUmount {{dir}}
@ -136,6 +213,7 @@ disk-umount dir:
disk-install dir: _render_templates
just -v _device diskInstall {{dir}}
verify-n-unlock sshserver attempts="10":
#!/usr/bin/env bash
set -e
@ -222,7 +300,7 @@ install-config config root:
sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
# Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card key-id="6EEFA706CB17E89B":
switch-gpg-card:
#!/usr/bin/env bash
#
# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
@ -230,11 +308,7 @@ switch-gpg-card key-id="6EEFA706CB17E89B":
# Connect the new device and then run this script to make it known to gnupg.
#
set -xe
if [[ -n "{{key-id}}" ]]; then
KEY_ID="{{key-id}}"
else
KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
fi
# export pubkey and ownertrust
gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
@ -307,15 +381,3 @@ test-connection:
sleep 5
done
cachix-use name:
nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/
update-sops-keys:
for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
deploy-router0-dmz0:
NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
ttyusb:
screen -fa /dev/ttyUSB0 115200

74
README.md
View file

@ -1,5 +1,4 @@
# steveej's infra
This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org).
@ -30,56 +29,23 @@ In the unlikely case that you actually read this and have any questions please d
- [x] annotate recipes with some documentation
- [x] declare shell.nix with runtime deps
- [x] partition/encrypt/format disks
- [x] Maybe make this a nix-overlay
- [x] refactor as a nix flake and adopt an existing framework
- [x] devShell version
- [x] ~~version templating~~ obsolete due to the usage of flakes
- [x] elias-e525
- [x] steveej-t14
- [x] contabo vps
- [x] sj-pve0
- [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes
- [x] `rebuild-this-device`
- [x] `update-this-device`
- [x] `rebuild-remote-device`
- [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena)
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs
- [x] 🚧 find a better alternative for the qtile-desktop
current issues:
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process
- [ ] Document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine
- [ ] an install media
- [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle _\_archived_
- [ ] Recycle *\_archived*
- [x] Maybe make this a nix-overlay
- [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started
## Bugs
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755
## Usage
_(These are reminders for my future self)_
*(These are reminders for my future self)*
```
just --list
@ -88,17 +54,15 @@ just --list
## Bootstrap
### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
- ensure the dotfiles repo has a branch with the new machine's hostname
- boot with an install media and go through setup
* boot with an install media and go through setup
#### Post-Install Setup
- `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `gpg2 --edit-card; fetch`
- clone password-manager and infra repositories
- gpg2: ultimately trust my own key
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* `gpg2 --edit-card; fetch`
* clone password-manager and infra repositories
* gpg2: ultimately trust my own key
## Swapping out a disk
@ -107,18 +71,10 @@ just --list
3. replace the driveId in the device's hw.nix
4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group
## Rebuilding an offline system
## Backup
### Copy existing subvolumes to new backup target
```
(
sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot
sleep 5
sudo mkdir -p /mnt/root
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos
sudo mount /dev/sdb2 /mnt/root/boot
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home
sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password
)
`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/
```

90
_archive/environments/dev/cross.nix Normal file
View file

@ -0,0 +1,90 @@
import /home/steveej/src/github/NixOS/nixpkgs/default.nix {
crossSystem = rec {
config = "armv7l-unknown-linux-gnueabi";
bigEndian = false;
arch = "arm";
float = "hard";
fpu = "vfpv3-d16";
withTLS = true;
libc = "glibc";
platform = {
name = "armv7l-hf-multiplatform";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelHeadersBaseConfig = "multi_v7_defconfig";
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = false;
kernelExtraConfig = ''
NAMESPACES y
BTRFS_FS y
BTRFS_FS_POSIX_ACL y
OVERLAY_FS y
FUSE_FS y
'';
kernelTarget = "zImage";
uboot = null;
};
openssl.system = "linux-generic32";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
};
}
# pkgs.config = {
# packageOverrides = super: let self = super.pkgs; in {
# linux_4_0 = super.linux_3_18.override {
# kernelPatches = super.linux_3_18.kernelPatches ++ [
# # we'll also add one of our own patches
# { patch = ./dts.patch; name = "dts-fix"; }
# ];
#
# # add "CONFIG_PPP_FILTER y" option to the set of kernel options
# extraConfig = ''
# HAVE_IMX_ANATOP y
# HAVE_IMX_GPC y
# HAVE_IMX_MMDC y
# HAVE_IMX_SRC y
# SOC_IMX6 y
# SOC_IMX6Q y
# SOC_IMX6SL y
# PCI_IMX6 y
# ARM_IMX6Q_CPUFREQ y
# IMX_WEIM y
# AHCI_IMX y
# SERIAL_IMX y
# SERIAL_IMX_CONSOLE y
# I2C_IMX y
# SPI_IMX y
# PINCTRL_IMX y
# PINCTRL_IMX6Q y
# PINCTRL_IMX6SL y
# POWER_RESET_IMX y
# IMX_THERMAL y
# IMX2_WDT y
# IMX_IPUV3_CORE y
# DRM_IMX y
# DRM_IMX_FB_HELPER y
# DRM_IMX_PARALLEL_DISPLAY y
# DRM_IMX_TVE y
# DRM_IMX_LDB y
# DRM_IMX_IPUV3 y
# DRM_IMX_HDMI y
# MMC_SDHCI_ESDHC_IMX y
# IMX_SDMA y
# PWM_IMX y
# DEBUG_IMX6Q_UART y
#
# PPP_FILTER y
# '';
# };
# };
# };

89
_archive/environments/dev/go/default.nix Normal file
View file

@ -0,0 +1,89 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version,
extraBuildInputs ? [],
extraShellHook ? "",
}: let
go = builtins.getAttr "go_${version}" pkgs;
commonVimRC = ''
let g:tagbar_type_go = {
\ 'ctagstype' : 'go',
\ 'kinds' : [
\ 'p:package',
\ 'i:imports:1',
\ 'c:constants',
\ 'v:variables',
\ 't:types',
\ 'n:interfaces',
\ 'w:fields',
\ 'e:embedded',
\ 'm:methods',
\ 'r:constructor',
\ 'f:functions'
\ ],
\ 'sro' : '.',
\ 'kind2scope' : {
\ 't' : 'ctype',
\ 'n' : 'ntype'
\ },
\ 'scope2kind' : {
\ 'ctype' : 't',
\ 'ntype' : 'n'
\ },
\ 'ctagsbin' : 'gotags',
\ 'ctagsargs' : '-sort -silent'
\ }
" vim-go {
let g:go_highlight_functions = 1
let g:go_highlight_methods = 1
let g:go_highlight_structs = 1
let g:go_highlight_interfaces = 1
let g:go_highlight_operators = 1
let g:go_highlight_build_constraints = 1
let g:go_fmt_command = 'gofmt'
let g:go_fmt_options= '-s'
let g:go_def_mode = 'godef'
let g:go_def_reuse_buffer = 0
au FileType go nmap <Leader>gds <Plug>(go-def-split)
au FileType go nmap <Leader>gdv <Plug>(go-def-vertical)
au FileType go nmap <Leader>gdt <Plug>(go-def-tab)
au FileType go nmap <Leader>gi <Plug>(go-imports)
" }
'';
buildInputs = with pkgs; [
glibc.out
glibc.static
go
gotools
#gotools.bin
#gocode.bin
#godef godef.bin
godep
#godep.bin
gox.bin
#ginkgo ginkgo.bin
#gomega
# ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
# ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
];
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = extraBuildInputs ++ buildInputs;
shellHook = ''
goname=${go.version}_$name
# FIXME: setPS1 $goname
export GOROOT=${go}/share/go
export GOPATH="$HOME/.gopath_$goname"
export PATH="$HOME/.gopath_$goname/bin:$PATH"
unset name
unset SSL_CERT_FILE
${extraShellHook}
'';
}

12
_archive/environments/dev/go/neovim-go.nix Normal file
View file

@ -0,0 +1,12 @@
{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args
// {
additionalRC =
commonRC
+ ''
" deoplete {
let g:deoplete#enable_at_startup = 1
let g:deoplete#enable_smart_case = 1
" }
'';
additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"];
})

31
_archive/environments/dev/pandoc.nix Normal file
View file

@ -0,0 +1,31 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with pkgs;
[
(import ./vim-pandoc.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
})
pandoc
texlive.combined.scheme-medium
python27Packages.pandocfilters
python27Packages.htmltreediff
python27Packages.html5lib
python27Packages.dbus-python
]
++ extraBuildInputs;
shellHook = ''
pandocname=pandoc_${pkgs.pandoc.version}
setPS1 $pandocname
unset name
'';
}

71
_archive/environments/dev/rkt.nix Normal file
View file

@ -0,0 +1,71 @@
{
pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
mkGoEnv ? import ./go.nix,
rktPath,
}: let
rktBasebuildInputs = with pkgs; [
glibc.out
glibc.static
autoreconfHook
gnupg1
squashfsTools
cpio
tree
intltool
libtool
pkgconfig
libgcrypt
gperf
libcap
libseccomp
libzip
eject
iptables
bc
acl
trousers
systemd
];
extraShellHook = ''
TARGET=$GOPATH/src/github.com/coreos/rkt
if [[ -e ${rktPath}/rkt/rkt.go ]]; then
pushd ${rktPath}
else
echo rktPath must be run the rkt repository clone, but got '${rktPath}'
exit 1
fi
if ! [[ -e $TARGET/rkt/rkt.go ]]; then
mkdir -p $TARGET
echo $PWD
sudo -E mount -o bind $PWD $TARGET
fi
pushd $TARGET
'';
in {
go15 = mkGoEnv {
inherit pkgs;
name = "rktGo15";
version = "1_5";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go16 = mkGoEnv {
inherit pkgs;
name = "rktGo16";
version = "1_6";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go17 = mkGoEnv {
inherit pkgs;
name = "rktGo17";
version = "1_7";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
}

1
_archive/environments/dev/rust/.envrc Normal file
View file

@ -0,0 +1 @@
eval "$(lorri direnv)"

39
_archive/environments/dev/rust/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
rustPackages = builtins.getAttr "rust${version}" pkgs;
rustc = rustPackages.rustc;
rustShellHook = {
rustc,
name,
}: ''
rustname=rust_${rustc.version}_${name}
setPS1 $rustname
unset name
'';
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with rustPackages;
[
(import ./vim-rust.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
inherit rustc;
racerd = pkgs.rustracerd;
})
rustc
cargo
]
++ [pkgs.rustfmt]
++ extraBuildInputs;
shellHook = rustShellHook {
inherit name;
inherit rustc;
};
}

19
_archive/environments/dev/vim-go.nix Normal file
View file

@ -0,0 +1,19 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-go";
additionalRC =
commonRC
+ ''
" Disable AutoComplPop.
let g:acp_enableAtStartup = 0
" Use neocomplete.
let g:neocomplete#enable_at_startup = 1
" Use smartcase.
let g:neocomplete#enable_smart_case = 1
if !exists('g:neocomplete#sources#omni#input_patterns')
let g:neocomplete#sources#omni#input_patterns = {}
endif
'';
additionalPlugins = ["neocomplete" "vim-go"];
})

18
_archive/environments/dev/vim-pandoc.nix Normal file
View file

@ -0,0 +1,18 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-pandoc";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
'';
additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
})

48
_archive/environments/dev/vim-rust.nix Normal file
View file

@ -0,0 +1,48 @@
{
commonRC,
rustc,
racerd,
...
} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-rust";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
" tagbar
let g:tagbar_type_rust = {
\ 'ctagstype' : 'rust',
\ 'kinds' : [
\'T:types,type definitions',
\'f:functions,function definitions',
\'g:enum,enumeration names',
\'s:structure names',
\'m:modules,module names',
\'c:consts,static constants',
\'t:traits,traits',
\'i:impls,trait implementations',
\]
\}
let g:syntastic_rust_checkers = ["rustc"]
"rustfmt
let g:rustfmt_autosave = 1
let g:ycm_auto_trigger = 1
let g:ycm_rust_src_path = '${rustc.src}/src'
let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
'';
additionalPlugins = ["rust-vim"];
})

42
_archive/environments/fhs/android.nix Normal file
View file

@ -0,0 +1,42 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "devfhs";
multiPkgs = pkgs: (with pkgs; [
android-udev-rules
sudo
gawk
bzip2
file
gcc
getopt
git
gnumake
ncurses
openssl
patch
perl
pkgconfig
python
openssh
subversion
unzip
wget
which
vim
zlib
libusb
libusb1
systemd
strace
swt
xorg.libXtst
glib
gtk2
gnome.gtk
]);
profile = ''
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
'';
runScript = "bash";
})
.env

36
_archive/environments/fhs/vscode.nix Normal file
View file

@ -0,0 +1,36 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "everydayFHS";
targetPkgs = pkgs: (with pkgs; [
which
gitFull
zsh
file
direnv
xdg_utils
xsel
vscode
# vscode live share
gnome3.gcr
libgnome_keyring3
liburcu
libunwind
lttng-ust
curl
openssl
libkrb5
libuuid
icu
zlib
libsecret
]);
multiPkgs = pkgs: (with pkgs; []);
profile = ''
export SHELL=/bin/zsh
'';
# FIXME runScript = "$SHELL";
})
.env

10
_archive/nixos-configuration/common/pkg/neovim.nix Normal file
View file

@ -0,0 +1,10 @@
{
config,
pkgs,
...
} @ args: {
environment.systemPackages = [
pkgs.xsel
(import ../../../pkg-configuration/vim-derivates/neovim.nix args)
];
}

7
_archive/nixos-configuration/common/pkg/vim.nix Normal file
View file

@ -0,0 +1,7 @@
{pkgs, ...} @ args: {
environment.systemPackages = [
pkgs.xsel
(import ../../../pkg-configuration/vim-derivates/vim.nix
(args // {name = "vim";}))
];
}

20
_archive/nixos-configuration/common/user/steveej.nix Normal file
View file

@ -0,0 +1,20 @@
{
config,
pkgs,
...
}: let
passwords = import ../passwords.crypt.nix;
keys = import ../keys.nix;
inherit (import ../lib) mkUser;
in {
users.mutableUsers = false;
users.defaultUserShell = pkgs.zsh;
users.extraUsers.steveej = mkUser {
uid = 1000;
hashedPassword = passwords.users.steveej;
};
security.pam.enableU2F = true;
security.pam.services.steveej.u2fAuth = true;
}

6
default.nix
View file

@ -4,9 +4,7 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as:
# nix-build -A mypackage
{
pkgs ? import <nixpkgs> { },
}:
{
{pkgs ? import <nixpkgs> {}}: {
overlays = import ./nix/overlays;
pkgs = import ./nix/pkgs {inherit pkgs;};
}

1614
flake.lock generated
View file

File diff suppressed because it is too large Load diff

428
flake.nix
View file

@ -1,428 +0,0 @@
# flake.nix
{
inputs = {
# TODO: where has this been used?
# dotfiles = {
# url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git";
# flake = false;
# };
# flake and infra basics
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
radicalePkgs.follows = "nixpkgs-2211";
nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.follows = "nixpkgs-2411";
flake-parts.url = "github:hercules-ci/flake-parts";
get-flake.url = "github:ursi/get-flake";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
nixos-anywhere.url = "github:numtide/nixos-anywhere/main";
nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
disko.follows = "nixos-anywhere/disko";
nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
# needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
openvscode-server.flake = false;
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
};
# libraries for building applications
fenix = {
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
};
crane.url = "github:ipetkov/crane";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
# applications
aphorme_launcher = {
url = "github:Iaphetes/aphorme_launcher/main";
flake = false;
};
yofi = {
url = "github:l4l/yofi/master";
flake = true;
inputs.nixpkgs.follows = "nixpkgs";
};
ofi-pass = {
url = "github:sereinity/ofi-pass";
flake = false;
};
jay = {
url = "github:mahkoh/jay";
flake = false;
};
prs = {
# url = "gitlab:timvisee/prs/v0.5.2";
url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
flake = false;
};
rperf = {
url = "github:steveej-forks/rperf";
flake = false;
};
# nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage";
espanso = {
flake = false;
url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
};
nix4vscode = {
url = "github:nix-community/nix4vscode";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixvim = {
# TODO: pin to nixos-24.11 once available
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago = {
url = "github:jmgilman/nixago";
inputs.nixpkgs.follows = "nixpkgs";
};
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
};
outputs =
inputs@{
self,
flake-parts,
nixpkgs,
...
}:
let
inherit (nixpkgs) lib;
systems = [
"x86_64-linux"
"aarch64-linux"
];
in
flake-parts.lib.mkFlake { inherit inputs; } (
{ withSystem, ... }:
{
flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(
builtins.map
(
nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}");
}
)
[
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# "router0-dmz0"
"router0-ifog"
"router0-hosthatch"
"sj-srv1"
]
);
flake.lib = {
inherit withSystem;
};
# this makes nixos-anywhere work
flake.nixosConfigurations =
let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations;
in
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross =
(inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
};
inherit systems;
perSystem =
{
self',
inputs',
system,
config,
lib,
pkgs,
...
}:
{
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
packages =
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
_prsPackage =
{
lib,
rustPlatform,
installShellFiles,
pkg-config,
python3,
glib,
gpgme,
gtk3,
stdenv,
cargoHash ? "sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=",
src,
version,
makeWrapper,
skim,
}:
rustPlatform.buildRustPackage rec {
pname = "prs";
inherit src version cargoHash;
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
makeWrapper
];
cargoBuildFlags = [
"--no-default-features"
"--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp"
];
buildInputs = [
glib
gpgme
gtk3
];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
postFixup = ''
wrapProgram $out/bin/prs \
--prefix PATH : ${lib.makeBinPath [ skim ]}
'';
meta = with lib; {
description = "Secure, fast & convenient password manager CLI using GPG and git to sync";
homepage = "https://gitlab.com/timvisee/prs";
changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md";
license = with licenses; [
lgpl3Only # lib
gpl3Only # everything else
];
maintainers = with maintainers; [ dotlambda ];
mainProgram = "prs";
};
};
local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
set -x
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=0 \
# --x-unscale=3 \
--verbose
'';
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage _prsPackage {
src = inputs.prs;
version = inputs.prs.shortRev;
cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8=";
};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ ];
};
inherit local-xwayland;
inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
just = {
enable = true;
includes = [
"*/Justfile"
"Justfile"
];
};
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
options = [ "--no-underscore" ];
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
});
devShells =
let
all = import ./nix/devShells.nix {
inherit
self
self'
inputs'
pkgs
;
};
in
all
// {
default = all.develop;
};
};
}
);
}

BIN
misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
View file

Binary file not shown.

2
nix/container-images/build.sh
View file

@ -1,6 +1,6 @@
#!/usr/bin/env bash
set -xe
[ -n "$NAME" ]
[ ! -z "$NAME" ]
nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force

38
nix/container-images/default.nix
View file

@ -1,10 +1,6 @@
{
pkgs ? import <nixpkgs> { },
}:
let
{pkgs ? import <nixpkgs> {}}: let
baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
in
rec {
in rec {
base = pkgs.dockerTools.buildImage rec {
name = "base";
@ -25,20 +21,12 @@ rec {
interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base";
fromImage = base;
contents = with pkgs; [
procps
zsh
coreutils
neovim
];
contents = with pkgs; [procps zsh coreutils neovim];
config = {
Cmd = [ "/bin/zsh" ];
};
config = {Cmd = ["/bin/zsh"];};
};
s3ql =
let
s3ql = let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
@ -85,10 +73,7 @@ rec {
pkgs.dockerTools.buildImage {
name = "s3ql";
fromImage = interactive_base;
contents = [
pkgs.s3ql
pkgs.fuse
];
contents = [pkgs.s3ql pkgs.fuse];
runAsRoot = ''
#!${pkgs.stdenv.shell}
@ -99,7 +84,9 @@ rec {
'';
config = {
Env = baseEnv ++ [
Env =
baseEnv
++ [
"HOME=/home/s3ql"
"S3QL_CACHE_DIR=/var/cache/s3ql"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
@ -115,8 +102,7 @@ rec {
};
};
syncthing =
let
syncthing = let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
set -x
@ -148,9 +134,7 @@ rec {
config = {
Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [entrypoint];
Volumes = {
"/data" = { };
};
Volumes = {"/data" = {};};
};
};
}

30
nix/default.nix
View file

@ -1,9 +1,6 @@
{ versionsPath }:
let
{versionsPath}: let
channelVersions = import versionsPath;
mkChannelSource =
name:
let
mkChannelSource = name: let
channelVersion = builtins.getAttr name channelVersions;
in
builtins.fetchGit {
@ -11,24 +8,19 @@ let
inherit name;
inherit (channelVersion) url ref rev;
};
nixPath = builtins.concatStringsSep ":" (
builtins.map (
elemName:
let
nixPath = builtins.concatStringsSep ":" (builtins.map
(elemName: let
elem = builtins.getAttr elemName channelVersions;
elemPath = mkChannelSource elemName;
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
suffix =
if builtins.hasAttr "suffix" elem
then elem.suffix
else "";
in
builtins.concatStringsSep "=" [
elemName
elemPath
]
+ suffix
) (builtins.attrNames channelVersions)
);
builtins.concatStringsSep "=" [elemName elemPath] + suffix)
(builtins.attrNames channelVersions));
pkgs = import (mkChannelSource "nixpkgs") {};
in
{
in {
inherit nixPath;
channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath}

103
nix/devShells.nix
View file

@ -1,103 +0,0 @@
{
self,
self',
inputs',
pkgs,
}:
{
install = pkgs.mkShell {
name = "infra-install";
packages = with pkgs; [
nixos-install-tools
inputs'.disko.packages.disko
just
git
git-crypt
gnupg
];
};
develop = pkgs.mkShell {
name = "infra-develop";
inputsFrom = [ self'.devShells.install ];
packages = with pkgs; [
self'.formatter # .package
inputs'.colmena.packages.colmena
dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere
nurl
vcsh
ripgrep
# pass
age
age-plugin-yubikey
ssh-to-age
yubico-piv-tool
inputs'.sops-nix.packages.default
sops
nil
nix-index
apacheHttpd
# vncdo
# tesseract
# imagemagick
# lm_sensors
# nmap
# sysstat
# lshw
# xxHash
# linssid
# wavemon
# wirelesstools
# zathura
# xorg.xwininfo
# glxinfo
# autorandr
# arandr
# playerctl
# x11docker
# fwupd
# ntfy
# hedgedoc-cli
xwayland
pulsemixer
(pkgs.writeShellScriptBin "rflk" ''
exec nix run nixpkgs#$@
'')
(pkgs.writeShellScriptBin "r11" ''
exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
'')
jq
yq
wireguard-tools
screen
inputs'.nixpkgs-unstable.legacyPackages.kanidm
];
# Set Environment Variables
RUST_BACKTRACE = 1;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook = builtins.concatStringsSep "\n" [
# (self.inputs.nixago.lib.${pkgs.system}.make {
# data = self'.formatter.settings;
# output = "treefmt.toml";
# format = "toml";
# }).shellHook
];
};
}

367
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -1,102 +1,85 @@
{
pkgs,
lib,
config,
# these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake,
repoFlake,
...
}:
let
pkgsUnstable =
pkgs.pkgsUnstable
or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
{pkgs}: let
zshCurried = import ../programs/zsh.nix {inherit pkgs;};
in
{
pkgs,
config,
...
}: let
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs =
import <channels-nixos-unstable-small> {config = config.nixpkgs.config;};
masterpkgs = import <nixpkgs-master> {config = config.nixpkgs.config;};
in {
imports = [
../profiles/common.nix
# ../profiles/dotfiles.nix
# FIXME: fix homeshick when no WAN connection is available
# ../programs/homeshick.nix
# ../profiles/gnome-desktop.nix
# ../profiles/experimental-desktop.nix
../programs/redshift.nix
../programs/gpg-agent.nix
../programs/pass.nix
../programs/espanso.nix
../profiles/qtile-desktop.nix
../profiles/dotfiles.nix
../programs/firefox.nix
../programs/chromium.nix
# FIXME: fix homeshick when no WAN connection is available
# ../programs/homeshick.nix
../programs/libreoffice.nix
../programs/neovim.nix
../programs/pass.nix
zshCurried
../programs/podman.nix
../programs/vscode
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
../programs/holochain-launcher.nix
../programs/radicale.nix
];
home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config = {
pidgin = {
openssl = true;
gnutls = true;
};
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
];
packageOverrides = pkgs: with pkgs; {};
};
nixpkgs.config.permittedInsecurePackages = [
"electron-28.3.3"
"electron-27.3.11"
];
home.sessionVariables = {
# TODO: find a way to prevent using a store path for the current file
# HM_CONFIG_PATH=builtins.toString "${./.}";
HM_CONFIG = "graphical-fullblown";
nixpkgs.config.allowUnfree = [
"electron-28.3.3"
"electron-27.3.11"
];
GOPATH = "$HOME/src/go";
# nixpkgs.config.allowUnfreePredicate = pkg:
# builtins.elem (lib.getName pkg) [
# "smartgithg"
# "electron-27.3.11"
# ];
PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
};
home.packages =
(with pkgs; [
[]
++ (with pkgs; [
# Authentication
# cacert
# fprintd
# openssl
# mkpasswd
cacert
fprintd
openssl
mkpasswd
# Nix package related tools
patchelf
# nix-index
nix-index
nox
nix-prefetch-scripts
nix-tree
nix-prefetch-github
# Version Control Systems
gitFull
# gitless
pijul
gitless
gitRepo
git-lfs
# Process/System Administration
htop
# gnome.gnome-tweaks
gnome.gnome-tweaks
xorg.xhost
dmidecode
evtest
# Archive Managers
sshfs-fuse
xarchive
p7zip
zip
unzip
@ -106,74 +89,98 @@ in
# Password Management
gnupg
yubikey-manager
yubikey-manager-qt
yubikey-personalization
yubikey-personalization-gui
# gnome.gnome-keyring
gcr
seahorse
gnome.gnome-keyring
gnome.seahorse
# Language Support
hunspellDicts.en-us
hunspellDicts.de-de
# Messaging/Communication
# pidgin
# hexchat
pkgsUnstable.element-desktop
signal-desktop
pidgin
hexchat
aspellDicts.en
aspellDicts.de
# skypeforlinux
# pkgsUnstable.jitsi-meet-electron
thunderbird-128
# betterbird
# FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop
pkgsUnstable.tdesktop
pkgsUnstable.signal-desktop-source
skypeforlinux
unstablepkgs.jitsi-meet-electron
thunderbird
evolution # gnome4.glib_networking
kotatogram-desktop
zoom-us
thunderbird
evolution # gnome4.glib_networking
gnome.cheese
masterpkgs.discord
# Virtualization
virt-manager
virtmanager
# (pkgs.lib.hiPrio qemu)
# virtualbox
# vagrant
# docker_compose
# unstablepkgs.kubernetes
# unstablepkgs.minikube
# unstablepkgs.openshift
# (unstablepkgs.minikube.overrideAttrs (oldAttrs: {
# patches = oldAttrs.patches ++ [
# (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; })
# ];
# }))
appimage-run
# Remote Control Tools
remmina
# freerdp
freerdp
teamviewer
rustdesk
# Audio/Video Players
# ffmpeg
ffmpeg
vlc
# v4l-utils
# audacity
# spotify
yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
audacity
spotify
youtube-dl-light
libwebcam
libcamera
snapshot
# Network Tools
openvpn
tcpdump
iftop
iperf
bind
socat
nethogs
# 2019-03-05: broken on 19.03 linssid
iptraf-ng
ipmitool
# Code Editing and Programming
# TODO(remove or use): pkgsUnstable.lapce
# TODO(remve or use): pkgsUnstable.helix
iptables
nftables
wireshark
wireguard-tools
# Code Editors
# unstablepkgs.atom
xclip
xsel
# Image/Graphic/Design Tools
eog
# gimp
# imagemagick
# exiv2
# graphviz
# inkscape
# qrencode
gnome.eog
gimp
imagemagick
exiv2
graphviz
inkscape
# barcode
qrencode
zbar
feh
# digikam
# TODO: remove or move these: Modelling Tools
# Modelling Tools
# plantuml
# umlet
# staruml
@ -182,46 +189,105 @@ in
# astah-community
# Misc Development Tools
# qrcode
# jq
# cdrtools
qrcode
# travis
jq
# prometheus
cdrtools
# Document Processing and Management
nautilus
pcmanfm
# mendeley
evince
xournalpp
# zathura
mendeley
# zotero
pandoc
unstablepkgs.logseq
# has an EOL version of electron
# obsidian
# LaTeX
perlPackages.YAMLTiny
perlPackages.FileHomeDir
perlPackages.UnicodeLineBreak
(texlive.combine {
inherit
(texlive)
scheme-small
texlive-de
texlive-en
texlive-scripts
collection-langgerman
latexindent
latexmk
algorithms
cm-super
preprint
enumitem
draftwatermark
everypage
ulem
placeins
minted
ifplatform
fvextra
xstring
framed
;
})
pdftk
# broken as of 2021-04-24
# masterpdfeditor
# File Synchronzation
maestral
# seafile-client
# grive2
dropbox
rsync
# Filesystem Tools
# ntfs3g
# ddrescue
# ncdu
# hdparm
# binwalk
# gptfdisk
# gparted
# smartmontools
ntfs3g
ddrescue
ncdu
woeusb
unetbootin
pcmanfm
hdparm
testdisk
binwalk
gptfdisk
gparted
smartmontools
## Android
androidenv.androidPkgs_9_0.platform-tools
## Python
# packages'.myPython
myPython
# Code generators
# unstablepkgs.swagger-codegen
# Misc Desktop Tools
# ltunify
# dex
# TODO: this may be required if brightness control isn't working
# brightnessctl
ltunify
# solaar # TODO: conflicts with solar over udev rules
dex
# kitty
busyboxStatic
xorg.xbacklight
coreutils
lsof
xdg-utils
x11_ssh_askpass
xdotool
xdg_utils
xdg-user-dirs
dconf
picocom
glib.dev # contains gdbus tool
alacritty
# wally-cli
unstablepkgs.wally-cli
man-pages
# Screen recording
@ -231,58 +297,11 @@ in
# shutter
# kazam # doesn't start
# xvidcap # doesn't keep the recording rectangle
obs-studio
screenkey
# shotcut
# openshot-qt
# introduces python: screenkey
# avidemux # broken
# handbrake
# snes9x
# snes9x-gtk
# this is a displaymanager!
# libretro.snes9x2010
# retroarchFull
# pkgs.logseq-bin
pkgs.logseq
# (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { })
])
++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop
# unsupported on aarch64-linux
pkgs.androidenv.androidPkgs_9_0.platform-tools
pkgs.teamviewer
pkgs.discord
pkgsUnstable.session-desktop
pkgsUnstable.rustdesk
unstablepkgs.ledger-live-desktop
]);
systemd.user.startServices = true;
services.syncthing.enable = true;
services.udiskie = {
enable = true;
automount = false;
notify = true;
};
# TODO: uncomment this when it's in stable home-manger
# programs.joshuto = {
# enable = true;
# };
# systemd.user.services.maestral = {
# Unit.Description = "Maestral daemon";
# Install.WantedBy = ["default.target"];
# Service = {
# ExecStart = "${pkgs.maestral}/bin/maestral start -f";
# ExecStop = "${pkgs.maestral}/bin/maestral stop";
# Restart = "on-failure";
# Nice = 10;
# };
# };
}

122
nix/home-manager/configuration/graphical-gnome3.nix
View file

@ -1,8 +1,124 @@
{ pkgs, ... }:
{pkgs}: let
zshCurried = import ../programs/zsh.nix {inherit pkgs;};
in
{
home.packages = with pkgs; [
pkgs,
config,
...
}: let
unstablepkgs =
import <channels-nixos-unstable> {config = config.nixpkgs.config;};
in {
imports = [
../profiles/common.nix
../programs/firefox.nix
# ../programs/chromium.nix
# FIXME: fix homeshick when no WAN connection is available
# ../programs/homeshick.nix
../programs/libreoffice.nix
../programs/neovim.nix
../programs/pass.nix
zshCurried
];
nixpkgs.config = {
pidgin = {
openssl = true;
gnutls = true;
};
packageOverrides = pkgs: with pkgs; {};
};
home.sessionVariables = {};
home.packages =
[]
++ (with pkgs; [
# Nix package related tools
patchelf
nix-index
nix-prefetch-scripts
# Version Control Systems
gitless
# Process/System Administration
htop
gnome.gnome-tweaks
xorg.xhost
dmidecode
evtest
# Archive Managers
sshfs-fuse
xarchive
p7zip
zip
unzip
gzip
lzop
# Password Management
gnome.gnome-keyring
gnome.seahorse
];
# Remote Control Tools
remmina
freerdp
# Network Tools
openvpn
tcpdump
iftop
iperf
bind
socat
# samba
iptables
nftables
wireshark
# Code Editors
xclip
xsel
unstablepkgs.vscode
# Image/Graphic/Design Tools
gnome.eog
gimp
inkscape
# Misc Development Tools
qrcode
jq
cdrtools
# Document Processing and Management
zathura
# File Synchronzation
rsync
# Filesystem Tools
ntfs3g
ddrescue
ncdu
unstablepkgs.woeusb
unetbootin
pcmanfm
hdparm
testdisk
python38Packages.binwalk
gptfdisk
## Python
myPython
busyboxStatic
# Virtualization
virtmanager
]);
}

37
nix/home-manager/configuration/graphical-removable.nix
View file

@ -1,5 +1,14 @@
{ pkgs, ... }:
{pkgs}: let
zshCurried = import ../programs/zsh.nix {inherit pkgs;};
in
{
pkgs,
config,
...
}: let
unstablepkgs =
import <channels-nixos-unstable> {config = config.nixpkgs.config;};
in {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix
@ -11,9 +20,23 @@
../programs/libreoffice.nix
../programs/neovim.nix
../programs/pass.nix
zshCurried
];
home.packages = with pkgs; [
nixpkgs.config = {
pidgin = {
openssl = true;
gnutls = true;
};
packageOverrides = pkgs: with pkgs; {};
};
home.sessionVariables = {};
home.packages =
[]
++ (with pkgs; [
# Nix package related tools
patchelf
nix-index
@ -62,6 +85,7 @@
# Code Editors
xclip
xsel
unstablepkgs.vscode
# Image/Graphic/Design Tools
gnome.eog
@ -83,7 +107,7 @@
ntfs3g
ddrescue
ncdu
woeusb
unstablepkgs.woeusb
unetbootin
pcmanfm
hdparm
@ -91,9 +115,12 @@
binwalk
gptfdisk
packages'.myPython
## Python
myPython
busyboxStatic
# Virtualization
virtmanager
];
]);
}

27
nix/home-manager/configuration/text-minimal.nix Normal file
View file

@ -0,0 +1,27 @@
{
pkgs,
extraPackages ? [],
}: let
zshCurried = import ../programs/zsh.nix {inherit pkgs;};
in
{
pkgs,
config,
...
}: let
in {
imports = [
../profiles/common.nix
# ../profiles/nix-channels.nix
../programs/neovim.nix
zshCurried
];
nixpkgs.config = {packageOverrides = pkgs: with pkgs; {};};
home.sessionVariables = {};
home.packages =
extraPackages
++ (with pkgs; [iperf3 inetutils speedtest-cli]);
}

17
nix/home-manager/lib.nix
View file

@ -1,19 +1,14 @@
_: {
mkSimpleTrayService =
{ execStart }:
{
{}: let
in {
mkSimpleTrayService = {execStart}: {
Unit = {
Description = "";
Description = "pasystray applet";
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Install = {WantedBy = ["graphical-session.target"];};
Service = {
ExecStart = execStart;
};
Service = {ExecStart = execStart;};
};
}

83
nix/home-manager/profiles/common.nix
View file

@ -1,67 +1,49 @@
{ pkgs, lib, ... }:
{
home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version?
{pkgs, ...}: let
in {
# TODO: re-enable this with the appropriate version
# programs.home-manager.enable = true;
# programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
# TODO: move this to an OS snippet?
nixpkgs.overlays = builtins.attrValues (import ../../overlays);
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-32.3.3"
"electron"
];
permittedInsecurePackages = [
"electron-32.3.3"
"electron"
];
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"
"aspell-dict-en-science"
];
permittedInsecurePackages = [];
};
nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"];
nix.settings.sandbox = "relaxed";
home.keyboard = {
layout = "us";
variant = "altgr-intl";
options = [
# nodeadkeys doesn't make sense with us layout: see https://man.archlinux.org/man/xkeyboard-config.7 for valid options
# "nodeadkeys"
"nodeadkeys"
# "caps:swapescape"
];
};
xdg.enable = true;
programs.direnv.enable = true;
services.lorri.enable = true;
home.sessionVariables = {
NIXPKGS_ALLOW_UNFREE = "1";
# Don't create .pyc files.
home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1";
PYTHONDONTWRITEBYTECODE = "1";
};
programs.command-not-found.enable = true;
programs.fzf.enable = true;
home.packages = with pkgs; [
coreutils
home.packages =
[]
++ (with pkgs; [
# git helpers
git-crypt
vcsh
htop
iperf3
nethogs
# Authentication
cacert
openssl
@ -70,28 +52,7 @@
just
ripgrep
du-dust
]);
elfutils
exfat
file
tree
pwgen
proot
parted
pv
tmux
wget
curl
# git helpers
git-crypt
gitFull
pastebinit
gist
mr
usbutils
pciutils
];
home.stateVersion = "22.05";
}

8
nix/home-manager/profiles/dotfiles.nix
View file

@ -1,4 +1,10 @@
_: {
{
pkgs,
config,
...
}: let
vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
in {
# TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript}

6
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
View file

@ -3,16 +3,14 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}:
let
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
}
''
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

10
nix/home-manager/profiles/experimental-desktop.nix
View file

@ -1,10 +0,0 @@
{ packages', ... }:
{
imports = [ ../profiles/wayland-desktop.nix ];
home.packages = [
# experimental WMs
packages'.jay
packages'.magmawm
];
}

100
nix/home-manager/profiles/gnome-desktop.nix
View file

@ -1,100 +0,0 @@
{ pkgs, ... }:
{
imports = [ ../profiles/wayland-desktop.nix ];
services = {
gnome-keyring.enable = false;
blueman-applet.enable = true;
flameshot.enable = true;
pasystray.enable = true;
};
# TODO: remove this comment once i'm sure everything works
# xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
# [Desktop Entry]
# Type=Application
# Hidden=true
# '';
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
dconf.settings =
let
manualKeybindings = [
{
binding = "Print";
command = "flameshot gui";
name = "flameshot";
}
{
binding = "<Super>t";
command = "alacritty";
name = "alacritty";
}
];
numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
);
workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9]
mapToNumber =
i:
if i < 10 then
i
else if i == 10 then
0
else
throw "i exceeds 10: ${i}";
in
{
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = customKeybindingsNames;
screenreader = "@as []";
screensaver = [ "<Alt><Super>l" ];
};
# disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs (
(builtins.genList (i: {
name = "switch-to-application-${toString (i + 1)}";
value = [ ];
}) numWorkspaces)
++ [
{
name = "toggle-overview";
value = [ ];
}
]
);
# remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
builtins.genList (i: {
name = "switch-to-workspace-${toString (i + 1)}";
value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
}) numWorkspaces
);
}
// builtins.listToAttrs (
builtins.genList (i: {
name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i;
}) (builtins.length manualKeybindings)
)
// builtins.listToAttrs (
builtins.genList (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}";
};
}) numWorkspaces
);
}

12
nix/home-manager/profiles/nix-channels.nix
View file

@ -1,9 +1,14 @@
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -ex
if test -f $HOME/.nix-channels; then
echo Uninstalling available channels...
@ -17,6 +22,7 @@
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''};
''
};
'';
}

112
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -1,14 +1,12 @@
{ pkgs, ... }:
let
{pkgs, ...}: let
passwords = import ../../variables/passwords.crypt.nix;
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" ''
export PATH=${
with pkgs;
lib.makeBinPath [
pulseaudio
findutils
gnugrep
]
lib.makeBinPath [pulseaudio findutils gnugrep]
}:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -251,8 +249,14 @@ let
def print_new_window(window):
print("new window: ", window)
'';
in
{
in {
systemd.user = {
startServices = true;
services = {};
};
# systemd.user.sockets.gpg-agent.Socket.Accept = true;
services = {
gnome-keyring.enable = true;
blueman-applet.enable = true;
@ -262,9 +266,93 @@ in
lockCmd = "${screenLockCommand}";
};
network-manager-applet.enable = true;
syncthing.enable = true;
gpg-agent = {
enable = true;
enableScDaemon = true;
enableSshSupport = true;
grabKeyboardAndMouse = true;
pinentryFlavor = "gtk2";
extraConfig = "";
defaultCacheTtl = 0;
maxCacheTtl = 0;
};
flameshot.enable = true;
pasystray.enable = true;
cbatticon.enable = true;
redshift = {
enable = true;
inherit (passwords.location.stefan) longitude latitude;
temperature = {
day = 6700;
night = 3700;
};
tray = true;
settings = {
redshift = {
brightness-day = 1.0;
brightness-night = 0.8;
adjustment-method = "randr";
};
};
};
espanso = {
enable = true;
settings = {
matches = let
playerctl = ''
${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in [
{
trigger = ":vpos";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [
(pkgs.writeScript "espanso" ''
#! ${pkgs.python3}/bin/python
import subprocess, os, math, datetime
id=str(os.getuid())
result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
result.check_returncode()
position_secs = math.trunc(float(result.stdout))
position_human = datetime.timedelta(seconds=position_secs)
print("%s - %s" % (position_human, position_secs))
'')
];
};
}
];
}
{
trigger = ":vtit";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
};
}
];
}
{
trigger = ":dunno";
replace = "¯\\_()_/¯";
}
];
};
};
};
home.pointerCursor = {
@ -276,7 +364,7 @@ in
};
xsession = {
enable = false;
enable = true;
windowManager.command = "${pkgs.qtile}/bin/qtile start -c ${qtileConfig}";
initExtra = "${initScreen}";
};
@ -285,9 +373,11 @@ in
# X Tools/Libraries
lightdm
networkmanagerapplet
autorandr
arandr
gnome-icon-theme
gnome.gnome-themes-extra
adwaita-icon-theme
gnome.adwaita-icon-theme
lxappearance
xorg.xcursorthemes
pavucontrol

254
nix/home-manager/profiles/sway-desktop.nix
View file

@ -1,254 +0,0 @@
/*
TODO: create helper scripts for sharing of a screen portion
```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it
*/
{
pkgs,
config,
lib,
# packages',
...
}:
let
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in
{
imports = [
../profiles/wayland-desktop.nix
../programs/waybar.nix
];
services.dunst = {
enable = true;
};
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
home.packages = [
pkgs.swayidle
pkgs.swaylock
## themes
pkgs.adwaita-icon-theme
pkgs.hicolor-icon-theme
pkgs.gnome-icon-theme
## fonts
# pkgs.nerd-fonts # TODO: reinstall selected ones
pkgs.dejavu_fonts # just a basic good fond
pkgs.font-awesome_5 # needed by i3status-rust
pkgs.font-awesome
pkgs.roboto
pkgs.ttf_bitstream_vera
pkgs.noto-fonts
pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-cjk-serif
pkgs.noto-fonts-emoji
pkgs.noto-fonts-emoji-blob-bin
pkgs.noto-fonts-extra
pkgs.noto-fonts-lgc-plus
pkgs.liberation_ttf
pkgs.fira-code
pkgs.fira-code-symbols
pkgs.mplus-outline-fonts.githubRelease
pkgs.dina-font
pkgs.monoid
pkgs.hermit
### found on colemickens' repo
pkgs.gelasio # metric-compatible with Georgia
pkgs.powerline-symbols
pkgs.iosevka-comfy.comfy-fixed
## experimental stuff
pkgs.fuzzel
];
# TODO: configure kanshi to always set the 5K resolution
# DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
# Make: Philips Consumer Electronics Company
# Model: PHL 499P9
# Serial: AU02419010010
# Physical size: 1190x340 mm
# Enabled: yes
# Modes:
# 3840x1080 px, 59.967999 Hz (preferred)
# 5120x1440 px, 59.977001 Hz (current)
wayland.windowManager.sway = {
enable = true;
systemd.enable = true;
xwayland = false;
config =
let
modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config)
left
right
up
down
;
in
{
inherit modifier;
bars = [ ];
input = {
"type:keyboard" =
{
xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant;
}
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
"type:touchpad" = {
natural_scroll = "enabled";
};
# alternatively run this command
# swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
# and then switch to a different VT (alt+ctrl+f2) and back
"1386:914:Wacom_Intuos_Pro_S_Pen" = {
tool_mode = "* relative";
};
};
keybindings = lib.mkOptionDefault {
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
# disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
"${modifier}+b" = "nop";
"${modifier}+v" = "nop";
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place.
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
"${modifier}+Ctrl+l" = "exec ${lockCmd}";
"--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
};
terminal = "alacritty";
startup =
[
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
''
);
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
''
);
}
];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
window.titlebar = false;
window.border = 4;
# this maps to focus_on_window_activation
focus.newWindow = "urgent";
};
};
services.swayidle = {
enable = true;
timeouts = [
{
timeout = 10;
command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi";
resumeCommand = displayOnCmd;
}
{
timeout = 60 * 5;
command = lockCmd;
}
{
timeout = 60 * 6;
command = displayOffCmd;
resumeCommand = displayOnCmd;
}
];
events = [
{
event = "before-sleep";
command = builtins.concatStringsSep "; " [
lockCmd
"${pkgs.playerctl}/bin/playerctl pause"
];
}
{
event = "after-resume";
command = displayOnCmd;
}
{
event = "lock";
command = lockCmd;
}
];
};
}

87
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -1,87 +0,0 @@
{
pkgs,
lib,
repoFlake,
...
}:
let
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
in
{
fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null;
# services.gpg-agent.extraConfig = ''
# pinentry-program "${wayprompt}/bin/pinentry-wayprompt"
# '';
services = {
blueman-applet.enable = true;
network-manager-applet.enable = true;
};
systemd.user.targets.tray = {
Unit = {
Description = "Home Manager System Tray";
Requires = [ "graphical-session-pre.target" ];
};
};
home.packages =
with pkgs;
[
# required by network-manager-applet
networkmanagerapplet
wlr-randr
wayout
wl-clipboard
wmctrl
nixpkgs-wayland'.shotman
# identifies key input syms
wev
# TODO: whwat's this for?
# wltype
qt5.qtwayland
qt6.qtwayland
# libsForQt5.qt5.qtwayland
# libsForQt6.qt6.qtwayland
# audio
playerctl
helvum
pasystray
sonusmix
pwvucontrol
# probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr
# grim
waypipe
]
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64
[ ]
);
home.sessionVariables = {
XDG_SESSION_TYPE = "wayland";
NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1";
WLR_NO_HARDWARE_CURSORS = "1";
};
home.pointerCursor = {
name = "Vanilla-DMZ";
package = pkgs.vanilla-dmz;
size = 32;
x11.enable = true;
gtk.enable = true;
};
}

85
nix/home-manager/programs/chromium.nix
View file

@ -1,81 +1,14 @@
{
name,
lib,
pkgs,
...
}:
let
extensions =
[
#undetectable adblocker
{ id = "gcfcpohokifjldeandkfjoboemihipmb"; }
{...}: {
programs.chromium = {enable = true;};
# ublock origin
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
programs.brave = {enable = true;};
# # YT ad block
# {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
# # Adblock Plus
# {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
# Cookie Notice Blocker
{ id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
# i don't care about cookies
{ id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
# NopeCHA
{ id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
# h264ify
{ id = "aleakchihdccplidncghkekgioiakgal"; }
# clippy
# {id = "honbeilkanbghjimjoniipnnehlmhggk"}
{
id = "dcpihecpambacapedldabdbpakmachpb";
updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml";
}
# cookie autodelete
{ id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
# unhook
{ id = "khncfooichmfjbepaaaebmommgaepoid"; }
]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs
{ id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet
{ id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet
{ id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C
{ id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
# TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
# always right
{ id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
# shazam music
{ id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]);
in
{
programs.chromium = {
enable = true;
inherit extensions;
# TODO: extensions currently don't work with ungoogled-chromium
package = pkgs.chromium;
nixpkgs.config = {
chromium = {
# 2019-03-05: missing on 19.03 enablePepperPDF = true;
# 2021-03-16: missing enablePepperFlash = false;
};
};
programs.brave = {
# TODO: enable this on aarch64-linux
enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions;
};
programs.browserpass = {browsers = ["chromium" "brave"];};
}

22
nix/home-manager/programs/emacs.nix Normal file
View file

@ -0,0 +1,22 @@
{pkgs, ...}: {
programs.emacs = {
enable = true;
extraPackages = epkgs:
(with epkgs; [
nix-mode
magit # ; Integrate git <C-x g>
zerodark-theme # ; Nicolas' theme
undo-tree # ; <C-x u> to show the undo tree
# zoom-frm # ; increase/decrease font size for all buffers %lt;C-x C-+>
])
++ (with epkgs.melpaPackages; [evil])
++ (with epkgs.elpaPackages; [
auctex # ; LaTeX mode
beacon # ; highlight my cursor when scrolling
nameless # ; hide current package name everywhere in elisp code
])
++ (with pkgs; [
pkgs.notmuch # From main packages set
]);
};
}

82
nix/home-manager/programs/espanso.nix
View file

@ -1,82 +0,0 @@
{ pkgs, ... }:
{
services.espanso = {
package = pkgs.espanso-wayland;
# package = pkgs.espanso-wayland.overrideAttrs (_: {
# src = repoFlake.inputs.espanso;
# cargoLock = {
# # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock";
# lockFile = repoFlake.inputs.espanso + "/Cargo.lock";
# outputHashes = {
# "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU=";
# };
# };
# });
enable = false;
configs = {
default = {
# backend = "Inject";
# backend = "Clipboard";
};
};
matches =
let
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in
{
default = {
matches = [
{
trigger = ":vpos";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [
(pkgs.writeScript "espanso" ''
#! ${pkgs.python3}/bin/python
import subprocess, os, math, datetime
id=str(os.getuid())
result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
result.check_returncode()
position_secs = math.trunc(float(result.stdout))
position_human = datetime.timedelta(seconds=position_secs)
print("%s - %s" % (position_human, position_secs))
'')
];
};
}
];
}
{
trigger = ":vtit";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
};
}
];
}
{
trigger = ":dunno";
replace = "¯\\_()_/¯";
}
{
trigger = ":shrug";
replace = "¯\\_()_/¯";
}
];
};
};
};
}

417
nix/home-manager/programs/firefox.nix
View file

@ -1,417 +1,10 @@
{
repoFlake,
pkgs,
config,
lib,
...
}:
let
# Search extension names with below command:
# nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
{pkgs, ...}: {
programs.firefox = {enable = true;};
# bypass-paywalls-clean (can't use, was creating popups)
consent-o-matic
terms-of-service-didnt-read
auto-tab-discard
# redirector # For nixos wiki
# darkreader
facebook-container
control-panel-for-twitter
# containerise
facebook-tracking-removal
vimium
cookie-autodelete
auto-tab-discard
istilldontcareaboutcookies
youtube-recommended-videos
display-_anchors
];
customAddons = [
];
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
};
mkProfile =
override:
lib.recursiveUpdate {
extensions = ryceeAddons ++ customAddons;
inherit search;
settings = {
# automatically enable extensions
"extensions.autoDisableScopes" = 0;
"middlemouse.paste" = false;
"browser.download.useDownloadDir" = false;
"browser.tabs.insertAfterCurrent" = true;
"browser.tabs.warnOnClose" = true;
"browser.toolbars.bookmarks.visibility" = "never";
"browser.quitShortcut.disabled" = false;
# restore the previous session automatically
"browser.startup.page" = 3;
"browser.sessionstore.resume_from_crash" = true;
"browser.sessionstore.restore_pinned_tabs_on_demand" = true;
"browser.sessionstore.restore_on_demand" = true;
"browser.urlbar.suggest.bookmark" = true;
"browser.urlbar.suggest.engines" = true;
"browser.urlbar.suggest.history" = true;
"browser.urlbar.suggest.openpage" = true;
"browser.urlbar.suggest.topsites" = false;
"browser.urlbar.trimHttps" = true;
"sidebar.position_start" = false;
"findbar.highlightAll" = true;
"browser.tabs.hoverPreview.enabled" = true;
# Disable fx accounts
"identity.fxaccounts.enabled" = false;
# Disable "save password" prompt
"signon.rememberSignons" = false;
# Harden
"privacy.trackingprotection.enabled" = true;
"dom.security.https_only_mode" = true;
# Disable irritating first-run stuff
"browser.disableResetPrompt" = true;
"browser.download.panel.shown" = true;
"browser.feeds.showFirstRunUI" = false;
"browser.messaging-system.whatsNewPanel.enabled" = false;
"browser.rights.3.shown" = true;
"browser.shell.checkDefaultBrowser" = false;
"browser.shell.defaultBrowserCheckCount" = 1;
"browser.startup.homepage_override.mstone" = "ignore";
"browser.uitour.enabled" = false;
"startup.homepage_override_url" = "";
"trailhead.firstrun.didSeeAboutWelcome" = true;
"browser.bookmarks.restore_default_bookmarks" = false;
"browser.bookmarks.addedImportButton" = true;
# Disable "Save to Pocket" or Pocket entirely
"extensions.pocket.enabled" = false;
# Disable telemetry
"toolkit.telemetry.enabled" = false;
"toolkit.telemetry.unified" = false;
"toolkit.telemetry.archive.enabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"app.shield.optoutstudies.enabled" = false;
"browser.discovery.enabled" = false;
"browser.newtabpage.activity-stream.feeds.telemetry" = false;
"browser.newtabpage.activity-stream.telemetry" = false;
"browser.ping-centre.telemetry" = false;
"datareporting.healthreport.service.enabled" = false;
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.sessions.current.clean" = true;
"devtools.onboarding.telemetry.logged" = false;
"toolkit.telemetry.bhrPing.enabled" = false;
"toolkit.telemetry.firstShutdownPing.enabled" = false;
"toolkit.telemetry.hybridContent.enabled" = false;
"toolkit.telemetry.newProfilePing.enabled" = false;
"toolkit.telemetry.prompted" = 2;
"toolkit.telemetry.rejected" = true;
"toolkit.telemetry.reportingpolicy.firstRun" = false;
"toolkit.telemetry.server" = "";
"toolkit.telemetry.shutdownPingSender.enabled" = false;
"toolkit.telemetry.unifiedIsOptIn" = false;
"toolkit.telemetry.updatePing.enabled" = false;
# Disable any feeds on the new tab page
"browser.newtabpage.activity-stream.showTopSites" = false;
"browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
"browser.newtabpage.activity-stream.discoverystream.enabled" = false;
"browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
"browser.newtabpage.blocked" = lib.genAttrs [
# Youtube
"26UbzFJ7qT9/4DhodHKA1Q=="
# Facebook
"4gPpjkxgZzXPVtuEoAL9Ig=="
# Wikipedia
"eV8/WsSLxHadrTL1gAxhug=="
# Reddit
"gLv0ja2RYVgxKdp0I5qwvA=="
# Amazon
"K00ILysCaEq8+bEqV/3nuw=="
# Twitter
"T9nJot5PurhJSy8n038xGA=="
] (_: 1);
"browser.topsites.blockedSponsors" = [
"adidas"
"temuaffiliateprogram.pxf"
"s.click.aliexpress"
];
# enable userChrome
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"devtools.chrome.enabled" = true;
"devtools.debugger.remote-enabled" = true;
# disable translations for some languages
"browser.translations.neverTranslateLanguages" = [
"en"
"de"
];
"browser.translations.automaticallyPopup" = false;
# enable pipewire (and libcamera) sources
"media.webrtc.camera.allow-pipewire" = true;
};
userChrome =
let
name = override.color or colors.grey;
value = colorValues."${name}".normal;
valueBright = colorValues."${name}".highlight;
valueDark = colorValues."${name}".inactive;
in
''
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
#nav-bar {
background-color: ${value} !important;
color: black !important;
}
/* don't show close button on background tabs */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
display: none !important;
}
/* show close button on hover */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
display: -moz-inline-box !important;
}
/* default */
#TabsToolbar {
background: ${valueDark} !important;
}
/* default tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
background: ${value} !important;
opacity: 0.8
}
/* selected tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
background: ${valueBright} !important;
box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
}
/* hovered tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
background: ${valueBright} !important;
}
/* unloaded/pending tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
background: ${valueDark} !important;
}
'';
# /* new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
# background: unset !important;
# }
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
# /* background: var(--default_tabs_bg_newtab) !important;
# }
# /* hovered new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
# background: var(--default_tabs_bg_newtab_hovered) !important;
# }
} (builtins.removeAttrs override [ "color" ]);
# TODO: insert the id automatically
mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
colors = builtins.mapAttrs (name: _: name) colorValues;
colorValues = {
blue = {
normal = "#49b1fc";
highlight = "#05a9fc"; # Brighter blue
inactive = "#1f81c6"; # Darker blue
};
green = {
normal = "#51cd00";
highlight = "#5ae200"; # Brighter green
inactive = "#45ad00"; # Darker green
};
orange = {
normal = "#ff9800";
highlight = "#ffb74d"; # Brighter orange
inactive = "#c76a00"; # Darker orange
};
red = {
normal = "#f6685e";
highlight = "#ff4336"; # Brighter red
inactive = "#aa463f"; # Darker red
};
yellow = {
normal = "#fced4b";
highlight = "#fce705"; # Brighter yellow
inactive = "#dbbe00"; # Darker yellow
};
purple = {
normal = "#9c27b0";
highlight = "#ab47bc"; # Brighter purple
inactive = "#7b1fa2"; # Darker purple
};
pink = {
normal = "#e91e63";
highlight = "#ff6090"; # Brighter pink
inactive = "#c2185b"; # Darker pink
};
brown = {
normal = "#795548";
highlight = "#a88b6f"; # Brighter brown
inactive = "#4e3b30"; # Darker brown
};
grey = {
normal = "#9e9e9e";
highlight = "#bdbdbd"; # Brighter grey
inactive = "#757575"; # Darker grey
};
teal = {
normal = "#009688";
highlight = "#26c6da"; # Brighter teal
inactive = "#00796b"; # Darker teal
};
};
in
{
nixpkgs.overlays = [
repoFlake.inputs.nur.overlays.default
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"youtube-recommended-videos"
];
programs.librewolf = {
enable = false;
};
programs.firefox = {
programs.browserpass = {
enable = true;
package = pkgs.firefox-esr;
profiles = mkProfiles {
"personal" = mkProfile {
id = 0;
isDefault = true;
color = colors.blue;
};
"comms" = mkProfile {
id = 1;
color = colors.blue;
};
"admin" = mkProfile {
id = 2;
color = colors.blue;
};
"infra" = mkProfile {
id = 3;
color = colors.blue;
};
"finance" = mkProfile {
id = 4;
color = colors.yellow;
};
"business-admin" = mkProfile {
id = 5;
color = colors.teal;
};
"business-comms" = mkProfile {
id = 6;
color = colors.teal;
};
"business-dev" = mkProfile {
id = 7;
color = colors.teal;
};
"holo-dev" = mkProfile {
id = 8;
color = colors.green;
};
"holo-infra" = mkProfile {
id = 9;
color = colors.green;
};
"holo-comms" = mkProfile {
id = 10;
color = colors.green;
};
"justyna" = mkProfile {
id = 11;
color = colors.pink;
};
"justyna-office" = mkProfile {
id = 12;
color = colors.pink;
};
browsers = ["firefox"];
};
};
# create one desktop entry for each profile
xdg.desktopEntries = lib.mapAttrs' (
k: _v:
lib.nameValuePair "firefox-profile-${k}" {
categories = [
"Network"
"WebBrowser"
];
exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
genericName = "Web Browser";
icon =
builtins.replaceStrings [ ".desktop" ] [ "" ]
config.programs.firefox.package.desktopItem.name;
mimeType = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
name = "Firefox: ${k}";
startupNotify = true;
settings.StartupWMClass =
# To group windows of different profiles.
# Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
#if profile.name == "default"
#then "firefox"
#else "firefox-${profile.name}";
"firefox";
terminal = false;
type = "Application";
}
) config.programs.firefox.profiles;
home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
}

19
nix/home-manager/programs/gpg-agent.nix
View file

@ -1,19 +0,0 @@
{ lib, pkgs, osConfig, ... }:
{
home.packages = [ pkgs.gcr ];
programs.gpg.enable = true;
services.gpg-agent = {
enable = true;
enableScDaemon = !osConfig.services.pcscd.enable;
enableSshSupport = true;
grabKeyboardAndMouse = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2;
extraConfig = ''
no-allow-external-cache
'';
defaultCacheTtl = 0;
maxCacheTtl = 0;
};
}

3
nix/home-manager/programs/holochain-launcher.nix Normal file
View file

@ -0,0 +1,3 @@
{pkgs, ...}: {
home.packages = [pkgs.holochain-launcher];
}

19
nix/home-manager/programs/homeshick.nix
View file

@ -1,9 +1,15 @@
{ pkgs, config, ... }:
{
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables = {HOMESHICK_DIR = "${pkgs.homeshick}";};
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -e
echo home-manager path is ${config.home.path}
echo home is $HOME
@ -14,12 +20,13 @@
# echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''};
''
};
'';
nixpkgs.config = {
packageOverrides =
pkgs: with pkgs; {
packageOverrides = pkgs:
with pkgs; {
homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git";
ref = "master";

12
nix/home-manager/programs/libreoffice.nix
View file

@ -1,8 +1,8 @@
{ pkgs, nodeFlake, ... }:
{pkgs, ...}: {
home.sessionVariables = {
# Workaround for Libreoffice to force gtk3
SAL_USE_VCLPLUGIN = "gtk3";
};
let
pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
in
{
home.packages = [ pkgsStable.libreoffice ];
home.packages = with pkgs; [libreoffice-fresh];
}

269
nix/home-manager/programs/neovim.nix
View file

@ -1,161 +1,126 @@
{ repoFlake, pkgs, ... }:
{
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
{pkgs, ...}: let
in {
home.sessionVariables = {EDITOR = "nvim";};
programs.nixvim = {
programs.neovim = {
enable = true;
defaultEditor = true;
vimdiffAlias = true;
vimAlias = true;
extraPython3Packages = ps: with ps; [];
# extraConfigVim = builtins.readFile ./neovim/vimrc;
extraConfig = builtins.readFile ./neovim/vimrc;
clipboard = {
register = "unnamedplus";
providers.wl-copy.enable = true;
plugins = with pkgs;
[
# yaml-folds
{
plugin = vimUtils.buildVimPlugin {
name = "vim-yaml-folds";
src = fetchFromGitHub {
owner = "pedrohdz";
repo = "vim-yaml-folds";
rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
};
plugins = {
airline = {
enable = true;
settings = {
powerline_fonts = 1;
skip_empty_sections = 1;
theme = "papercolor";
};
};
fugitive.enable = true;
gitblame.enable = true;
lsp = {
enable = true;
};
nix.enable = true;
# TODO: enable in next release
# numbertoggle.enable = true;
# successfor to ctrlp and fzf
telescope.enable = true;
todo-comments.enable = true;
toggleterm.enable = true;
treesitter = {
enable = true;
grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [
bash
json
lua
make
markdown
nix
regex
toml
vim
vimdoc
xml
yaml
];
};
treesitter-context.enable = true;
treesitter-refactor.enable = true;
# This plugin trims trailing whitespace and lines.
trim.enable = true;
};
# plugins = with pkgs;
# [
# # yaml-folds
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-yaml-folds";
# src = fetchFromGitHub {
# owner = "pedrohdz";
# repo = "vim-yaml-folds";
# rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
# sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
# };
# buildInputs = [zip vim];
# };
# }
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-yaml";
# src = fetchFromGitHub {
# owner = "stephpy";
# repo = "vim-yaml";
# rev = "e97e063b16eba4e593d620676a0a15fa98613979";
# sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
# };
# };
# }
# {
# plugin = vimUtils.buildVimPlugin {
# name = "git-blame";
# src = fetchFromGitHub {
# "owner" = "zivyangll";
# "repo" = "git-blame.vim";
# "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
# "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
# };
# };
# }
# ]
# ++ (with pkgs.vimPlugins; [
# delimitMate
# vim-airline
# vim-airline-themes
# ctrlp
# vim-css-color
# rainbow_parentheses
# vim-colorschemes
# vim-colorstepper
# vim-signify
# fugitive
# vim-indent-guides
# UltiSnips
# fzfWrapper
# ncm2
# ncm2-bufword
# ncm2-path
# ncm2-tmux
# ncm2-ultisnips
# nvim-yarp
# LanguageClient-neovim
# Improved-AnsiEsc
# tabular
# # Nix
# vim-addon-nix
# tlib
# vim-addon-vim2nix
# # LaTeX
# vim-latex-live-preview
# vimtex
# # YAML
# vim-yaml
# # markdown
# vim-markdown
# vim-markdown-toc
# # misc syntax support
# vim-bazel
# maktaba
# ]);
buildInputs = [zip vim];
};
}
{
plugin = vimUtils.buildVimPlugin {
name = "vim-yaml";
src = fetchFromGitHub {
owner = "stephpy";
repo = "vim-yaml";
rev = "e97e063b16eba4e593d620676a0a15fa98613979";
sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
};
};
}
# broken 2021-06-08
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-markdown-toc";
# src = fetchFromGitHub {
# owner = "mzlogin";
# repo = "vim-markdown-toc";
# rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638";
# sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz";
# };
# };
# }
# broken 2021-06-08
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-perl";
# src = fetchFromGitHub {
# owner = "vim-perl";
# repo = "vim-perl";
# rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb";
# sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr";
# };
# };
# }
{
plugin = vimUtils.buildVimPlugin {
name = "git-blame";
src = fetchFromGitHub {
"owner" = "zivyangll";
"repo" = "git-blame.vim";
"rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
"sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
};
};
}
]
++ (with pkgs.vimPlugins; [
delimitMate
vim-airline
vim-airline-themes
ctrlp
vim-css-color
rainbow_parentheses
vim-colorschemes
vim-colorstepper
vim-signify
fugitive
vim-indent-guides
UltiSnips
fzfWrapper
ncm2
ncm2-bufword
ncm2-path
ncm2-tmux
ncm2-ultisnips
nvim-yarp
LanguageClient-neovim
Improved-AnsiEsc
tabular
# Nix
vim-addon-nix
tlib
vim-addon-vim2nix
# LaTeX
vim-latex-live-preview
vimtex
# YAML
vim-yaml
# markdown
vim-markdown
vim-markdown-toc
# misc syntax support
vim-bazel
maktaba
]);
};
}

4
nix/home-manager/programs/neovim/vimrc
View file

@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
\ 'dir': '\v[\/]\.(git|hg|svn)$$',
\ 'file': '\v\.(exe|so|dll)$$',
\ }
"let g:ctrlp_max_files=0
"let g:ctrlp_max_depth=1000
let g:ctrlp_max_files=0
let g:ctrlp_max_depth=1000
"let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
"let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'

25
nix/home-manager/programs/obs-studio.nix
View file

@ -1,25 +0,0 @@
{ pkgs, lib, ... }:
{
programs.obs-studio = {
enable = true;
plugins =
builtins.map
(
plugin:
(plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [
{ inherit (attrs) meta; }
{ meta.platforms = [ pkgs.stdenv.system ]; }
];
}))
)
(
with pkgs.obs-studio-plugins;
[
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]
);
};
}

37
nix/home-manager/programs/openvscode-server.nix
View file

@ -1,37 +0,0 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
home.packages = [
pkgs.nil
pkgs.nixd
pkgs.nixfmt-rfc-style
# TODO: automate linking this
# 1. get the commit with: `codium --version`
# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/*
e.g.:
```
(
set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
)
```
*/
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
}))
pkgs.waypipe
];
}

19
nix/home-manager/programs/pass.nix
View file

@ -1,16 +1,11 @@
{ repoFlake, pkgs, ... }:
{
{pkgs, ...}: {
home.sessionVariables = {
# required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
# programs.browserpass.enable = true;
PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
};
home.packages = with pkgs; [
gnupg
programs.browserpass = {enable = true;};
# broken on wayland
# rofi-pass
repoFlake.packages.${pkgs.system}.prs
];
home.packages = with pkgs; [pass qtpass rofi-pass gnupg];
}

144
nix/home-manager/programs/podman.nix Normal file
View file

@ -0,0 +1,144 @@
{pkgs, ...}: let
cniConfigDir = let
loopback = pkgs.writeText "00-loopback.conf" ''
{
"cniVersion": "0.3.0",
"type": "loopback"
}
'';
podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
{
"cniVersion": "0.3.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.88.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
'';
in
pkgs.runCommand "cniConfig" {} ''
set -x
mkdir $out;
ln -s ${loopback} $out/${loopback.name}
ln -s ${podman-bridge} $out/${podman-bridge.name}
'';
containersConf = pkgs.writeText "containers.conf" ''
# containers.conf is the default configuration file for all tools using libpod to
# manage containers
[containers]
# Maximum size of log files (in bytes)
# -1 is unlimited
log_size_max = -1
[engine]
# Default transport method for pulling and pushing for images
image_default_transport = "docker://"
# Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.
conmon_path = [
"${pkgs.conmon}/bin/conmon"
]
# --runtime ${pkgs.crun}/bin/crun \
runtime = "crun"
# Environment variables to pass into conmon
conmon_env_vars = [
]
# CGroup Manager - valid values are "systemd" and "cgroupfs"
cgroup_manager = "systemd"
# Whether to use chroot instead of pivot_root in the runtime
no_pivot_root = false
# Determines whether libpod will reserve ports on the host when they are
# forwarded to containers. When enabled, when ports are forwarded to containers,
# they are held open by conmon as long as the container is running, ensuring that
# they cannot be reused by other programs on the host. However, this can cause
# significant memory usage if a container has many ports forwarded to it.
# Disabling this can save memory.
enable_port_reservation = true
[network]
# Directory containing CNI plugin configuration files
network_config_dir = "${cniConfigDir}"
# Directories where the CNI plugin binaries may be located
cni_plugin_dirs = [
"${pkgs.cni-plugins}/bin"
]
# Default CNI network for libpod.
# If multiple CNI network configs are present, libpod will use the network with
# the name given here for containers unless explicitly overridden.
# The default here is set to the name we set in the
# 87-podman-bridge.conflist included in the repository.
# Not setting this, or setting it to the empty string, will use normal CNI
# precedence rules for selecting between multiple networks.
default_network = "podman"
'';
in {
home.packages = with pkgs; [podman];
home.file.".config/containers/containers.conf".source = containersConf;
home.file.".config/containers/registries.conf".text = ''
[registries.search]
registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org']
[registries.insecure]
registries = []
#blocked (docker only)
[registries.block]
registries = []
'';
home.file.".config/containers/storage.conf".text = ''
[storage]
driver = "btrfs"
'';
home.file.".config/containers/policy.json".text = ''
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
'';
}

70
nix/home-manager/programs/radicale.nix
View file

@ -1,11 +1,11 @@
{
config,
lib,
pkgs,
osConfig,
lib,
...
}:
let
}: let
passwords = import ../../variables/passwords.crypt.nix;
libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync";
version = "2.2.1";
@ -14,10 +14,6 @@ let
inherit pname version;
hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I=";
};
propagatedBuildInputs = [
# pkgs.libxcrypt-legacy
];
};
radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "radicale_storage_decsync";
@ -28,62 +24,36 @@ let
hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg=";
};
buildInputs = [
pkgs.radicale
# pkgs.libxcrypt-legacy
# pkgs.libxcrypt
];
nativeCheckInputs = [
# pkgs.libxcrypt-legacy
# pkgs.libxcrypt
];
propagatedBuildInputs = [
libdecsync
pkgs.python3Packages.setuptools
];
buildInputs = [pkgs.radicale];
propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
};
radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
});
mkRadicaleService =
{ suffix, port }:
let
radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server]
hosts = localhost:${builtins.toString port}
radicale-config = pkgs.writeText "radicale-config" ''
[auth]
type = htpasswd
htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
htpasswd_filename = ${
pkgs.writeText "radicale" ''
radicale:${passwords.users.radicale}
''
}
htpasswd_encryption = bcrypt
[storage]
type = radicale_storage_decsync
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
filesystem_folder = ${config.xdg.dataHome}/radicale
decsync_dir = ${config.xdg.dataHome}/decsync
'';
in
{
systemd.user.services."radicale-${suffix}" = {
Unit.Description = "Radicale with DecSync (${suffix})";
in {
systemd.user.services.radicale = {
Unit.Description = "Radicale with DecSync";
Service = {
ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
Restart = "on-failure";
};
Install.WantedBy = ["default.target"];
};
};
in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
{
suffix = "personal";
port = 5232;
}
{
suffix = "family";
port = 5233;
}
]

28
nix/home-manager/programs/redshift.nix
View file

@ -1,28 +0,0 @@
_:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{
services.gammastep = {
enable = true;
provider = "manual";
enableVerboseLogging = true;
inherit (passwords.location.stefan) longitude latitude;
temperature = {
# day = 6700;
day = 3000;
night = 3000;
};
tray = true;
settings = {
general = {
adjustment-method = "wayland";
};
gammastep = {
# brightness-day = 1.0;
brightness-day = 0.5;
brightness-night = 0.5;
};
};
};
}

31
nix/home-manager/programs/salut.nix
View file

@ -1,31 +0,0 @@
{ pkgs, packages', ... }:
# useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let
inherit (import ../lib.nix { }) mkSimpleTrayService;
in
{
home.packages = [ packages'.salut ];
xdg.configFile."salut/config.ini" = {
enable = true;
text = ''
[notifications]
timeout = 5000
[window]
auto-hide = true
anchor = bottom-right
transition = slidebottom
[mode]
single = true
[style]
preference = dark
'';
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
};
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
}

592
nix/home-manager/programs/vscode/default.nix
View file

@ -1,134 +1,481 @@
{pkgs, ...}: let
packagedExtensions = with pkgs.vscode-extensions; [
# bbenoist.Nix
ms-vscode-remote.remote-ssh
vscodevim.vim
];
marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [
# {
# name = "vim";
# publisher = "vscodevim";
# version = "1.17.1";
# sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
# }
# {
# name = "remote-ssh-edit";
# publisher = "ms-vscode-remote";
# version = "0.56.0";
# sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r";
# }
{
config,
pkgs,
repoFlake,
lib,
...
}:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
name = "Theme-NaturalContrast-With-HC";
publisher = "74th";
version = "1.0.0";
sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm";
}
{
name = "markdown-toc";
publisher = "AlanWalk";
version = "1.5.6";
sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5";
}
{
name = "Paper-tmTheme";
publisher = "DiryoX";
version = "0.4.0";
sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0";
}
{
name = "Monokai-Polished";
publisher = "Mit";
version = "0.3.1";
sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1";
}
{
name = "dot";
publisher = "Stephanvs";
version = "0.0.1";
sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf";
}
{
name = "rust-snippets";
publisher = "ZakCodes";
version = "0.0.1";
sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2";
}
{
name = "better-comments";
publisher = "aaron-bond";
version = "2.1.0";
sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp";
}
{
name = "vscode-icalendar";
publisher = "af4jm";
version = "1.0.1";
sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79";
}
{
name = "hugofy";
publisher = "akmittal";
version = "0.1.1";
sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg";
}
{
name = "asciidoctor-vscode";
publisher = "asciidoctor";
version = "2.8.4";
sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad";
}
{
name = "markdown-preview-github-styles";
publisher = "bierner";
version = "0.1.6";
sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw";
}
{
name = "made-of-code";
publisher = "brian-yu";
version = "0.0.5";
sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965";
}
{
name = "better-toml";
publisher = "bungcip";
version = "0.3.2";
sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3";
}
{
name = "tabulous";
publisher = "bwildeman";
version = "1.2.0";
sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9";
}
{
name = "bracket-pair-colorizer";
publisher = "CoenraadS";
version = "1.0.61";
sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652";
}
{
name = "mustache";
publisher = "dawhite";
version = "1.1.1";
sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y";
}
{
name = "vscode-nomnoml";
publisher = "doctorrustynelson";
version = "0.3.0";
sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43";
}
{
name = "gitlens";
publisher = "eamodio";
version = "11.0.5";
sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88";
}
{
name = "monokai-light";
publisher = "ethansugar";
version = "0.2.1";
sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0";
}
{
name = "Theme-Monokai-Contrast";
publisher = "gerane";
version = "0.0.5";
sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm";
}
{
name = "Theme-snappy-light";
publisher = "gerane";
version = "0.0.5";
sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w";
}
{
name = "vscode-pull-request-github";
publisher = "GitHub";
version = "0.21.3";
sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0";
}
{
name = "go";
publisher = "golang";
version = "0.19.0";
sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98";
}
{
name = "terraform";
publisher = "hashicorp";
version = "2.3.0";
sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq";
}
{
name = "bonsai";
publisher = "hawkeyegold";
version = "1.4.0";
sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89";
}
{
name = "live-html-previewer";
publisher = "hdg";
version = "0.3.0";
sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p";
}
{
name = "yuml";
publisher = "JaimeOlivares";
version = "3.5.1";
sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0";
}
{
name = "latex-workshop";
publisher = "James-Yu";
version = "8.14.0";
sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi";
}
{
name = "plantuml";
publisher = "jebbs";
version = "2.13.16";
sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si";
}
{
name = "tasks-chooser";
publisher = "jeremyfa";
version = "0.3.0";
sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi";
}
{
name = "asciidoctor-vscode";
publisher = "joaompinto";
version = "2.8.0";
sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x";
}
{
name = "contrast-theme";
publisher = "johndugan";
version = "1.1.10";
sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw";
}
{
name = "theme-dark-plus-contrast";
publisher = "k3a";
version = "0.1.101";
sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419";
}
{
name = "vscode-gist";
publisher = "kenhowardpdx";
version = "3.0.3";
sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw";
}
{
name = "quick-open";
publisher = "leizongmin";
version = "1.1.0";
sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp";
}
{
name = "rainbow-csv";
publisher = "mechatroner";
version = "1.7.1";
sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw";
}
{
name = "openapi-lint";
publisher = "mermade";
version = "1.2.0";
sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49";
}
{
name = "swagger-doc-viewer";
publisher = "mimarec";
version = "1.0.4";
sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx";
}
{
name = "vscode-clang";
publisher = "mitaki28";
version = "0.2.3";
sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr";
}
{
name = "prettify-json";
publisher = "mohsen1";
version = "0.0.3";
sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn";
}
{
name = "vscode-docker";
publisher = "ms-azuretools";
version = "1.8.1";
sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8";
}
{
name = "python";
publisher = "ms-python";
version = "2020.11.371526539";
sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3";
}
{
name = "jupyter";
publisher = "ms-toolsai";
version = "2020.11.372831992";
sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658";
}
# fails to download C/C++ tools
# {
# name = "cpptools";
# publisher = "ms-vscode";
# version = "1.1.2";
# sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg";
# }
{
name = "vscode-quick-open-create";
publisher = "nocksock";
version = "0.6.0";
sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j";
}
{
name = "indent-rainbow";
publisher = "oderwat";
version = "7.4.0";
sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p";
}
{
name = "phantypist";
publisher = "paulofallon";
version = "1.0.3";
sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62";
}
{
name = "swaggitor";
publisher = "qnsolutions";
version = "0.1.1";
sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1";
}
{
name = "vscode-yaml";
publisher = "redhat";
version = "0.13.0";
sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig";
}
{
name = "papercolor-vscode";
publisher = "rozbo";
version = "0.4.0";
sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm";
}
{
name = "iferrblocks";
publisher = "rstuven";
version = "1.1.1";
sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw";
}
{
name = "rust";
publisher = "rust-lang";
version = "0.7.8";
sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3";
}
{
name = "bracket-jumper";
publisher = "sashaweiss";
version = "1.1.8";
sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs";
}
{
name = "just";
publisher = "skellock";
version = "2.0.0";
sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl";
}
{
name = "line-endings";
publisher = "steditor";
version = "1.0.3";
sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7";
}
{
name = "code-spell-checker";
publisher = "streetsidesoftware";
version = "1.10.0";
sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
}
{
name = "code-spell-checker-german";
publisher = "streetsidesoftware";
version = "0.1.8";
sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
}
{
name = "code-spell-checker-german";
publisher = "streetsidesoftware";
version = "0.1.8";
sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
}
{
name = "code-spell-checker";
publisher = "streetsidesoftware";
version = "1.10.0";
sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
}
{
name = "vscode-open-in-github";
publisher = "sysoev";
version = "1.14.0";
sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp";
}
{
name = "html-preview-vscode";
publisher = "tht13";
version = "0.2.5";
sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v";
}
{
name = "scrolloff";
publisher = "tickleforce";
version = "0.0.4";
sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq";
}
{
name = "shellcheck";
publisher = "timonwong";
version = "0.12.1";
sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2";
}
{
name = "sort-lines";
publisher = "Tyriar";
version = "1.9.0";
sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl";
}
# slow and currently not needed
# {
# name = "vscode-lldb";
# publisher = "vadimcn";
# version = "1.6.0";
# sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi";
# }
# {
# name = "vim";
# publisher = "vscodevim";
# version = "1.17.1";
# sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
# }
{
name = "prettify-selected-json";
publisher = "vthiery";
version = "1.0.3";
sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb";
}
{
name = "debug";
publisher = "webfreak";
version = "0.25.0";
sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1";
}
{
name = "clang-format";
publisher = "xaver";
version = "1.9.0";
sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b";
}
{
name = "vscode-capnp";
publisher = "xmonader";
version = "1.0.0";
sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc";
}
{
name = "plsql-language";
publisher = "xyz";
version = "1.8.2";
sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr";
}
{
name = "markdown-pdf";
publisher = "yzane";
version = "1.4.4";
sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf";
}
{
name = "vscode-proto3";
publisher = "zxh404";
version = "0.5.2";
sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf";
}
];
in {
programs.vscode = {
enable = true;
package = pkgsVscodium.vscodium;
extensions =
with pkgsVscodium.vscode-extensions;
[
eamodio.gitlens
mkhl.direnv
tomoki1207.pdf
vscodevim.vim
# bbenoist.nix
jnoortheen.nix-ide
ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme
ms-python.vscode-pylance
# TODO: these are not in nixpkgs
# fredwangwang.vscode-hcl-format
# hashicorp.hcl
# mindaro-dev.file-downloader
# ms-vscode.remote-explorer
# TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh
]
++ (
let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in
with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release;
[
serayuzgur.crates
rust-lang.rust-analyzer
swellaby.vscode-rust-test-adapter
tamasfe.even-better-toml
golang.go
jeff-hykin.better-go-syntax
blueglassblock.better-json5
nefrob.vscode-just-syntax
# fabianlauer.vs-code-xml-format
bierner.emojisense
]
)
++ (
let
nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
vscode_version = "${config.programs.vscode.package.version}"
[[extensions]]
publisher_name = "FelixZeller"
extension_name = "markdown-oxide"
[[extensions]]
publisher_name = "ibecker"
extension_name = "treefmt-vscode"
[[extensions]]
publisher_name = "AntiAntiSepticeye"
extension_name = "vscode-color-picker"
# [[extensions]]
# publisher_name = "nefrob"
# extension_name = "vscode-just-syntax"
[[extensions]]
publisher_name = "fabianlauer"
extension_name = "vs-code-xml-format"
'';
nix4vscodeNix =
pkgs.runCommand "nix4vscode.nix"
{
# nix4vscode needs internet access
__noChroot = true;
requiredSystemFeatures = [ "recursive-nix" ];
buildInputs = [
pkgs.nix
pkgs.cacert
(pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
# pkgs.strace
];
# outputHashAlgo = "sha256";
# outputHashMode = "recursive";
# outputHash = lib.fakeSha256;
}
''
# set -x
# export RUST_BACKTRACE=full
# export RUST_LOG=trace
export HOME=$(mktemp -d)
# strace -ffZyyY
nix4vscode ${nix4vscodeToml} > $out
'';
nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
"override"
"overrideDerivation"
];
nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
_: v: builtins.head (builtins.attrValues v)
) nix4vscodeExtensions;
in
nix4vscodeExtensions'
);
mutableExtensionsDir = true;
[] ++ packagedExtensions
# ++ marketPlaceExtensions
;
};
home.packages = [
pkgs.nil
pkgs.nixfmt-rfc-style
];
home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra];
}
# TODO: automate
# rustup install stable
# rustup component add rust-analysis --toolchain stable
# rustup component add rust-src --toolchain stable
# rustup component add rls --toolchain stable
### original list:
# 74th.Theme-NaturalContrast-With-HC
# AlanWalk.markdown-toc
@ -202,3 +549,4 @@ in
# xyz.plsql-language
# yzane.markdown-pdf
# zxh404.vscode-proto3

5
nix/home-manager/programs/waybar.css
View file

@ -1,5 +0,0 @@
#custom-cputemp {
padding: 0 10px;
background-color: #f0932b;
color: #ffffff;
}

86
nix/home-manager/programs/waybar.nix
View file

@ -1,86 +0,0 @@
{ pkgs, repoFlake, ... }:
{
home.packages = [
# required by any bar that has a tray plugin
pkgs.libappindicator-gtk3
pkgs.libdbusmenu-gtk3
];
programs.waybar = {
enable = true;
package =
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
systemd.enable = true;
settings = {
mainBar = {
layer = "top";
position = "bottom";
height = 30;
output =
# hide the bar on HEADDLESS displays as i use them only for screensharing
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
# output = [
# "eDP-1"
# "DP-*"
# ];
modules-left = [
"sway/workspaces"
"sway/mode"
# "wlr/taskbar"
];
"sway/workspaces" = {
disable-scroll = true;
all-outputs = false;
};
modules-center = [
"sway/window"
# "custom/hello-from-waybar"
];
modules-right = [
"tray"
"cpu"
"memory"
"custom/cputemp"
"custom/fan"
"battery"
"pulseaudio"
"clock"
"clock#date"
];
tray.spacing = 10;
cpu.format = " {usage}%";
memory.format = " {}%";
"temperature" = {
hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
format = " {temperatureC} °C";
};
"custom/cputemp" = {
format = " {}";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
interval = 2;
};
"custom/fan" = {
format = " {} rpm ";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
interval = 2;
};
battery.format = "🔋 {}%";
pulseaudio = {
format = "🔉 {volume}%";
# on-click-middle = ''${pkgs.sway}/bin/swaymsg exec "${pkgs.pavucontrol}/bin/pavucontrol"'';
};
clock.format = "{:%H:%M %p}";
"clock#date".format = "{:%a, %d %b '%y}";
};
};
};
}

71
nix/home-manager/programs/zsh.nix
View file

@ -1,12 +1,5 @@
{
config,
lib,
pkgs,
...
}:
let
just-plugin =
let
{pkgs}: {...}: let
just-plugin = let
plugin_file = pkgs.writeText "_just" ''
#compdef just
#autload
@ -37,32 +30,16 @@ let
chmod --recursive a-w $out
'';
};
in
{
in {
programs.zsh = {
enable = true;
profileExtra = ''
. "${config.home.profileDirectory}/etc/profile.d/hm-session-vars.sh"
'';
# will be called again by oh-my-zsh
enableCompletion = false;
enableAutosuggestions = true;
initExtra =
let
initExtra = let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in
''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
if test ! -n "$TMP" -a -z "$TMP"; then
unset TMP
fi
in ''
PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
RPROMPT=""
@ -74,13 +51,12 @@ in
fi
${
if builtins.hasAttr "homeshick" pkgs then
''
if builtins.hasAttr "homeshick" pkgs
then ''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
''
else
""
else ""
}
# Disable intercepting of ctrl-s and ctrl-q as flow control.
@ -89,24 +65,28 @@ in
# don't cd into directories when executed
unsetopt AUTO_CD
export NIX_PATH="${pkgs.nixPath}"
# print lines without termination
setopt PROMPT_CR
setopt PROMPT_SP
export PROMPT_EOL_MARK=""
${lib.optionalString config.services.gpg-agent.enable ''
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
''}
${lib.optionalString config.programs.neovim.enable ''
export EDITOR="nvim"
''}
'';
sessionVariables = {
# Add more envrionment variables here
};
plugins = [
{
# will source zsh-autosuggestions.plugin.zsh
name = "zsh-autosuggestions";
src = pkgs.zsh-autosuggestions;
src = pkgs.fetchFromGitHub {
owner = "zsh-users";
repo = "zsh-autosuggestions";
rev = "v0.6.3";
sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c";
};
}
{
name = "enhancd";
@ -114,8 +94,8 @@ in
src = pkgs.fetchFromGitHub {
owner = "b4b4r07";
repo = "enhancd";
rev = "v2.5.1";
sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI=";
rev = "v2.2.4";
sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp";
};
}
{
@ -134,10 +114,7 @@ in
oh-my-zsh = {
enable = true;
theme = "tjkirch";
plugins = [
"git"
"sudo"
];
plugins = ["git" "sudo"];
};
};
}

8
nix/modules/flake-parts/colmena.nix
View file

@ -1,8 +0,0 @@
{ lib, ... }:
{
options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw;
default = { };
};
}

37
nix/modules/flake-parts/perSystem/default.nix
View file

@ -1,37 +0,0 @@
{ pkgs, ... }:
{
packages = {
myPython = pkgs.python310.withPackages (
ps:
with ps;
[
pep8
yapf
flake8
# autopep8 (broken)
# pylint (broken)
ipython
llfuse
dugong
defusedxml
wheel
pip
virtualenv
cffi
# pyopenssl
urllib3
# mistune (insecure)
sympy
flask
pyaml
requests
]
++ [
pkgs.pypi2nix
pkgs.libffi
]
);
};
}

12
nix/os/cachix.nix
View file

@ -1,12 +0,0 @@
# WARN: this file will get overwritten by $ cachix use <name>
{ lib, ... }:
let
folder = ./cachix;
toImport = name: _value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in
{
inherit imports;
nix.settings.substituters = [ "https://cache.nixos.org/" ];
}

8
nix/os/cachix/nixpkgs-wayland.nix
View file

@ -1,8 +0,0 @@
{
nix = {
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
];
};
}

87
nix/os/containers/backup-target.nix Normal file
View file

@ -0,0 +1,87 @@
{
hostAddress,
localAddress,
containerBackupCfg,
sshPort ? containerBackupCfg.portInt,
autoStart ? false,
}: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = containerBackupCfg.addr;
};
services.openssh.enable = true;
users.extraUsers."${containerBackupCfg.user}" = {
uid = 2000;
group = containerBackupCfg.group;
shell = pkgs.bashInteractive;
home = "/${containerBackupCfg.targetPath}";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp"
];
packages = with pkgs; [btrfs-progs];
isSystemUser = true;
};
security.sudo = {
enable = true;
extraRules = [
{
users = ["bkp"];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/readlink";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/test";
options = ["NOPASSWD"];
}
];
}
];
};
};
inherit autoStart;
bindMounts = {
"/${containerBackupCfg.targetPath}" = {
hostPath = "/var/lib/container-volumes/backup-target";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}

43
nix/os/containers/backup.nix
View file

@ -5,23 +5,16 @@
subvolumes,
targetPathSuffix ? "",
autoStart ? false,
}:
let
}: let
passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes";
in
{
config =
{ pkgs, ... }:
{
in {
config = {pkgs, ...}: {
system.stateVersion = "20.03"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [
btrfs-progs
btrbk
];
environment.systemPackages = with pkgs; [btrfs-progs btrbk];
networking.firewall.enable = true;
@ -29,9 +22,7 @@ in
enable = true;
description = "bkp-sync service";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = {Type = "oneshot";};
after = ["bkp-run.service"];
@ -48,20 +39,13 @@ in
enable = true;
description = "bkp-run";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = {Type = "oneshot";};
partOf = ["bkp-sync.service"];
path = with pkgs; [
btrfs-progs
btrbk
coreutils
];
path = with pkgs; [btrfs-progs btrbk coreutils];
script =
let
script = let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -78,10 +62,10 @@ in
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
'';
in
''
in ''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
@ -92,10 +76,7 @@ in
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = [
"timer.target"
"multi-user.target"
];
wantedBy = ["timer.target" "multi-user.target"];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";

170
nix/os/containers/ipxe.nix Normal file
View file

@ -0,0 +1,170 @@
{
hostAddress,
localAddress,
httpPort ? 80,
httpsPort ? 443,
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = {
config,
pkgs,
lib,
...
}: {
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = "www.stefanjunker.de";
};
security.acme = {
acceptTerms = true;
certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
preliminarySelfsigned = true;
# can be used for debugging
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."www.stefanjunker.de" = {
default = true;
addSSL = true;
listen = [
{
addr = "0.0.0.0";
port = httpPort;
ssl = false;
}
{
addr = "0.0.0.0";
port = httpsPort;
ssl = true;
}
];
root = "/var/www/stefanjunker.de/htdocs";
enableACME = true;
# serverAliases = [
# "www.stefanjunker.de"
# ];
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = {index = "index.php";};
locations."~ ^(.+.php)(.*)$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
fastcgi_index index.php;
'';
locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://127.0.0.1:3000/socket.io/";
proxyWebsockets = true;
};
};
services.phpfpm.pools.mypool = {
user = "nobody";
phpPackage = pkgs.php5;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
};
};
# the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
systemd.services."phpfpm-mypool" = {
serviceConfig = {Type = lib.mkForce "simple";};
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.hedgedoc = {
enable = true;
configuration = {
domain = "www.stefanjunker.de";
urlPath = "hedgedoc";
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/codimd/db.codimd.sqlite";
};
allowAnonymous = false;
allowAnonymousEdits = false;
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
# oauth2 provider config
inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
uploadsPath = "/var/lib/codimd/uploads";
};
};
};
autoStart = true;
bindMounts = {
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
isReadOnly = true;
};
"/var/www" = {
hostPath = "/var/lib/container-volumes/webserver/var-www";
isReadOnly = false;
};
"/var/lib/mysql" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
isReadOnly = false;
};
"/var/lib/codimd" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-codimd";
isReadOnly = false;
};
};
privateNetwork = true;
forwardPorts = [
{
# http
containerPort = 80;
hostPort = httpPort;
protocol = "tcp";
}
{
# https
containerPort = 443;
hostPort = httpsPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}

136
nix/os/containers/mailserver.nix
View file

@ -1,68 +1,24 @@
{
specialArgs,
hostBridge,
hostAddress,
localAddress,
imapsPort ? 993,
sievePort ? 4190,
autoStart ? false,
}:
{
inherit specialArgs;
config =
{
pkgs,
config,
repoFlake,
...
}:
{
system.stateVersion = "22.05"; # Did you read the comment?
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = {pkgs, ...}: {
system.stateVersion = "21.11"; # Did you read the comment?
imports = [
../profiles/containers/configuration.nix
imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
repoFlake.inputs.sops-nix.nixosModules.sops
../profiles/common/user.nix
];
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
imapsPort
sievePort
];
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
# sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_mailStefanjunkerDeHetzner = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
services.ddclientovh = {
enable = true;
domain = "mailserver.svc.stefanjunker.de";
};
# TODO: switch to something other than ddclient as it's no longer maintained
# TODO: switch to a let's encrypt certificate
sops.secrets.dovecotSslServerCert = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
sops.secrets.dovecotSslServerKey = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
services.dovecot2 = {
enable = true;
@ -74,8 +30,8 @@
enablePAM = true;
showPAMFailure = true;
mailLocation = "maildir:~/.maildir";
sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
sslServerCert = "/etc/secrets/server.pem";
sslServerKey = "/etc/secrets/server.key";
#configFile = "/etc/dovecot/dovecot2_manual.conf";
extraConfig = ''
@ -98,7 +54,9 @@
'';
};
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
environment.etc."dovecot/users".text = ''
steveej:${passwords.email.steveej}
'';
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
@ -109,8 +67,7 @@
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script =
let
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
@ -122,50 +79,14 @@
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
password = ${passwords.email.mailStefanjunkerDe}
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
getmail --idle=INBOX --rcfile=${rc}
'';
};
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = mail.your-server.de
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
@ -179,8 +100,7 @@
path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script =
let
script = let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
@ -192,16 +112,15 @@
server = imap.web.de
port = 993
username = schtif
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
password = ${passwords.email.schtifATwebDe}
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in
''
getmail --rcfile=${rc} --idle=INBOX
in ''
getmail --rcfile=${rc}
'';
};
};
@ -209,9 +128,10 @@
inherit autoStart;
bindMounts = {
# FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
isReadOnly = false;
};
"/home" = {
hostPath = "/var/lib/container-volumes/mailserver/home";
@ -219,6 +139,8 @@
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
@ -236,5 +158,5 @@
}
];
inherit hostBridge hostAddress localAddress;
inherit hostAddress localAddress;
}

43
nix/os/containers/mailserver_secrets.yaml
View file

@ -1,43 +0,0 @@
email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str]
email_mailStefanjunkerDeHetzner: ENC[AES256_GCM,data:HvPU/tV2uwutE8q6BzMjkw==,iv:sxERmGojxJhTre2XhslD/B3hesJaP8Cn6TJ7G2WygQw=,tag:JeRI3a2oc/cMJWqyiICgYw==,type:str]
email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str]
dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLAPzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqqrq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str]
dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-17T12:01:21Z"
mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
pgp:
- created_at: "2023-07-02T20:30:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
uGcEfsNiUXPngkNrh/Nvhh9w
=yHDZ
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3

124
nix/os/containers/mycelium/flake.lock generated
View file

@ -1,124 +0,0 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nix-snapshotter",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704152458,
"narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nix-snapshotter": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723875769,
"narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
"type": "github"
},
"original": {
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1728781282,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728867876,
"narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1728897630,
"narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nix-snapshotter": "nix-snapshotter",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

371
nix/os/containers/mycelium/flake.nix
View file

@ -1,371 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-snapshotter = {
url = "github:pdtpartners/nix-snapshotter";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, ... }:
let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { };
modules = [
(
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
nixpkgs.overlays = [
(_final: _previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
# src = /home/steveej/src/others/systemd;
# withAppArmor = false;
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# withArchive = false;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# })
# pkgs.systemdMinimal.override {
# # getting errors with these disabled
# withCoredump = true;
# withCompression = true;
# withLogind = true;
# withSysusers = true;
# withUserDb = true;
# }
# pkgs.systemdMinimal
# pkgs.systemd.override {
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# }
# ;
})
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true;
# boot.tmp.useTmpfs = true;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
services.journald.console = "/dev/console";
services.journald.storage = "none";
# boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false;
system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false;
networking.useDHCP = false;
networking.firewall.enable = false;
# system.build.earlyMountScript =
# lib.mkForce ''
# '';
# system.activationScripts.specialfs =
# lib.mkForce ''
# '';
boot.postBootCommands = ''
ls -lha /run
mkdir -p /run/wrappers
'';
boot.kernelParams = [ "systemd.log_level=debug" ];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce { };
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
systemd.services.testing-credentials = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils ];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
# StateDirectory = "testing-credentials";
# DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts.":80" = {
extraConfig = ''
respond "hello from ${config.networking.hostName}"
'';
};
};
}
)
];
};
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [ ];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [ 9651 ];
udp = [
9650
9651
];
};
inherit (config)
entrypoint
# port
args
# nodePort
;
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
}
];
}
);
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
targetPort = "mycelium-tcp-0";
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
];
};
}
);
in
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image;
start = pkgs.writeShellApplication {
name = "start";
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication {
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
};
}

78
nix/os/containers/syncthing.nix
View file

@ -1,22 +1,20 @@
{
specialArgs,
hostBridge,
hostAddress,
localAddress,
syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027,
smbTcpPort ? 445,
autoStart ? false,
}:
{
inherit specialArgs;
config =
{ ... }:
{
}: {
config = {
config,
pkgs,
...
}: {
system.stateVersion = "20.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# syncthing gui
8384
@ -27,54 +25,6 @@
openDefaultPorts = true;
guiAddress = "0.0.0.0:8384";
};
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
settings = {
global = {
"workgroup" = "DMZ";
"server string" = "syncthing";
"netbios name" = "syncthing";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.23. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"scan-stefan" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
"scan-justyna" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
};
};
# TODO: find out if smbpasswd file is still used and set it here. or find an alternative
# sops.secrets.smbpasswd = {
# };
# environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
};
inherit autoStart;
@ -86,6 +36,8 @@
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
@ -93,22 +45,12 @@
hostPort = syncthingPort;
protocol = "tcp";
}
{
containerPort = 22000;
hostPort = syncthingPort;
protocol = "udp";
}
{
containerPort = 21027;
hostPort = syncthingLocalAnnouncePort;
protocol = "udp";
}
{
containerPort = 445;
hostPort = smbTcpPort;
protocol = "tcp";
}
];
inherit hostBridge hostAddress localAddress;
inherit hostAddress localAddress;
}

511
nix/os/containers/webserver.nix
View file

@ -1,122 +1,113 @@
{
specialArgs,
hostBridge,
hostAddress,
localAddress,
httpPort,
httpsPort,
forgejoSshPort,
httpPort ? 80,
httpsPort ? 443,
autoStart ? false,
}:
let
domain = "www.stefanjunker.de";
in
{
inherit specialArgs;
config =
{
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = {
config,
pkgs,
lib,
repoFlake,
nodeFlake,
system,
...
}:
let
nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
in
{
}: {
system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [
"services/misc/forgejo.nix"
"services/security/kanidm.nix"
];
imports = [../profiles/containers/configuration.nix];
imports = [
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
"${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
networking.firewall.enable = false;
../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = ./webserver_secrets.yaml;
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
forgejoSshPort
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
};
services.caddy = {
services.ddclientovh = {
enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = {
extraConfig = ''
redir /hedgedoc* https://hedgedoc.${domain}
domain = "www.stefanjunker.de";
};
file_server /*/* {
browse
root /var/www/stefanjunker.de/htdocs/caddy
pass_thru
}
# respond "Hi"
# respond (not /*/*) "Hi"
'';
};
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
security.acme = {
acceptTerms = true;
certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
preliminarySelfsigned = true;
# can be used for debugging
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."www.stefanjunker.de" = {
default = true;
addSSL = true;
listen = [
{
addr = "0.0.0.0";
port = httpPort;
ssl = false;
}
{
addr = "0.0.0.0";
port = httpsPort;
ssl = true;
}
];
root = "/var/www/stefanjunker.de/htdocs";
enableACME = true;
# serverAliases = [
# "www.stefanjunker.de"
# ];
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = {index = "index.php";};
locations."~ ^(.+.php)(.*)$".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
fastcgi_index index.php;
'';
locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://127.0.0.1:3000/socket.io/";
proxyWebsockets = true;
};
};
services.phpfpm.pools.mypool = {
user = "nobody";
phpPackage = pkgs.php5;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
};
};
# the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
systemd.services."phpfpm-mypool" = {
serviceConfig = {Type = lib.mkForce "simple";};
};
services.mysql = {
enable = true;
package = pkgs.mariadb_104;
};
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${domain}";
urlPath = "";
configuration = {
domain = "www.stefanjunker.de";
urlPath = "hedgedoc";
protocolUseSSL = true;
db = {
dialect = "sqlite";
@ -128,296 +119,12 @@ in
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
# oauth2 provider config
inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
};
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
services.jitsi-meet = {
enable = false;
hostName = "meet.${domain}";
config = {
prejoinPageEnabled = true;
};
caddy.enable = true;
nginx.enable = false;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default =
let
baseDir = "/var/lib/authelia-default";
in
{
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = { };
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
# port = 465;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
# TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
];
};
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in
{
package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;
enableClient = false;
enableServer = true;
serverSettings = {
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
bindaddress = "127.0.0.1:8444";
# don't expose ldap
# ldapbindaddress = "[::1]:6636";
tls_key = "${dataDir}/tls/tls.key";
tls_chain = "${dataDir}/tls/tls.chain";
online_backup = {
schedule = "00 06 * * *";
};
uploadsPath = "/var/lib/codimd/uploads";
};
};
};
@ -425,9 +132,10 @@ in
inherit autoStart;
bindMounts = {
# FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
isReadOnly = true;
};
"/var/www" = {
hostPath = "/var/lib/container-volumes/webserver/var-www";
@ -443,27 +151,9 @@ in
hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
isReadOnly = false;
};
"/var/lib/authelia-default" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default";
isReadOnly = false;
};
"/var/lib/lldap" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
isReadOnly = false;
};
"/var/lib/forgejo" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
isReadOnly = false;
};
"/var/lib/kanidm" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
@ -479,14 +169,7 @@ in
hostPort = httpsPort;
protocol = "tcp";
}
{
# forgejo ssh
containerPort = forgejoSshPort;
hostPort = forgejoSshPort;
protocol = "tcp";
}
];
inherit hostBridge hostAddress localAddress;
inherit hostAddress localAddress;
}

45
nix/os/containers/webserver_secrets.yaml
View file

@ -1,45 +0,0 @@
hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str]
authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T12:28:51Z"
mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str]
pgp:
- created_at: "2023-07-09T17:51:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
g+ZF+9NNqOTKsBzEnuGsZRnI
=iXfo
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.8.1

3
nix/os/devices/sj-vps-htz0/boot.nix → nix/os/devices/167.233.1.14/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiSupport = lib.mkForce false;
boot.extraModulePackages = [];
}

7
nix/os/devices/justyna-p300/configuration.nix → nix/os/devices/167.233.1.14/configuration.nix
View file

@ -1,14 +1,11 @@
{ ... }:
{
{...}: {
disabledModules = [];
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
../../profiles/graphical-gnome-xorg.nix
./system.nix
./hw.nix
./pkg.nix
./user.nix
./boot.nix
];
}

53
nix/os/devices/167.233.1.14/hw.nix Normal file
View file

@ -0,0 +1,53 @@
{ ... }:
let
stage1Modules = [
"virtio_balloon"
"virtio_scsi"
"virtio_net"
"virtio_pci"
"virtio_ring"
"virtio"
"scsi_mod"
"virtio_blk"
"virtio_ring"
"bochs_drm"
"ata_piix"
"pata_acpi"
"ata_generic"
];
in
{
hardware.opinionatedDisk = {
enable = true;
encrypted = false;
diskId = "virtio-virtio-paeNi8Fof9Oe";
};
# fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/354fb107-2f4a-42ad-80dd-9dddb61bfd02";
# fsType = "ext4";
# };
# fileSystems."/" = {
# device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
# fsType = "btrfs";
# options = [ "subvol=root" ];
# neededForBoot = true;
# };
# fileSystems."/home" = {
# device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
# fsType = "btrfs";
# options = [ "subvol=home" ];
# neededForBoot = true;
# };
# swapDevices = [{ device = "/dev/disk/by-uuid/d16b5f4a-f38c-41c6-8aae-1625be815f9d"; }];
# boot.loader.grub = { device = "/dev/vda"; };
boot.initrd.availableKernelModules = stage1Modules;
boot.initrd.kernelModules = stage1Modules;
boot.extraModprobeConfig = "";
}

33
nix/os/devices/167.233.1.14/pkg.nix Normal file
View file

@ -0,0 +1,33 @@
{ config
, pkgs
, lib
, ...
}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
}).nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
extraPackages = [
# required by vscode's remote-ssh plugin
pkgs.nodejs
# allow clipboard exchanges
pkgs.xsel
pkgs.xclip
];
};
nix.buildMachines = [
# {
# hostName = "localhost";
# system = "x86_64-linux";
# supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
# maxJobs = 4;
# }
];
}

75
nix/os/devices/167.233.1.14/system.nix Normal file
View file

@ -0,0 +1,75 @@
{ pkgs
, lib
, config
, ...
}:
let
keys = import ../../../variables/keys.nix;
in
{
# TASK: new device
networking.hostName = "sj-pvehtz0"; # Define your hostname.
# networking.domain = "";
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
5201
];
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.interfaces.eth0 = {
mtu = 1400;
useDHCP = false;
ipv4.addresses = [
{
"address" = "167.233.1.14";
"prefixLength" = 29;
}
];
ipv6.addresses = [ ];
};
networking.defaultGateway = {
address = "167.233.1.9";
interface = "eth0";
};
networking.defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
networking.nameservers = [ "1.1.1.1" ];
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "eth0";
};
# Kubernetes
# services.kubernetes.roles = ["master" "node"];
# virtualization
virtualisation = { docker.enable = true; };
services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true;
nix.gc = { automatic = true; };
networking.useHostResolvConf = true;
services.openssh.forwardX11 = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

26
nix/os/devices/167.233.1.14/versions.nix Normal file
View file

@ -0,0 +1,26 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = "e34c5379866833f41e2a36f309912fa675d687c7";
};
in
{
inherit nixpkgs;
"channels-nixos-stable" = nixpkgs;
"channels-nixos-22.11" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = "";
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "fb881b80f64d1b672135533a8c2fbc86e6ed8898";
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-21.05";
rev = "7329ffc6e911106494183557fc249180d5422929";
};
}

62
nix/os/devices/167.233.1.14/versions.tmpl.nix Normal file
View file

@ -0,0 +1,62 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in
{
inherit nixpkgs;
"channels-nixos-stable" = nixpkgs;
"channels-nixos-22.11" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.05 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-20.09" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-20.09";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-20.03" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-20.03";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-19.09" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-19.09";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
' -%>'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-21.05";
rev = ''
<% git ls-remote https://github.com/nix-community/home-manager.git release-21.05 | awk '{ print $1 }' | tr -d '
' -%>'';
};
}

32
nix/os/devices/default.nix
View file

@ -1,20 +1,15 @@
{
dir,
pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix { inherit (pkgs) lib; },
ownLib ? import ../lib/default.nix {},
gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning?
moreargs ? "",
rebuildarg ? "",
...
}@args:
let
rebuildargsSudo = [
"switch"
"boot"
];
rebuild =
{
} @ args: let
rebuildargsSudo = ["switch" "boot"];
rebuild = {
gitRoot,
rebuildarg ? "dry-activate",
moreargs ? "",
@ -35,18 +30,18 @@ let
${
if
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
then
"sudo -E \\"
else
""
(builtins.elem rebuildarg rebuildargsSudo)
&& (builtins.match ".*--target-host.*" moreargs) == null
then "sudo -E \\"
else ""
}
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
'';
in
in {
recipes =
{
recipes = {
rebuild = rebuild {
rebuild =
rebuild {
inherit gitRoot;
inherit moreargs;
inherit rebuildarg;
@ -54,5 +49,6 @@ in
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
}
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
}

53
nix/os/devices/disk.nix
View file

@ -3,29 +3,40 @@
ownLib,
dir,
gitRoot,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "",
...
}:
let
}: let
mntRootVol = "/mnt/${diskId}-root";
in
rec {
in rec {
diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''}
sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt
sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
'';
@ -62,7 +73,9 @@ rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted ''
# Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''}
# LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
''}
${
pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
sync
sleep 1
if sudo vgs ${previousDiskId}; then

5
nix/os/devices/elias-e525/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
boot.loader.grub.efiSupport = lib.mkForce false;
{lib, ...}: {
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

5
nix/os/devices/elias-e525/configuration.nix
View file

@ -1,15 +1,12 @@
{ ... }:
{
{...}: {
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
../../profiles/graphical-gnome-xorg.nix
../../modules/opinionatedDisk.nix
./system.nix
./hw.nix
./pkg.nix
./user.nix
./boot.nix
];
}

29
nix/os/devices/elias-e525/default.nix
View file

@ -1,29 +0,0 @@
{
nodeName,
repoFlake,
nodeFlake,
...
}:
let
system = "x86_64-linux";
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = "elias-e525.lan";
deployment.replaceUnknownProfiles = false;
# deployment.allowLocalDeployment = true;
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}

49
nix/os/devices/elias-e525/flake.lock generated
View file

@ -1,49 +0,0 @@
{
"nodes": {
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113038,
"narHash": "sha256-oxkyzjpD+mNT7arzU/zHrkNHLuY9tKwmnD2MNaZiSDw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0c2353d5d930c3d93724df6858aef064a31b3c00",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703068421,
"narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

10
nix/os/devices/elias-e525/flake.nix
View file

@ -1,10 +0,0 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs";
};
outputs = _: { };
}

2
nix/os/devices/elias-e525/hw.nix
View file

@ -1,4 +1,4 @@
_: {
{...}: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

44
nix/os/devices/elias-e525/pkg.nix
View file

@ -1,28 +1,43 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
homeEnv = keyboard: {
imports = [
../../../home-manager/profiles/common.nix
../../../home-manager/configuration/graphical-gnome3.nix
../../../home-manager/programs/firefox.nix
../../../home-manager/programs/libreoffice.nix
../../../home-manager/programs/neovim.nix
(import ../../../home-manager/configuration/graphical-gnome3.nix {
inherit pkgs;
})
];
home.keyboard = keyboard;
home.packages = with pkgs; [
rhythmbox
lollypop
dia
rustdesk
kotatogram-desktop
jitsi
];
};
in
{
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
in {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
};
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
games.enable = true;
gnome-remote-desktop.enable = true;
gnome-user-share.enable = true;
rygel.enable = true;
sushi.enable = true;
tracker.enable = true;
tracker-miners.enable = true;
};
home-manager.users.steveej = homeEnv {
@ -43,5 +58,6 @@ in
variant = "";
};
services.teamviewer.enable = true;
system.stateVersion = "21.11";
}

16
nix/os/devices/elias-e525/system.nix
View file

@ -1,5 +1,10 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device
networking.hostName = "elias-e525"; # Define your hostname.
@ -12,6 +17,11 @@
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
services.printing = {
enable = true;
drivers = with pkgs; [mfcl3770cdw.driver mfcl3770cdw.cupswrapper];
};
services.fprintd.enable = true;
security.pam.services = {
login.fprintAuth = true;
@ -38,8 +48,4 @@
services.xserver.videoDrivers = ["modesetting"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {
automatic = true;
};
}

29
nix/os/devices/elias-e525/user.nix
View file

@ -1,30 +1,21 @@
{ config, pkgs, ... }:
let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in
{
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
sops.secrets.sharedUsers-justyna = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {
users.extraUsers.elias = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-elias.path;
hashedPassword = passwords.users.elias;
};
users.extraUsers.justyna = mkUser {
uid = 1002;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-justyna.path;
hashedPassword = passwords.users.justyna;
};
}

26
nix/os/devices/elias-e525/versions.nix Normal file
View file

@ -0,0 +1,26 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5";
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "c4d1eff44eb12cb5500fb2ab05a1a7303711254e";
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-21.11";
rev = "697cc8c68ed6a606296efbbe9614c32537078756";
};
}

34
nix/os/devices/elias-e525/versions.tmpl.nix Normal file
View file

@ -0,0 +1,34 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-21.11";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
' -%>'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-21.11";
rev = ''
<% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
}

Some files were not shown because too many files have changed in this diff Show more