steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: steveej:master
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0
..
compare: steveej:wip-bpir3
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0

4 commits
master ... wip-bpir3

Author SHA1 Message Date
Stefan Junker
f7de354cbe chore(flake): comment router0-dmz0 deploy cmd 2023-08-11 18:54:56 +02:00
Stefan Junker
7ecc31cfcf feat(sj-vps-htz0): separate secrets 2023-08-11 18:51:47 +02:00
Stefan Junker
5de5e57518 feat(router0-dmz0): init bpir3 based router 2023-08-11 18:51:25 +02:00
Stefan Junker
742e432ce7 feat(common/users): init module and add customization options 2023-08-11 18:51:25 +02:00
291 changed files with 6275 additions and 12486 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.envrc
View file

@ -1,5 +1 @@
if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then use_flake . --impure
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
fi
use flake .#develop

BIN
.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
View file

Binary file not shown.

5
.gitignore vendored
View file

@ -4,8 +4,3 @@
.env .env
**/result **/result
.direnv/ .direnv/
# nixago: ignore-linked-files
/treefmt.toml
/debug-logs

10
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,10 @@
stages:
- build
build:
stage: build
tags:
- nix
script:
# Test the nix-shell
- just run-with-channels 'nix-shell --run "echo OK"'

129
.sops.yaml
View file

@ -1,122 +1,65 @@
# This example uses YAML anchors which allows reuse of multiple keys # This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself. # without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example. # for a more complex example.
# use `ssh-keyscan <IP> | ssh-to-age` to get the age key for a remote machine
# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
keys: keys:
- &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
- &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
- &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
- &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
creation_rules: creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$ - path_regex: ^(.+/|)secrets/[^/]+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- *steveej-x13s - *elias-e525
- *elias-e525 - *justyna-p300
- *justyna-p300
- *srv0-dmz0 - *srv0-dmz0
- *router0-dmz0 - *router0-dmz0
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- *hstk0
- *router0-ifog
- *router0-hosthatch
- path_regex: ^secrets/steveej-t14/.+$ - path_regex: ^secrets/steveej-t14/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- path_regex: ^secrets/desktop/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-t14
- *steveej-x13s
- path_regex: ^secrets/servers/.+$ - path_regex: ^secrets/servers/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- path_regex: ^nix/os/containers/.+_secrets.+$ - path_regex: ^nix/os/containers/.+_secrets.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1
- path_regex: ^secrets/holochain-infra/.+$ - path_regex: ^secrets/holochain-infra/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *srv0-dmz0 - *srv0-dmz0
- path_regex: ^secrets/router0-dmz0/.+$ - path_regex: ^secrets/router0-dmz0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *router0-dmz0 - *router0-dmz0
- path_regex: ^secrets/router0-ifog/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-ifog
- path_regex: ^secrets/router0-hosthatch/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-hosthatch
- path_regex: ^secrets/sj-vps-htz0/.+$ - path_regex: ^secrets/sj-vps-htz0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- path_regex: ^secrets/sj-srv1/.+$
key_groups:
- pgp:
- *steveej
age:
- *sj-srv1
- path_regex: ^secrets/hstk0/.+$
key_groups:
- pgp:
- *steveej
age:
- *hstk0
- path_regex: ^secrets/steveej-x13s/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s
- path_regex: ^secrets/work-holo/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s

22
.vscode/settings.json vendored
View file

@ -1,20 +1,6 @@
{ {
"editor.defaultFormatter": "ibecker.treefmt-vscode", "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix",
"editor.formatOnSave": true, "[nix]": {
"nix.enableLanguageServer": true, "editor.defaultFormatter": "kamadorueda.alejandra"
"nix.serverPath": "nil", },
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
"autoArchive": true,
"diagnostics": {
"ignored": ["unused_binding", "unused_with"]
},
"formatting": {
"command": ["treefmt", "--stdin", ".nil.nix"]
}
}
},
"treefmt.command": "treefmt",
"treefmt.config": ""
} }

447
Justfile
View file

@ -1,321 +1,308 @@
# _DEFAULT_VERSION_TMPL: _DEFAULT_VERSION_TMPL:
# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
_usage: _usage:
just -l just -l
# Re-render the default versions # Re-render the default versions
update-default-versions: update-default-versions:
nix flake update nix flake update
_get_nix_path versionsPath: _get_nix_path versionsPath:
echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}})
_device recipe dir +moreargs="": _device recipe dir +moreargs="":
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
unset NIX_PATH unset NIX_PATH
source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
$(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
_render_templates: _render_templates:
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
if ! ip route get 1.1.1.1; then if ! ip route get 1.1.1.1; then
echo No route to WAN. Skipping template rendering... echo No route to WAN. Skipping template rendering...
else else
source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
fi fi
rebuild-remote-device device +rebuildargs="dry-activate": rebuild-remote-device device +rebuildargs="dry-activate":
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} nix run .#colmena -- apply --on {{device}} {{rebuildargs}}
# Rebuild this device's NixOS # Rebuild this device's NixOS
rebuild-this-device +rebuildargs="dry-activate": rebuild-this-device +rebuildargs="dry-activate":
nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} nix run .#colmena -- apply-local --sudo {{rebuildargs}}
# Re-render the versions of a remote device and rebuild its environment # Re-render the versions of a remote device and rebuild its environment
update-remote-device devicename +rebuildargs='build': update-remote-device devicename +rebuildargs='build':
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
( (
set -xe set -xe
cd nix/os/devices/{{ devicename }} cd nix/os/devices/{{devicename}}
nix flake update nix flake update
) )
just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} just -v rebuild-remote-device {{devicename}} {{rebuildargs}}
git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
# Re-render the versions of the current device and rebuild its environment # Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch' +moreargs='': update-this-device rebuild-mode='switch':
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
( (
set -xe set -xe
cd nix/os/devices/$(hostname -s) cd nix/os/devices/$(hostname -s)
nix flake update nix flake update
) )
just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} just -v rebuild-this-device {{rebuild-mode}}
git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
# Rebuild an offline system # Rebuild an offline system
rebuild-disk device: rebuild-disk device:
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
just -v disk-mount {{ device }} just -v disk-mount {{device}}
trap "set +e; just -v disk-umount {{ device }}" EXIT trap "set +e; just -v disk-umount {{device}}" EXIT
just -v disk-install {{ device }} just -v disk-install {{device}}
# Re-render the versions of the given offline system and reinstall it in offline-mode # Re-render the versions of the given offline system and reinstall it in offline-mode
update-disk dir: update-disk dir:
#!/usr/bin/env bash #!/usr/bin/env bash
set -exuo pipefail set -exuo pipefail
dir={{ dir }} dir={{dir}}
template={{ dir }}/versions.tmpl.nix template={{dir}}/versions.tmpl.nix
outfile={{ dir }}/versions.nix outfile={{dir}}/versions.nix
if ! test -e ${template}; then if ! test -e ${template}; then
template="$(just _DEFAULT_VERSION_TMPL)" template="$(just _DEFAULT_VERSION_TMPL)"
fi fi
esh -o ${outfile} ${template} esh -o ${outfile} ${template}
if ! test "$(git diff ${outfile})"; then if ! test "$(git diff ${outfile})"; then
echo Already on latest versions echo Already on latest versions
exit 0 exit 0
fi fi
export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
just -v rebuild-disk {{ dir }} || { just -v rebuild-disk {{dir}} || {
echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
exit 1 exit 1
} }
git commit -v ${outfile} -m "${dir}: bump versions" git commit -v ${outfile} -m "${dir}: bump versions"
# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
hm-iterate-qtile: hm-iterate-qtile:
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
home-manager switch || just -v rebuild-this-device switch home-manager switch || just -v rebuild-this-device switch
Xephyr -ac -br -resizeable :1 & Xephyr -ac -br -resizeable :1 &
XEPHYR_PID=$! XEPHYR_PID=$!
echo ${XEPHYR_PID} echo ${XEPHYR_PID}
DISPLAY=:1 $(grep qtile ~/.xsession) & DISPLAY=:1 $(grep qtile ~/.xsession) &
echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
wait $! wait $!
kill ${XEPHYR_PID} kill ${XEPHYR_PID}
# !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
disk-prepare dir: disk-prepare dir:
just -v _device diskPrepare {{ dir }} just -v _device diskPrepare {{dir}}
disk-relabel dir previous: disk-relabel dir previous:
just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}}
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir: disk-mount dir:
just -v _device diskMount {{ dir }} just -v _device diskMount {{dir}}
# Unmount target disk, specified by device configuration directory # Unmount target disk, specified by device configuration directory
disk-umount dir: disk-umount dir:
just -v _device diskUmount {{ dir }} just -v _device diskUmount {{dir}}
# Perform an offline installation on the mounted target disk, specified by device configuration directory # Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates disk-install dir: _render_templates
just -v _device diskInstall {{ dir }} just -v _device diskInstall {{dir}}
verify-n-unlock sshserver attempts="10": verify-n-unlock sshserver attempts="10":
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
env \ env \
GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \
SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \
VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \
VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \
\ \
just _verify-n-unlock {{ sshserver }} {{ attempts }} just _verify-n-unlock {{sshserver}} {{attempts}}
_verify-n-unlock sshserver attempts: _verify-n-unlock sshserver attempts:
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
: ${VNCSOCK:?VNCSOCK must be set} : ${VNCSOCK:?VNCSOCK must be set}
: ${VNCPW:?VNCPW must be set} : ${VNCPW:?VNCPW must be set}
export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
export TESS_ARGS="-c debug_file=/dev/null --psm 4" export TESS_ARGS="-c debug_file=/dev/null --psm 4"
function send() { function send() {
local what="${1:?need something to send}" local what="${1:?need something to send}"
ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
} }
function expect() { function expect() {
local what="${1:?need something to expect}" local what="${1:?need something to expect}"
vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
tesseract ${TESS_ARGS} screenshot.tiff screenshot tesseract ${TESS_ARGS} screenshot.tiff screenshot
grep --quiet "${what}" screenshot.txt grep --quiet "${what}" screenshot.txt
} }
function send_and_expect() { function send_and_expect() {
local send="${1:?need something to send}" local send="${1:?need something to send}"
local expect="${2:?need something to expect}" local expect="${2:?need something to expect}"
if ! send "${send}"; then if ! send "${send}"; then
echo warning: cannot send > /dev/stderr echo warning: cannot send > /dev/stderr
return -1 return -1
fi fi
expect "${expect}" expect "${expect}"
} }
trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
for i in `seq 1 {{ attempts }}`; do for i in `seq 1 {{attempts}}`; do
echo Attempt $i... echo Attempt $i...
expect="$(pwgen -0 12)" expect="$(pwgen -0 12)"
send="'\0033\0143'${expect}" send="'\0033\0143'${expect}"
if send_and_expect "${send}" "${expect}"; then if send_and_expect "${send}" "${expect}"; then
pipe=$(mktemp -u) pipe=$(mktemp -u)
mkfifo ${pipe} mkfifo ${pipe}
exec 3<>${pipe} exec 3<>${pipe}
rm ${pipe} rm ${pipe}
echo Verification succeeded at attempt $i. Unlocking remote drive... echo Verification succeeded at attempt $i. Unlocking remote drive...
ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
eval ${GETPW} | head -n1 >&3 eval ${GETPW} | head -n1 >&3
for j in `seq 1 120`; do for j in `seq 1 120`; do
sleep 0.5 sleep 0.5
if expect '— success'; then if expect '— success'; then
echo Unlock successful. echo Unlock successful.
exit 0 exit 0
fi fi
done done
echo Unlock failed... echo Unlock failed...
exit 1 exit 1
fi fi
done done
echo Verification failed {{ attempts }} times. Giving up... echo Verification failed {{attempts}} times. Giving up...
exit 1 exit 1
_get_pass_entry path key: _get_pass_entry path key:
pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g'
run-with-channels +cmds: run-with-channels +cmds:
#!/usr/bin/env bash #!/usr/bin/env bash
source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
{{ cmds }} {{cmds}}
install-config config root: install-config config root:
sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
# Switch between gpg-card capable devices which have a copy of the same key # Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card key-id="6EEFA706CB17E89B": switch-gpg-card:
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# Derived from https://github.com/drduh/YubiKey-Guide/issues/19. # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
# #
# Connect the new device and then run this script to make it known to gnupg. # Connect the new device and then run this script to make it known to gnupg.
# #
set -xe set -xe
if [[ -n "{{key-id}}" ]]; then KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
KEY_ID="{{key-id}}"
else
KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
fi
# export pubkey and ownertrust # export pubkey and ownertrust
gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
# delete the key # delete the key
gpg --yes --delete-secret-and-public-keys "${KEY_ID}" gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
# import pubkey and ownertrust back and cleanup # import pubkey and ownertrust back and cleanup
gpg2 --import "${KEY_ID}".pubkey gpg2 --import "${KEY_ID}".pubkey
gpg2 --import-ownertrust < "${KEY_ID}".ownertrust gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
rm "${KEY_ID}".{pubkey,ownertrust} rm "${KEY_ID}".{pubkey,ownertrust}
# refresh the gpg agent # refresh the gpg agent
gpg-connect-agent "scd serialno" "learn --force" /bye gpg-connect-agent "scd serialno" "learn --force" /bye
gpg --card-status gpg --card-status
# Connect to `remote` UUID, and turn it into a short name # Connect to `remote` UUID, and turn it into a short name
uuid-to-device-name remote: uuid-to-device-name remote:
#!/usr/bin/env bash #!/usr/bin/env bash
set -e -o pipefail set -e -o pipefail
ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
test-connection: test-connection:
#! /usr/bin/env nix-shell #! /usr/bin/env nix-shell
#! nix-shell -p curl zsh #! nix-shell -p curl zsh
#! nix-shell -i zsh #! nix-shell -i zsh
#! nix-shell --pure #! nix-shell --pure
while true; do while true; do
FAILURE="false" FAILURE="false"
output=$( output=$(
echo "$(date)\n---" echo "$(date)\n---"
for url in \ for url in \
"https://172.16.0.1:65443/0.7/gui/#/login/" \ "https://172.16.0.1:65443/0.7/gui/#/login/" \
"https://192.168.0.1" \ "https://192.168.0.1" \
"http://172.172.171.9" \ "http://172.172.171.9" \
"https://172.172.171.10:65443" \ "https://172.172.171.10:65443" \
"https://172.172.171.11:65443" \ "https://172.172.171.11:65443" \
"https://172.172.171.13:443" \ "https://172.172.171.13:443" \
"https://172.172.171.14:443" \ "https://172.172.171.14:443" \
"http://172.172.171.15:22" \ "http://172.172.171.15:22" \
"http://172.172.171.16:22" \ "http://172.172.171.16:22" \
"https://crates.io" \ "https://crates.io" \
"https://holo.host" \ "https://holo.host" \
; \ ; \
do do
print "trying ${url}": $( print "trying ${url}": $(
curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
# if [ $? -ne 0 ]; then # if [ $? -ne 0 ]; then
if [[ "$curl_output" == *timeout* ]]; then if [[ "$curl_output" == *timeout* ]]; then
echo failure: $(echo ${curl_output} | tail -n1) echo failure: $(echo ${curl_output} | tail -n1)
# BUG: outer FAILURE is not set by this # BUG: outer FAILURE is not set by this
FAILURE="true" FAILURE="true"
else else
echo success echo success
fi fi
) )
done done
) )
clear clear
echo ${output} echo ${output}
if [[ ${FAILURE} == "true" ]]; then if [[ ${FAILURE} == "true" ]]; then
echo something failed echo something failed
tracepath -m5 -n1 172.16.0.1 tracepath -m5 -n1 172.16.0.1
tracepath -m5 -n1 192.168.0.1 tracepath -m5 -n1 192.168.0.1
fi fi
sleep 5 sleep 5
done done
cachix-use name: cachix-use name:
nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/
update-sops-keys:
for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
deploy-router0-dmz0:
NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
ttyusb:
screen -fa /dev/ttyUSB0 115200

75
README.md
View file

@ -1,5 +1,4 @@
# steveej's infra # steveej's infra
This repository helps me to manage all computer infrastructure. This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org). This is mostly achieved with the help of [Nix](https://nixos.org).
@ -20,7 +19,7 @@ In the unlikely case that you actually read this and have any questions please d
- [ ] development environments - [ ] development environments
- [x] (Semi-) automatic synchronization of important repositories - [x] (Semi-) automatic synchronization of important repositories
- [x] Modification strategy - [x] Modification strategy
The approach is to use vcsh for the dotfiles The approach is to use vcsh for the dotfiles
- [x] dotfiles - [x] dotfiles
- [x] Toplevel Justfile for simple actions - [x] Toplevel Justfile for simple actions
- [x] mount/umount disks - [x] mount/umount disks
@ -38,48 +37,42 @@ In the unlikely case that you actually read this and have any questions please d
- [x] steveej-t14 - [x] steveej-t14
- [x] contabo vps - [x] contabo vps
- [x] sj-pve0 - [x] sj-pve0
- [x] use an existing secret management framework - [ ] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes - [ ] adapt (or abandon?) _just_ recipes
- [ ] `rebuild-this-device`
- [x] `rebuild-this-device` - [ ] `update-this-device`
- [x] `update-this-device` - [ ] `rebuild-remote-device`
- [x] `rebuild-remote-device` - [ ] `update-remote-device`
- [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion:
evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena) - [x] [colmena](https://github.com/zhaofengli/colmena)
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68 * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs - [ ] deploy-rs
- [ ] 🚧 find a better alternative for the qtile-desktop
- [x] 🚧 find a better alternative for the qtile-desktop current issues:
current issues: - floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~
evaluate:
- [ ] 🚧 gnome3 + pop-shell
- [ ] leftwm + eww (+ wayland?)
- [ ] (Re-)document bootstrap process - [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine - [ ] a new machine
- [ ] an install media - [ ] an install media
- [ ] Design disaster recovery - [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle _\_archived_ - [ ] Recycle *\_archived*
- [ ] container migrations - [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started - [ ] ensure DDNS is updated _before_ the containers are started
## Bugs
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755 - [ ] home-manager leaves ~/.gnupg at 0755
## Usage ## Usage
*(These are reminders for my future self)*
_(These are reminders for my future self)_
``` ```
just --list just --list
@ -88,17 +81,15 @@ just --list
## Bootstrap ## Bootstrap
### A new machine ### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
- ensure the dotfiles repo has a branch with the new machine's hostname * boot with an install media and go through setup
- boot with an install media and go through setup
#### Post-Install Setup #### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `chmod --recursive g-rwx,o-rwx ~/.gnupg` * `gpg2 --edit-card; fetch`
- `gpg2 --edit-card; fetch` * clone password-manager and infra repositories
- clone password-manager and infra repositories * gpg2: ultimately trust my own key
- gpg2: ultimately trust my own key
## Swapping out a disk ## Swapping out a disk
@ -107,18 +98,10 @@ just --list
3. replace the driveId in the device's hw.nix 3. replace the driveId in the device's hw.nix
4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group 4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group
## Rebuilding an offline system ## Backup
### Copy existing subvolumes to new backup target
``` ```
( `systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/
sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot
sleep 5
sudo mkdir -p /mnt/root
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos
sudo mount /dev/sdb2 /mnt/root/boot
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home
sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password
)
``` ```

90
_archive/environments/dev/cross.nix Normal file
View file

@ -0,0 +1,90 @@
import /home/steveej/src/github/NixOS/nixpkgs/default.nix {
crossSystem = rec {
config = "armv7l-unknown-linux-gnueabi";
bigEndian = false;
arch = "arm";
float = "hard";
fpu = "vfpv3-d16";
withTLS = true;
libc = "glibc";
platform = {
name = "armv7l-hf-multiplatform";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelHeadersBaseConfig = "multi_v7_defconfig";
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = false;
kernelExtraConfig = ''
NAMESPACES y
BTRFS_FS y
BTRFS_FS_POSIX_ACL y
OVERLAY_FS y
FUSE_FS y
'';
kernelTarget = "zImage";
uboot = null;
};
openssl.system = "linux-generic32";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
};
}
# pkgs.config = {
# packageOverrides = super: let self = super.pkgs; in {
# linux_4_0 = super.linux_3_18.override {
# kernelPatches = super.linux_3_18.kernelPatches ++ [
# # we'll also add one of our own patches
# { patch = ./dts.patch; name = "dts-fix"; }
# ];
#
# # add "CONFIG_PPP_FILTER y" option to the set of kernel options
# extraConfig = ''
# HAVE_IMX_ANATOP y
# HAVE_IMX_GPC y
# HAVE_IMX_MMDC y
# HAVE_IMX_SRC y
# SOC_IMX6 y
# SOC_IMX6Q y
# SOC_IMX6SL y
# PCI_IMX6 y
# ARM_IMX6Q_CPUFREQ y
# IMX_WEIM y
# AHCI_IMX y
# SERIAL_IMX y
# SERIAL_IMX_CONSOLE y
# I2C_IMX y
# SPI_IMX y
# PINCTRL_IMX y
# PINCTRL_IMX6Q y
# PINCTRL_IMX6SL y
# POWER_RESET_IMX y
# IMX_THERMAL y
# IMX2_WDT y
# IMX_IPUV3_CORE y
# DRM_IMX y
# DRM_IMX_FB_HELPER y
# DRM_IMX_PARALLEL_DISPLAY y
# DRM_IMX_TVE y
# DRM_IMX_LDB y
# DRM_IMX_IPUV3 y
# DRM_IMX_HDMI y
# MMC_SDHCI_ESDHC_IMX y
# IMX_SDMA y
# PWM_IMX y
# DEBUG_IMX6Q_UART y
#
# PPP_FILTER y
# '';
# };
# };
# };

89
_archive/environments/dev/go/default.nix Normal file
View file

@ -0,0 +1,89 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version,
extraBuildInputs ? [],
extraShellHook ? "",
}: let
go = builtins.getAttr "go_${version}" pkgs;
commonVimRC = ''
let g:tagbar_type_go = {
\ 'ctagstype' : 'go',
\ 'kinds' : [
\ 'p:package',
\ 'i:imports:1',
\ 'c:constants',
\ 'v:variables',
\ 't:types',
\ 'n:interfaces',
\ 'w:fields',
\ 'e:embedded',
\ 'm:methods',
\ 'r:constructor',
\ 'f:functions'
\ ],
\ 'sro' : '.',
\ 'kind2scope' : {
\ 't' : 'ctype',
\ 'n' : 'ntype'
\ },
\ 'scope2kind' : {
\ 'ctype' : 't',
\ 'ntype' : 'n'
\ },
\ 'ctagsbin' : 'gotags',
\ 'ctagsargs' : '-sort -silent'
\ }
" vim-go {
let g:go_highlight_functions = 1
let g:go_highlight_methods = 1
let g:go_highlight_structs = 1
let g:go_highlight_interfaces = 1
let g:go_highlight_operators = 1
let g:go_highlight_build_constraints = 1
let g:go_fmt_command = 'gofmt'
let g:go_fmt_options= '-s'
let g:go_def_mode = 'godef'
let g:go_def_reuse_buffer = 0
au FileType go nmap <Leader>gds <Plug>(go-def-split)
au FileType go nmap <Leader>gdv <Plug>(go-def-vertical)
au FileType go nmap <Leader>gdt <Plug>(go-def-tab)
au FileType go nmap <Leader>gi <Plug>(go-imports)
" }
'';
buildInputs = with pkgs; [
glibc.out
glibc.static
go
gotools
#gotools.bin
#gocode.bin
#godef godef.bin
godep
#godep.bin
gox.bin
#ginkgo ginkgo.bin
#gomega
# ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
# ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
];
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = extraBuildInputs ++ buildInputs;
shellHook = ''
goname=${go.version}_$name
# FIXME: setPS1 $goname
export GOROOT=${go}/share/go
export GOPATH="$HOME/.gopath_$goname"
export PATH="$HOME/.gopath_$goname/bin:$PATH"
unset name
unset SSL_CERT_FILE
${extraShellHook}
'';
}

12
_archive/environments/dev/go/neovim-go.nix Normal file
View file

@ -0,0 +1,12 @@
{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args
// {
additionalRC =
commonRC
+ ''
" deoplete {
let g:deoplete#enable_at_startup = 1
let g:deoplete#enable_smart_case = 1
" }
'';
additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"];
})

31
_archive/environments/dev/pandoc.nix Normal file
View file

@ -0,0 +1,31 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with pkgs;
[
(import ./vim-pandoc.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
})
pandoc
texlive.combined.scheme-medium
python27Packages.pandocfilters
python27Packages.htmltreediff
python27Packages.html5lib
python27Packages.dbus-python
]
++ extraBuildInputs;
shellHook = ''
pandocname=pandoc_${pkgs.pandoc.version}
setPS1 $pandocname
unset name
'';
}

71
_archive/environments/dev/rkt.nix Normal file
View file

@ -0,0 +1,71 @@
{
pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
mkGoEnv ? import ./go.nix,
rktPath,
}: let
rktBasebuildInputs = with pkgs; [
glibc.out
glibc.static
autoreconfHook
gnupg1
squashfsTools
cpio
tree
intltool
libtool
pkgconfig
libgcrypt
gperf
libcap
libseccomp
libzip
eject
iptables
bc
acl
trousers
systemd
];
extraShellHook = ''
TARGET=$GOPATH/src/github.com/coreos/rkt
if [[ -e ${rktPath}/rkt/rkt.go ]]; then
pushd ${rktPath}
else
echo rktPath must be run the rkt repository clone, but got '${rktPath}'
exit 1
fi
if ! [[ -e $TARGET/rkt/rkt.go ]]; then
mkdir -p $TARGET
echo $PWD
sudo -E mount -o bind $PWD $TARGET
fi
pushd $TARGET
'';
in {
go15 = mkGoEnv {
inherit pkgs;
name = "rktGo15";
version = "1_5";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go16 = mkGoEnv {
inherit pkgs;
name = "rktGo16";
version = "1_6";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go17 = mkGoEnv {
inherit pkgs;
name = "rktGo17";
version = "1_7";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
}

1
_archive/environments/dev/rust/.envrc Normal file
View file

@ -0,0 +1 @@
eval "$(lorri direnv)"

39
_archive/environments/dev/rust/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
rustPackages = builtins.getAttr "rust${version}" pkgs;
rustc = rustPackages.rustc;
rustShellHook = {
rustc,
name,
}: ''
rustname=rust_${rustc.version}_${name}
setPS1 $rustname
unset name
'';
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with rustPackages;
[
(import ./vim-rust.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
inherit rustc;
racerd = pkgs.rustracerd;
})
rustc
cargo
]
++ [pkgs.rustfmt]
++ extraBuildInputs;
shellHook = rustShellHook {
inherit name;
inherit rustc;
};
}

19
_archive/environments/dev/vim-go.nix Normal file
View file

@ -0,0 +1,19 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-go";
additionalRC =
commonRC
+ ''
" Disable AutoComplPop.
let g:acp_enableAtStartup = 0
" Use neocomplete.
let g:neocomplete#enable_at_startup = 1
" Use smartcase.
let g:neocomplete#enable_smart_case = 1
if !exists('g:neocomplete#sources#omni#input_patterns')
let g:neocomplete#sources#omni#input_patterns = {}
endif
'';
additionalPlugins = ["neocomplete" "vim-go"];
})

18
_archive/environments/dev/vim-pandoc.nix Normal file
View file

@ -0,0 +1,18 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-pandoc";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
'';
additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
})

48
_archive/environments/dev/vim-rust.nix Normal file
View file

@ -0,0 +1,48 @@
{
commonRC,
rustc,
racerd,
...
} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-rust";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
" tagbar
let g:tagbar_type_rust = {
\ 'ctagstype' : 'rust',
\ 'kinds' : [
\'T:types,type definitions',
\'f:functions,function definitions',
\'g:enum,enumeration names',
\'s:structure names',
\'m:modules,module names',
\'c:consts,static constants',
\'t:traits,traits',
\'i:impls,trait implementations',
\]
\}
let g:syntastic_rust_checkers = ["rustc"]
"rustfmt
let g:rustfmt_autosave = 1
let g:ycm_auto_trigger = 1
let g:ycm_rust_src_path = '${rustc.src}/src'
let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
'';
additionalPlugins = ["rust-vim"];
})

42
_archive/environments/fhs/android.nix Normal file
View file

@ -0,0 +1,42 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "devfhs";
multiPkgs = pkgs: (with pkgs; [
android-udev-rules
sudo
gawk
bzip2
file
gcc
getopt
git
gnumake
ncurses
openssl
patch
perl
pkgconfig
python
openssh
subversion
unzip
wget
which
vim
zlib
libusb
libusb1
systemd
strace
swt
xorg.libXtst
glib
gtk2
gnome.gtk
]);
profile = ''
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
'';
runScript = "bash";
})
.env

36
_archive/environments/fhs/vscode.nix Normal file
View file

@ -0,0 +1,36 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "everydayFHS";
targetPkgs = pkgs: (with pkgs; [
which
gitFull
zsh
file
direnv
xdg_utils
xsel
vscode
# vscode live share
gnome3.gcr
libgnome_keyring3
liburcu
libunwind
lttng-ust
curl
openssl
libkrb5
libuuid
icu
zlib
libsecret
]);
multiPkgs = pkgs: (with pkgs; []);
profile = ''
export SHELL=/bin/zsh
'';
# FIXME runScript = "$SHELL";
})
.env

7
default.nix
View file

@ -4,9 +4,6 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as: # commands such as:
# nix-build -A mypackage # nix-build -A mypackage
{ {pkgs ? import <nixpkgs> {}}: {
pkgs ? import <nixpkgs> { }, pkgs = import ./nix/pkgs {inherit pkgs;};
}:
{
pkgs = import ./nix/pkgs { inherit pkgs; };
} }

27
flake-sandbox/flake.lock generated Normal file
View file

@ -0,0 +1,27 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1681091990,
"narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

142
flake-sandbox/flake.nix Normal file
View file

@ -0,0 +1,142 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
};
outputs = {
self,
nixpkgs,
}: let
system = "x86_64-linux";
pkgs = import nixpkgs {inherit system;};
in {
devShells."${system}".default = pkgs.mkShell {
packages = with pkgs;
with pkgs.gnome; [
hexchat
audacity
proot
yubikey-manager-qt
cheese
remmina
exiv2
wireshark-qt
seahorse
kotatogram-desktop
usbutils
networkmanagerapplet
sshfs-fuse
pavucontrol
libwebcam
just
eog
git-crypt
espanso
unetbootin
vcsh
skypeforlinux
du-dust
bind
teamviewer
gparted
neovim
inkscape
rustdesk
gnome-themes-extra
pass
xdg-user-dirs
cbatticon
yubikey-personalization-gui
zoom
signal-desktop
xorg.xbacklight
vscode
ripgrep
lightdm
nixpkgs-fmt
git-lfs
qtpass
gimp
lxappearance
flameshot
thunderbird
fprintd
chromium
evtest
alejandra
vlc
pastebinit
evolution
zbar
libreoffice
brave
pidgin
direnv
xorg.xhost
lorri
firefox
logseq
x11_ssh_askpass
xsel
feh
htop
openvpn
syncthing
ncdu
rofi-pass
testdisk
vanilla-dmz
wireguard-tools
xarchive
gnome-icon-theme
wget
nix-index
mr
passff-host
browserpass
xorg.xcursorthemes
gitRepo
gitSVN
androidenv.androidPkgs_9_0.platform-tools
# introduces python
(qtile.passthru.unwrapped.overrideAttrs (oldAttrs: {
propagatedBuildInputs =
[]
# ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs
# ++ (with pkgs.python3Packages; [
# # python-wifi
# # iwlib
# keyring
# ])
;
makeWrapperArgs =
oldAttrs.makeWrapperArgs
++ [
"--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}"
];
}))
# gi-docgen
# yelp-tools
# scons
# autorandr
# arandr
# meson
# mercurial
# unrar-wrapper
# orca
# radicale
# criu
# gnome-music
# gnome-browser-connector
# radicale
# hplip
# qtile
# gtk-doc
# asciidoc
# meson
];
};
};
}

1165
flake.lock generated
View file

File diff suppressed because it is too large Load diff

498
flake.nix
View file

@ -1,36 +1,23 @@
# flake.nix # flake.nix
{ {
inputs = { inputs = {
# TODO: where has this been used?
# dotfiles = {
# url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git";
# flake = false;
# };
# flake and infra basics # flake and infra basics
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
radicalePkgs.follows = "nixpkgs-2211"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.follows = "nixpkgs-2411"; nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.follows = "nixpkgs-2305";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
srvos.url = "github:numtide/srvos"; srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs"; srvos.inputs.nixpkgs.follows = "nixpkgs";
nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; nixos-anywhere.url = github:numtide/nixos-anywhere/main;
nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
disko.follows = "nixos-anywhere/disko"; disko.follows = "nixos-anywhere/disko";
nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
# needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
openvscode-server.flake = false;
colmena = { colmena = {
url = "github:zhaofengli/colmena"; url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -41,13 +28,14 @@
url = "github:nix-community/fenix"; url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
crane.url = "github:ipetkov/crane"; crane = {
url = "github:ipetkov/crane";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
# applications # applications
aphorme_launcher = { aphorme_launcher = {
url = "github:Iaphetes/aphorme_launcher/main"; url = "github:Iaphetes/aphorme_launcher/main";
@ -70,359 +58,143 @@
flake = false; flake = false;
}; };
prs = { magmawm = {
# url = "gitlab:timvisee/prs/v0.5.2"; url = "github:MagmaWM/MagmaWM";
url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
flake = false; flake = false;
}; };
rperf = { salut = {
url = "github:steveej-forks/rperf"; url = "gitlab:snakedye/salut";
flake = false; flake = false;
}; };
# nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage";
espanso = {
flake = false;
url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
};
nix4vscode = {
url = "github:nix-community/nix4vscode";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixvim = {
# TODO: pin to nixos-24.11 once available
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago = {
url = "github:jmgilman/nixago";
inputs.nixpkgs.follows = "nixpkgs";
};
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
}; };
outputs = outputs = inputs @ {
inputs@{ self,
self, flake-parts,
flake-parts, nixpkgs,
nixpkgs, ...
... }: let
}: inherit (nixpkgs) lib;
let
inherit (nixpkgs) lib;
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
]; ];
in in
flake-parts.lib.mkFlake { inherit inputs; } ( flake-parts.lib.mkFlake {inherit inputs;}
{ withSystem, ... }: ({withSystem, ...}: {
{ flake.colmena =
flake.colmena = lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) {
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } meta.nixpkgs = import inputs.nixpkgs.outPath {
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import system = builtins.elemAt systems 0;
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 };
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(builtins.map (nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
"steveej-t14"
"elias-e525"
"justyna-p300"
"srv0-dmz0"
"router0-dmz0"
"sj-vps-htz0"
]);
# this makes nixos-anywhere work
flake.nixosConfigurations =
(inputs.colmena.lib.makeHive self.outputs.colmena).nodes
// (let
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in {
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#cross_router0-dmz0 --build-host localhost --target-host root@192.168.10.1
cross_router0-dmz0 = router0-dmz0.cross;
});
inherit systems;
perSystem = {
inputs',
system,
config,
lib,
pkgs,
...
}: rec {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
packages = let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
craneLib =
inputs.crane.lib.${system}.overrideToolchain
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass =
inputs.crane.lib.${system}.overrideToolchain
( (
builtins.map inputs'.fenix.packages.stable.toolchain
( # .override {
nodeName: # date = "1.60.0";
import ./nix/os/devices/${nodeName} { # }
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}");
}
)
[
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# "router0-dmz0"
"router0-ifog"
"router0-hosthatch"
"sj-srv1"
]
); );
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
flake.lib = { # broken as of 2023-04-27 because it doesn't load without a config
inherit withSystem; # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
# yofi = inputs'.yofi.packages.default;
# ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
inherit (inputs'.colmena.packages) colmena;
# jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
# src = inputs.jay;
# rustPlatform = pkgs.makeRustPlatform {
# cargo = inputs'.fenix.packages.stable.toolchain;
# rustc = inputs'.fenix.packages.stable.toolchain;
# };
# };
# magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) {
# inherit craneLib;
# src = inputs.magmawm;
# };
salut = craneLib.buildPackage {
src = inputs.salut;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
pkgs.libxkbcommon
pkgs.fontconfig
];
};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
}; };
# this makes nixos-anywhere work formatter = pkgs.alejandra;
flake.nixosConfigurations = devShells.default = import ./nix/devShells.nix {
let inherit inputs' pkgs;
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; packages' = packages;
router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; };
in };
colmenaHive });
// {
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross =
(inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
};
inherit systems;
perSystem =
{
self',
inputs',
system,
config,
lib,
pkgs,
...
}:
{
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
packages =
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
_prsPackage =
{
lib,
rustPlatform,
installShellFiles,
pkg-config,
python3,
glib,
gpgme,
gtk3,
stdenv,
cargoHash ? "sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=",
src,
version,
makeWrapper,
skim,
}:
rustPlatform.buildRustPackage rec {
pname = "prs";
inherit src version cargoHash;
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
makeWrapper
];
cargoBuildFlags = [
"--no-default-features"
"--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp"
];
buildInputs = [
glib
gpgme
gtk3
];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
postFixup = ''
wrapProgram $out/bin/prs \
--prefix PATH : ${lib.makeBinPath [ skim ]}
'';
meta = with lib; {
description = "Secure, fast & convenient password manager CLI using GPG and git to sync";
homepage = "https://gitlab.com/timvisee/prs";
changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md";
license = with licenses; [
lgpl3Only # lib
gpl3Only # everything else
];
maintainers = with maintainers; [ dotlambda ];
mainProgram = "prs";
};
};
local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
set -x
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=0 \
# --x-unscale=3 \
--verbose
'';
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage _prsPackage {
src = inputs.prs;
version = inputs.prs.shortRev;
cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8=";
};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ ];
};
inherit local-xwayland;
inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
just = {
enable = true;
includes = [
"*/Justfile"
"Justfile"
];
};
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
options = [ "--no-underscore" ];
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
});
devShells =
let
all = import ./nix/devShells.nix {
inherit
self
self'
inputs'
pkgs
;
};
in
all
// {
default = all.develop;
};
};
}
);
} }

BIN
misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
View file

Binary file not shown.

4
nix/container-images/build.sh
View file

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
[ -n "$NAME" ] [ ! -z "$NAME" ]
nix-build . --show-trace -A "$NAME" nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force docker image rm "$NAME":latest --force
docker load -i result docker load -i result

176
nix/container-images/default.nix
View file

@ -1,10 +1,6 @@
{ {pkgs ? import <nixpkgs> {}}: let
pkgs ? import <nixpkgs> { }, baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
}: in rec {
let
baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
in
rec {
base = pkgs.dockerTools.buildImage rec { base = pkgs.dockerTools.buildImage rec {
name = "base"; name = "base";
@ -25,70 +21,59 @@ rec {
interactive_base = pkgs.dockerTools.buildImage { interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base"; name = "interactive_base";
fromImage = base; fromImage = base;
contents = with pkgs; [ contents = with pkgs; [procps zsh coreutils neovim];
procps
zsh
coreutils
neovim
];
config = { config = {Cmd = ["/bin/zsh"];};
Cmd = [ "/bin/zsh" ];
};
}; };
s3ql = s3ql = let
let entrypoint = pkgs.writeScript "entrypoint" ''
entrypoint = pkgs.writeScript "entrypoint" '' #!${pkgs.stdenv.shell}
#!${pkgs.stdenv.shell}
if [ -z "$S3QL_BUCKET" ]; then if [ -z "$S3QL_BUCKET" ]; then
echo S3QL_BUCKET not set echo S3QL_BUCKET not set
exit 1 exit 1
fi fi
if [ -z "$S3QL_STORAGE_URL" ]; then if [ -z "$S3QL_STORAGE_URL" ]; then
echo S3QL_STORAGE_URL not set echo S3QL_STORAGE_URL not set
exit 1 exit 1
fi fi
if [ -z "$S3QL_CACHESIZE" ]; then if [ -z "$S3QL_CACHESIZE" ]; then
echo S3QL_CACHESIZE not set echo S3QL_CACHESIZE not set
exit 1 exit 1
fi fi
set -x set -x
if [ "$S3QL_SKIP_FSCK" != "1" ]; then if [ "$S3QL_SKIP_FSCK" != "1" ]; then
fsck.s3ql \ fsck.s3ql \
--authfile $S3QL_AUTHINFO2 \ --authfile $S3QL_AUTHINFO2 \
--log none \
--cachedir $S3QL_CACHE_DIR \
$S3QL_STORAGE_URL
fi
exec mount.s3ql \
--cachedir "$S3QL_CACHE_DIR" \
--authfile "$S3QL_AUTHINFO2" \
--cachesize "$S3QL_CACHESIZE" \
--fg \
--compress lzma-6 \
--threads 4 \
--log none \ --log none \
--allow-root \ --cachedir $S3QL_CACHE_DIR \
"$S3QL_STORAGE_URL" \ $S3QL_STORAGE_URL
/bucket fi
# FIXME: touch .isbucket after mount exec mount.s3ql \
''; --cachedir "$S3QL_CACHE_DIR" \
in --authfile "$S3QL_AUTHINFO2" \
--cachesize "$S3QL_CACHESIZE" \
--fg \
--compress lzma-6 \
--threads 4 \
--log none \
--allow-root \
"$S3QL_STORAGE_URL" \
/bucket
# FIXME: touch .isbucket after mount
'';
in
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "s3ql"; name = "s3ql";
fromImage = interactive_base; fromImage = interactive_base;
contents = [ contents = [pkgs.s3ql pkgs.fuse];
pkgs.s3ql
pkgs.fuse
];
runAsRoot = '' runAsRoot = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -99,58 +84,57 @@ rec {
''; '';
config = { config = {
Env = baseEnv ++ [ Env =
"HOME=/home/s3ql" baseEnv
"S3QL_CACHE_DIR=/var/cache/s3ql" ++ [
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2" "HOME=/home/s3ql"
"CONTAINER_ENTRYPOINT=${entrypoint}" "S3QL_CACHE_DIR=/var/cache/s3ql"
]; "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
Cmd = [ entrypoint ]; "CONTAINER_ENTRYPOINT=${entrypoint}"
];
Cmd = [entrypoint];
Volumes = { Volumes = {
"/var/cache/s3ql" = { }; "/var/cache/s3ql" = {};
"/etc/s3ql/authinfo2" = { }; "/etc/s3ql/authinfo2" = {};
"/buckets" = { }; "/buckets" = {};
"/tmp" = { }; "/tmp" = {};
}; };
}; };
}; };
syncthing = syncthing = let
let entrypoint = pkgs.writeScript "entrypoint" ''
entrypoint = pkgs.writeScript "entrypoint" '' #!${pkgs.stdenv.shell}
#!${pkgs.stdenv.shell} set -x
set -x if [ ! -e /data/.isbucket ]; then
if [ ! -e /data/.isbucket ]; then echo ERROR: Bucket not mounted at /data
echo ERROR: Bucket not mounted at /data exit 1
exit 1 fi
fi
if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
echo ERROR: SYNCTHING_GUI_ADDRESS is not set echo ERROR: SYNCTHING_GUI_ADDRESS is not set
exit 1 exit 1
fi fi
if [ ! -w "$SYNCTHING_HOME" ]; then if [ ! -w "$SYNCTHING_HOME" ]; then
echo ERROR : SYNCTHING_HOME is not writable echo ERROR : SYNCTHING_HOME is not writable
fi fi
exec syncthing \ exec syncthing \
-home $SYNCTHING_HOME \ -home $SYNCTHING_HOME \
-gui-address=$SYNCTHING_GUI_ADDRESS \ -gui-address=$SYNCTHING_GUI_ADDRESS \
-no-browser -no-browser
''; '';
in in
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "syncthing"; name = "syncthing";
fromImage = interactive_base; fromImage = interactive_base;
contents = pkgs.syncthing; contents = pkgs.syncthing;
config = { config = {
Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [ entrypoint ]; Cmd = [entrypoint];
Volumes = { Volumes = {"/data" = {};};
"/data" = { };
};
}; };
}; };
} }

42
nix/default.nix
View file

@ -1,34 +1,26 @@
{ versionsPath }: {versionsPath}: let
let
channelVersions = import versionsPath; channelVersions = import versionsPath;
mkChannelSource = mkChannelSource = name: let
name: channelVersion = builtins.getAttr name channelVersions;
let in
channelVersion = builtins.getAttr name channelVersions;
in
builtins.fetchGit { builtins.fetchGit {
# Descriptive name to make the store path easier to identify # Descriptive name to make the store path easier to identify
inherit name; inherit name;
inherit (channelVersion) url ref rev; inherit (channelVersion) url ref rev;
}; };
nixPath = builtins.concatStringsSep ":" ( nixPath = builtins.concatStringsSep ":" (builtins.map
builtins.map ( (elemName: let
elemName: elem = builtins.getAttr elemName channelVersions;
let elemPath = mkChannelSource elemName;
elem = builtins.getAttr elemName channelVersions; suffix =
elemPath = mkChannelSource elemName; if builtins.hasAttr "suffix" elem
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; then elem.suffix
in else "";
builtins.concatStringsSep "=" [ in
elemName builtins.concatStringsSep "=" [elemName elemPath] + suffix)
elemPath (builtins.attrNames channelVersions));
] pkgs = import (mkChannelSource "nixpkgs") {};
+ suffix in {
) (builtins.attrNames channelVersions)
);
pkgs = import (mkChannelSource "nixpkgs") { };
in
{
inherit nixPath; inherit nixPath;
channelSources = pkgs.writeText "channels.rc" '' channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath} export NIX_PATH=${nixPath}

144
nix/devShells.nix
View file

@ -1,103 +1,105 @@
{ {
self,
self',
inputs', inputs',
packages',
pkgs, pkgs,
}: }:
{ pkgs.stdenv.mkDerivation {
install = pkgs.mkShell { name = "infra-env";
name = "infra-install"; buildInputs =
packages = with pkgs; [ [
nixos-install-tools (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};};
inputs'.disko.packages.disko with config.system.build; [
just nixos-generate-config
git nixos-install
git-crypt nixos-enter
gnupg manual.manpages
]; ])
}; ]
++ (with pkgs; [
develop = pkgs.mkShell {
name = "infra-develop";
inputsFrom = [ self'.devShells.install ];
packages = with pkgs; [
self'.formatter # .package
inputs'.colmena.packages.colmena inputs'.colmena.packages.colmena
nixos-install-tools
dconf2nix dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere inputs'.nixos-anywhere.packages.nixos-anywhere
nurl nurl
just
git-crypt
vcsh vcsh
gnupg
git
ripgrep ripgrep
# pass lm_sensors
pass
prs
fuzzel
wofi
age age
age-plugin-yubikey age-plugin-yubikey
ssh-to-age ssh-to-age
yubico-piv-tool yubico-piv-tool
inputs'.sops-nix.packages.default inputs'.sops-nix.packages.default
sops sops
nil
nix-index
apacheHttpd apacheHttpd
# vncdo vncdo
# tesseract tesseract
# imagemagick imagemagick
# lm_sensors nmap
sysstat
lshw
xxHash
linssid
wavemon
wirelesstools
# nmap zathura
# sysstat xorg.xwininfo
# lshw glxinfo
# xxHash autorandr
# linssid arandr
# wavemon playerctl
# wirelesstools x11docker
fwupd
# zathura ntfy
# xorg.xwininfo
# glxinfo
# autorandr
# arandr
# playerctl
# x11docker
# fwupd
# ntfy hedgedoc-cli
# hedgedoc-cli
xwayland xwayland
pulsemixer (banana-accounting.overrideDerivation (attrs:
with inputs'.nixpkgs-2211.legacyPackages; {
# dontWrapGApps = true;
(pkgs.writeShellScriptBin "rflk" '' srcs = builtins.fetchurl {
exec nix run nixpkgs#$@ # hosted via https://web3.storage
'') url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz";
(pkgs.writeShellScriptBin "r11" '' sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1";
exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ };
'')
jq # nativeBuildInputs =
yq # attrs.nativeBuildInputs
wireguard-tools # ++ [
# qt5.qtbase
# qt5.wrapQtAppsHook
# ];
screen # buildInputs =
# attrs.buildInputs
# ++ [
# qt5.qtwayland
# ];
inputs'.nixpkgs-unstable.legacyPackages.kanidm # preFixup =
]; # (attrs.preFixup or "")
# + ''
# qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
# '';
}))
]);
# Set Environment Variables # Set Environment Variables
RUST_BACKTRACE = 1; RUST_BACKTRACE = 1;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook = builtins.concatStringsSep "\n" [
# (self.inputs.nixago.lib.${pkgs.system}.make {
# data = self'.formatter.settings;
# output = "treefmt.toml";
# format = "toml";
# }).shellHook
];
};
} }

265
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -1,89 +1,71 @@
{ {
pkgs, pkgs,
lib,
config, config,
# these come in via home-manager.extraSpecialArgs and are specific to each node # these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake, nodeFlake,
packages',
repoFlake, repoFlake,
# repoFlakeInputs',
... ...
}: }: let
let pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
pkgsUnstable = pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
pkgs.pkgsUnstable pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); pkgsUnstableSmallRepo = repoFlake.nixpkgs-unstable-small.${pkgs.system}.legacyPackages;
in in {
{
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
# ../profiles/dotfiles.nix ../profiles/dotfiles.nix
# FIXME: fix homeshick when no WAN connection is available # FIXME: fix homeshick when no WAN connection is available
# ../programs/homeshick.nix # ../programs/homeshick.nix
# ../profiles/gnome-desktop.nix # ../profiles/gnome-desktop.nix
../profiles/sway-desktop.nix
# ../profiles/experimental-desktop.nix # ../profiles/experimental-desktop.nix
../programs/redshift.nix ../programs/redshift.nix
../programs/gpg-agent.nix ../programs/gpg-agent.nix
../programs/pass.nix
../programs/espanso.nix # ../programs/espanso.nix
../programs/firefox.nix ../programs/firefox.nix
../programs/chromium.nix ../programs/chromium.nix
../programs/libreoffice.nix ../programs/libreoffice.nix
../programs/neovim.nix ../programs/neovim.nix
../programs/pass.nix
../programs/vscode ../programs/vscode
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
# TODO: bump these to 23.05 and make it work
(args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
# (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
]; ];
home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go"; home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"electron-28.3.3"
"electron-27.3.11"
]; ];
nixpkgs.config.allowUnfree = [
"electron-28.3.3"
"electron-27.3.11"
];
# nixpkgs.config.allowUnfreePredicate = pkg:
# builtins.elem (lib.getName pkg) [
# "smartgithg"
# "electron-27.3.11"
# ];
home.packages = home.packages =
(with pkgs; [ []
++ (with pkgs; [
# Authentication # Authentication
# cacert cacert
# fprintd fprintd
# openssl openssl
# mkpasswd mkpasswd
# Nix package related tools # Nix package related tools
patchelf patchelf
# nix-index nix-index
nix-prefetch-scripts nix-prefetch-scripts
nix-tree # nix-prefetch-github
# Version Control Systems # Version Control Systems
gitFull gitFull
pijul
# gitless # gitless
gitRepo gitRepo
git-lfs git-lfs
@ -105,13 +87,14 @@ in
# Password Management # Password Management
gnupg gnupg
yubikey-manager # yubikey-manager
yubikey-manager-qt
yubikey-personalization yubikey-personalization
yubikey-personalization-gui yubikey-personalization-gui
# gnome.gnome-keyring # gnome.gnome-keyring
gcr gcr
seahorse gnome.seahorse
# Language Support # Language Support
hunspellDicts.en-us hunspellDicts.en-us
@ -119,59 +102,124 @@ in
# Messaging/Communication # Messaging/Communication
# pidgin # pidgin
# hexchat hexchat
pkgsUnstable.element-desktop schildichat-desktop
aspellDicts.en aspellDicts.en
aspellDicts.de aspellDicts.de
# skypeforlinux # skypeforlinux
# pkgsUnstable.jitsi-meet-electron # pkgsUnstable.jitsi-meet-electron
thunderbird-128 thunderbird
# betterbird evolution # gnome4.glib_networking
# FIXME: depends on insecure openssl 1.1.1t # FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop # kotatogram-desktop
pkgsUnstable.tdesktop tdesktop
pkgsUnstable.signal-desktop-source (let
version = "6.20.0-beta.1";
in
pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
inherit version;
src = builtins.fetchurl {
url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
};
preFixup =
old.preFixup
+ ''
gappsWrapperArgs+=(
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
)
'';
}))
# --add-flags "--enable-features=UseOzonePlatform"
# --add-flags "--ozone-platform=wayland"
(pkgsUnstableSmall.session-desktop.overrideAttrs (old: {
nativeBuildInputs =
old.nativeBuildInputs
++ [
pkgs.wrapGAppsHook
];
preFixup =
(old.preFixup or "")
+ ''
gappsWrapperArgs+=(
--add-flags "--enable-features=UseOzonePlatform"
--add-flags "--ozone-platform=wayland"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
)
'';
}))
#(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
# nativeBuildInputs = old.nativeBuildInputs ++ [
# pkgs.wrapGAppsHook
# ];
#
# preFixup = (old.preFixup or "") + ''
# gappsWrapperArgs+=(
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
# )
# '';
# }))
thunderbird
# gnome.cheese
discord
# Virtualization # Virtualization
virt-manager # virtmanager
# Remote Control Tools # Remote Control Tools
remmina remmina
# freerdp freerdp
teamviewer
rustdesk
# Audio/Video Players # Audio/Video Players
# ffmpeg ffmpeg
vlc vlc
# v4l-utils audacity
# audacity spotify
# spotify
yt-dlp yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
libwebcam libwebcam
libcamera
snapshot
# Network Tools # Network Tools
openvpn
tcpdump tcpdump
iftop iftop
iperf iperf
bind bind
socat socat
nethogs # 2019-03-05: broken on 19.03 linssid
iptraf-ng
ipmitool
# Code Editing and Programming iptables
# TODO(remove or use): pkgsUnstable.lapce nftables
# TODO(remve or use): pkgsUnstable.helix wireshark
wireguard-tools
# Code Editors
xclip
xsel
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
eog gnome.eog
# gimp gimp
# imagemagick imagemagick
# exiv2 exiv2
# graphviz graphviz
# inkscape inkscape
# qrencode qrencode
zbar
feh
# TODO: remove or move these: Modelling Tools # TODO: remove or move these: Modelling Tools
# plantuml # plantuml
@ -182,46 +230,55 @@ in
# astah-community # astah-community
# Misc Development Tools # Misc Development Tools
# qrcode qrcode
# jq jq
# cdrtools cdrtools
# Document Processing and Management # Document Processing and Management
nautilus gnome.nautilus
xfce.thunar
pcmanfm pcmanfm
# mendeley # mendeley
evince evince
xournalpp pkgsUnstableSmall.logseq
# File Synchronzation # File Synchronzation
maestral maestral
maestral-gui
rsync rsync
# Filesystem Tools # Filesystem Tools
# ntfs3g ntfs3g
# ddrescue ddrescue
# ncdu ncdu
# hdparm unetbootin
hdparm
testdisk
# binwalk # binwalk
# gptfdisk gptfdisk
# gparted gparted
# smartmontools smartmontools
## Android
androidenv.androidPkgs_9_0.platform-tools
## Python ## Python
# packages'.myPython packages'.myPython
# Misc Desktop Tools # Misc Desktop Tools
# ltunify ltunify
# dex # dex
xorg.xbacklight
coreutils coreutils
lsof lsof
xdg-utils xdotool
xdg_utils
xdg-user-dirs xdg-user-dirs
dconf dconf
picocom picocom
glib.dev # contains gdbus tool glib.dev # contains gdbus tool
alacritty alacritty
# wally-cli wally-cli
man-pages man-pages
# Screen recording # Screen recording
@ -231,45 +288,29 @@ in
# shutter # shutter
# kazam # doesn't start # kazam # doesn't start
# xvidcap # doesn't keep the recording rectangle # xvidcap # doesn't keep the recording rectangle
# obs-studio
# shotcut # shotcut
# openshot-qt # openshot-qt
# introduces python: screenkey # introduces python: screenkey
# avidemux # broken pkgsUnstableSmall.ledger-live-desktop
# handbrake
# snes9x
# snes9x-gtk
# this is a displaymanager!
# libretro.snes9x2010
# retroarchFull
# pkgs.logseq-bin
pkgs.logseq
# (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { })
])
++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop
# unsupported on aarch64-linux
pkgs.androidenv.androidPkgs_9_0.platform-tools
pkgs.teamviewer
pkgs.discord
pkgsUnstable.session-desktop
pkgsUnstable.rustdesk
]); ]);
systemd.user.startServices = true; systemd.user.startServices = true;
services.syncthing.enable = true; services.syncthing.enable = true;
services.udiskie = { services.udiskie = {
enable = true; enable = true;
automount = false; automount = true;
notify = true; notify = true;
}; };
# FIXME: doesn't work as the service can't seem to control its started PID
services.dropbox = {
enable = false;
path = "${config.home.homeDirectory}/Dropbox-Hm";
};
# TODO: uncomment this when it's in stable home-manger # TODO: uncomment this when it's in stable home-manger
# programs.joshuto = { # programs.joshuto = {
# enable = true; # enable = true;

17
nix/home-manager/configuration/graphical-gnome3.nix
View file

@ -1,8 +1,13 @@
{ pkgs, ... }:
{ {
home.packages = with pkgs; [ pkgs,
gnome.gnome-tweaks config,
gnome.gnome-keyring ...
gnome.seahorse }: {
]; home.packages =
[]
++ (with pkgs; [
gnome.gnome-tweaks
gnome.gnome-keyring
gnome.seahorse
]);
} }

143
nix/home-manager/configuration/graphical-removable.nix
View file

@ -1,5 +1,8 @@
{ pkgs, ... }:
{ {
pkgs,
config,
...
}: {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
../profiles/qtile-desktop.nix ../profiles/qtile-desktop.nix
@ -13,87 +16,89 @@
../programs/pass.nix ../programs/pass.nix
]; ];
home.packages = with pkgs; [ home.packages =
# Nix package related tools []
patchelf ++ (with pkgs; [
nix-index # Nix package related tools
nix-prefetch-scripts patchelf
nix-index
nix-prefetch-scripts
# Version Control Systems # Version Control Systems
gitless gitless
# Process/System Administration # Process/System Administration
htop htop
gnome.gnome-tweaks gnome.gnome-tweaks
xorg.xhost xorg.xhost
dmidecode dmidecode
evtest evtest
# Archive Managers # Archive Managers
sshfs-fuse sshfs-fuse
xarchive xarchive
p7zip p7zip
zip zip
unzip unzip
gzip gzip
lzop lzop
# Password Management # Password Management
gnome.gnome-keyring gnome.gnome-keyring
gnome.seahorse gnome.seahorse
# Remote Control Tools # Remote Control Tools
remmina remmina
freerdp freerdp
# Network Tools # Network Tools
openvpn openvpn
tcpdump tcpdump
iftop iftop
iperf iperf
bind bind
socat socat
# samba # samba
iptables iptables
nftables nftables
wireshark wireshark
# Code Editors # Code Editors
xclip xclip
xsel xsel
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
gnome.eog gnome.eog
gimp gimp
inkscape inkscape
# Misc Development Tools # Misc Development Tools
qrcode qrcode
jq jq
cdrtools cdrtools
# Document Processing and Management # Document Processing and Management
zathura zathura
# File Synchronzation # File Synchronzation
rsync rsync
# Filesystem Tools # Filesystem Tools
ntfs3g ntfs3g
ddrescue ddrescue
ncdu ncdu
woeusb woeusb
unetbootin unetbootin
pcmanfm pcmanfm
hdparm hdparm
testdisk testdisk
binwalk binwalk
gptfdisk gptfdisk
packages'.myPython packages'.myPython
# Virtualization # Virtualization
virtmanager virtmanager
]; ]);
} }

12
nix/home-manager/configuration/text-minimal.nix Normal file
View file

@ -0,0 +1,12 @@
{pkgs, ...}: {
imports = [
../profiles/common.nix
../programs/neovim.nix
];
home.packages = with pkgs; [
iperf3
inetutils
speedtest-cli
];
}

29
nix/home-manager/lib.nix
View file

@ -1,19 +1,14 @@
_: { {}: let
mkSimpleTrayService = in {
{ execStart }: mkSimpleTrayService = {execStart}: {
{ Unit = {
Unit = { Description = "";
Description = ""; After = ["graphical-session-pre.target"];
After = [ "graphical-session-pre.target" ]; PartOf = ["graphical-session.target"];
PartOf = [ "graphical-session.target" ];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {
ExecStart = execStart;
};
}; };
Install = {WantedBy = ["graphical-session.target"];};
Service = {ExecStart = execStart;};
};
} }

103
nix/home-manager/profiles/common.nix
View file

@ -1,38 +1,22 @@
{ pkgs, lib, ... }: {pkgs, ...}: {
{
home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version? # TODO: re-enable this with the appropriate version?
# programs.home-manager.enable = true; # programs.home-manager.enable = true;
# programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
# TODO: move this to an OS snippet? imports = [
../programs/zsh.nix
];
nixpkgs.config = { nixpkgs.config = {
allowBroken = false; allowBroken = false;
allowUnfree = true; allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate = permittedInsecurePackages = [];
pkg:
builtins.elem (lib.getName pkg) [
"electron-32.3.3"
"electron"
];
permittedInsecurePackages = [
"electron-32.3.3"
"electron"
];
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"
"aspell-dict-en-science"
];
}; };
nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"];
nix.settings.sandbox = "relaxed";
home.keyboard = { home.keyboard = {
layout = "us"; layout = "us";
variant = "altgr-intl"; variant = "altgr-intl";
@ -46,52 +30,53 @@
xdg.enable = true; xdg.enable = true;
programs.direnv.enable = true; programs.direnv.enable = true;
services.lorri.enable = true;
home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1";
# Don't create .pyc files. # Don't create .pyc files.
home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1";
programs.command-not-found.enable = true; programs.command-not-found.enable = true;
programs.fzf.enable = true; programs.fzf.enable = true;
home.packages = with pkgs; [ home.packages =
coreutils []
++ (with pkgs; [
htop
vcsh
vcsh # Authentication
cacert
openssl
mkpasswd
htop just
iperf3 ripgrep
nethogs du-dust
# Authentication elfutils
cacert exfat
openssl file
mkpasswd tree
pwgen
proot
just parted
ripgrep pv
du-dust tmux
wget
curl
elfutils # git helpers
exfat git-crypt
file gitFull
tree pastebinit
pwgen gist
proot mr
parted usbutils
pv pciutils
tmux ]);
wget
curl
# git helpers home.stateVersion = "22.05";
git-crypt
gitFull
pastebinit
gist
mr
usbutils
pciutils
];
} }

8
nix/home-manager/profiles/dotfiles.nix
View file

@ -1,4 +1,10 @@
_: { {
pkgs,
config,
...
}: let
vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
in {
# TODO: fix the dotfiles # TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript} # $DRY_RUN_CMD ${vcshActivationScript}

62
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
View file

@ -3,40 +3,38 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
... ...
}: }: let
let
repoBareLocal = repoBareLocal =
pkgs.runCommand "fetchbare" pkgs.runCommand "fetchbare"
{ {
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000"; outputHash = "0000000000000000000000000000000000000000000000000000";
} } ''
'' (
( set -xe
set -xe export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out )
) '';
'';
in in
pkgs.writeScript "activation-script" '' pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s) export HOST=$(hostname -s)
function set_remotes { function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
} }
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST... echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh} set_remotes ${repoHttps} ${repoSsh}
else else
set_remotes ${repoBareLocal} ${repoSsh} set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST... echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true ${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh} set_remotes ${repoHttps} ${repoSsh}
fi fi
'' ''

14
nix/home-manager/profiles/experimental-desktop.nix
View file

@ -1,6 +1,16 @@
{ packages', ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
nodeFlake,
packages',
...
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in {
imports = [
../profiles/wayland-desktop.nix
];
home.packages = [ home.packages = [
# experimental WMs # experimental WMs

116
nix/home-manager/profiles/gnome-desktop.nix
View file

@ -1,6 +1,13 @@
{ pkgs, ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
...
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
services = { services = {
gnome-keyring.enable = false; gnome-keyring.enable = false;
@ -16,85 +23,86 @@
# Hidden=true # Hidden=true
# ''; # '';
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
dconf.settings = dconf.settings = let
let manualKeybindings = [
manualKeybindings = [ {
{ binding = "Print";
binding = "Print"; command = "flameshot gui";
command = "flameshot gui"; name = "flameshot";
name = "flameshot"; }
}
{ {
binding = "<Super>t"; binding = "<Super>t";
command = "alacritty"; command = "alacritty";
name = "alacritty"; name = "alacritty";
} }
]; ];
numWorkspaces = 10; numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( customKeybindingsNames =
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
); );
workspacesKeyBindingsOffset = builtins.length manualKeybindings; workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9] # with this we can make use of all number keys [0-9]
mapToNumber = mapToNumber = i:
i: if i < 10
if i < 10 then then i
i else if i == 10
else if i == 10 then then 0
0 else throw "i exceeds 10: ${i}";
else in
throw "i exceeds 10: ${i}";
in
{ {
"org/gnome/settings-daemon/plugins/media-keys" = { "org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = customKeybindingsNames; custom-keybindings = customKeybindingsNames;
screenreader = "@as []"; screenreader = "@as []";
screensaver = [ "<Alt><Super>l" ]; screensaver = ["<Alt><Super>l"];
}; };
# disable the builtin <Super>[1-9] functionality # disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs ( "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
(builtins.genList (i: { (i: {
name = "switch-to-application-${toString (i + 1)}"; name = "switch-to-application-${toString (i + 1)}";
value = [ ]; value = [];
}) numWorkspaces) })
++ [ numWorkspaces) ++ [
{ {
name = "toggle-overview"; name = "toggle-overview";
value = [ ]; value = [];
} }
] ]);
);
# remap it to switching to the workspaces # remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "switch-to-workspace-${toString (i + 1)}"; name = "switch-to-workspace-${toString (i + 1)}";
value = [ "<Super>${toString (mapToNumber (i + 1))}" ]; value = [
}) numWorkspaces "<Super>${toString (mapToNumber (i + 1))}"
); ];
})
numWorkspaces);
} }
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString i}"; name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i; value = builtins.elemAt manualKeybindings i;
}) (builtins.length manualKeybindings) })
) (builtins.length manualKeybindings))
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = { value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}"; binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}"; command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}"; name = "Send to workspace ${toString (i + 1)}";
}; };
}) numWorkspaces })
); numWorkspaces);
} }

38
nix/home-manager/profiles/nix-channels.nix
View file

@ -1,22 +1,28 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = ""; home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
set -ex pkgs.writeScript "activation-script" ''
if test -f $HOME/.nix-channels; then set -ex
echo Uninstalling available channels... if test -f $HOME/.nix-channels; then
if test -f $HOME/.nix-channel; then echo Uninstalling available channels...
while read url channel; do if test -f $HOME/.nix-channel; then
nix-channel --remove $channel while read url channel; do
done < $HOME/.nix-channel nix-channel --remove $channel
done < $HOME/.nix-channel
fi
echo Moving existing file away...
touch $HOME/.nix-channels.dummy
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi fi
echo Moving existing file away... ''
touch $HOME/.nix-channels.dummy };
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''};
''; '';
} }

23
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -1,14 +1,14 @@
{ pkgs, ... }: {
let pkgs,
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" '' audio = pkgs.writeShellScript "audio" ''
export PATH=${ export PATH=${
with pkgs; with pkgs;
lib.makeBinPath [ lib.makeBinPath [pulseaudio findutils gnugrep]
pulseaudio
findutils
gnugrep
]
}:$PATH }:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -33,7 +33,7 @@ let
terminalCommand = "${pkgs.alacritty}/bin/alacritty"; terminalCommand = "${pkgs.alacritty}/bin/alacritty";
dpmsScript = pkgs.writeShellScript "dpmsScript" '' dpmsScript = pkgs.writeShellScript "dpmsScript" ''
export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH
set -xe set -xe
@ -56,7 +56,7 @@ let
''; '';
screenLockCommand = pkgs.writeShellScript "screenLock" '' screenLockCommand = pkgs.writeShellScript "screenLock" ''
export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH
revert() { revert() {
${dpmsScript} default ${dpmsScript} default
@ -251,8 +251,7 @@ let
def print_new_window(window): def print_new_window(window):
print("new window: ", window) print("new window: ", window)
''; '';
in in {
{
services = { services = {
gnome-keyring.enable = true; gnome-keyring.enable = true;
blueman-applet.enable = true; blueman-applet.enable = true;
@ -287,7 +286,7 @@ in
networkmanagerapplet networkmanagerapplet
gnome-icon-theme gnome-icon-theme
gnome.gnome-themes-extra gnome.gnome-themes-extra
adwaita-icon-theme gnome.adwaita-icon-theme
lxappearance lxappearance
xorg.xcursorthemes xorg.xcursorthemes
pavucontrol pavucontrol

264
nix/home-manager/profiles/sway-desktop.nix
View file

@ -1,64 +1,57 @@
/*
TODO: create helper scripts for sharing of a screen portion
```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it
*/
{ {
pkgs, pkgs,
config, config,
lib, lib,
# packages', packages',
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in in {
{
imports = [ imports = [
../profiles/wayland-desktop.nix ../profiles/wayland-desktop.nix
../programs/waybar.nix ../programs/waybar.nix
../programs/salut.nix
]; ];
services.dunst = { # TODO: autostart
enable = true; # environment.loginShellInit = ''
# if [[ "$(tty)" == /dev/tty1 ]]; then
# echo starting sway..
# exec sway
# fi
# '';
services = {
# TODO: doesn't work with 2 screens
# flameshot.enable = true;
}; };
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
home.packages = [ home.packages = [
pkgs.swayidle pkgs.swayidle
pkgs.swaylock pkgs.swaylock
## themes ## themes
pkgs.adwaita-icon-theme pkgs.gnome.adwaita-icon-theme
pkgs.hicolor-icon-theme pkgs.hicolor-icon-theme
pkgs.gnome-icon-theme pkgs.gnome-icon-theme
## fonts ## fonts
# pkgs.nerd-fonts # TODO: reinstall selected ones
pkgs.dejavu_fonts # just a basic good fond pkgs.dejavu_fonts # just a basic good fond
pkgs.font-awesome_5 # needed by i3status-rust pkgs.font-awesome_5 # needed by i3status-rust
pkgs.nerdfonts
pkgs.font-awesome pkgs.font-awesome
pkgs.roboto pkgs.roboto
pkgs.ttf_bitstream_vera pkgs.ttf_bitstream_vera
pkgs.noto-fonts pkgs.noto-fonts
pkgs.noto-fonts-cjk
pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-cjk-serif
pkgs.noto-fonts-emoji pkgs.noto-fonts-emoji
@ -73,146 +66,115 @@ in
pkgs.dina-font pkgs.dina-font
pkgs.monoid pkgs.monoid
pkgs.hermit pkgs.hermit
### found on colemickens' repo # found on colemickens' repo
pkgs.gelasio # metric-compatible with Georgia pkgs.gelasio # metric-compatible with Georgia
pkgs.powerline-symbols pkgs.powerline-symbols
pkgs.iosevka-comfy.comfy-fixed pkgs.iosevka-comfy.comfy-fixed
## experimental stuff # experimental stuff
pkgs.fuzzel pkgs.fuzzel
]; ];
# TODO: configure kanshi to always set the 5K resolution
# DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
# Make: Philips Consumer Electronics Company
# Model: PHL 499P9
# Serial: AU02419010010
# Physical size: 1190x340 mm
# Enabled: yes
# Modes:
# 3840x1080 px, 59.967999 Hz (preferred)
# 5120x1440 px, 59.977001 Hz (current)
wayland.windowManager.sway = { wayland.windowManager.sway = {
enable = true; enable = true;
systemd.enable = true; systemdIntegration = true;
# systemd.enable = true;
xwayland = false; xwayland = false;
config = config = let
let modifier = "Mod4";
modifier = "Mod4"; inherit (config.wayland.windowManager.sway.config) left right up down;
inherit (config.wayland.windowManager.sway.config) in {
left inherit modifier;
right bars = [];
up
down
;
in
{
inherit modifier;
bars = [ ];
input = { input = {
"type:keyboard" = "type:keyboard" =
{ {
xkb_layout = config.home.keyboard.layout; xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant; xkb_variant = config.home.keyboard.variant;
} }
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
"type:touchpad" = {
natural_scroll = "enabled";
}; };
# alternatively run this command "type:touchpad" = {
# swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" natural_scroll = "enabled";
# and then switch to a different VT (alt+ctrl+f2) and back
"1386:914:Wacom_Intuos_Pro_S_Pen" = {
tool_mode = "* relative";
};
}; };
keybindings = lib.mkOptionDefault {
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
# disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
"${modifier}+b" = "nop";
"${modifier}+v" = "nop";
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place.
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
"${modifier}+Ctrl+l" = "exec ${lockCmd}";
"--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
};
terminal = "alacritty";
startup =
[
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
''
);
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
''
);
}
];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
window.titlebar = false;
window.border = 4;
# this maps to focus_on_window_activation
focus.newWindow = "urgent";
}; };
keybindings = lib.mkOptionDefault {
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
# disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
"${modifier}+b" = "nop";
"${modifier}+v" = "nop";
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
"${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
"${modifier}+Ctrl+l" = "exec ${lockCmd}";
"--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
};
terminal = "alacritty";
startup =
[
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
'');
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
'');
}
];
colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
window.border = 4;
};
}; };
services.swayidle = { services.swayidle = {

75
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -1,14 +1,19 @@
{ {
pkgs, pkgs,
config,
lib, lib,
repoFlake, repoFlake,
nodeFlake,
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
in
{ wayprompt = nixpkgs-wayland'.wayprompt;
in {
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null; # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -24,57 +29,45 @@ in
systemd.user.targets.tray = { systemd.user.targets.tray = {
Unit = { Unit = {
Description = "Home Manager System Tray"; Description = "Home Manager System Tray";
Requires = [ "graphical-session-pre.target" ]; Requires = ["graphical-session-pre.target"];
}; };
}; };
home.packages = home.packages = with pkgs; [
with pkgs; # required by network-manager-applet
[ pkgs.networkmanagerapplet
# required by network-manager-applet
networkmanagerapplet
wlr-randr wlr-randr
wayout wayout
wl-clipboard wl-clipboard
wmctrl wmctrl
nixpkgs-wayland'.shotman wayprompt
nixpkgs-wayland'.shotman
# identifies key input syms # identifies key input syms
wev wev
# TODO: whwat's this for? # TODO: whwat's this for?
# wltype # wltype
qt5.qtwayland pavucontrol
qt6.qtwayland playerctl
# libsForQt5.qt5.qtwayland pasystray
# libsForQt6.qt6.qtwayland qt5.qtwayland
qt6.qtwayland
# libsForQt5.qt5.qtwayland
# libsForQt6.qt6.qtwayland
# audio # probably required by flameshot
playerctl # xdg-desktop-portal xdg-desktop-portal-wlr
helvum # grim
pasystray ];
sonusmix
pwvucontrol
# probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr
# grim
waypipe
]
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64
[ ]
);
home.sessionVariables = { home.sessionVariables = {
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1"; MOZ_ENABLE_WAYLAND = "1";
WLR_NO_HARDWARE_CURSORS = "1";
}; };
home.pointerCursor = { home.pointerCursor = {

94
nix/home-manager/programs/chromium.nix
View file

@ -1,81 +1,59 @@
{ {
name, name,
lib, lib,
pkgs,
... ...
}: }: let
let extensions =
extensions = [
[ #undetectable adblocker
#undetectable adblocker {id = "gcfcpohokifjldeandkfjoboemihipmb";}
{ id = "gcfcpohokifjldeandkfjoboemihipmb"; }
# ublock origin # ublock origin
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
# # YT ad block # # YT ad block
# {id = "cmedhionkhpnakcndndgjdbohmhepckk";} # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
# # Adblock Plus # # Adblock Plus
# {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
# Cookie Notice Blocker # Cookie Notice Blocker
{ id = "odhmfmnoejhihkmfebnolljiibpnednn"; } {id = "odhmfmnoejhihkmfebnolljiibpnednn";}
# i don't care about cookies # i don't care about cookies
{ id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } {id = "fihnjjcciajhdojfnbdddfaoknhalnja";}
# NopeCHA # NopeCHA
{ id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";}
# h264ify # h264ify
{ id = "aleakchihdccplidncghkekgioiakgal"; } {id = "aleakchihdccplidncghkekgioiakgal";}
# clippy # clippy
# {id = "honbeilkanbghjimjoniipnnehlmhggk"} # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
{ {
id = "dcpihecpambacapedldabdbpakmachpb"; id = "dcpihecpambacapedldabdbpakmachpb";
updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml";
} }
# cookie autodelete # cookie autodelete
{ id = "fhcgjolkccmbidfldomjliifgaodjagh"; } {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# Vimium C
{id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
]);
# unhook in {
{ id = "khncfooichmfjbepaaaebmommgaepoid"; }
]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs
{ id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet
{ id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet
{ id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C
{ id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
# TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
# always right
{ id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
# shazam music
{ id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]);
in
{
programs.chromium = { programs.chromium = {
enable = true; enable = true;
inherit extensions; inherit extensions;
# TODO: extensions currently don't work with ungoogled-chromium
package = pkgs.chromium;
}; };
programs.brave = { programs.brave = {
# TODO: enable this on aarch64-linux enable = true;
enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions; inherit extensions;
}; };
programs.browserpass = {browsers = ["chromium" "brave"];};
} }

129
nix/home-manager/programs/espanso.nix
View file

@ -1,82 +1,65 @@
{ pkgs, ... }:
{ {
pkgs,
config,
...
}: {
services.espanso = { services.espanso = {
package = pkgs.espanso-wayland; # package = pkgs.espanso.overrideAttrs(_: {
# package = pkgs.espanso-wayland.overrideAttrs (_: { # # src =
# src = repoFlake.inputs.espanso; # })
enable = true;
# cargoLock = { settings = {
# # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; matches = let
# lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; playerctl = ''
# outputHashes = { ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
# "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; in [
# }; {
# }; trigger = ":vpos";
# }); replace = "{{output}}";
vars = [
enable = false;
configs = {
default = {
# backend = "Inject";
# backend = "Clipboard";
};
};
matches =
let
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in
{
default = {
matches = [
{ {
trigger = ":vpos"; name = "output";
replace = "{{output}}"; type = "script";
vars = [ params = {
{ args = [
name = "output"; (pkgs.writeScript "espanso" ''
type = "script"; #! ${pkgs.python3}/bin/python
params = { import subprocess, os, math, datetime
args = [
(pkgs.writeScript "espanso" ''
#! ${pkgs.python3}/bin/python
import subprocess, os, math, datetime
id=str(os.getuid()) id=str(os.getuid())
result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
result.check_returncode() result.check_returncode()
position_secs = math.trunc(float(result.stdout)) position_secs = math.trunc(float(result.stdout))
position_human = datetime.timedelta(seconds=position_secs) position_human = datetime.timedelta(seconds=position_secs)
print("%s - %s" % (position_human, position_secs)) print("%s - %s" % (position_human, position_secs))
'') '')
]; ];
}; };
}
];
}
{
trigger = ":vtit";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
};
}
];
}
{
trigger = ":dunno";
replace = "¯\\_()_/¯";
}
{
trigger = ":shrug";
replace = "¯\\_()_/¯";
} }
]; ];
}; }
}; {
trigger = ":vtit";
replace = "{{output}}";
vars = [
{
name = "output";
type = "script";
params = {
args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
};
}
];
}
{
trigger = ":dunno";
replace = "¯\\_()_/¯";
}
];
};
}; };
} }

419
nix/home-manager/programs/firefox.nix
View file

@ -1,417 +1,6 @@
{ {pkgs, ...}: {
repoFlake, # programs.librewolf = {enable = true;};
pkgs, programs.firefox = {enable = true;};
config,
lib,
...
}:
let
# Search extension names with below command:
# nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
# bypass-paywalls-clean (can't use, was creating popups) home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
consent-o-matic
terms-of-service-didnt-read
auto-tab-discard
# redirector # For nixos wiki
# darkreader
facebook-container
control-panel-for-twitter
# containerise
facebook-tracking-removal
vimium
cookie-autodelete
auto-tab-discard
istilldontcareaboutcookies
youtube-recommended-videos
display-_anchors
];
customAddons = [
];
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
};
mkProfile =
override:
lib.recursiveUpdate {
extensions = ryceeAddons ++ customAddons;
inherit search;
settings = {
# automatically enable extensions
"extensions.autoDisableScopes" = 0;
"middlemouse.paste" = false;
"browser.download.useDownloadDir" = false;
"browser.tabs.insertAfterCurrent" = true;
"browser.tabs.warnOnClose" = true;
"browser.toolbars.bookmarks.visibility" = "never";
"browser.quitShortcut.disabled" = false;
# restore the previous session automatically
"browser.startup.page" = 3;
"browser.sessionstore.resume_from_crash" = true;
"browser.sessionstore.restore_pinned_tabs_on_demand" = true;
"browser.sessionstore.restore_on_demand" = true;
"browser.urlbar.suggest.bookmark" = true;
"browser.urlbar.suggest.engines" = true;
"browser.urlbar.suggest.history" = true;
"browser.urlbar.suggest.openpage" = true;
"browser.urlbar.suggest.topsites" = false;
"browser.urlbar.trimHttps" = true;
"sidebar.position_start" = false;
"findbar.highlightAll" = true;
"browser.tabs.hoverPreview.enabled" = true;
# Disable fx accounts
"identity.fxaccounts.enabled" = false;
# Disable "save password" prompt
"signon.rememberSignons" = false;
# Harden
"privacy.trackingprotection.enabled" = true;
"dom.security.https_only_mode" = true;
# Disable irritating first-run stuff
"browser.disableResetPrompt" = true;
"browser.download.panel.shown" = true;
"browser.feeds.showFirstRunUI" = false;
"browser.messaging-system.whatsNewPanel.enabled" = false;
"browser.rights.3.shown" = true;
"browser.shell.checkDefaultBrowser" = false;
"browser.shell.defaultBrowserCheckCount" = 1;
"browser.startup.homepage_override.mstone" = "ignore";
"browser.uitour.enabled" = false;
"startup.homepage_override_url" = "";
"trailhead.firstrun.didSeeAboutWelcome" = true;
"browser.bookmarks.restore_default_bookmarks" = false;
"browser.bookmarks.addedImportButton" = true;
# Disable "Save to Pocket" or Pocket entirely
"extensions.pocket.enabled" = false;
# Disable telemetry
"toolkit.telemetry.enabled" = false;
"toolkit.telemetry.unified" = false;
"toolkit.telemetry.archive.enabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"app.shield.optoutstudies.enabled" = false;
"browser.discovery.enabled" = false;
"browser.newtabpage.activity-stream.feeds.telemetry" = false;
"browser.newtabpage.activity-stream.telemetry" = false;
"browser.ping-centre.telemetry" = false;
"datareporting.healthreport.service.enabled" = false;
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.sessions.current.clean" = true;
"devtools.onboarding.telemetry.logged" = false;
"toolkit.telemetry.bhrPing.enabled" = false;
"toolkit.telemetry.firstShutdownPing.enabled" = false;
"toolkit.telemetry.hybridContent.enabled" = false;
"toolkit.telemetry.newProfilePing.enabled" = false;
"toolkit.telemetry.prompted" = 2;
"toolkit.telemetry.rejected" = true;
"toolkit.telemetry.reportingpolicy.firstRun" = false;
"toolkit.telemetry.server" = "";
"toolkit.telemetry.shutdownPingSender.enabled" = false;
"toolkit.telemetry.unifiedIsOptIn" = false;
"toolkit.telemetry.updatePing.enabled" = false;
# Disable any feeds on the new tab page
"browser.newtabpage.activity-stream.showTopSites" = false;
"browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
"browser.newtabpage.activity-stream.discoverystream.enabled" = false;
"browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
"browser.newtabpage.blocked" = lib.genAttrs [
# Youtube
"26UbzFJ7qT9/4DhodHKA1Q=="
# Facebook
"4gPpjkxgZzXPVtuEoAL9Ig=="
# Wikipedia
"eV8/WsSLxHadrTL1gAxhug=="
# Reddit
"gLv0ja2RYVgxKdp0I5qwvA=="
# Amazon
"K00ILysCaEq8+bEqV/3nuw=="
# Twitter
"T9nJot5PurhJSy8n038xGA=="
] (_: 1);
"browser.topsites.blockedSponsors" = [
"adidas"
"temuaffiliateprogram.pxf"
"s.click.aliexpress"
];
# enable userChrome
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"devtools.chrome.enabled" = true;
"devtools.debugger.remote-enabled" = true;
# disable translations for some languages
"browser.translations.neverTranslateLanguages" = [
"en"
"de"
];
"browser.translations.automaticallyPopup" = false;
# enable pipewire (and libcamera) sources
"media.webrtc.camera.allow-pipewire" = true;
};
userChrome =
let
name = override.color or colors.grey;
value = colorValues."${name}".normal;
valueBright = colorValues."${name}".highlight;
valueDark = colorValues."${name}".inactive;
in
''
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
#nav-bar {
background-color: ${value} !important;
color: black !important;
}
/* don't show close button on background tabs */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
display: none !important;
}
/* show close button on hover */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
display: -moz-inline-box !important;
}
/* default */
#TabsToolbar {
background: ${valueDark} !important;
}
/* default tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
background: ${value} !important;
opacity: 0.8
}
/* selected tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
background: ${valueBright} !important;
box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
}
/* hovered tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
background: ${valueBright} !important;
}
/* unloaded/pending tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
background: ${valueDark} !important;
}
'';
# /* new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
# background: unset !important;
# }
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
# /* background: var(--default_tabs_bg_newtab) !important;
# }
# /* hovered new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
# background: var(--default_tabs_bg_newtab_hovered) !important;
# }
} (builtins.removeAttrs override [ "color" ]);
# TODO: insert the id automatically
mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
colors = builtins.mapAttrs (name: _: name) colorValues;
colorValues = {
blue = {
normal = "#49b1fc";
highlight = "#05a9fc"; # Brighter blue
inactive = "#1f81c6"; # Darker blue
};
green = {
normal = "#51cd00";
highlight = "#5ae200"; # Brighter green
inactive = "#45ad00"; # Darker green
};
orange = {
normal = "#ff9800";
highlight = "#ffb74d"; # Brighter orange
inactive = "#c76a00"; # Darker orange
};
red = {
normal = "#f6685e";
highlight = "#ff4336"; # Brighter red
inactive = "#aa463f"; # Darker red
};
yellow = {
normal = "#fced4b";
highlight = "#fce705"; # Brighter yellow
inactive = "#dbbe00"; # Darker yellow
};
purple = {
normal = "#9c27b0";
highlight = "#ab47bc"; # Brighter purple
inactive = "#7b1fa2"; # Darker purple
};
pink = {
normal = "#e91e63";
highlight = "#ff6090"; # Brighter pink
inactive = "#c2185b"; # Darker pink
};
brown = {
normal = "#795548";
highlight = "#a88b6f"; # Brighter brown
inactive = "#4e3b30"; # Darker brown
};
grey = {
normal = "#9e9e9e";
highlight = "#bdbdbd"; # Brighter grey
inactive = "#757575"; # Darker grey
};
teal = {
normal = "#009688";
highlight = "#26c6da"; # Brighter teal
inactive = "#00796b"; # Darker teal
};
};
in
{
nixpkgs.overlays = [
repoFlake.inputs.nur.overlays.default
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"youtube-recommended-videos"
];
programs.librewolf = {
enable = false;
};
programs.firefox = {
enable = true;
package = pkgs.firefox-esr;
profiles = mkProfiles {
"personal" = mkProfile {
id = 0;
isDefault = true;
color = colors.blue;
};
"comms" = mkProfile {
id = 1;
color = colors.blue;
};
"admin" = mkProfile {
id = 2;
color = colors.blue;
};
"infra" = mkProfile {
id = 3;
color = colors.blue;
};
"finance" = mkProfile {
id = 4;
color = colors.yellow;
};
"business-admin" = mkProfile {
id = 5;
color = colors.teal;
};
"business-comms" = mkProfile {
id = 6;
color = colors.teal;
};
"business-dev" = mkProfile {
id = 7;
color = colors.teal;
};
"holo-dev" = mkProfile {
id = 8;
color = colors.green;
};
"holo-infra" = mkProfile {
id = 9;
color = colors.green;
};
"holo-comms" = mkProfile {
id = 10;
color = colors.green;
};
"justyna" = mkProfile {
id = 11;
color = colors.pink;
};
"justyna-office" = mkProfile {
id = 12;
color = colors.pink;
};
};
};
# create one desktop entry for each profile
xdg.desktopEntries = lib.mapAttrs' (
k: _v:
lib.nameValuePair "firefox-profile-${k}" {
categories = [
"Network"
"WebBrowser"
];
exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
genericName = "Web Browser";
icon =
builtins.replaceStrings [ ".desktop" ] [ "" ]
config.programs.firefox.package.desktopItem.name;
mimeType = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
name = "Firefox: ${k}";
startupNotify = true;
settings.StartupWMClass =
# To group windows of different profiles.
# Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
#if profile.name == "default"
#then "firefox"
#else "firefox-${profile.name}";
"firefox";
terminal = false;
type = "Application";
}
) config.programs.firefox.profiles;
} }

19
nix/home-manager/programs/gpg-agent.nix
View file

@ -1,17 +1,20 @@
{ lib, pkgs, osConfig, ... }: {lib, pkgs, config, ...}: {
{ home.packages = [
home.packages = [ pkgs.gcr ]; pkgs.gcr
] ++
(if config.services.gpg-agent.pinentryFlavor == "gtk2" then [pkgs.pinentry-gtk2]
else if config.services.gpg-agent.pinentryFlavor == "gnome3" then [pkgs.pinentry-gnome]
else [])
;
programs.gpg.enable = true; programs.gpg.enable = true;
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableScDaemon = !osConfig.services.pcscd.enable; enableScDaemon = true;
enableSshSupport = true; enableSshSupport = true;
grabKeyboardAndMouse = true; grabKeyboardAndMouse = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; pinentryFlavor = lib.mkDefault "gtk2";
extraConfig = '' extraConfig = "";
no-allow-external-cache
'';
defaultCacheTtl = 0; defaultCacheTtl = 0;
maxCacheTtl = 0; maxCacheTtl = 0;

35
nix/home-manager/programs/homeshick.nix
View file

@ -1,25 +1,32 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
set -e pkgs.writeScript "activation-script" ''
echo home-manager path is ${config.home.path} set -e
echo home is $HOME echo home-manager path is ${config.home.path}
echo home is $HOME
source ${pkgs.homeshick}/homeshick.sh source ${pkgs.homeshick}/homeshick.sh
type homeshick type homeshick
# echo Updating homeshick # echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''}; ''
};
''; '';
nixpkgs.config = { nixpkgs.config = {
packageOverrides = packageOverrides = pkgs:
pkgs: with pkgs; { with pkgs; {
homeshick = builtins.fetchGit { homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git"; url = "https://github.com/andsens/homeshick.git";
ref = "master"; ref = "master";

9
nix/home-manager/programs/libreoffice.nix
View file

@ -1,8 +1,3 @@
{ pkgs, nodeFlake, ... }: {pkgs, ...}: {
home.packages = with pkgs; [libreoffice-fresh];
let
pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
in
{
home.packages = [ pkgsStable.libreoffice ];
} }

252
nix/home-manager/programs/neovim.nix
View file

@ -1,161 +1,131 @@
{ repoFlake, pkgs, ... }:
{ {
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; pkgs,
lib,
...
}: let
in {
# FIXME: this doesn't work
home.sessionVariables.EDITOR = "nvim";
programs.nixvim = { programs.neovim = {
enable = true; enable = true;
defaultEditor = true;
vimdiffAlias = true;
vimAlias = true;
extraPython3Packages = ps: with ps; [ ]; extraPython3Packages = ps: with ps; [];
# extraConfigVim = builtins.readFile ./neovim/vimrc; extraConfig = builtins.readFile ./neovim/vimrc;
clipboard = { plugins = with pkgs;
register = "unnamedplus"; [
providers.wl-copy.enable = true; # yaml-folds
}; {
plugin = vimUtils.buildVimPlugin {
name = "vim-yaml-folds";
src = fetchFromGitHub {
owner = "pedrohdz";
repo = "vim-yaml-folds";
rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
};
buildInputs = [zip vim];
};
}
plugins = { {
airline = { plugin = vimUtils.buildVimPlugin {
enable = true; name = "vim-yaml";
settings = { src = fetchFromGitHub {
powerline_fonts = 1; owner = "stephpy";
skip_empty_sections = 1; repo = "vim-yaml";
theme = "papercolor"; rev = "e97e063b16eba4e593d620676a0a15fa98613979";
}; sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
}; };
fugitive.enable = true; };
gitblame.enable = true; }
lsp = {
enable = true;
};
nix.enable = true; # broken 2021-06-08
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-markdown-toc";
# src = fetchFromGitHub {
# owner = "mzlogin";
# repo = "vim-markdown-toc";
# rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638";
# sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz";
# };
# };
# }
# TODO: enable in next release # broken 2021-06-08
# numbertoggle.enable = true; # {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-perl";
# src = fetchFromGitHub {
# owner = "vim-perl";
# repo = "vim-perl";
# rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb";
# sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr";
# };
# };
# }
# successfor to ctrlp and fzf {
telescope.enable = true; plugin = vimUtils.buildVimPlugin {
name = "git-blame";
src = fetchFromGitHub {
"owner" = "zivyangll";
"repo" = "git-blame.vim";
"rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
"sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
};
};
}
]
++ (with pkgs.vimPlugins; [
delimitMate
vim-airline
vim-airline-themes
ctrlp
vim-css-color
rainbow_parentheses
vim-colorschemes
vim-colorstepper
vim-signify
fugitive
vim-indent-guides
UltiSnips
fzfWrapper
todo-comments.enable = true; ncm2
ncm2-bufword
ncm2-path
ncm2-tmux
ncm2-ultisnips
nvim-yarp
toggleterm.enable = true; LanguageClient-neovim
treesitter = { Improved-AnsiEsc
enable = true; tabular
grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ # Nix
bash vim-addon-nix
json tlib
lua vim-addon-vim2nix
make
markdown
nix
regex
toml
vim
vimdoc
xml
yaml
];
};
treesitter-context.enable = true; # LaTeX
treesitter-refactor.enable = true; vim-latex-live-preview
vimtex
# This plugin trims trailing whitespace and lines. # YAML
trim.enable = true; vim-yaml
};
# plugins = with pkgs; # markdown
# [ vim-markdown
# # yaml-folds vim-markdown-toc
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-yaml-folds";
# src = fetchFromGitHub {
# owner = "pedrohdz";
# repo = "vim-yaml-folds";
# rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
# sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
# };
# buildInputs = [zip vim];
# };
# }
# { # misc syntax support
# plugin = vimUtils.buildVimPlugin { vim-bazel
# name = "vim-yaml"; maktaba
# src = fetchFromGitHub { ]);
# owner = "stephpy";
# repo = "vim-yaml";
# rev = "e97e063b16eba4e593d620676a0a15fa98613979";
# sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
# };
# };
# }
# {
# plugin = vimUtils.buildVimPlugin {
# name = "git-blame";
# src = fetchFromGitHub {
# "owner" = "zivyangll";
# "repo" = "git-blame.vim";
# "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
# "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
# };
# };
# }
# ]
# ++ (with pkgs.vimPlugins; [
# delimitMate
# vim-airline
# vim-airline-themes
# ctrlp
# vim-css-color
# rainbow_parentheses
# vim-colorschemes
# vim-colorstepper
# vim-signify
# fugitive
# vim-indent-guides
# UltiSnips
# fzfWrapper
# ncm2
# ncm2-bufword
# ncm2-path
# ncm2-tmux
# ncm2-ultisnips
# nvim-yarp
# LanguageClient-neovim
# Improved-AnsiEsc
# tabular
# # Nix
# vim-addon-nix
# tlib
# vim-addon-vim2nix
# # LaTeX
# vim-latex-live-preview
# vimtex
# # YAML
# vim-yaml
# # markdown
# vim-markdown
# vim-markdown-toc
# # misc syntax support
# vim-bazel
# maktaba
# ]);
}; };
} }

4
nix/home-manager/programs/neovim/vimrc
View file

@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
\ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'dir': '\v[\/]\.(git|hg|svn)$$',
\ 'file': '\v\.(exe|so|dll)$$', \ 'file': '\v\.(exe|so|dll)$$',
\ } \ }
"let g:ctrlp_max_files=0 let g:ctrlp_max_files=0
"let g:ctrlp_max_depth=1000 let g:ctrlp_max_depth=1000
"let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
"let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'

25
nix/home-manager/programs/obs-studio.nix
View file

@ -1,25 +0,0 @@
{ pkgs, lib, ... }:
{
programs.obs-studio = {
enable = true;
plugins =
builtins.map
(
plugin:
(plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [
{ inherit (attrs) meta; }
{ meta.platforms = [ pkgs.stdenv.system ]; }
];
}))
)
(
with pkgs.obs-studio-plugins;
[
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]
);
};
}

37
nix/home-manager/programs/openvscode-server.nix
View file

@ -1,37 +0,0 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
home.packages = [
pkgs.nil
pkgs.nixd
pkgs.nixfmt-rfc-style
# TODO: automate linking this
# 1. get the commit with: `codium --version`
# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/*
e.g.:
```
(
set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
)
```
*/
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
}))
pkgs.waypipe
];
}

19
nix/home-manager/programs/pass.nix
View file

@ -1,16 +1,17 @@
{ repoFlake, pkgs, ... }: {pkgs, ...}: {
{
# required by pass-otp # required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
# programs.browserpass.enable = true;
programs.browserpass.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
gnupg gnupg
pass
# broken on wayland # broken on wayland
# rofi-pass # rofi-pass
repoFlake.packages.${pkgs.system}.prs prs
]; ];
} }

80
nix/home-manager/programs/radicale.nix
View file

@ -4,8 +4,7 @@
pkgs, pkgs,
osConfig, osConfig,
... ...
}: }: let
let
libdecsync = pkgs.python3Packages.buildPythonPackage rec { libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync"; pname = "libdecsync";
version = "2.2.1"; version = "2.2.1";
@ -39,51 +38,50 @@ let
# pkgs.libxcrypt # pkgs.libxcrypt
]; ];
propagatedBuildInputs = [ propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
libdecsync
pkgs.python3Packages.setuptools
];
}; };
radicale-decsync = pkgs.radicale.overrideAttrs (old: { radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
}); });
mkRadicaleService = mkRadicaleService = {
{ suffix, port }: suffix,
let port,
radicale-config = pkgs.writeText "radicale-config-${suffix}" '' }: let
[server] radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
hosts = localhost:${builtins.toString port} [server]
hosts = localhost:${builtins.toString port}
[auth] [auth]
type = htpasswd type = htpasswd
htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
htpasswd_encryption = bcrypt htpasswd_encryption = bcrypt
[storage] [storage]
type = radicale_storage_decsync type = radicale_storage_decsync
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} decsync_dir = ${config.xdg.dataHome}/decsync-${suffix}
''; '';
in in {
{ systemd.user.services."radicale-${suffix}" = {
systemd.user.services."radicale-${suffix}" = { Unit.Description = "Radicale with DecSync (${suffix})";
Unit.Description = "Radicale with DecSync (${suffix})"; Service = {
Service = { ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; Restart = "on-failure";
Restart = "on-failure";
};
Install.WantedBy = [ "default.target" ];
}; };
Install.WantedBy = ["default.target"];
}; };
};
in in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
{ {
suffix = "personal"; suffix = "personal";
port = 5232; port = 5232;
} }
{ {
suffix = "family"; suffix = "family";
port = 5233; port = 5233;
} }
] ]

21
nix/home-manager/programs/redshift.nix
View file

@ -1,26 +1,21 @@
_:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{ {
pkgs,
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
services.gammastep = { services.gammastep = {
enable = true; enable = true;
provider = "manual";
enableVerboseLogging = true;
inherit (passwords.location.stefan) longitude latitude; inherit (passwords.location.stefan) longitude latitude;
temperature = { temperature = {
# day = 6700; day = 6700;
day = 3000;
night = 3000; night = 3000;
}; };
tray = true; tray = true;
settings = { settings = {
general = {
adjustment-method = "wayland";
};
gammastep = { gammastep = {
# brightness-day = 1.0; brightness-day = 1.0;
brightness-day = 0.5;
brightness-night = 0.5; brightness-night = 0.5;
}; };
}; };

19
nix/home-manager/programs/salut.nix
View file

@ -1,11 +1,20 @@
{ pkgs, packages', ... }: {
pkgs,
config,
lib,
packages',
...
}:
# useful testing command: # useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let let
inherit (import ../lib.nix { }) mkSimpleTrayService; inherit (import ../lib.nix {}) mkSimpleTrayService;
in in
{ {
home.packages = [ packages'.salut ]; home.packages = [
packages'.salut
];
xdg.configFile."salut/config.ini" = { xdg.configFile."salut/config.ini" = {
enable = true; enable = true;
@ -27,5 +36,7 @@ in
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
}; };
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; systemd.user.services.salut = mkSimpleTrayService {
execStart = "${packages'.salut}/bin/salut";
};
} }

597
nix/home-manager/programs/vscode/default.nix
View file

@ -1,134 +1,482 @@
{ {pkgs, ...}: let
config, packagedExtensions = with pkgs.vscode-extensions; [
pkgs, # bbenoist.Nix
repoFlake, ms-vscode-remote.remote-ssh
lib,
... vscodevim.vim
}: ];
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [
in # {
{ # name = "vim";
# publisher = "vscodevim";
# version = "1.17.1";
# sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
# }
# {
# name = "remote-ssh-edit";
# publisher = "ms-vscode-remote";
# version = "0.56.0";
# sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r";
# }
{
name = "Theme-NaturalContrast-With-HC";
publisher = "74th";
version = "1.0.0";
sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm";
}
{
name = "markdown-toc";
publisher = "AlanWalk";
version = "1.5.6";
sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5";
}
{
name = "Paper-tmTheme";
publisher = "DiryoX";
version = "0.4.0";
sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0";
}
{
name = "Monokai-Polished";
publisher = "Mit";
version = "0.3.1";
sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1";
}
{
name = "dot";
publisher = "Stephanvs";
version = "0.0.1";
sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf";
}
{
name = "rust-snippets";
publisher = "ZakCodes";
version = "0.0.1";
sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2";
}
{
name = "better-comments";
publisher = "aaron-bond";
version = "2.1.0";
sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp";
}
{
name = "vscode-icalendar";
publisher = "af4jm";
version = "1.0.1";
sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79";
}
{
name = "hugofy";
publisher = "akmittal";
version = "0.1.1";
sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg";
}
{
name = "asciidoctor-vscode";
publisher = "asciidoctor";
version = "2.8.4";
sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad";
}
{
name = "markdown-preview-github-styles";
publisher = "bierner";
version = "0.1.6";
sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw";
}
{
name = "made-of-code";
publisher = "brian-yu";
version = "0.0.5";
sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965";
}
{
name = "better-toml";
publisher = "bungcip";
version = "0.3.2";
sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3";
}
{
name = "tabulous";
publisher = "bwildeman";
version = "1.2.0";
sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9";
}
{
name = "bracket-pair-colorizer";
publisher = "CoenraadS";
version = "1.0.61";
sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652";
}
{
name = "mustache";
publisher = "dawhite";
version = "1.1.1";
sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y";
}
{
name = "vscode-nomnoml";
publisher = "doctorrustynelson";
version = "0.3.0";
sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43";
}
{
name = "gitlens";
publisher = "eamodio";
version = "11.0.5";
sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88";
}
{
name = "monokai-light";
publisher = "ethansugar";
version = "0.2.1";
sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0";
}
{
name = "Theme-Monokai-Contrast";
publisher = "gerane";
version = "0.0.5";
sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm";
}
{
name = "Theme-snappy-light";
publisher = "gerane";
version = "0.0.5";
sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w";
}
{
name = "vscode-pull-request-github";
publisher = "GitHub";
version = "0.21.3";
sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0";
}
{
name = "go";
publisher = "golang";
version = "0.19.0";
sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98";
}
{
name = "terraform";
publisher = "hashicorp";
version = "2.3.0";
sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq";
}
{
name = "bonsai";
publisher = "hawkeyegold";
version = "1.4.0";
sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89";
}
{
name = "live-html-previewer";
publisher = "hdg";
version = "0.3.0";
sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p";
}
{
name = "yuml";
publisher = "JaimeOlivares";
version = "3.5.1";
sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0";
}
{
name = "latex-workshop";
publisher = "James-Yu";
version = "8.14.0";
sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi";
}
{
name = "plantuml";
publisher = "jebbs";
version = "2.13.16";
sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si";
}
{
name = "tasks-chooser";
publisher = "jeremyfa";
version = "0.3.0";
sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi";
}
{
name = "asciidoctor-vscode";
publisher = "joaompinto";
version = "2.8.0";
sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x";
}
{
name = "contrast-theme";
publisher = "johndugan";
version = "1.1.10";
sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw";
}
{
name = "theme-dark-plus-contrast";
publisher = "k3a";
version = "0.1.101";
sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419";
}
{
name = "vscode-gist";
publisher = "kenhowardpdx";
version = "3.0.3";
sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw";
}
{
name = "quick-open";
publisher = "leizongmin";
version = "1.1.0";
sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp";
}
{
name = "rainbow-csv";
publisher = "mechatroner";
version = "1.7.1";
sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw";
}
{
name = "openapi-lint";
publisher = "mermade";
version = "1.2.0";
sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49";
}
{
name = "swagger-doc-viewer";
publisher = "mimarec";
version = "1.0.4";
sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx";
}
{
name = "vscode-clang";
publisher = "mitaki28";
version = "0.2.3";
sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr";
}
{
name = "prettify-json";
publisher = "mohsen1";
version = "0.0.3";
sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn";
}
{
name = "vscode-docker";
publisher = "ms-azuretools";
version = "1.8.1";
sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8";
}
{
name = "python";
publisher = "ms-python";
version = "2020.11.371526539";
sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3";
}
{
name = "jupyter";
publisher = "ms-toolsai";
version = "2020.11.372831992";
sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658";
}
# fails to download C/C++ tools
# {
# name = "cpptools";
# publisher = "ms-vscode";
# version = "1.1.2";
# sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg";
# }
{
name = "vscode-quick-open-create";
publisher = "nocksock";
version = "0.6.0";
sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j";
}
{
name = "indent-rainbow";
publisher = "oderwat";
version = "7.4.0";
sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p";
}
{
name = "phantypist";
publisher = "paulofallon";
version = "1.0.3";
sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62";
}
{
name = "swaggitor";
publisher = "qnsolutions";
version = "0.1.1";
sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1";
}
{
name = "vscode-yaml";
publisher = "redhat";
version = "0.13.0";
sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig";
}
{
name = "papercolor-vscode";
publisher = "rozbo";
version = "0.4.0";
sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm";
}
{
name = "iferrblocks";
publisher = "rstuven";
version = "1.1.1";
sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw";
}
{
name = "rust";
publisher = "rust-lang";
version = "0.7.8";
sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3";
}
{
name = "bracket-jumper";
publisher = "sashaweiss";
version = "1.1.8";
sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs";
}
{
name = "just";
publisher = "skellock";
version = "2.0.0";
sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl";
}
{
name = "line-endings";
publisher = "steditor";
version = "1.0.3";
sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7";
}
{
name = "code-spell-checker";
publisher = "streetsidesoftware";
version = "1.10.0";
sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
}
{
name = "code-spell-checker-german";
publisher = "streetsidesoftware";
version = "0.1.8";
sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
}
{
name = "code-spell-checker-german";
publisher = "streetsidesoftware";
version = "0.1.8";
sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz";
}
{
name = "code-spell-checker";
publisher = "streetsidesoftware";
version = "1.10.0";
sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i";
}
{
name = "vscode-open-in-github";
publisher = "sysoev";
version = "1.14.0";
sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp";
}
{
name = "html-preview-vscode";
publisher = "tht13";
version = "0.2.5";
sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v";
}
{
name = "scrolloff";
publisher = "tickleforce";
version = "0.0.4";
sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq";
}
{
name = "shellcheck";
publisher = "timonwong";
version = "0.12.1";
sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2";
}
{
name = "sort-lines";
publisher = "Tyriar";
version = "1.9.0";
sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl";
}
# slow and currently not needed
# {
# name = "vscode-lldb";
# publisher = "vadimcn";
# version = "1.6.0";
# sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi";
# }
# {
# name = "vim";
# publisher = "vscodevim";
# version = "1.17.1";
# sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1";
# }
{
name = "prettify-selected-json";
publisher = "vthiery";
version = "1.0.3";
sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb";
}
{
name = "debug";
publisher = "webfreak";
version = "0.25.0";
sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1";
}
{
name = "clang-format";
publisher = "xaver";
version = "1.9.0";
sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b";
}
{
name = "vscode-capnp";
publisher = "xmonader";
version = "1.0.0";
sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc";
}
{
name = "plsql-language";
publisher = "xyz";
version = "1.8.2";
sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr";
}
{
name = "markdown-pdf";
publisher = "yzane";
version = "1.4.4";
sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf";
}
{
name = "vscode-proto3";
publisher = "zxh404";
version = "0.5.2";
sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf";
}
];
in {
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgsVscodium.vscodium; package = pkgs.vscodium;
extensions = extensions =
with pkgsVscodium.vscode-extensions; [] ++ packagedExtensions
[ # ++ marketPlaceExtensions
eamodio.gitlens ;
mkhl.direnv
tomoki1207.pdf
vscodevim.vim
# bbenoist.nix
jnoortheen.nix-ide
ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme
ms-python.vscode-pylance
# TODO: these are not in nixpkgs
# fredwangwang.vscode-hcl-format
# hashicorp.hcl
# mindaro-dev.file-downloader
# ms-vscode.remote-explorer
# TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh
]
++ (
let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in
with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release;
[
serayuzgur.crates
rust-lang.rust-analyzer
swellaby.vscode-rust-test-adapter
tamasfe.even-better-toml
golang.go
jeff-hykin.better-go-syntax
blueglassblock.better-json5
nefrob.vscode-just-syntax
# fabianlauer.vs-code-xml-format
bierner.emojisense
]
)
++ (
let
nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
vscode_version = "${config.programs.vscode.package.version}"
[[extensions]]
publisher_name = "FelixZeller"
extension_name = "markdown-oxide"
[[extensions]]
publisher_name = "ibecker"
extension_name = "treefmt-vscode"
[[extensions]]
publisher_name = "AntiAntiSepticeye"
extension_name = "vscode-color-picker"
# [[extensions]]
# publisher_name = "nefrob"
# extension_name = "vscode-just-syntax"
[[extensions]]
publisher_name = "fabianlauer"
extension_name = "vs-code-xml-format"
'';
nix4vscodeNix =
pkgs.runCommand "nix4vscode.nix"
{
# nix4vscode needs internet access
__noChroot = true;
requiredSystemFeatures = [ "recursive-nix" ];
buildInputs = [
pkgs.nix
pkgs.cacert
(pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
# pkgs.strace
];
# outputHashAlgo = "sha256";
# outputHashMode = "recursive";
# outputHash = lib.fakeSha256;
}
''
# set -x
# export RUST_BACKTRACE=full
# export RUST_LOG=trace
export HOME=$(mktemp -d)
# strace -ffZyyY
nix4vscode ${nix4vscodeToml} > $out
'';
nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
"override"
"overrideDerivation"
];
nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
_: v: builtins.head (builtins.attrValues v)
) nix4vscodeExtensions;
in
nix4vscodeExtensions'
);
mutableExtensionsDir = true;
}; };
home.packages = [ home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra];
pkgs.nil
pkgs.nixfmt-rfc-style
];
} }
# TODO: automate # TODO: automate
# rustup install stable
# rustup component add rust-analysis --toolchain stable
# rustup component add rust-src --toolchain stable
# rustup component add rls --toolchain stable
### original list: ### original list:
# 74th.Theme-NaturalContrast-With-HC # 74th.Theme-NaturalContrast-With-HC
# AlanWalk.markdown-toc # AlanWalk.markdown-toc
@ -202,3 +550,4 @@ in
# xyz.plsql-language # xyz.plsql-language
# yzane.markdown-pdf # yzane.markdown-pdf
# zxh404.vscode-proto3 # zxh404.vscode-proto3

7
nix/home-manager/programs/waybar.css
View file

@ -1,5 +1,6 @@
#custom-cputemp { #custom-cputemp {
padding: 0 10px; padding: 0 10px;
background-color: #f0932b; background-color: #f0932b;
color: #ffffff; color: #ffffff;
} }

17
nix/home-manager/programs/waybar.nix
View file

@ -1,5 +1,9 @@
{ pkgs, repoFlake, ... }:
{ {
pkgs,
config,
repoFlake,
...
}: {
home.packages = [ home.packages = [
# required by any bar that has a tray plugin # required by any bar that has a tray plugin
pkgs.libappindicator-gtk3 pkgs.libappindicator-gtk3
@ -8,18 +12,17 @@
programs.waybar = { programs.waybar = {
enable = true; enable = true;
package = package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; style =
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true; systemd.enable = true;
settings = { settings = {
mainBar = { mainBar = {
layer = "top"; layer = "top";
position = "bottom"; position = "bottom";
height = 30; height = 30;
output = output = ["*"];
# hide the bar on HEADDLESS displays as i use them only for screensharing
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
# output = [ # output = [
# "eDP-1" # "eDP-1"
# "DP-*" # "DP-*"

134
nix/home-manager/programs/zsh.nix
View file

@ -3,29 +3,27 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let just-plugin = let
just-plugin = plugin_file = pkgs.writeText "_just" ''
let #compdef just
plugin_file = pkgs.writeText "_just" '' #autload
#compdef just
#autload
alias justl="\just --list" alias justl="\just --list"
alias juste="\just --evaluate" alias juste="\just --evaluate"
local subcmds=() local subcmds=()
while read -r line ; do while read -r line ; do
if [[ ! $line == Available* ]] ; if [[ ! $line == Available* ]] ;
then then
subcmds+=(''${line/[[:space:]]*\#/:}) subcmds+=(''${line/[[:space:]]*\#/:})
fi fi
done < <(just --list) done < <(just --list)
_describe 'command' subcmds _describe 'command' subcmds
''; '';
in in
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "just-completions"; name = "just-completions";
version = "0.1.0"; version = "0.1.0";
@ -37,8 +35,7 @@ let
chmod --recursive a-w $out chmod --recursive a-w $out
''; '';
}; };
in in {
{
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -49,64 +46,60 @@ in
# will be called again by oh-my-zsh # will be called again by oh-my-zsh
enableCompletion = false; enableCompletion = false;
enableAutosuggestions = true; enableAutosuggestions = true;
initExtra = initExtra = let
let inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; in ''
in PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
'' RPROMPT=""
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
if test ! -n "$TMP" -a -z "$TMP"; then # Automatic rehash
unset TMP zstyle ':completion:*' rehash true
fi
if [ -f $HOME/.shrc.d/sh_aliases ]; then
. $HOME/.shrc.d/sh_aliases
fi
PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' ${
RPROMPT="" if builtins.hasAttr "homeshick" pkgs
then ''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
''
else ""
}
# Automatic rehash # Disable intercepting of ctrl-s and ctrl-q as flow control.
zstyle ':completion:*' rehash true stty stop ''' -ixoff -ixon
if [ -f $HOME/.shrc.d/sh_aliases ]; then # don't cd into directories when executed
. $HOME/.shrc.d/sh_aliases unsetopt AUTO_CD
fi
${ export NIX_PATH="nixpkgs=${pkgs.path}"
if builtins.hasAttr "homeshick" pkgs then
''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
''
else
""
}
# Disable intercepting of ctrl-s and ctrl-q as flow control. # print lines without termination
stty stop ''' -ixoff -ixon setopt PROMPT_CR
setopt PROMPT_SP
export PROMPT_EOL_MARK=""
# don't cd into directories when executed ${lib.optionalString config.services.gpg-agent.enable ''
unsetopt AUTO_CD export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
''}
# print lines without termination ${lib.optionalString config.programs.neovim.enable ''
setopt PROMPT_CR export EDITOR="nvim"
setopt PROMPT_SP ''}
export PROMPT_EOL_MARK="" '';
${lib.optionalString config.services.gpg-agent.enable ''
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
''}
${lib.optionalString config.programs.neovim.enable ''
export EDITOR="nvim"
''}
'';
plugins = [ plugins = [
{ {
# will source zsh-autosuggestions.plugin.zsh
name = "zsh-autosuggestions"; name = "zsh-autosuggestions";
src = pkgs.zsh-autosuggestions; src = pkgs.fetchFromGitHub {
owner = "zsh-users";
repo = "zsh-autosuggestions";
rev = "v0.6.3";
sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c";
};
} }
{ {
name = "enhancd"; name = "enhancd";
@ -114,8 +107,8 @@ in
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {
owner = "b4b4r07"; owner = "b4b4r07";
repo = "enhancd"; repo = "enhancd";
rev = "v2.5.1"; rev = "v2.2.4";
sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp";
}; };
} }
{ {
@ -134,10 +127,7 @@ in
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
theme = "tjkirch"; theme = "tjkirch";
plugins = [ plugins = ["git" "sudo"];
"git"
"sudo"
];
}; };
}; };
} }

5
nix/modules/flake-parts/colmena.nix
View file

@ -1,8 +1,7 @@
{ lib, ... }: {lib, ...}: {
{
options.flake.colmena = lib.mkOption { options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified; # type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw; type = lib.types.raw;
default = { }; default = {};
}; };
} }

61
nix/modules/flake-parts/perSystem/default.nix
View file

@ -1,37 +1,38 @@
{ pkgs, ... }:
{ {
inputs',
system,
config,
lib,
pkgs,
...
}: {
packages = { packages = {
myPython = pkgs.python310.withPackages ( myPython = pkgs.python310.withPackages (ps:
ps:
with ps; with ps;
[ [
pep8 pep8
yapf yapf
flake8 flake8
# autopep8 (broken) # autopep8 (broken)
# pylint (broken) # pylint (broken)
ipython ipython
llfuse llfuse
dugong dugong
defusedxml defusedxml
wheel wheel
pip pip
virtualenv virtualenv
cffi cffi
# pyopenssl # pyopenssl
urllib3 urllib3
# mistune (insecure) # mistune (insecure)
sympy sympy
flask flask
pyaml pyaml
requests requests
] ]
++ [ ++ [pkgs.pypi2nix pkgs.libffi]);
pkgs.pypi2nix
pkgs.libffi
]
);
}; };
} }

12
nix/os/cachix.nix
View file

@ -1,12 +1,14 @@
# WARN: this file will get overwritten by $ cachix use <name> # WARN: this file will get overwritten by $ cachix use <name>
{ lib, ... }: { pkgs, lib, ... }:
let let
folder = ./cachix; folder = ./cachix;
toImport = name: _value: folder + ("/" + name); toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in in {
{
inherit imports; inherit imports;
nix.settings.substituters = [ "https://cache.nixos.org/" ]; nix.settings.substituters = ["https://cache.nixos.org/"];
} }

6
nix/os/cachix/nixpkgs-wayland.nix
View file

@ -1,8 +1,12 @@
{ {
nix = { nix = {
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.substituters = [
"https://nixpkgs-wayland.cachix.org"
];
settings.trusted-public-keys = [ settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
]; ];
}; };
} }

87
nix/os/containers/backup-target.nix Normal file
View file

@ -0,0 +1,87 @@
{
hostAddress,
localAddress,
containerBackupCfg,
sshPort ? containerBackupCfg.portInt,
autoStart ? false,
}: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
# services.ddclientovh = {
# enable = true;
# domain = containerBackupCfg.addr;
# };
services.openssh.enable = true;
users.extraUsers."${containerBackupCfg.user}" = {
uid = 2000;
group = containerBackupCfg.group;
shell = pkgs.bashInteractive;
home = "/${containerBackupCfg.targetPath}";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNI3H0BRSYOZ/MbTs9J80doJwSd1HymFOP5quNt0J48vxZ5FPVrT2FHpQiNrCcYbCKRsU4X8AiGUHiXC0PapQQ3JDkqp6WZoqBNDx6BI7RadyH1TqVQPlou3pQmCAogzfBInruR53YTDmQqXiPwfM0okPOXgiBNjDfZXOX4+CyUfkmZZwASoicTInqWGkn1sFnh4tyXIkgWflg0njlVmfkVvH71+evvKLYHtoNpVXazkQ0SXbyuW5f3mSta7TNkpC3HbBm+4n+WxYGySrlRLWQhTo+aoWUKk9h5zvECDNpwRtbqzt+bA9nKrdg180ceu8hruwvWNiC6PPA2GW9Z1+VKROviGu1C3dliE/pPCBtK+ZoRVv2CGE+pmAuQsB9Nif9tk5tY6HJhuLNxKYiMfQkiLsDYv6KdZXUIVK/4BIDkZuQNnjhdOQBLnea0ANOhutA9gnjxnsd3UT6ovfazg5gud7n3u4yBtzjTkRrqWZ63eM1NmUVOgMWHQ715pV+hJfOFGqzRBEe3g/p3bWNgpROBYJbG1H8l9DN7emG4FGWsb1HeNFwQ5lS0Zsezb7qzahr4vSmHNugVw7w8ONt5dPbPI9wQnWvkkuHH76P/NYy6OC6lHrN1rXyA1okqdPr06YAZnCot+Pqdgn/ijxgp06J3dtkhin+Q7PoQbGff3ERIw== bkp"
];
packages = with pkgs; [btrfs-progs];
isSystemUser = true;
};
security.sudo = {
enable = true;
extraRules = [
{
users = ["bkp"];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/readlink";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/test";
options = ["NOPASSWD"];
}
];
}
];
};
};
inherit autoStart;
bindMounts = {
"/${containerBackupCfg.targetPath}" = {
hostPath = "/var/lib/container-volumes/backup-target";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}

157
nix/os/containers/backup.nix
View file

@ -5,107 +5,88 @@
subvolumes, subvolumes,
targetPathSuffix ? "", targetPathSuffix ? "",
autoStart ? false, autoStart ? false,
}: }: let
let
passwords = import ../../variables/passwords.crypt.nix; passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes"; subvolumeParentDir = "/var/lib/container-volumes";
in in {
{ config = {pkgs, ...}: {
config = system.stateVersion = "20.03"; # Did you read the comment?
{ pkgs, ... }:
{
system.stateVersion = "20.03"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ]; imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [btrfs-progs btrbk];
btrfs-progs
btrbk
];
networking.firewall.enable = true; networking.firewall.enable = true;
systemd.services."bkp-sync" = { systemd.services."bkp-sync" = {
enable = true; enable = true;
description = "bkp-sync service"; description = "bkp-sync service";
serviceConfig = { serviceConfig = {Type = "oneshot";};
Type = "oneshot";
};
after = [ "bkp-run.service" ]; after = ["bkp-run.service"];
requires = [ "bkp-run.service" ]; requires = ["bkp-run.service"];
path = with pkgs; [ utillinux ]; path = with pkgs; [utillinux];
script = '' script = ''
set -x set -x
true true
'';
};
systemd.services."bkp-run" = {
enable = true;
description = "bkp-run";
serviceConfig = {Type = "oneshot";};
partOf = ["bkp-sync.service"];
path = with pkgs; [btrfs-progs btrbk coreutils];
script = let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
ssh_user ${passwords.storage.backupTarget.user}
ssh_compression no
backend_remote btrfs-progs-sudo
compat_remote busybox
btrfs_commit_delete each
snapshot_create onchange
snapshot_preserve_min latest
snapshot_preserve 7d 4w
target_preserve_min latest
target_preserve 7d 4w 12m *y
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
''; '';
}; in ''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
systemd.services."bkp-run" = { btrbk -c ${btrbkConf} --progress ''${@:-run}
enable = true; '';
description = "bkp-run"; };
serviceConfig = { systemd.timers."bkp" = {
Type = "oneshot"; description = "Timer to trigger bkp periodically";
}; enable = true;
wantedBy = ["timer.target" "multi-user.target"];
partOf = [ "bkp-sync.service" ]; timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
path = with pkgs; [ # OnCalendar = "Wed *-*-* 23:00:00";
btrfs-progs OnStartupSec = "1m";
btrbk Unit = "bkp-sync.service";
coreutils OnUnitInactiveSec = "2h";
]; Persistent = "true";
script =
let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
ssh_user ${passwords.storage.backupTarget.user}
ssh_compression no
backend_remote btrfs-progs-sudo
compat_remote busybox
btrfs_commit_delete each
snapshot_create onchange
snapshot_preserve_min latest
snapshot_preserve 7d 4w
target_preserve_min latest
target_preserve 7d 4w 12m *y
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
'';
in
''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
btrbk -c ${btrbkConf} --progress ''${@:-run}
'';
};
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = [
"timer.target"
"multi-user.target"
];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";
OnStartupSec = "1m";
Unit = "bkp-sync.service";
OnUnitInactiveSec = "2h";
Persistent = "true";
};
}; };
}; };
};
inherit autoStart; inherit autoStart;
@ -133,10 +114,10 @@ in
} }
]; ];
extraFlags = [ "--resolv-conf=bind-host" ]; extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ ]; forwardPorts = [];
inherit hostAddress localAddress; inherit hostAddress localAddress;
} }

380
nix/os/containers/mailserver.nix
View file

@ -1,210 +1,194 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
imapsPort ? 993, imapsPort ? 993,
sievePort ? 4190, sievePort ? 4190,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs; pkgs,
config = config,
{ lib,
pkgs, ...
config, }: {
repoFlake, system.stateVersion = "21.11"; # Did you read the comment?
...
}:
{
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
../profiles/common/user.nix ../profiles/common/user.nix
]; ];
networking.firewall.allowedTCPPorts = [ # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
imapsPort # sops.defaultSopsFile = ./mailserver_secrets.yaml;
sievePort
];
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# sops.defaultSopsFile = ./mailserver_secrets.yaml; sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; owner = config.users.users.steveej.name;
sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_mailStefanjunkerDeHetzner = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
# TODO: switch to something other than ddclient as it's no longer maintained
# TODO: switch to a let's encrypt certificate
sops.secrets.dovecotSslServerCert = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
sops.secrets.dovecotSslServerKey = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
services.dovecot2 = {
enable = true;
modules = [ pkgs.dovecot_pigeonhole ];
protocols = [ "sieve" ];
enableImap = true;
enableLmtp = true;
enablePAM = true;
showPAMFailure = true;
mailLocation = "maildir:~/.maildir";
sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
#configFile = "/etc/dovecot/dovecot2_manual.conf";
extraConfig = ''
auth_mechanisms = cram-md5 digest-md5
auth_verbose = yes
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
protocol lda {
postmaster_address = "mail@stefanjunker.de"
mail_plugins = $mail_plugins sieve
}
protocol imap {
mail_max_userip_connections = 64
}
'';
};
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
getmail --idle=INBOX --rcfile=${rc}
'';
};
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = mail.your-server.de
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [ pkgs.getmail6 ];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script =
let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};
}; };
sops.secrets.email_mailStefanjunkerDeHetzner = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
# TODO: switch to something other than ddclient as it's no longer maintained
# TODO: switch to a let's encrypt certificate
sops.secrets.dovecotSslServerCert = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
sops.secrets.dovecotSslServerKey = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
services.dovecot2 = {
enable = true;
modules = [pkgs.dovecot_pigeonhole];
protocols = ["sieve"];
enableImap = true;
enableLmtp = true;
enablePAM = true;
showPAMFailure = true;
mailLocation = "maildir:~/.maildir";
sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
#configFile = "/etc/dovecot/dovecot2_manual.conf";
extraConfig = ''
auth_mechanisms = cram-md5 digest-md5
auth_verbose = yes
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
protocol lda {
postmaster_address = "mail@stefanjunker.de"
mail_plugins = $mail_plugins sieve
}
protocol imap {
mail_max_userip_connections = 64
}
'';
};
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
getmail --idle=INBOX --rcfile=${rc}
'';
};
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = mail.your-server.de
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script = let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
};
inherit autoStart; inherit autoStart;
@ -219,6 +203,8 @@
}; };
}; };
# extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -236,5 +222,5 @@
} }
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

66
nix/os/containers/mailserver_secrets.yaml
View file

@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r
dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-17T12:01:21Z" lastmodified: "2023-07-17T12:01:21Z"
mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
pgp: pgp:
- created_at: "2023-07-02T20:30:30Z" - created_at: "2023-07-02T20:30:30Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
uGcEfsNiUXPngkNrh/Nvhh9w uGcEfsNiUXPngkNrh/Nvhh9w
=yHDZ =yHDZ
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3

124
nix/os/containers/mycelium/flake.lock generated
View file

@ -1,124 +0,0 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nix-snapshotter",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704152458,
"narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nix-snapshotter": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723875769,
"narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
"type": "github"
},
"original": {
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1728781282,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728867876,
"narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1728897630,
"narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nix-snapshotter": "nix-snapshotter",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

371
nix/os/containers/mycelium/flake.nix
View file

@ -1,371 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-snapshotter = {
url = "github:pdtpartners/nix-snapshotter";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, ... }:
let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { };
modules = [
(
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
nixpkgs.overlays = [
(_final: _previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
# src = /home/steveej/src/others/systemd;
# withAppArmor = false;
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# withArchive = false;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# })
# pkgs.systemdMinimal.override {
# # getting errors with these disabled
# withCoredump = true;
# withCompression = true;
# withLogind = true;
# withSysusers = true;
# withUserDb = true;
# }
# pkgs.systemdMinimal
# pkgs.systemd.override {
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# }
# ;
})
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true;
# boot.tmp.useTmpfs = true;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
services.journald.console = "/dev/console";
services.journald.storage = "none";
# boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false;
system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false;
networking.useDHCP = false;
networking.firewall.enable = false;
# system.build.earlyMountScript =
# lib.mkForce ''
# '';
# system.activationScripts.specialfs =
# lib.mkForce ''
# '';
boot.postBootCommands = ''
ls -lha /run
mkdir -p /run/wrappers
'';
boot.kernelParams = [ "systemd.log_level=debug" ];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce { };
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
systemd.services.testing-credentials = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils ];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
# StateDirectory = "testing-credentials";
# DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts.":80" = {
extraConfig = ''
respond "hello from ${config.networking.hostName}"
'';
};
};
}
)
];
};
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [ ];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [ 9651 ];
udp = [
9650
9651
];
};
inherit (config)
entrypoint
# port
args
# nodePort
;
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
}
];
}
);
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
targetPort = "mycelium-tcp-0";
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
];
};
}
);
in
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image;
start = pkgs.writeShellApplication {
name = "start";
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication {
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
};
}

95
nix/os/containers/syncthing.nix
View file

@ -1,81 +1,31 @@
{ {
specialArgs,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
syncthingPort ? 22000, syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027, syncthingLocalAnnouncePort ? 21027,
smbTcpPort ? 445,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs; config,
config = pkgs,
{ ... }: ...
{ }: {
system.stateVersion = "20.05"; # Did you read the comment? system.stateVersion = "20.05"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ]; imports = [../profiles/containers/configuration.nix];
networking.firewall.allowedTCPPorts = [ networking.firewall.enable = true;
# syncthing gui networking.firewall.allowedTCPPorts = [
8384 # syncthing gui
]; 8384
];
services.syncthing = { services.syncthing = {
enable = true; enable = true;
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
};
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
settings = {
global = {
"workgroup" = "DMZ";
"server string" = "syncthing";
"netbios name" = "syncthing";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.23. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"scan-stefan" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
"scan-justyna" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
};
};
# TODO: find out if smbpasswd file is still used and set it here. or find an alternative
# sops.secrets.smbpasswd = {
# };
# environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
}; };
};
inherit autoStart; inherit autoStart;
@ -86,6 +36,8 @@
}; };
}; };
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -103,12 +55,7 @@
hostPort = syncthingLocalAnnouncePort; hostPort = syncthingLocalAnnouncePort;
protocol = "udp"; protocol = "udp";
} }
{
containerPort = 445;
hostPort = smbTcpPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

639
nix/os/containers/webserver.nix
View file

@ -1,427 +1,210 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
httpPort, httpPort ? 80,
httpsPort, httpsPort ? 443,
forgejoSshPort,
autoStart ? false, autoStart ? false,
}: }: let
let
domain = "www.stefanjunker.de"; domain = "www.stefanjunker.de";
in in {
{ config = {
inherit specialArgs; config,
config = pkgs,
{ lib,
config, ...
pkgs, }: {
lib, system.stateVersion = "22.05"; # Did you read the comment?
repoFlake,
nodeFlake, imports = [
system, ../profiles/containers/configuration.nix
...
}: repoFlake.inputs.sops-nix.nixosModules.sops
let ];
nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
in networking.firewall.enable = false;
{
system.stateVersion = "22.05"; # Did you read the comment? sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.hedgedoc_environment_file = {
disabledModules = [ sopsFile = ./webserver_secrets.yaml;
"services/misc/forgejo.nix" owner = config.users.users.hedgedoc.name;
"services/security/kanidm.nix"
];
imports = [
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
"${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = ./webserver_secrets.yaml;
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
forgejoSshPort
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
};
services.caddy = {
enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = {
extraConfig = ''
redir /hedgedoc* https://hedgedoc.${domain}
file_server /*/* {
browse
root /var/www/stefanjunker.de/htdocs/caddy
pass_thru
}
# respond "Hi"
# respond (not /*/*) "Hi"
'';
};
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
};
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${domain}";
urlPath = "";
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
allowAnonymous = false;
allowAnonymousEdits = false;
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
};
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
services.jitsi-meet = {
enable = false;
hostName = "meet.${domain}";
config = {
prejoinPageEnabled = true;
};
caddy.enable = true;
nginx.enable = false;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default =
let
baseDir = "/var/lib/authelia-default";
in
{
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = { };
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
# port = 465;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
# TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
];
};
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in
{
package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;
enableClient = false;
enableServer = true;
serverSettings = {
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
bindaddress = "127.0.0.1:8444";
# don't expose ldap
# ldapbindaddress = "[::1]:6636";
tls_key = "${dataDir}/tls/tls.key";
tls_chain = "${dataDir}/tls/tls.chain";
online_backup = {
schedule = "00 06 * * *";
};
};
};
}; };
services.caddy = {
enable = true;
virtualHosts."${domain}" = {
extraConfig = let
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${domain}
respond "Hi!"
'';
};
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
};
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${domain}";
urlPath = "";
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
allowAnonymous = false;
allowAnonymousEdits = false;
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
};
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default = let
baseDir = "/var/lib/authelia-default";
in {
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = {};
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
# port = 465;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
};
inherit autoStart; inherit autoStart;
bindMounts = { bindMounts = {
@ -453,18 +236,11 @@ in
hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/forgejo" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
isReadOnly = false;
};
"/var/lib/kanidm" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm";
isReadOnly = false;
};
}; };
# extraFlags = ["--resolv-conf=bind-host"];
# networking.useHostResolvConf = true;
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -479,14 +255,7 @@ in
hostPort = httpsPort; hostPort = httpsPort;
protocol = "tcp"; protocol = "tcp";
} }
{
# forgejo ssh
containerPort = forgejoSshPort;
hostPort = forgejoSshPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }

72
nix/os/containers/webserver_secrets.yaml
View file

@ -1,45 +1,41 @@
hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str]
authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T12:28:51Z" lastmodified: "2023-07-17T11:48:04Z"
mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str]
pgp: pgp:
- created_at: "2023-07-09T17:51:27Z" - created_at: "2023-07-09T17:51:27Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
g+ZF+9NNqOTKsBzEnuGsZRnI g+ZF+9NNqOTKsBzEnuGsZRnI
=iXfo =iXfo
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3

58
nix/os/devices/default.nix
View file

@ -1,25 +1,20 @@
{ {
dir, dir,
pkgs ? import <channels-nixos-stable> { }, pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
gitRoot ? "$(git rev-parse --show-toplevel)", gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning? # FIXME: why do these need explicit mentioning?
moreargs ? "", moreargs ? "",
rebuildarg ? "", rebuildarg ? "",
... ...
}@args: } @ args: let
let rebuildargsSudo = ["switch" "boot"];
rebuildargsSudo = [ rebuild = {
"switch" gitRoot,
"boot" rebuildarg ? "dry-activate",
]; moreargs ? "",
rebuild = ...
{ }:
gitRoot,
rebuildarg ? "dry-activate",
moreargs ? "",
...
}:
pkgs.writeScript "script" '' pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
@ -35,24 +30,25 @@ let
${ ${
if if
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null (builtins.elem rebuildarg rebuildargsSudo)
then && (builtins.match ".*--target-host.*" moreargs) == null
"sudo -E \\" then "sudo -E \\"
else else ""
""
} }
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
''; '';
in in {
{ recipes =
recipes = { {
rebuild = rebuild { rebuild =
inherit gitRoot; rebuild {
inherit moreargs; inherit gitRoot;
inherit rebuildarg; inherit moreargs;
inherit rebuildarg;
}
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} }
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
} }

53
nix/os/devices/disk.nix
View file

@ -3,29 +3,40 @@
ownLib, ownLib,
dir, dir,
gitRoot, gitRoot,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ? encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "", previousDiskId ? "",
... ...
}: }: let
let
mntRootVol = "/mnt/${diskId}-root"; mntRootVol = "/mnt/${diskId}-root";
in in rec {
rec {
diskMount = pkgs.writeScript "script" '' diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
echo Mounting ${diskId} echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
sleep 1 sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt sudo mkdir -p /mnt
sudo mkdir ${mntRootVol} sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
''; '';
@ -62,7 +73,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
# Encrypt # Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
# LVM # LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then if test "${previousDiskId}"; then
${pkgs.lib.strings.optionalString encrypted '' ${
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} pkgs.lib.strings.optionalString encrypted ''
''} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
sync sync
sleep 1 sleep 1
if sudo vgs ${previousDiskId}; then if sudo vgs ${previousDiskId}; then

5
nix/os/devices/elias-e525/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

4
nix/os/devices/elias-e525/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix
@ -10,6 +9,5 @@
./hw.nix ./hw.nix
./pkg.nix ./pkg.nix
./user.nix ./user.nix
./boot.nix
]; ];
} }

12
nix/os/devices/elias-e525/default.nix
View file

@ -3,20 +3,20 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: }: let
let
system = "x86_64-linux"; system = "x86_64-linux";
in in {
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "elias-e525.lan"; deployment.targetHost = "192.168.15.198";
deployment.replaceUnknownProfiles = false; deployment.replaceUnknownProfiles = false;
# deployment.allowLocalDeployment = true; # deployment.allowLocalDeployment = true;

16
nix/os/devices/elias-e525/flake.lock generated
View file

@ -7,32 +7,32 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113038, "lastModified": 1687871164,
"narHash": "sha256-oxkyzjpD+mNT7arzU/zHrkNHLuY9tKwmnD2MNaZiSDw=", "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0c2353d5d930c3d93724df6858aef064a31b3c00", "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-23.11", "ref": "release-23.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703068421, "lastModified": 1688868408,
"narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", "rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.11", "ref": "nixos-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }

6
nix/os/devices/elias-e525/flake.nix
View file

@ -1,10 +1,10 @@
{ {
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.home-manager = { inputs.home-manager = {
url = "github:nix-community/home-manager/release-23.11"; url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = _: { }; outputs = _: {};
} }

2
nix/os/devices/elias-e525/hw.nix
View file

@ -1,4 +1,4 @@
_: { {...}: {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

18
nix/os/devices/elias-e525/pkg.nix
View file

@ -1,5 +1,8 @@
{ pkgs, lib, ... }: {
let pkgs,
lib,
...
}: let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -19,27 +22,26 @@ let
rustdesk rustdesk
]; ];
}; };
in in {
{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };
home-manager.users.steveej = homeEnv { home-manager.users.steveej = homeEnv {
layout = "en"; layout = "en";
options = [ "nodeadkey" ]; options = ["nodeadkey"];
variant = "altgr-intl"; variant = "altgr-intl";
}; };
home-manager.users.elias = homeEnv { home-manager.users.elias = homeEnv {
layout = "de"; layout = "de";
options = [ ]; options = [];
variant = ""; variant = "";
}; };
home-manager.users.justyna = homeEnv { home-manager.users.justyna = homeEnv {
layout = "de"; layout = "de";
options = [ ]; options = [];
variant = ""; variant = "";
}; };

15
nix/os/devices/elias-e525/system.nix
View file

@ -1,5 +1,10 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device # TASK: new device
networking.hostName = "elias-e525"; # Define your hostname. networking.hostName = "elias-e525"; # Define your hostname.
@ -33,13 +38,11 @@
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
}; };
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.videoDrivers = ["modesetting"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = { nix.gc = {automatic = true;};
automatic = true;
};
} }

13
nix/os/devices/elias-e525/user.nix
View file

@ -1,9 +1,12 @@
{ config, pkgs, ... }:
let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in
{ {
config,
pkgs,
lib,
...
}: let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;

3
nix/os/devices/fwhost1/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

3
nix/os/devices/fwhost1/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost1/hw.nix
View file

@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

18
nix/os/devices/fwhost1/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }

19
nix/os/devices/fwhost1/system.nix
View file

@ -1,8 +1,12 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost1"; # Define your hostname. networking.hostName = "fwhost1"; # Define your hostname.
@ -17,14 +21,11 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = [ "172.172.171.10" ]; networking.nameservers = ["172.172.171.10"];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;

10
nix/os/devices/fwhost1/user.nix
View file

@ -1 +1,9 @@
_: { } {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {}

7
nix/os/devices/fwhost1/versions.nix
View file

@ -4,12 +4,9 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

7
nix/os/devices/fwhost1/versions.tmpl.nix
View file

@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {

3
nix/os/devices/fwhost2/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }

3
nix/os/devices/fwhost2/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost2/hw.nix
View file

@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

18
nix/os/devices/fwhost2/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }

20
nix/os/devices/fwhost2/system.nix
View file

@ -1,8 +1,13 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
utils,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost2"; # Define your hostname. networking.hostName = "fwhost2"; # Define your hostname.
@ -17,14 +22,11 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = [ "172.172.171.10" ]; networking.nameservers = ["172.172.171.10"];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;

10
nix/os/devices/fwhost2/user.nix
View file

@ -1,4 +1,12 @@
_: { {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser { # users.extraUsers.steveej2 = mkUser {
# uid = 1001; # uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh; # openssh.authorizedKeys.keys = keys.users.steveej.openssh;

Some files were not shown because too many files have changed in this diff Show more