Compare commits


42 commits
master ... wip

a1306114f7 WIP: x13s-rmvbl
supposedly this will boot from USB
2024-02-08 20:59:47 +01:00
45a283c7bd formatting 2024-02-08 20:59:31 +01:00
751bb82daf update x13s 2024-02-08 20:59:08 +01:00
8280b53865 remove obsolete nix/sources.* 2024-02-08 20:57:55 +01:00
b6d97d0581 nix fmt 2024-02-08 20:53:22 +01:00
028c57b0db zsh: unset empty TMP and TMPDIR
this is a safety mechanism so that `/` is never used
2024-02-08 13:58:05 +01:00
cbd73c7466 shift illum serivce around and enable on x13s 2024-02-07 11:15:16 +01:00
9b62708d32 x13s: enable ledger hw support 2024-02-07 11:08:46 +01:00
9e251bed9e update toplevel and nixos-x13s 2024-02-07 11:08:26 +01:00
40a165d541 nix/os/devices/steveej-x13s: bump versions 2024-02-01 21:46:57 +01:00
4716db6785 nix/os/devices/steveej-x13s: bump versions 2024-02-01 15:50:46 +01:00
8d23a787f1 graphical-fullblown: enable espanso 2024-01-31 09:42:30 +01:00
7f1d80176e fmt(espanso) 2024-01-31 09:42:16 +01:00
ff87988303 nix/os/devices/steveej-x13s: bump versions 2024-01-31 08:28:54 +01:00
9a9c912b77 steveej-x13s: switch to adamcstephens' repo 2024-01-30 14:14:49 +01:00
b3434c5ebb nix/os/devices/steveej-x13s: bump versions 2024-01-30 10:11:09 +01:00
80863e1bdf x13s-rmvbl: attempt to load msm with firmware 2024-01-28 21:54:43 +01:00
d97da5b9ac steveej-x13s-rmvbl: boring setup with copying the whole x13s flake 2024-01-28 21:18:08 +01:00
438793db87 fix duplicate luks name between x13s and x13s-rmvbl 2024-01-28 18:17:43 +01:00
a384026025 home-manager(vscode): use OSS vscodium 2024-01-28 17:49:13 +01:00
f243e0c2dc logseq on arm64, latest signal on arm, waydroid, radicale, vscode 2024-01-25 00:32:37 +01:00
a138ac20ac steveej-t14: disable radicale 2024-01-24 23:23:55 +00:00
eadfa1a28c radicale path updates and updatekey command 2024-01-25 00:09:06 +01:00
faf0818e00 clean up and refactor more into OS snippets; bluetooth works on x13s 2024-01-24 00:24:04 +00:00
13dcb13bac secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00
bcaadcfb3d direnv,devShells: split into develop and install 2024-01-23 09:40:17 +00:00
d26e64452d mostly fix up stateVersions 2024-01-22 23:47:48 +00:00
82362958db refactor flaken.nix hive handling 2024-01-22 23:47:36 +00:00
ed4768a795 update commonUsers and refactor system config 2024-01-22 22:45:42 +00:00
255ca68af5 fixup! WIP: x13s: install to nvme, refactor into module 2024-01-22 23:05:23 +01:00
ea13703ea0 WIP: x13s: install to nvme, refactor into module 2024-01-22 22:50:51 +01:00
0d070589ef fmt 2024-01-22 19:02:32 +01:00
69b17e91f2 fmt 2024-01-22 15:01:36 +01:00
2ff952b3a3 x13s: fiddle with modules because of screen blanking issues 2024-01-22 14:51:46 +01:00
5af42df5a9 steveej-x13s-rmvbl: init with minimal setup
this configures a standalone USB device that doesn't need configuration
of the firmware's EFI variables.
2024-01-22 10:35:45 +01:00
93778b1f21 sj-srv1: set up restic backup 2024-01-19 22:21:14 +01:00
411896973a t14: disable thinkfan 2024-01-19 13:56:34 +01:00
d46eb4f3ab router0-dmz0: remove cname as it's not needed 2024-01-19 13:56:20 +01:00
2ab49e3de9 lib/default: add fuse to default groups 2024-01-19 11:49:49 +01:00
93282cdf6e lib/default: format 2024-01-19 11:49:33 +01:00
a7e2bc2c3b router0-dmz0: lots of formattign and exposed host fixes 2024-01-18 23:35:54 +01:00
a825e8eea9 sj-srv1 2024-01-18 21:06:45 +00:00
287 changed files with 7177 additions and 10088 deletions

6
.envrc

@ -1,5 +1 @@
if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then use_flake .#develop --impure
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
fi
use flake .#develop
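Review bot: The new one-line `.envrc` (old side 5 lines, new side 1 per the hunk header) evaluates the dev shell with `--impure`, which lets evaluation read environment variables and unlocked absolute paths, so the shell is no longer pinned purely by `flake.lock`; the dropped `nix_direnv_version 3.0.6` guard and `source_url … sha256-…` line also remove the integrity-checked fetch of the direnv helper. The Justfile section of this same comparison removes `--impure` from the colmena recipes, so the two files now disagree on whether impure evaluation is needed. If it is, a comment such as `# --impure: <reason> — TODO drop once the flake no longer needs it` would record why and make the intent reviewable later.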

5
.gitignore vendored

@ -4,8 +4,3 @@
.env .env
**/result **/result
.direnv/ .direnv/
# nixago: ignore-linked-files
/treefmt.toml
/debug-logs

10
.gitlab-ci.yml Normal file

@ -0,0 +1,10 @@
stages:
- build
build:
stage: build
tags:
- nix
script:
# Test the nix-shell
- just run-with-channels 'nix-shell --run "echo OK"'


@ -15,11 +15,9 @@ keys:
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - &sj-bm-hostkey0 age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
creation_rules: creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$ - path_regex: ^(.+/|)secrets/[^/]+$
key_groups: key_groups:
@ -36,9 +34,7 @@ creation_rules:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1 - *sj-srv1
- *hstk0 - *sj-bm-hostkey0
- *router0-ifog
- *router0-hosthatch
- path_regex: ^secrets/steveej-t14/.+$ - path_regex: ^secrets/steveej-t14/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -78,18 +74,6 @@ creation_rules:
- *steveej - *steveej
age: age:
- *router0-dmz0 - *router0-dmz0
- path_regex: ^secrets/router0-ifog/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-ifog
- path_regex: ^secrets/router0-hosthatch/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-hosthatch
- path_regex: ^secrets/sj-vps-htz0/.+$ - path_regex: ^secrets/sj-vps-htz0/.+$
key_groups: key_groups:
- pgp: - pgp:
@ -102,21 +86,15 @@ creation_rules:
- *steveej - *steveej
age: age:
- *sj-srv1 - *sj-srv1
- path_regex: ^secrets/hstk0/.+$ - path_regex: ^secrets/sj-bm-hostkey0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *hstk0 - *sj-bm-hostkey0
- path_regex: ^secrets/steveej-x13s/.+$ - path_regex: ^secrets/steveej-x13s/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-x13s - *steveej-x13s
- path_regex: ^secrets/work-holo/.+$
key_groups:
- pgp:
- *steveej
age:
- *steveej-x13s
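Review bot: Changing the recipient set in `.sops.yaml` (new `router0-dmz0` age key, `hstk0` renamed to `sj-bm-hostkey0`, the `router0-ifog`, `router0-hosthatch` and `work-holo` rules dropped) re-encrypts nothing by itself; every file under `secrets/` stays encrypted to the previous data keys until `sops updatekeys` is run, and whether the re-encrypted secrets are part of this comparison is not visible in the sections shown. Even after `updatekeys`, earlier revisions in git history remain decryptable by the removed keys, so `sops rotate` is what actually rotates the data key if a removed key is considered compromised rather than merely retired. The commented-out `# - &router0-dmz0 age1jetx…` line carries a third key value with no explanation — presumably an earlier or planned key; either delete it or annotate it, e.g. `# previous router0-dmz0 key, retired — remove once all secrets are re-keyed`.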

20
.vscode/settings.json vendored

@ -1,20 +1,6 @@
{ {
"editor.defaultFormatter": "ibecker.treefmt-vscode", "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix",
"editor.formatOnSave": true, "[nix]": {
"nix.enableLanguageServer": true, "editor.defaultFormatter": "jnoortheen.nix-ide"
"nix.serverPath": "nil",
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
"autoArchive": true,
"diagnostics": {
"ignored": ["unused_binding", "unused_with"]
}, },
"formatting": {
"command": ["treefmt", "--stdin", ".nil.nix"]
}
}
},
"treefmt.command": "treefmt",
"treefmt.config": ""
} }


@ -9,14 +9,14 @@ update-default-versions:
nix flake update nix flake update
_get_nix_path versionsPath: _get_nix_path versionsPath:
echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}})
_device recipe dir +moreargs="": _device recipe dir +moreargs="":
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
unset NIX_PATH unset NIX_PATH
source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
$(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
_render_templates: _render_templates:
#!/usr/bin/env bash #!/usr/bin/env bash
@ -24,18 +24,18 @@ _render_templates:
if ! ip route get 1.1.1.1; then if ! ip route get 1.1.1.1; then
echo No route to WAN. Skipping template rendering... echo No route to WAN. Skipping template rendering...
else else
source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
fi fi
rebuild-remote-device device +rebuildargs="dry-activate": rebuild-remote-device device +rebuildargs="dry-activate":
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} nix run .#colmena -- apply --on {{device}} {{rebuildargs}}
# Rebuild this device's NixOS # Rebuild this device's NixOS
rebuild-this-device +rebuildargs="dry-activate": rebuild-this-device +rebuildargs="dry-activate":
nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} nix run .#colmena -- apply-local --sudo {{rebuildargs}}
# Re-render the versions of a remote device and rebuild its environment # Re-render the versions of a remote device and rebuild its environment
update-remote-device devicename +rebuildargs='build': update-remote-device devicename +rebuildargs='build':
@ -44,13 +44,13 @@ update-remote-device devicename +rebuildargs='build':
( (
set -xe set -xe
cd nix/os/devices/{{ devicename }} cd nix/os/devices/{{devicename}}
nix flake update nix flake update
) )
just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} just -v rebuild-remote-device {{devicename}} {{rebuildargs}}
git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
# Re-render the versions of the current device and rebuild its environment # Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch' +moreargs='': update-this-device rebuild-mode='switch' +moreargs='':
@ -63,7 +63,7 @@ update-this-device rebuild-mode='switch' +moreargs='':
nix flake update nix flake update
) )
just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} just -v rebuild-this-device {{rebuild-mode}} {{moreargs}}
git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
@ -72,19 +72,19 @@ rebuild-disk device:
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
just -v disk-mount {{ device }} just -v disk-mount {{device}}
trap "set +e; just -v disk-umount {{ device }}" EXIT trap "set +e; just -v disk-umount {{device}}" EXIT
just -v disk-install {{ device }} just -v disk-install {{device}}
# Re-render the versions of the given offline system and reinstall it in offline-mode # Re-render the versions of the given offline system and reinstall it in offline-mode
update-disk dir: update-disk dir:
#!/usr/bin/env bash #!/usr/bin/env bash
set -exuo pipefail set -exuo pipefail
dir={{ dir }} dir={{dir}}
template={{ dir }}/versions.tmpl.nix template={{dir}}/versions.tmpl.nix
outfile={{ dir }}/versions.nix outfile={{dir}}/versions.nix
if ! test -e ${template}; then if ! test -e ${template}; then
template="$(just _DEFAULT_VERSION_TMPL)" template="$(just _DEFAULT_VERSION_TMPL)"
@ -96,9 +96,9 @@ update-disk dir:
exit 0 exit 0
fi fi
export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
just -v rebuild-disk {{ dir }} || { just -v rebuild-disk {{dir}} || {
echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
exit 1 exit 1
} }
@ -119,33 +119,33 @@ hm-iterate-qtile:
# !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
disk-prepare dir: disk-prepare dir:
just -v _device diskPrepare {{ dir }} just -v _device diskPrepare {{dir}}
disk-relabel dir previous: disk-relabel dir previous:
just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}}
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir: disk-mount dir:
just -v _device diskMount {{ dir }} just -v _device diskMount {{dir}}
# Unmount target disk, specified by device configuration directory # Unmount target disk, specified by device configuration directory
disk-umount dir: disk-umount dir:
just -v _device diskUmount {{ dir }} just -v _device diskUmount {{dir}}
# Perform an offline installation on the mounted target disk, specified by device configuration directory # Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates disk-install dir: _render_templates
just -v _device diskInstall {{ dir }} just -v _device diskInstall {{dir}}
verify-n-unlock sshserver attempts="10": verify-n-unlock sshserver attempts="10":
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
env \ env \
GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \
SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \
VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \
VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \
\ \
just _verify-n-unlock {{ sshserver }} {{ attempts }} just _verify-n-unlock {{sshserver}} {{attempts}}
_verify-n-unlock sshserver attempts: _verify-n-unlock sshserver attempts:
#!/usr/bin/env bash #!/usr/bin/env bash
@ -158,7 +158,7 @@ _verify-n-unlock sshserver attempts:
function send() { function send() {
local what="${1:?need something to send}" local what="${1:?need something to send}"
ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
} }
function expect() { function expect() {
@ -181,7 +181,7 @@ _verify-n-unlock sshserver attempts:
trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
for i in `seq 1 {{ attempts }}`; do for i in `seq 1 {{attempts}}`; do
echo Attempt $i... echo Attempt $i...
expect="$(pwgen -0 12)" expect="$(pwgen -0 12)"
send="'\0033\0143'${expect}" send="'\0033\0143'${expect}"
@ -192,7 +192,7 @@ _verify-n-unlock sshserver attempts:
rm ${pipe} rm ${pipe}
echo Verification succeeded at attempt $i. Unlocking remote drive... echo Verification succeeded at attempt $i. Unlocking remote drive...
ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
eval ${GETPW} | head -n1 >&3 eval ${GETPW} | head -n1 >&3
for j in `seq 1 120`; do for j in `seq 1 120`; do
@ -207,22 +207,22 @@ _verify-n-unlock sshserver attempts:
exit 1 exit 1
fi fi
done done
echo Verification failed {{ attempts }} times. Giving up... echo Verification failed {{attempts}} times. Giving up...
exit 1 exit 1
_get_pass_entry path key: _get_pass_entry path key:
pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g'
run-with-channels +cmds: run-with-channels +cmds:
#!/usr/bin/env bash #!/usr/bin/env bash
source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
{{ cmds }} {{cmds}}
install-config config root: install-config config root:
sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
# Switch between gpg-card capable devices which have a copy of the same key # Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card key-id="6EEFA706CB17E89B": switch-gpg-card:
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# Derived from https://github.com/drduh/YubiKey-Guide/issues/19. # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
@ -230,11 +230,7 @@ switch-gpg-card key-id="6EEFA706CB17E89B":
# Connect the new device and then run this script to make it known to gnupg. # Connect the new device and then run this script to make it known to gnupg.
# #
set -xe set -xe
if [[ -n "{{key-id}}" ]]; then
KEY_ID="{{key-id}}"
else
KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
fi
# export pubkey and ownertrust # export pubkey and ownertrust
gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
@ -257,7 +253,7 @@ switch-gpg-card key-id="6EEFA706CB17E89B":
uuid-to-device-name remote: uuid-to-device-name remote:
#!/usr/bin/env bash #!/usr/bin/env bash
set -e -o pipefail set -e -o pipefail
ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
test-connection: test-connection:
#! /usr/bin/env nix-shell #! /usr/bin/env nix-shell
@ -309,13 +305,7 @@ test-connection:
done done
cachix-use name: cachix-use name:
nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/
update-sops-keys: update-sops-keys:
for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
deploy-router0-dmz0:
NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
ttyusb:
screen -fa /dev/ttyUSB0 115200
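Review bot: `switch-gpg-card` on the new side always derives `KEY_ID` from `gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}'`, so the first 16-character uppercase-hex run on a `sec` line is used for the pubkey export and the trust import that follow without any confirmation that it is the intended key; the removed `key-id` parameter was the only way to pin it. Printing the detected id and refusing an empty one before anything is exported, e.g. `: "${KEY_ID:?no key id found on the inserted card}"` followed by `echo "Switching gpg card for key ${KEY_ID}"`, would make a wrong match visible early. If the recipe's header comment (which starts outside this hunk) still describes passing a key id, it needs updating as well. The other hunks of this file are whitespace changes inside `{{ }}` and the removal of `--impure` from the colmena recipes, which is consistent with pure evaluation but conflicts with the `--impure` added to `.envrc` in this comparison.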


@ -1,5 +1,4 @@
# steveej's infra # steveej's infra
This repository helps me to manage all computer infrastructure. This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org). This is mostly achieved with the help of [Nix](https://nixos.org).
@ -40,46 +39,39 @@ In the unlikely case that you actually read this and have any questions please d
- [x] sj-pve0 - [x] sj-pve0
- [x] use an existing secret management framework - [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes - [x] adapt (or abandon?) _just_ recipes
- [x] `rebuild-this-device` - [x] `rebuild-this-device`
- [x] `update-this-device` - [x] `update-this-device`
- [x] `rebuild-remote-device` - [x] `rebuild-remote-device`
- [x] `update-remote-device` - [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion: evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena) - [x] [colmena](https://github.com/zhaofengli/colmena)
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68 * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs - [ ] deploy-rs
- [x] 🚧 find a better alternative for the qtile-desktop - [x] 🚧 find a better alternative for the qtile-desktop
current issues: current issues:
- floating windows often get lost in the background - floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop - plugging in-/out- screen crashes the desktop
evaluate: evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~ - [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~ - [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process - [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine - [ ] a new machine
- [ ] an install media - [ ] an install media
- [ ] Design disaster recovery - [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle _\_archived_ - [ ] Recycle *\_archived*
- [ ] container migrations - [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started - [ ] ensure DDNS is updated _before_ the containers are started
## Bugs
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755 - [ ] home-manager leaves ~/.gnupg at 0755
## Usage ## Usage
*(These are reminders for my future self)*
_(These are reminders for my future self)_
``` ```
just --list just --list
@ -88,17 +80,15 @@ just --list
## Bootstrap ## Bootstrap
### A new machine ### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
- ensure the dotfiles repo has a branch with the new machine's hostname * boot with an install media and go through setup
- boot with an install media and go through setup
#### Post-Install Setup #### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `chmod --recursive g-rwx,o-rwx ~/.gnupg` * `gpg2 --edit-card; fetch`
- `gpg2 --edit-card; fetch` * clone password-manager and infra repositories
- clone password-manager and infra repositories * gpg2: ultimately trust my own key
- gpg2: ultimately trust my own key
## Swapping out a disk ## Swapping out a disk


@ -0,0 +1,90 @@
import /home/steveej/src/github/NixOS/nixpkgs/default.nix {
crossSystem = rec {
config = "armv7l-unknown-linux-gnueabi";
bigEndian = false;
arch = "arm";
float = "hard";
fpu = "vfpv3-d16";
withTLS = true;
libc = "glibc";
platform = {
name = "armv7l-hf-multiplatform";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelHeadersBaseConfig = "multi_v7_defconfig";
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = false;
kernelExtraConfig = ''
NAMESPACES y
BTRFS_FS y
BTRFS_FS_POSIX_ACL y
OVERLAY_FS y
FUSE_FS y
'';
kernelTarget = "zImage";
uboot = null;
};
openssl.system = "linux-generic32";
gcc = {
arch = "armv7-a";
fpu = "neon";
float = "hard";
};
};
}
# pkgs.config = {
# packageOverrides = super: let self = super.pkgs; in {
# linux_4_0 = super.linux_3_18.override {
# kernelPatches = super.linux_3_18.kernelPatches ++ [
# # we'll also add one of our own patches
# { patch = ./dts.patch; name = "dts-fix"; }
# ];
#
# # add "CONFIG_PPP_FILTER y" option to the set of kernel options
# extraConfig = ''
# HAVE_IMX_ANATOP y
# HAVE_IMX_GPC y
# HAVE_IMX_MMDC y
# HAVE_IMX_SRC y
# SOC_IMX6 y
# SOC_IMX6Q y
# SOC_IMX6SL y
# PCI_IMX6 y
# ARM_IMX6Q_CPUFREQ y
# IMX_WEIM y
# AHCI_IMX y
# SERIAL_IMX y
# SERIAL_IMX_CONSOLE y
# I2C_IMX y
# SPI_IMX y
# PINCTRL_IMX y
# PINCTRL_IMX6Q y
# PINCTRL_IMX6SL y
# POWER_RESET_IMX y
# IMX_THERMAL y
# IMX2_WDT y
# IMX_IPUV3_CORE y
# DRM_IMX y
# DRM_IMX_FB_HELPER y
# DRM_IMX_PARALLEL_DISPLAY y
# DRM_IMX_TVE y
# DRM_IMX_LDB y
# DRM_IMX_IPUV3 y
# DRM_IMX_HDMI y
# MMC_SDHCI_ESDHC_IMX y
# IMX_SDMA y
# PWM_IMX y
# DEBUG_IMX6Q_UART y
#
# PPP_FILTER y
# '';
# };
# };
# };


@ -0,0 +1,89 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version,
extraBuildInputs ? [],
extraShellHook ? "",
}: let
go = builtins.getAttr "go_${version}" pkgs;
commonVimRC = ''
let g:tagbar_type_go = {
\ 'ctagstype' : 'go',
\ 'kinds' : [
\ 'p:package',
\ 'i:imports:1',
\ 'c:constants',
\ 'v:variables',
\ 't:types',
\ 'n:interfaces',
\ 'w:fields',
\ 'e:embedded',
\ 'm:methods',
\ 'r:constructor',
\ 'f:functions'
\ ],
\ 'sro' : '.',
\ 'kind2scope' : {
\ 't' : 'ctype',
\ 'n' : 'ntype'
\ },
\ 'scope2kind' : {
\ 'ctype' : 't',
\ 'ntype' : 'n'
\ },
\ 'ctagsbin' : 'gotags',
\ 'ctagsargs' : '-sort -silent'
\ }
" vim-go {
let g:go_highlight_functions = 1
let g:go_highlight_methods = 1
let g:go_highlight_structs = 1
let g:go_highlight_interfaces = 1
let g:go_highlight_operators = 1
let g:go_highlight_build_constraints = 1
let g:go_fmt_command = 'gofmt'
let g:go_fmt_options= '-s'
let g:go_def_mode = 'godef'
let g:go_def_reuse_buffer = 0
au FileType go nmap <Leader>gds <Plug>(go-def-split)
au FileType go nmap <Leader>gdv <Plug>(go-def-vertical)
au FileType go nmap <Leader>gdt <Plug>(go-def-tab)
au FileType go nmap <Leader>gi <Plug>(go-imports)
" }
'';
buildInputs = with pkgs; [
glibc.out
glibc.static
go
gotools
#gotools.bin
#gocode.bin
#godef godef.bin
godep
#godep.bin
gox.bin
#ginkgo ginkgo.bin
#gomega
# ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
# ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
];
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = extraBuildInputs ++ buildInputs;
shellHook = ''
goname=${go.version}_$name
# FIXME: setPS1 $goname
export GOROOT=${go}/share/go
export GOPATH="$HOME/.gopath_$goname"
export PATH="$HOME/.gopath_$goname/bin:$PATH"
unset name
unset SSL_CERT_FILE
${extraShellHook}
'';
}
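Review bot: The `shellHook` runs `unset SSL_CERT_FILE` (the line before `${extraShellHook}`) with no explanation; in a nix shell that variable is typically what points Go, curl and similar tools at the CA bundle, so clearing it changes which trust store TLS connections from this shell verify against, and whether each tool still verifies at all depends on its own fallback. A comment stating the reason, e.g. `# unset SSL_CERT_FILE: <reason> — TODO confirm the Go toolchain still verifies TLS without it`, lets the next reader judge whether the line is still needed. Separately, `gitpkgs` defaults to an absolute checkout under `/home/steveej`, which ties the file to one machine, and the `setPS1` call is left as a `# FIXME` while the sibling pandoc/rust files call it unconditionally — worth aligning.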


@ -0,0 +1,12 @@
{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args
// {
additionalRC =
commonRC
+ ''
" deoplete {
let g:deoplete#enable_at_startup = 1
let g:deoplete#enable_smart_case = 1
" }
'';
additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"];
})


@ -0,0 +1,31 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with pkgs;
[
(import ./vim-pandoc.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
})
pandoc
texlive.combined.scheme-medium
python27Packages.pandocfilters
python27Packages.htmltreediff
python27Packages.html5lib
python27Packages.dbus-python
]
++ extraBuildInputs;
shellHook = ''
pandocname=pandoc_${pkgs.pandoc.version}
setPS1 $pandocname
unset name
'';
}
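Review bot: The `buildInputs` list pulls `pandocfilters`, `htmltreediff`, `html5lib` and `dbus-python` from `python27Packages`, i.e. Python 2.7, which reached end of life in January 2020 and receives no security fixes. If this shell is still used, those inputs should move to a `python3Packages` set (checking that each package is available there); if the file is a historical snapshot, a header comment saying so, e.g. `# legacy shell from <year>, not maintained — Python 2.7 based`, would stop someone from entering it expecting a supported toolchain. As in the other new files here, `gitpkgs` defaults to an absolute path under `/home/steveej`.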


@ -0,0 +1,71 @@
{
pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
mkGoEnv ? import ./go.nix,
rktPath,
}: let
rktBasebuildInputs = with pkgs; [
glibc.out
glibc.static
autoreconfHook
gnupg1
squashfsTools
cpio
tree
intltool
libtool
pkgconfig
libgcrypt
gperf
libcap
libseccomp
libzip
eject
iptables
bc
acl
trousers
systemd
];
extraShellHook = ''
TARGET=$GOPATH/src/github.com/coreos/rkt
if [[ -e ${rktPath}/rkt/rkt.go ]]; then
pushd ${rktPath}
else
echo rktPath must be run the rkt repository clone, but got '${rktPath}'
exit 1
fi
if ! [[ -e $TARGET/rkt/rkt.go ]]; then
mkdir -p $TARGET
echo $PWD
sudo -E mount -o bind $PWD $TARGET
fi
pushd $TARGET
'';
in {
go15 = mkGoEnv {
inherit pkgs;
name = "rktGo15";
version = "1_5";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go16 = mkGoEnv {
inherit pkgs;
name = "rktGo16";
version = "1_6";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
go17 = mkGoEnv {
inherit pkgs;
name = "rktGo17";
version = "1_7";
extraBuildInputs = rktBasebuildInputs;
inherit extraShellHook;
};
}
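Review bot: `extraShellHook` calls `exit 1` when `${rktPath}/rkt/rkt.go` is missing; since a shellHook is evaluated by the interactive shell itself, that ends the whole `nix-shell` session instead of just skipping the setup — something like `return 1` after the message would abort the hook without killing the shell, worth confirming in this nix-shell setup. The hook then runs `sudo -E mount -o bind $PWD $TARGET` with both paths unquoted and never unmounts, so each shell entry can leave a privileged bind mount behind under `$GOPATH`; at minimum quote `"$PWD"` and `"$TARGET"` and add a comment documenting that the mount persists and how to `umount` it, since a `trap` on shell exit cannot undo a root-owned mount from the user's shell. The error message `rktPath must be run the rkt repository clone` is garbled — probably `rktPath must point at the rkt repository clone`.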


@ -0,0 +1 @@
eval "$(lorri direnv)"


@ -0,0 +1,39 @@
{
gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
pkgs ? gitpkgs,
name ? "generic",
version ? "Stable",
extraBuildInputs ? [],
}: let
rustPackages = builtins.getAttr "rust${version}" pkgs;
rustc = rustPackages.rustc;
rustShellHook = {
rustc,
name,
}: ''
rustname=rust_${rustc.version}_${name}
setPS1 $rustname
unset name
'';
commonVimRC = "";
in
pkgs.stdenv.mkDerivation {
inherit name;
buildInputs = with rustPackages;
[
(import ./vim-rust.nix {
pkgs = gitpkgs;
commonRC = commonVimRC;
inherit rustc;
racerd = pkgs.rustracerd;
})
rustc
cargo
]
++ [pkgs.rustfmt]
++ extraBuildInputs;
shellHook = rustShellHook {
inherit name;
inherit rustc;
};
}


@ -0,0 +1,19 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-go";
additionalRC =
commonRC
+ ''
" Disable AutoComplPop.
let g:acp_enableAtStartup = 0
" Use neocomplete.
let g:neocomplete#enable_at_startup = 1
" Use smartcase.
let g:neocomplete#enable_smart_case = 1
if !exists('g:neocomplete#sources#omni#input_patterns')
let g:neocomplete#sources#omni#input_patterns = {}
endif
'';
additionalPlugins = ["neocomplete" "vim-go"];
})


@ -0,0 +1,18 @@
{commonRC, ...} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-pandoc";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
'';
additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
})


@ -0,0 +1,48 @@
{
commonRC,
rustc,
racerd,
...
} @ args:
import ../../pkg-configuration/vim-derivates/vim.nix (args
// {
name = "vim-for-rust";
additionalRC =
commonRC
+ ''
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
" tagbar
let g:tagbar_type_rust = {
\ 'ctagstype' : 'rust',
\ 'kinds' : [
\'T:types,type definitions',
\'f:functions,function definitions',
\'g:enum,enumeration names',
\'s:structure names',
\'m:modules,module names',
\'c:consts,static constants',
\'t:traits,traits',
\'i:impls,trait implementations',
\]
\}
let g:syntastic_rust_checkers = ["rustc"]
"rustfmt
let g:rustfmt_autosave = 1
let g:ycm_auto_trigger = 1
let g:ycm_rust_src_path = '${rustc.src}/src'
let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
'';
additionalPlugins = ["rust-vim"];
})


@ -0,0 +1,42 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "devfhs";
multiPkgs = pkgs: (with pkgs; [
android-udev-rules
sudo
gawk
bzip2
file
gcc
getopt
git
gnumake
ncurses
openssl
patch
perl
pkgconfig
python
openssh
subversion
unzip
wget
which
vim
zlib
libusb
libusb1
systemd
strace
swt
xorg.libXtst
glib
gtk2
gnome.gtk
]);
profile = ''
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
'';
runScript = "bash";
})
.env
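Review bot: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:…` in `profile` yields a leading empty element whenever `LD_LIBRARY_PATH` is unset in the caller's environment, and the glibc loader treats an empty element as the current working directory, so every binary started from this FHS shell would also pick up shared libraries from whatever directory it happens to be run in. The usual guard avoids that: `export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib`. A short comment on why `/lib32`/`/usr/lib32` etc. must be appended inside an FHS env (presumably for the `swt`/`gtk2` consumers) would also help, since `buildFHSUserEnv` normally sets up those paths itself — confirm it is still needed.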


@ -0,0 +1,36 @@
{pkgs ? import <nixpkgs> {}}:
(pkgs.buildFHSUserEnv {
name = "everydayFHS";
targetPkgs = pkgs: (with pkgs; [
which
gitFull
zsh
file
direnv
xdg_utils
xsel
vscode
# vscode live share
gnome3.gcr
libgnome_keyring3
liburcu
libunwind
lttng-ust
curl
openssl
libkrb5
libuuid
icu
zlib
libsecret
]);
multiPkgs = pkgs: (with pkgs; []);
profile = ''
export SHELL=/bin/zsh
'';
# FIXME runScript = "$SHELL";
})
.env


@ -4,9 +4,6 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as: # commands such as:
# nix-build -A mypackage # nix-build -A mypackage
{ {pkgs ? import <nixpkgs> {}}: {
pkgs ? import <nixpkgs> { }, pkgs = import ./nix/pkgs {inherit pkgs;};
}:
{
pkgs = import ./nix/pkgs { inherit pkgs; };
} }

27
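--- /dev/null
+++ b/flake-sandbox/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1681091990,
+"narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-22.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}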

142
flake-sandbox/flake.nix Normal file

@ -0,0 +1,142 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
};
outputs = {
self,
nixpkgs,
}: let
system = "x86_64-linux";
pkgs = import nixpkgs {inherit system;};
in {
devShells."${system}".default = pkgs.mkShell {
packages = with pkgs;
with pkgs.gnome; [
hexchat
audacity
proot
yubikey-manager-qt
cheese
remmina
exiv2
wireshark-qt
seahorse
kotatogram-desktop
usbutils
networkmanagerapplet
sshfs-fuse
pavucontrol
libwebcam
just
eog
git-crypt
espanso
unetbootin
vcsh
skypeforlinux
du-dust
bind
teamviewer
gparted
neovim
inkscape
rustdesk
gnome-themes-extra
pass
xdg-user-dirs
cbatticon
yubikey-personalization-gui
zoom
signal-desktop
xorg.xbacklight
vscode
ripgrep
lightdm
nixpkgs-fmt
git-lfs
qtpass
gimp
lxappearance
flameshot
thunderbird
fprintd
chromium
evtest
alejandra
vlc
pastebinit
evolution
zbar
libreoffice
brave
pidgin
direnv
xorg.xhost
lorri
firefox
logseq
x11_ssh_askpass
xsel
feh
htop
openvpn
syncthing
ncdu
rofi-pass
testdisk
vanilla-dmz
wireguard-tools
xarchive
gnome-icon-theme
wget
nix-index
mr
passff-host
browserpass
xorg.xcursorthemes
gitRepo
gitSVN
androidenv.androidPkgs_9_0.platform-tools
# introduces python
(qtile.passthru.unwrapped.overrideAttrs (oldAttrs: {
propagatedBuildInputs =
[]
# ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs
# ++ (with pkgs.python3Packages; [
# # python-wifi
# # iwlib
# keyring
# ])
;
makeWrapperArgs =
oldAttrs.makeWrapperArgs
++ [
"--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}"
];
}))
# gi-docgen
# yelp-tools
# scons
# autorandr
# arandr
# meson
# mercurial
# unrar-wrapper
# orca
# radicale
# criu
# gnome-music
# gnome-browser-connector
# radicale
# hplip
# qtile
# gtk-doc
# asciidoc
# meson
];
};
};
}

1179
flake.lock generated


399
flake.nix

@ -1,18 +1,19 @@
# flake.nix # flake.nix
{ {
inputs = { inputs = {
# TODO: where has this been used? dotfiles = {
# dotfiles = { url = "gitlab:steveeJ/dotfiles";
# url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; flake = false;
# flake = false; };
# };
# flake and infra basics # flake and infra basics
nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
radicalePkgs.follows = "nixpkgs-2211"; radicalePkgs.follows = "nixpkgs-2211";
nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.follows = "nixpkgs-2411"; nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-unstable.follows = "nixpkgs-unstable-small";
nixpkgs.follows = "nixpkgs-2311";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
@ -24,13 +25,6 @@
nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
# needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
openvscode-server.flake = false;
colmena = { colmena = {
url = "github:zhaofengli/colmena"; url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -41,13 +35,14 @@
url = "github:nix-community/fenix"; url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
crane.url = "github:ipetkov/crane"; crane = {
url = "github:ipetkov/crane";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
# applications # applications
aphorme_launcher = { aphorme_launcher = {
url = "github:Iaphetes/aphorme_launcher/main"; url = "github:Iaphetes/aphorme_launcher/main";
@ -70,58 +65,48 @@
flake = false; flake = false;
}; };
salut = {
url = "gitlab:snakedye/salut";
flake = false;
};
prs = { prs = {
# url = "gitlab:timvisee/prs/v0.5.2"; url = "gitlab:timvisee/prs/master";
url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";
flake = false; flake = false;
}; };
rperf = { ### inputs for thinkpad x13s
url = "github:steveej-forks/rperf"; # see https://github.com/jhovold/linux/wiki/X13s for status updates
linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7";
linux_x13s.flake = false;
brainwart_x13s-nixos = {
url = "github:BrainWart/x13s-nixos/flake";
flake = false; flake = false;
}; };
# nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; adamcstephens_stop-export = {
espanso = {
flake = false; flake = false;
url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; url = "git+https://codeberg.org/adamcstephens/stop-export.git";
}; };
nix4vscode = { # alsa-ucm-conf = {
url = "github:nix-community/nix4vscode"; # flake = false;
# inputs.nixpkgs.follows = "nixpkgs"; # url = "github:alsa-project/alsa-ucm-conf/master";
# };
logseq_0_10_5_aarch64_appimage = {
flake = false;
url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage";
}; };
nixvim = {
# TODO: pin to nixos-24.11 once available
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago = {
url = "github:jmgilman/nixago";
inputs.nixpkgs.follows = "nixpkgs";
}; };
nur = { outputs = inputs @ {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson";
};
outputs =
inputs@{
self, self,
flake-parts, flake-parts,
nixpkgs, nixpkgs,
... ...
}: }: let
let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
systems = [ systems = [
@ -129,26 +114,25 @@
"aarch64-linux" "aarch64-linux"
]; ];
in in
flake-parts.lib.mkFlake { inherit inputs; } ( flake-parts.lib.mkFlake {inherit inputs;}
{ withSystem, ... }: ({withSystem, ...}: {
{
flake.colmena = flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } {
meta.nixpkgs = import inputs.nixpkgs.outPath {
system = builtins.elemAt systems 0;
};
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
( (builtins.map
builtins.map (nodeName:
(
nodeName:
import ./nix/os/devices/${nodeName} { import ./nix/os/devices/${nodeName} {
inherit nodeName; inherit nodeName;
repoFlake = self; repoFlake = self;
repoFlakeWithSystem = withSystem; repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
} }) [
)
[
"steveej-t14" "steveej-t14"
"steveej-x13s" "steveej-x13s"
"steveej-x13s-rmvbl" "steveej-x13s-rmvbl"
@ -156,24 +140,20 @@
# "justyna-p300" # "justyna-p300"
# "srv0-dmz0" # "srv0-dmz0"
# "router0-dmz0" # # "router0-dmz0"
"router0-ifog"
"router0-hosthatch"
"sj-srv1" "sj-srv1"
] "sj-bm-hostkey0"
);
flake.lib = { # "retro"
inherit withSystem; ]);
};
# this makes nixos-anywhere work # this makes nixos-anywhere work
flake.nixosConfigurations = flake.nixosConfigurations = let
let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations;
in (
colmenaHive colmenaHive
// { // {
router0-dmz0 = router0-dmz0.native; router0-dmz0 = router0-dmz0.native;
@ -182,16 +162,17 @@
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross; router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross = # nixos-install --flake .\#retro_cross
(inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; retro_cross = retro.cross;
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
}; steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
inherit systems; inherit systems;
perSystem = perSystem = {
{
self', self',
inputs', inputs',
system, system,
@ -199,107 +180,96 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: {
{ imports = [
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; ./nix/modules/flake-parts/perSystem/default.nix
];
packages = packages = let
let dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; craneLib =
inputs.crane.lib.${system}.overrideToolchain
inputs'.fenix.packages.stable.toolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; craneLibOfiPass =
inputs.crane.lib.${system}.overrideToolchain
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
_prsPackage = # broken as of 2023-04-27 because it doesn't load without a config
{ # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
lib, # yofi = inputs'.yofi.packages.default;
rustPlatform, # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
installShellFiles,
pkg-config, inherit (inputs'.colmena.packages) colmena;
python3,
# jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
# src = inputs.jay;
# rustPlatform = pkgs.makeRustPlatform {
# cargo = inputs'.fenix.packages.stable.toolchain;
# rustc = inputs'.fenix.packages.stable.toolchain;
# };
# };
salut = craneLib.buildPackage {
src = inputs.salut;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
pkgs.libxkbcommon
pkgs.fontconfig
];
};
prs =
pkgs.callPackage
({
pkgs,
dbus,
glib, glib,
gpgme, gpgme,
gtk3, gtk3,
stdenv, libxcb,
cargoHash ? "sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", libxkbcommon,
src, installShellFiles,
version, pkg-config,
makeWrapper, python3,
skim,
}: }:
craneLib.buildPackage {
rustPlatform.buildRustPackage rec {
pname = "prs"; pname = "prs";
version = inputs.prs.shortRev;
inherit src version cargoHash; src = inputs.prs;
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
makeWrapper
];
cargoBuildFlags = [
"--no-default-features"
"--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp"
];
buildInputs = [ buildInputs = [
dbus
glib glib
gpgme gpgme
gtk3 gtk3
libxcb
libxkbcommon
]; ];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done done
''; '';
})
{};
postFixup = '' nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6;
wrapProgram $out/bin/prs \
--prefix PATH : ${lib.makeBinPath [ skim ]}
'';
meta = with lib; {
description = "Secure, fast & convenient password manager CLI using GPG and git to sync";
homepage = "https://gitlab.com/timvisee/prs";
changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md";
license = with licenses; [
lgpl3Only # lib
gpl3Only # everything else
];
maintainers = with maintainers; [ dotlambda ];
mainProgram = "prs";
};
};
local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
set -x
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=0 \
# --x-unscale=3 \
--verbose
'';
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage _prsPackage {
src = inputs.prs;
version = inputs.prs.shortRev;
cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8=";
};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x set -x
@ -328,101 +298,28 @@
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
''; '';
rperf = craneLib.buildPackage { logseq =
src = inputs.rperf; pkgs.callPackage ./nix/pkgs/logseq
nativeBuildInputs = [ pkgs.pkg-config ]; (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
buildInputs = [ ]; overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage;
};
inherit local-xwayland;
inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp;
};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
just = {
enable = true;
includes = [
"*/Justfile"
"Justfile"
];
};
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
options = [ "--no-underscore" ];
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
}); });
};
devShells = formatter = pkgs.alejandra;
let
devShells = let
all = import ./nix/devShells.nix { all = import ./nix/devShells.nix {
inherit inherit
self
self' self'
inputs' inputs'
pkgs pkgs
; ;
}; };
in in (all // {default = all.develop;});
all
// {
default = all.develop;
}; };
flake.nixosModules = {
# thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; }));
}; };
} });
);
} }
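Review bot: The `prs` input on the new side tracks `gitlab:timvisee/prs/master` instead of a fixed revision (the other side of the same hunk pins `07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973`); `flake.lock` freezes what was fetched once, but the next `nix flake update` silently moves a password-manager build to whatever the branch head is at that moment, with no review step in between. Prefer `url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973";` or a release tag, and the same applies to `linux_x13s` (a kernel tree on the `wip/sc8280xp-v6.7` branch) and `adamcstephens_stop-export` (a bare `git+https://` URL with no `ref` or `rev`). In the `prs` package further down, the new `postInstall` also runs `$out/bin/prs` unconditionally, dropping the `lib.optionalString (pkgs.stdenv.buildPlatform.canExecute pkgs.stdenv.hostPlatform)` guard that the `steveej-x13s_cross` and `steveej-x13s-rmvbl_cross` configurations declared in this same file appear to depend on.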


@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
[ -n "$NAME" ] [ ! -z "$NAME" ]
nix-build . --show-trace -A "$NAME" nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force docker image rm "$NAME":latest --force


@ -1,10 +1,6 @@
{ {pkgs ? import <nixpkgs> {}}: let
pkgs ? import <nixpkgs> { }, baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
}: in rec {
let
baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
in
rec {
base = pkgs.dockerTools.buildImage rec { base = pkgs.dockerTools.buildImage rec {
name = "base"; name = "base";
@ -25,20 +21,12 @@ rec {
interactive_base = pkgs.dockerTools.buildImage { interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base"; name = "interactive_base";
fromImage = base; fromImage = base;
contents = with pkgs; [ contents = with pkgs; [procps zsh coreutils neovim];
procps
zsh
coreutils
neovim
];
config = { config = {Cmd = ["/bin/zsh"];};
Cmd = [ "/bin/zsh" ];
};
}; };
s3ql = s3ql = let
let
entrypoint = pkgs.writeScript "entrypoint" '' entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -85,10 +73,7 @@ rec {
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "s3ql"; name = "s3ql";
fromImage = interactive_base; fromImage = interactive_base;
contents = [ contents = [pkgs.s3ql pkgs.fuse];
pkgs.s3ql
pkgs.fuse
];
runAsRoot = '' runAsRoot = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -99,24 +84,25 @@ rec {
''; '';
config = { config = {
Env = baseEnv ++ [ Env =
baseEnv
++ [
"HOME=/home/s3ql" "HOME=/home/s3ql"
"S3QL_CACHE_DIR=/var/cache/s3ql" "S3QL_CACHE_DIR=/var/cache/s3ql"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2" "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
"CONTAINER_ENTRYPOINT=${entrypoint}" "CONTAINER_ENTRYPOINT=${entrypoint}"
]; ];
Cmd = [ entrypoint ]; Cmd = [entrypoint];
Volumes = { Volumes = {
"/var/cache/s3ql" = { }; "/var/cache/s3ql" = {};
"/etc/s3ql/authinfo2" = { }; "/etc/s3ql/authinfo2" = {};
"/buckets" = { }; "/buckets" = {};
"/tmp" = { }; "/tmp" = {};
}; };
}; };
}; };
syncthing = syncthing = let
let
entrypoint = pkgs.writeScript "entrypoint" '' entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -x set -x
@ -146,11 +132,9 @@ rec {
contents = pkgs.syncthing; contents = pkgs.syncthing;
config = { config = {
Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [ entrypoint ]; Cmd = [entrypoint];
Volumes = { Volumes = {"/data" = {};};
"/data" = { };
};
}; };
}; };
} }


@ -1,9 +1,6 @@
{ versionsPath }: {versionsPath}: let
let
channelVersions = import versionsPath; channelVersions = import versionsPath;
mkChannelSource = mkChannelSource = name: let
name:
let
channelVersion = builtins.getAttr name channelVersions; channelVersion = builtins.getAttr name channelVersions;
in in
builtins.fetchGit { builtins.fetchGit {
@ -11,24 +8,19 @@ let
inherit name; inherit name;
inherit (channelVersion) url ref rev; inherit (channelVersion) url ref rev;
}; };
nixPath = builtins.concatStringsSep ":" ( nixPath = builtins.concatStringsSep ":" (builtins.map
builtins.map ( (elemName: let
elemName:
let
elem = builtins.getAttr elemName channelVersions; elem = builtins.getAttr elemName channelVersions;
elemPath = mkChannelSource elemName; elemPath = mkChannelSource elemName;
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; suffix =
if builtins.hasAttr "suffix" elem
then elem.suffix
else "";
in in
builtins.concatStringsSep "=" [ builtins.concatStringsSep "=" [elemName elemPath] + suffix)
elemName (builtins.attrNames channelVersions));
elemPath pkgs = import (mkChannelSource "nixpkgs") {};
] in {
+ suffix
) (builtins.attrNames channelVersions)
);
pkgs = import (mkChannelSource "nixpkgs") { };
in
{
inherit nixPath; inherit nixPath;
channelSources = pkgs.writeText "channels.rc" '' channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath} export NIX_PATH=${nixPath}


@ -1,10 +1,8 @@
{ {
self,
self', self',
inputs', inputs',
pkgs, pkgs,
}: }: {
{
install = pkgs.mkShell { install = pkgs.mkShell {
name = "infra-install"; name = "infra-install";
packages = with pkgs; [ packages = with pkgs; [
@ -19,9 +17,10 @@
develop = pkgs.mkShell { develop = pkgs.mkShell {
name = "infra-develop"; name = "infra-develop";
inputsFrom = [ self'.devShells.install ]; inputsFrom = [
self'.devShells.install
];
packages = with pkgs; [ packages = with pkgs; [
self'.formatter # .package
inputs'.colmena.packages.colmena inputs'.colmena.packages.colmena
dconf2nix dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere inputs'.nixos-anywhere.packages.nixos-anywhere
@ -36,7 +35,6 @@
inputs'.sops-nix.packages.default inputs'.sops-nix.packages.default
sops sops
nil nil
nix-index
apacheHttpd apacheHttpd
@ -67,7 +65,6 @@
# hedgedoc-cli # hedgedoc-cli
xwayland xwayland
pulsemixer
(pkgs.writeShellScriptBin "rflk" '' (pkgs.writeShellScriptBin "rflk" ''
exec nix run nixpkgs#$@ exec nix run nixpkgs#$@
@ -76,28 +73,9 @@
(pkgs.writeShellScriptBin "r11" '' (pkgs.writeShellScriptBin "r11" ''
exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@
'') '')
jq
yq
wireguard-tools
screen
inputs'.nixpkgs-unstable.legacyPackages.kanidm
]; ];
# Set Environment Variables # Set Environment Variables
RUST_BACKTRACE = 1; RUST_BACKTRACE = 1;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook = builtins.concatStringsSep "\n" [
# (self.inputs.nixago.lib.${pkgs.system}.make {
# data = self'.formatter.settings;
# output = "treefmt.toml";
# format = "toml";
# }).shellHook
];
}; };
} }


@ -4,15 +4,12 @@
config, config,
# these come in via home-manager.extraSpecialArgs and are specific to each node # these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake, nodeFlake,
repoFlake, packages',
... ...
}: }: let
let # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
pkgsUnstable = pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;};
pkgs.pkgsUnstable in {
or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
in
{
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
# ../profiles/dotfiles.nix # ../profiles/dotfiles.nix
@ -35,41 +32,19 @@ in
../programs/libreoffice.nix ../programs/libreoffice.nix
../programs/neovim.nix ../programs/neovim.nix
../programs/vscode ../programs/vscode
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
]; ];
home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go"; home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"electron-28.3.3" "electron-25.9.0"
"electron-27.3.11"
]; ];
nixpkgs.config.allowUnfree = [
"electron-28.3.3"
"electron-27.3.11"
];
# nixpkgs.config.allowUnfreePredicate = pkg:
# builtins.elem (lib.getName pkg) [
# "smartgithg"
# "electron-27.3.11"
# ];
home.packages = home.packages =
(with pkgs; [ []
++ (with pkgs; [
# Authentication # Authentication
# cacert # cacert
# fprintd # fprintd
@ -105,13 +80,14 @@ in
# Password Management # Password Management
gnupg gnupg
yubikey-manager # yubikey-manager
yubikey-manager-qt
yubikey-personalization yubikey-personalization
yubikey-personalization-gui yubikey-personalization-gui
# gnome.gnome-keyring # gnome.gnome-keyring
gcr gcr
seahorse gnome.seahorse
# Language Support # Language Support
hunspellDicts.en-us hunspellDicts.en-us
@ -120,28 +96,49 @@ in
# Messaging/Communication # Messaging/Communication
# pidgin # pidgin
# hexchat # hexchat
pkgsUnstable.element-desktop # schildichat-desktop # insecure as of 2023-12-16
aspellDicts.en aspellDicts.en
aspellDicts.de aspellDicts.de
# skypeforlinux # skypeforlinux
# pkgsUnstable.jitsi-meet-electron # pkgsUnstable.jitsi-meet-electron
thunderbird-128 thunderbird
# betterbird evolution # gnome4.glib_networking
# FIXME: depends on insecure openssl 1.1.1t # FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop # kotatogram-desktop
pkgsUnstable.tdesktop tdesktop
pkgsUnstable.signal-desktop-source
(
let
version = "6.44.0";
in
pkgsUnstableSmall.signal-desktop.overrideAttrs (old:
lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
inherit version;
src =
builtins.fetchurl
{
url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb";
sha256 =
# lib.fakeSha256
"sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k";
};
})
)
thunderbird
# gnome.cheese
# Virtualization # Virtualization
virt-manager # virtmanager
# Remote Control Tools # Remote Control Tools
remmina remmina
# freerdp # freerdp
# Audio/Video Players # Audio/Video Players
# ffmpeg ffmpeg
vlc vlc
# v4l-utils # v4l-utils
# audacity # audacity
@ -149,8 +146,6 @@ in
yt-dlp yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
libwebcam libwebcam
libcamera
snapshot
# Network Tools # Network Tools
tcpdump tcpdump
@ -161,11 +156,11 @@ in
nethogs nethogs
# Code Editing and Programming # Code Editing and Programming
# TODO(remove or use): pkgsUnstable.lapce # pkgsUnstableSmall.lapce
# TODO(remve or use): pkgsUnstable.helix # pkgsUnstableSmall.helix
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
eog gnome.eog
# gimp # gimp
# imagemagick # imagemagick
# exiv2 # exiv2
@ -187,11 +182,10 @@ in
# cdrtools # cdrtools
# Document Processing and Management # Document Processing and Management
nautilus gnome.nautilus
pcmanfm pcmanfm
# mendeley # mendeley
evince evince
xournalpp
# File Synchronzation # File Synchronzation
maestral maestral
@ -215,7 +209,7 @@ in
# dex # dex
coreutils coreutils
lsof lsof
xdg-utils xdg_utils
xdg-user-dirs xdg-user-dirs
dconf dconf
picocom picocom
@ -231,6 +225,7 @@ in
# shutter # shutter
# kazam # doesn't start # kazam # doesn't start
# xvidcap # doesn't keep the recording rectangle # xvidcap # doesn't keep the recording rectangle
# obs-studio
# shotcut # shotcut
# openshot-qt # openshot-qt
# introduces python: screenkey # introduces python: screenkey
@ -244,24 +239,63 @@ in
# libretro.snes9x2010 # libretro.snes9x2010
# retroarchFull # retroarchFull
# pkgs.logseq-bin packages'.logseq
pkgs.logseq # (pkgs.runCommand "logseq-wrapper"
# (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) # {
# nativeBuildInputs = [ pkgs.makeWrapper ];
# } ''
# makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \
# --set NIXOS_OZONE_WL ""
# '')
]) ])
++ (with repoFlake.packages.${pkgs.system}; [ gimp ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
(
pkgs.banana-accounting.overrideDerivation
(attrs:
with nodeFlake.inputs'.nixpkgs-2211.legacyPackages; {
# dontWrapGApps = true;
srcs = builtins.fetchurl {
# hosted via https://web3.storage
url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz";
sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1";
};
# nativeBuildInputs =
# attrs.nativeBuildInputs
# ++ [
# qt5.qtbase
# qt5.wrapQtAppsHook
# ];
# buildInputs =
# attrs.buildInputs
# ++ [
# qt5.qtwayland
# ];
# preFixup =
# (attrs.preFixup or "")
# + ''
# qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
# '';
})
)
pkgsUnstableSmall.ledger-live-desktop
# unsupported on aarch64-linux # unsupported on aarch64-linux
pkgs.androidenv.androidPkgs_9_0.platform-tools pkgs.androidenv.androidPkgs_9_0.platform-tools
pkgs.teamviewer pkgs.teamviewer
pkgs.discord pkgs.discord
pkgsUnstable.session-desktop pkgsUnstableSmall.session-desktop
pkgsUnstable.rustdesk pkgsUnstableSmall.rustdesk
]); ]);
systemd.user.startServices = true; systemd.user.startServices = true;
services.syncthing.enable = true; services.syncthing.enable = true;
services.udiskie = { services.udiskie = {
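Review bot: The aarch64 `signal-desktop` override (the `overrideAttrs` block in the middle of the section) swaps the upstream source for a `.deb` served from a third-party personal repository, `0mniteck/Signal-Desktop-Mobian` on its `master` branch; the `sha256` pins the bytes, so the exposure is not later tampering but that a messenger build now comes from an unofficial packager with no record here of how the archive or its hash was checked. Add a comment next to `src` stating that this is an unofficial rebuild, where the hash came from (the `# lib.fakeSha256` left commented out suggests it was copied from the first build failure) and what the bump procedure is, e.g. `# unofficial arm64 rebuild, not published by Signal; hash copied from the build output on <date — placeholder>, re-verify against the upstream release when bumping`. The `banana-accounting` override below it fetches its `srcs` from an IPFS gateway with the same shape and deserves the same note: `# hosted via https://web3.storage` says who hosts the tarball but not who built it or how the hash was obtained.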


@ -1,8 +1,13 @@
{ pkgs, ... }:
{ {
home.packages = with pkgs; [ pkgs,
config,
...
}: {
home.packages =
[]
++ (with pkgs; [
gnome.gnome-tweaks gnome.gnome-tweaks
gnome.gnome-keyring gnome.gnome-keyring
gnome.seahorse gnome.seahorse
]; ]);
} }


@ -1,5 +1,8 @@
{ pkgs, ... }:
{ {
pkgs,
config,
...
}: {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
../profiles/qtile-desktop.nix ../profiles/qtile-desktop.nix
@ -13,7 +16,9 @@
../programs/pass.nix ../programs/pass.nix
]; ];
home.packages = with pkgs; [ home.packages =
[]
++ (with pkgs; [
# Nix package related tools # Nix package related tools
patchelf patchelf
nix-index nix-index
@ -95,5 +100,5 @@
# Virtualization # Virtualization
virtmanager virtmanager
]; ]);
} }


@ -1,19 +1,14 @@
_: { {}: let
mkSimpleTrayService = in {
{ execStart }: mkSimpleTrayService = {execStart}: {
{
Unit = { Unit = {
Description = ""; Description = "";
After = [ "graphical-session-pre.target" ]; After = ["graphical-session-pre.target"];
PartOf = [ "graphical-session.target" ]; PartOf = ["graphical-session.target"];
}; };
Install = { Install = {WantedBy = ["graphical-session.target"];};
WantedBy = [ "graphical-session.target" ];
};
Service = { Service = {ExecStart = execStart;};
ExecStart = execStart;
};
}; };
} }


@ -1,7 +1,8 @@
{ pkgs, lib, ... }:
{ {
home.stateVersion = lib.mkDefault "23.11"; pkgs,
lib,
...
}: {
# TODO: re-enable this with the appropriate version? # TODO: re-enable this with the appropriate version?
# programs.home-manager.enable = true; # programs.home-manager.enable = true;
# programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
@ -10,27 +11,8 @@
nixpkgs.config = { nixpkgs.config = {
allowBroken = false; allowBroken = false;
allowUnfree = true; allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate = permittedInsecurePackages = [];
pkg:
builtins.elem (lib.getName pkg) [
"electron-32.3.3"
"electron"
];
permittedInsecurePackages = [
"electron-32.3.3"
"electron"
];
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"
"aspell-dict-en-science"
];
}; };
home.keyboard = { home.keyboard = {
@ -53,7 +35,9 @@
programs.command-not-found.enable = true; programs.command-not-found.enable = true;
programs.fzf.enable = true; programs.fzf.enable = true;
home.packages = with pkgs; [ home.packages =
[]
++ (with pkgs; [
coreutils coreutils
vcsh vcsh
@ -93,5 +77,5 @@
usbutils usbutils
pciutils pciutils
]; ]);
} }
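Review bot: `home.packages = [] ++ (with pkgs; [ … ])` (right column, L2032–L2034) prepends an empty list for no effect; `home.packages = with pkgs; [ … ];` is equivalent and matches the other modules in this diff. `permittedInsecurePackages = [];` on L2010 is, as far as I recall, already the default and could be dropped rather than spelled out. The remainder of the package list and the module body lie outside the visible hunks.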


@ -1,4 +1,45 @@
_: { {
repoFlake,
pkgs,
config,
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
)
'';
vcshActivationScript = pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in {
# TODO: fix the dotfiles # TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript} # $DRY_RUN_CMD ${vcshActivationScript}
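Review bot: `repoBareLocal` (right column, L2054–L2067) is a fixed-output derivation whose `outputHash` is all zeros, so any build of it can only end in a hash mismatch; and nothing in the hunk consumes it, because the `home.activation.vcsh` entry that would run `vcshActivationScript` is commented out on L2087–L2088. Either record the hash Nix reports and re-enable the activation, or drop the derivation and script until the TODO is resolved. A `git clone --mirror` of a live repository is also a poor fixed-output input, since every new commit changes the output hash and invalidates the pin. Inside the script, the expansions in `set_remotes` and the directory test should be quoted (`"$1" "$2"`, `"$HOME/.config/vcsh/repo.d/dotfiles.git"`); the module body continues outside the hunk.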


@ -3,16 +3,14 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
... ...
}: }: let
let
repoBareLocal = repoBareLocal =
pkgs.runCommand "fetchbare" pkgs.runCommand "fetchbare"
{ {
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000"; outputHash = "0000000000000000000000000000000000000000000000000000";
} } ''
''
( (
set -xe set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
@ -21,7 +19,7 @@ let
) )
''; '';
in in
pkgs.writeScript "activation-script" '' pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s) export HOST=$(hostname -s)
function set_remotes { function set_remotes {
@ -39,4 +37,4 @@ pkgs.writeScript "activation-script" ''
${pkgs.vcsh}/bin/vcsh pull $HOST || true ${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh} set_remotes ${repoHttps} ${repoSsh}
fi fi
'' ''


@ -1,6 +1,16 @@
{ packages', ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
nodeFlake,
packages',
...
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in {
imports = [
../profiles/wayland-desktop.nix
];
home.packages = [ home.packages = [
# experimental WMs # experimental WMs
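Review bot: `pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}` (right column, L2134) evaluates a second nixpkgs tree, and it is not obvious from this hunk which `config` and overlays that tree receives — `callPackage` forwards only whatever `config`/`overlays` attributes `pkgs` happens to expose — so `allowUnfree` and `permittedInsecurePackages` from the main `pkgs` may not carry over to anything taken from it. Passing them explicitly, `import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }`, removes the guesswork. Neither `pkgsUnstable` nor the newly added `config`/`lib` arguments are referenced in the visible hunk; the module body continues outside it, so they may be used further down.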


@ -1,6 +1,13 @@
{ pkgs, ... }:
{ {
imports = [ ../profiles/wayland-desktop.nix ]; pkgs,
config,
lib,
...
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
services = { services = {
gnome-keyring.enable = false; gnome-keyring.enable = false;
@ -16,10 +23,9 @@
# Hidden=true # Hidden=true
# ''; # '';
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
dconf.settings = dconf.settings = let
let
manualKeybindings = [ manualKeybindings = [
{ {
binding = "Print"; binding = "Print";
@ -36,65 +42,68 @@
numWorkspaces = 10; numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( customKeybindingsNames =
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
); );
workspacesKeyBindingsOffset = builtins.length manualKeybindings; workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9] # with this we can make use of all number keys [0-9]
mapToNumber = mapToNumber = i:
i: if i < 10
if i < 10 then then i
i else if i == 10
else if i == 10 then then 0
0 else throw "i exceeds 10: ${i}";
else
throw "i exceeds 10: ${i}";
in in
{ {
"org/gnome/settings-daemon/plugins/media-keys" = { "org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = customKeybindingsNames; custom-keybindings = customKeybindingsNames;
screenreader = "@as []"; screenreader = "@as []";
screensaver = [ "<Alt><Super>l" ]; screensaver = ["<Alt><Super>l"];
}; };
# disable the builtin <Super>[1-9] functionality # disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs ( "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
(builtins.genList (i: { (i: {
name = "switch-to-application-${toString (i + 1)}"; name = "switch-to-application-${toString (i + 1)}";
value = [ ]; value = [];
}) numWorkspaces) })
numWorkspaces)
++ [ ++ [
{ {
name = "toggle-overview"; name = "toggle-overview";
value = [ ]; value = [];
} }
] ]);
);
# remap it to switching to the workspaces # remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "switch-to-workspace-${toString (i + 1)}"; name = "switch-to-workspace-${toString (i + 1)}";
value = [ "<Super>${toString (mapToNumber (i + 1))}" ]; value = [
}) numWorkspaces "<Super>${toString (mapToNumber (i + 1))}"
); ];
})
numWorkspaces);
} }
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString i}"; name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i; value = builtins.elemAt manualKeybindings i;
}) (builtins.length manualKeybindings) })
) (builtins.length manualKeybindings))
// builtins.listToAttrs ( // builtins.listToAttrs (builtins.genList
builtins.genList (i: { (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = { value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}"; binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}"; command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}"; name = "Send to workspace ${toString (i + 1)}";
}; };
}) numWorkspaces })
); numWorkspaces);
} }
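Review bot: `mapToNumber` (right column, L2178–L2183) interpolates the integer `i` straight into its error message, and Nix does not coerce integers to strings, so the `else` branch would fail with a coercion error instead of the intended message; it should read `else throw "i exceeds 10: ${toString i}";`. The left column has the same expression, so this is not introduced here. With `numWorkspaces = 10` the callers only ever pass 1–10, which is why the branch has gone unnoticed. `services.gpg-agent.pinentryFlavor = "gnome3"` on L2161 and `pinentryPackage` on the other side name different home-manager options, so whichever side is merged should match the home-manager release in use.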


@ -1,9 +1,14 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = ""; home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -ex set -ex
if test -f $HOME/.nix-channels; then if test -f $HOME/.nix-channels; then
echo Uninstalling available channels... echo Uninstalling available channels...
@ -17,6 +22,7 @@
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels rm $HOME/.nix-channels
fi fi
''}; ''
};
''; '';
} }


@ -1,14 +1,14 @@
{ pkgs, ... }: {
let pkgs,
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" '' audio = pkgs.writeShellScript "audio" ''
export PATH=${ export PATH=${
with pkgs; with pkgs;
lib.makeBinPath [ lib.makeBinPath [pulseaudio findutils gnugrep]
pulseaudio
findutils
gnugrep
]
}:$PATH }:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -33,7 +33,7 @@ let
terminalCommand = "${pkgs.alacritty}/bin/alacritty"; terminalCommand = "${pkgs.alacritty}/bin/alacritty";
dpmsScript = pkgs.writeShellScript "dpmsScript" '' dpmsScript = pkgs.writeShellScript "dpmsScript" ''
export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH
set -xe set -xe
@ -56,7 +56,7 @@ let
''; '';
screenLockCommand = pkgs.writeShellScript "screenLock" '' screenLockCommand = pkgs.writeShellScript "screenLock" ''
export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH
revert() { revert() {
${dpmsScript} default ${dpmsScript} default
@ -251,8 +251,7 @@ let
def print_new_window(window): def print_new_window(window):
print("new window: ", window) print("new window: ", window)
''; '';
in in {
{
services = { services = {
gnome-keyring.enable = true; gnome-keyring.enable = true;
blueman-applet.enable = true; blueman-applet.enable = true;
@ -287,7 +286,7 @@ in
networkmanagerapplet networkmanagerapplet
gnome-icon-theme gnome-icon-theme
gnome.gnome-themes-extra gnome.gnome-themes-extra
adwaita-icon-theme gnome.adwaita-icon-theme
lxappearance lxappearance
xorg.xcursorthemes xorg.xcursorthemes
pavucontrol pavucontrol
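Review bot: `export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute` (L2279, both columns) keys on `TEMPDIR`, which is not the conventional variable (`TMPDIR` is), so in practice the state file lands in the shared, world-writable `/tmp` under a predictable name. `''${XDG_RUNTIME_DIR:-/tmp}/.qtilemute` keeps it in the per-user runtime directory where it is neither shared nor predictable to other users. How `MUTEFILE` is read and written is outside the visible hunks. `mkSimpleTrayService` is imported on L2269 but not referenced in any visible hunk; the `let` continues outside them, so it may be used further down.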


@ -1,64 +1,62 @@
/*
TODO: create helper scripts for sharing of a screen portion
```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it
*/
{ {
pkgs, pkgs,
config, config,
lib, lib,
# packages', # packages',
repoFlakeInputs',
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in in {
{
imports = [ imports = [
../profiles/wayland-desktop.nix ../profiles/wayland-desktop.nix
../programs/waybar.nix ../programs/waybar.nix
# ../programs/salut.nix
]; ];
# TODO: autostart
# environment.loginShellInit = ''
# if [[ "$(tty)" == /dev/tty1 ]]; then
# echo starting sway..
# exec sway
# fi
# '';
services = {
# TODO: doesn't work with 2 screens
# flameshot.enable = true;
};
services.dunst = { services.dunst = {
enable = true; enable = true;
}; };
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryFlavor = "gnome3";
home.packages = [ home.packages = [
pkgs.swayidle pkgs.swayidle
pkgs.swaylock pkgs.swaylock
## themes ## themes
pkgs.adwaita-icon-theme pkgs.gnome.adwaita-icon-theme
pkgs.hicolor-icon-theme pkgs.hicolor-icon-theme
pkgs.gnome-icon-theme pkgs.gnome-icon-theme
## fonts ## fonts
# pkgs.nerd-fonts # TODO: reinstall selected ones
pkgs.dejavu_fonts # just a basic good fond pkgs.dejavu_fonts # just a basic good fond
pkgs.font-awesome_5 # needed by i3status-rust pkgs.font-awesome_5 # needed by i3status-rust
pkgs.nerdfonts
pkgs.font-awesome pkgs.font-awesome
pkgs.roboto pkgs.roboto
pkgs.ttf_bitstream_vera pkgs.ttf_bitstream_vera
pkgs.noto-fonts pkgs.noto-fonts
pkgs.noto-fonts-cjk
pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-sans
pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-cjk-serif
pkgs.noto-fonts-emoji pkgs.noto-fonts-emoji
@ -73,44 +71,26 @@ in
pkgs.dina-font pkgs.dina-font
pkgs.monoid pkgs.monoid
pkgs.hermit pkgs.hermit
### found on colemickens' repo # found on colemickens' repo
pkgs.gelasio # metric-compatible with Georgia pkgs.gelasio # metric-compatible with Georgia
pkgs.powerline-symbols pkgs.powerline-symbols
pkgs.iosevka-comfy.comfy-fixed pkgs.iosevka-comfy.comfy-fixed
## experimental stuff # experimental stuff
pkgs.fuzzel pkgs.fuzzel
]; ];
# TODO: configure kanshi to always set the 5K resolution
# DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)"
# Make: Philips Consumer Electronics Company
# Model: PHL 499P9
# Serial: AU02419010010
# Physical size: 1190x340 mm
# Enabled: yes
# Modes:
# 3840x1080 px, 59.967999 Hz (preferred)
# 5120x1440 px, 59.977001 Hz (current)
wayland.windowManager.sway = { wayland.windowManager.sway = {
enable = true; enable = true;
systemd.enable = true; systemd.enable = true;
xwayland = false; xwayland = true;
config = config = let
let
modifier = "Mod4"; modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config) inherit (config.wayland.windowManager.sway.config) left right up down;
left in {
right
up
down
;
in
{
inherit modifier; inherit modifier;
bars = [ ]; bars = [];
input = { input = {
"type:keyboard" = "type:keyboard" =
@ -118,20 +98,13 @@ in
xkb_layout = config.home.keyboard.layout; xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant; xkb_variant = config.home.keyboard.variant;
} }
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
}; };
"type:touchpad" = { "type:touchpad" = {
natural_scroll = "enabled"; natural_scroll = "enabled";
}; };
# alternatively run this command
# swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
# and then switch to a different VT (alt+ctrl+f2) and back
"1386:914:Wacom_Intuos_Pro_S_Pen" = {
tool_mode = "* relative";
};
}; };
keybindings = lib.mkOptionDefault { keybindings = lib.mkOptionDefault {
@ -158,8 +131,7 @@ in
"${modifier}+Control+Shift+Up" = "move workspace to output up"; "${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down"; "${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place. "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill"; "${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
@ -182,30 +154,28 @@ in
startup = startup =
[ [
{ {
command = builtins.toString ( command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
pkgs.writeShellScript "ensure-graphical-session" ''
( (
${pkgs.coreutils}/bin/sleep 0.2 ${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) & ) &
'' '');
);
} }
] ]
++ lib.optionals config.services.swayidle.enable [ ++ lib.optionals config.services.swayidle.enable [
{ {
command = builtins.toString ( command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
pkgs.writeShellScript "ensure-graphical-session" ''
( (
${pkgs.coreutils}/bin/sleep 0.2 ${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle ${pkgs.systemd}/bin/systemctl --user restart swayidle
) & ) &
'' '');
);
} }
]; ];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
window.titlebar = false; window.titlebar = false;
window.border = 4; window.border = 4;
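Review bot: The right column binds `${modifier}+Shift+e` to `exec ${pkgs.sway}/bin/swaymsg exit` with no confirmation (L2440), while the left column's comment on the same line records that the shortcut was being hit by accident. Routing it through the prompt sway's default config uses, `"${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaynag -t warning -m 'Exit sway?' -B 'Yes, exit' '${pkgs.sway}/bin/swaymsg exit'";`, keeps the binding but makes the exit deliberate. Separately, both `startup` entries (L2448 and L2460) call `pkgs.writeShellScript "ensure-graphical-session"` even though the second one restarts `swayidle`; giving it its own name such as `"restart-swayidle"` makes the store path and any log line identify which script ran. The sway config block continues outside the hunk.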


@ -1,14 +1,16 @@
{ {
pkgs, pkgs,
config,
lib, lib,
repoFlake, repoFlake,
nodeFlake,
... ...
}: }: let
let inherit (import ../lib.nix {}) mkSimpleTrayService;
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
in wayprompt = nixpkgs-wayland'.wayprompt;
{ in {
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null; # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -24,15 +26,14 @@ in
systemd.user.targets.tray = { systemd.user.targets.tray = {
Unit = { Unit = {
Description = "Home Manager System Tray"; Description = "Home Manager System Tray";
Requires = [ "graphical-session-pre.target" ]; Requires = ["graphical-session-pre.target"];
}; };
}; };
home.packages = home.packages = with pkgs;
with pkgs;
[ [
# required by network-manager-applet # required by network-manager-applet
networkmanagerapplet pkgs.networkmanagerapplet
wlr-randr wlr-randr
wayout wayout
@ -47,34 +48,29 @@ in
# TODO: whwat's this for? # TODO: whwat's this for?
# wltype # wltype
pavucontrol
playerctl
pasystray
qt5.qtwayland qt5.qtwayland
qt6.qtwayland qt6.qtwayland
# libsForQt5.qt5.qtwayland # libsForQt5.qt5.qtwayland
# libsForQt6.qt6.qtwayland # libsForQt6.qt6.qtwayland
# audio
playerctl
helvum
pasystray
sonusmix
pwvucontrol
# probably required by flameshot # probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr # xdg-desktop-portal xdg-desktop-portal-wlr
# grim # grim
waypipe
] ]
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) ++ (
lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64 # TODO: broken on aarch64
[ ] [
]
); );
home.sessionVariables = { home.sessionVariables = {
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
MOZ_ENABLE_WAYLAND = "1"; MOZ_ENABLE_WAYLAND = "1";
WLR_NO_HARDWARE_CURSORS = "1";
}; };
home.pointerCursor = { home.pointerCursor = {
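Review bot: Inside `home.packages = with pkgs; [ … ]` the entry `pkgs.networkmanagerapplet` (right column, L2504) carries a redundant `pkgs.` prefix; plain `networkmanagerapplet` matches its neighbours. The `++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) [ ])` tail (L2528–L2533) appends an empty list, so it can be dropped until the TODO names the packages it is meant to hold. `wayprompt` and `mkSimpleTrayService` are bound in the `let` (L2487–L2489) but not referenced in the visible hunks; the module body continues outside them, so they may be used further down.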


@ -3,15 +3,14 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let
extensions = extensions =
[ [
#undetectable adblocker #undetectable adblocker
{ id = "gcfcpohokifjldeandkfjoboemihipmb"; } {id = "gcfcpohokifjldeandkfjoboemihipmb";}
# ublock origin # ublock origin
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
# # YT ad block # # YT ad block
# {id = "cmedhionkhpnakcndndgjdbohmhepckk";} # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
@ -20,15 +19,15 @@ let
# {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
# Cookie Notice Blocker # Cookie Notice Blocker
{ id = "odhmfmnoejhihkmfebnolljiibpnednn"; } {id = "odhmfmnoejhihkmfebnolljiibpnednn";}
# i don't care about cookies # i don't care about cookies
{ id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } {id = "fihnjjcciajhdojfnbdddfaoknhalnja";}
# NopeCHA # NopeCHA
{ id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";}
# h264ify # h264ify
{ id = "aleakchihdccplidncghkekgioiakgal"; } {id = "aleakchihdccplidncghkekgioiakgal";}
# clippy # clippy
# {id = "honbeilkanbghjimjoniipnnehlmhggk"} # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
@ -39,43 +38,31 @@ let
} }
# cookie autodelete # cookie autodelete
{ id = "fhcgjolkccmbidfldomjliifgaodjagh"; } {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
# unhook # unhook
{ id = "khncfooichmfjbepaaaebmommgaepoid"; } {id = "khncfooichmfjbepaaaebmommgaepoid";}
] ]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs
{ id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet
{ id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet
{ id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C # Vimium C
{ id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
# TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report
# always right # always right
{ id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";}
# shazam music
{ id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]); ]);
in in {
{
programs.chromium = { programs.chromium = {
enable = true; enable = true;
inherit extensions; inherit extensions;
# TODO: extensions currently don't work with ungoogled-chromium
package = pkgs.chromium;
}; };
programs.brave = { programs.brave = {
# TODO: enable this on aarch64-linux # TODO: enable this on aarch64-linux
enable = true && !pkgs.stdenv.targetPlatform.isAarch64; enable =
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions; inherit extensions;
}; };
programs.browserpass = {browsers = ["chromium" "brave"];};
} }
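Review bot: `programs.browserpass = {browsers = ["chromium" "brave"];}` (right column, L2607) sets the browser list without `enable = true`; as far as I recall the home-manager browserpass module only installs the native-messaging host when enabled, so this line likely has no effect as written and should be `programs.browserpass = { enable = true; browsers = ["chromium" "brave"]; };`. On L2602–L2604 `enable = true && !pkgs.stdenv.targetPlatform.isAarch64;` reduces to `enable = !pkgs.stdenv.targetPlatform.isAarch64;`. The extension entries are bare Web Store ids, so each extension is fetched and auto-updated from the store rather than pinned; where a fixed version matters, the module's per-entry `version` and `crxPath` fields, if available in the home-manager release in use, allow pinning. The `extensions` list begins outside the visible hunks.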


@ -1,31 +1,19 @@
{ pkgs, ... }: {pkgs, ...}: {
{
services.espanso = { services.espanso = {
package = pkgs.espanso-wayland; # package = pkgs.espanso.overrideAttrs(_: {
# package = pkgs.espanso-wayland.overrideAttrs (_: { # # src =
# src = repoFlake.inputs.espanso; # })
enable = true;
# cargoLock = {
# # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock";
# lockFile = repoFlake.inputs.espanso + "/Cargo.lock";
# outputHashes = {
# "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU=";
# };
# };
# });
enable = false;
configs = { configs = {
default = { default = {
# backend = "Inject"; # backend = "Inject";
# backend = "Clipboard"; # backend = "Clipboard";
}; };
}; };
matches = matches = let
let playerctl = ''
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in in {
{
default = { default = {
matches = [ matches = [
{ {
@ -62,7 +50,10 @@
name = "output"; name = "output";
type = "script"; type = "script";
params = { params = {
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
}; };
} }
]; ];


@ -1,417 +1,6 @@
{ {pkgs, ...}: {
repoFlake, programs.librewolf = {enable = true;};
pkgs, programs.firefox = {enable = true;};
config,
lib,
...
}:
let
# Search extension names with below command:
# nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY
ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
# bypass-paywalls-clean (can't use, was creating popups) # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
consent-o-matic
terms-of-service-didnt-read
auto-tab-discard
# redirector # For nixos wiki
# darkreader
facebook-container
control-panel-for-twitter
# containerise
facebook-tracking-removal
vimium
cookie-autodelete
auto-tab-discard
istilldontcareaboutcookies
youtube-recommended-videos
display-_anchors
];
customAddons = [
];
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
};
mkProfile =
override:
lib.recursiveUpdate {
extensions = ryceeAddons ++ customAddons;
inherit search;
settings = {
# automatically enable extensions
"extensions.autoDisableScopes" = 0;
"middlemouse.paste" = false;
"browser.download.useDownloadDir" = false;
"browser.tabs.insertAfterCurrent" = true;
"browser.tabs.warnOnClose" = true;
"browser.toolbars.bookmarks.visibility" = "never";
"browser.quitShortcut.disabled" = false;
# restore the previous session automatically
"browser.startup.page" = 3;
"browser.sessionstore.resume_from_crash" = true;
"browser.sessionstore.restore_pinned_tabs_on_demand" = true;
"browser.sessionstore.restore_on_demand" = true;
"browser.urlbar.suggest.bookmark" = true;
"browser.urlbar.suggest.engines" = true;
"browser.urlbar.suggest.history" = true;
"browser.urlbar.suggest.openpage" = true;
"browser.urlbar.suggest.topsites" = false;
"browser.urlbar.trimHttps" = true;
"sidebar.position_start" = false;
"findbar.highlightAll" = true;
"browser.tabs.hoverPreview.enabled" = true;
# Disable fx accounts
"identity.fxaccounts.enabled" = false;
# Disable "save password" prompt
"signon.rememberSignons" = false;
# Harden
"privacy.trackingprotection.enabled" = true;
"dom.security.https_only_mode" = true;
# Disable irritating first-run stuff
"browser.disableResetPrompt" = true;
"browser.download.panel.shown" = true;
"browser.feeds.showFirstRunUI" = false;
"browser.messaging-system.whatsNewPanel.enabled" = false;
"browser.rights.3.shown" = true;
"browser.shell.checkDefaultBrowser" = false;
"browser.shell.defaultBrowserCheckCount" = 1;
"browser.startup.homepage_override.mstone" = "ignore";
"browser.uitour.enabled" = false;
"startup.homepage_override_url" = "";
"trailhead.firstrun.didSeeAboutWelcome" = true;
"browser.bookmarks.restore_default_bookmarks" = false;
"browser.bookmarks.addedImportButton" = true;
# Disable "Save to Pocket" or Pocket entirely
"extensions.pocket.enabled" = false;
# Disable telemetry
"toolkit.telemetry.enabled" = false;
"toolkit.telemetry.unified" = false;
"toolkit.telemetry.archive.enabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"app.shield.optoutstudies.enabled" = false;
"browser.discovery.enabled" = false;
"browser.newtabpage.activity-stream.feeds.telemetry" = false;
"browser.newtabpage.activity-stream.telemetry" = false;
"browser.ping-centre.telemetry" = false;
"datareporting.healthreport.service.enabled" = false;
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.sessions.current.clean" = true;
"devtools.onboarding.telemetry.logged" = false;
"toolkit.telemetry.bhrPing.enabled" = false;
"toolkit.telemetry.firstShutdownPing.enabled" = false;
"toolkit.telemetry.hybridContent.enabled" = false;
"toolkit.telemetry.newProfilePing.enabled" = false;
"toolkit.telemetry.prompted" = 2;
"toolkit.telemetry.rejected" = true;
"toolkit.telemetry.reportingpolicy.firstRun" = false;
"toolkit.telemetry.server" = "";
"toolkit.telemetry.shutdownPingSender.enabled" = false;
"toolkit.telemetry.unifiedIsOptIn" = false;
"toolkit.telemetry.updatePing.enabled" = false;
# Disable any feeds on the new tab page
"browser.newtabpage.activity-stream.showTopSites" = false;
"browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ];
"browser.newtabpage.activity-stream.discoverystream.enabled" = false;
"browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false;
"browser.newtabpage.blocked" = lib.genAttrs [
# Youtube
"26UbzFJ7qT9/4DhodHKA1Q=="
# Facebook
"4gPpjkxgZzXPVtuEoAL9Ig=="
# Wikipedia
"eV8/WsSLxHadrTL1gAxhug=="
# Reddit
"gLv0ja2RYVgxKdp0I5qwvA=="
# Amazon
"K00ILysCaEq8+bEqV/3nuw=="
# Twitter
"T9nJot5PurhJSy8n038xGA=="
] (_: 1);
"browser.topsites.blockedSponsors" = [
"adidas"
"temuaffiliateprogram.pxf"
"s.click.aliexpress"
];
# enable userChrome
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"devtools.chrome.enabled" = true;
"devtools.debugger.remote-enabled" = true;
# disable translations for some languages
"browser.translations.neverTranslateLanguages" = [
"en"
"de"
];
"browser.translations.automaticallyPopup" = false;
# enable pipewire (and libcamera) sources
"media.webrtc.camera.allow-pipewire" = true;
};
userChrome =
let
name = override.color or colors.grey;
value = colorValues."${name}".normal;
valueBright = colorValues."${name}".highlight;
valueDark = colorValues."${name}".inactive;
in
''
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */
#nav-bar {
background-color: ${value} !important;
color: black !important;
}
/* don't show close button on background tabs */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button {
display: none !important;
}
/* show close button on hover */
#tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
display: -moz-inline-box !important;
}
/* default */
#TabsToolbar {
background: ${valueDark} !important;
}
/* default tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content {
background: ${value} !important;
opacity: 0.8
}
/* selected tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content {
background: ${valueBright} !important;
box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19);
}
/* hovered tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content {
background: ${valueBright} !important;
}
/* unloaded/pending tab */
#TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content {
background: ${valueDark} !important;
}
'';
# /* new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon {
# background: unset !important;
# }
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button {
# /* background: var(--default_tabs_bg_newtab) !important;
# }
# /* hovered new tab */
# #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover {
# background: var(--default_tabs_bg_newtab_hovered) !important;
# }
} (builtins.removeAttrs override [ "color" ]);
# TODO: insert the id automatically
mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;
colors = builtins.mapAttrs (name: _: name) colorValues;
colorValues = {
blue = {
normal = "#49b1fc";
highlight = "#05a9fc"; # Brighter blue
inactive = "#1f81c6"; # Darker blue
};
green = {
normal = "#51cd00";
highlight = "#5ae200"; # Brighter green
inactive = "#45ad00"; # Darker green
};
orange = {
normal = "#ff9800";
highlight = "#ffb74d"; # Brighter orange
inactive = "#c76a00"; # Darker orange
};
red = {
normal = "#f6685e";
highlight = "#ff4336"; # Brighter red
inactive = "#aa463f"; # Darker red
};
yellow = {
normal = "#fced4b";
highlight = "#fce705"; # Brighter yellow
inactive = "#dbbe00"; # Darker yellow
};
purple = {
normal = "#9c27b0";
highlight = "#ab47bc"; # Brighter purple
inactive = "#7b1fa2"; # Darker purple
};
pink = {
normal = "#e91e63";
highlight = "#ff6090"; # Brighter pink
inactive = "#c2185b"; # Darker pink
};
brown = {
normal = "#795548";
highlight = "#a88b6f"; # Brighter brown
inactive = "#4e3b30"; # Darker brown
};
grey = {
normal = "#9e9e9e";
highlight = "#bdbdbd"; # Brighter grey
inactive = "#757575"; # Darker grey
};
teal = {
normal = "#009688";
highlight = "#26c6da"; # Brighter teal
inactive = "#00796b"; # Darker teal
};
};
in
{
nixpkgs.overlays = [
repoFlake.inputs.nur.overlays.default
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"youtube-recommended-videos"
];
programs.librewolf = {
enable = false;
};
programs.firefox = {
enable = true;
package = pkgs.firefox-esr;
profiles = mkProfiles {
"personal" = mkProfile {
id = 0;
isDefault = true;
color = colors.blue;
};
"comms" = mkProfile {
id = 1;
color = colors.blue;
};
"admin" = mkProfile {
id = 2;
color = colors.blue;
};
"infra" = mkProfile {
id = 3;
color = colors.blue;
};
"finance" = mkProfile {
id = 4;
color = colors.yellow;
};
"business-admin" = mkProfile {
id = 5;
color = colors.teal;
};
"business-comms" = mkProfile {
id = 6;
color = colors.teal;
};
"business-dev" = mkProfile {
id = 7;
color = colors.teal;
};
"holo-dev" = mkProfile {
id = 8;
color = colors.green;
};
"holo-infra" = mkProfile {
id = 9;
color = colors.green;
};
"holo-comms" = mkProfile {
id = 10;
color = colors.green;
};
"justyna" = mkProfile {
id = 11;
color = colors.pink;
};
"justyna-office" = mkProfile {
id = 12;
color = colors.pink;
};
};
};
# create one desktop entry for each profile
xdg.desktopEntries = lib.mapAttrs' (
k: _v:
lib.nameValuePair "firefox-profile-${k}" {
categories = [
"Network"
"WebBrowser"
];
exec = "${lib.getExe config.programs.firefox.package} -P ${k}";
genericName = "Web Browser";
icon =
builtins.replaceStrings [ ".desktop" ] [ "" ]
config.programs.firefox.package.desktopItem.name;
mimeType = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
name = "Firefox: ${k}";
startupNotify = true;
settings.StartupWMClass =
# To group windows of different profiles.
# Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name.
#if profile.name == "default"
#then "firefox"
#else "firefox-${profile.name}";
"firefox";
terminal = false;
type = "Application";
}
) config.programs.firefox.profiles;
} }


@ -1,17 +1,29 @@
{ lib, pkgs, osConfig, ... }:
{ {
home.packages = [ pkgs.gcr ]; lib,
pkgs,
config,
...
}: {
home.packages =
[
pkgs.gcr
]
++ (
if config.services.gpg-agent.pinentryFlavor == "gtk2"
then [pkgs.pinentry-gtk2]
else if config.services.gpg-agent.pinentryFlavor == "gnome3"
then [pkgs.pinentry-gnome]
else []
);
programs.gpg.enable = true; programs.gpg.enable = true;
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableScDaemon = !osConfig.services.pcscd.enable; enableScDaemon = true;
enableSshSupport = true; enableSshSupport = true;
grabKeyboardAndMouse = true; grabKeyboardAndMouse = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; pinentryFlavor = lib.mkDefault "gtk2";
extraConfig = '' extraConfig = "";
no-allow-external-cache
'';
defaultCacheTtl = 0; defaultCacheTtl = 0;
maxCacheTtl = 0; maxCacheTtl = 0;
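Review bot: `enableScDaemon = true;` on the new side starts gpg-agent's scdaemon unconditionally, whereas the other column gates it on `!osConfig.services.pcscd.enable` so that the agent and a host pcscd do not both claim the smartcard; keep that guard (the module would then need `osConfig` back in its argument set, which the new side replaced with `config`). The new side also turns the `extraConfig` that carried `no-allow-external-cache` into `extraConfig = "";`, which lets pinentry offer to store the passphrase in an external keyring and works against the `defaultCacheTtl = 0; maxCacheTtl = 0;` intent of not caching passphrases at all. The `services.gpg-agent` attrset continues past the visible hunk.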


@ -1,9 +1,15 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -e set -e
echo home-manager path is ${config.home.path} echo home-manager path is ${config.home.path}
echo home is $HOME echo home is $HOME
@ -14,12 +20,13 @@
# echo Updating homeshick # echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''}; ''
};
''; '';
nixpkgs.config = { nixpkgs.config = {
packageOverrides = packageOverrides = pkgs:
pkgs: with pkgs; { with pkgs; {
homeshick = builtins.fetchGit { homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git"; url = "https://github.com/andsens/homeshick.git";
ref = "master"; ref = "master";
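Review bot: `homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; … }` in `packageOverrides` tracks a moving branch, so the shell code that `home.activation.bootstrapRepos` runs from `${pkgs.homeshick}` can differ between two evaluations of the same configuration, and a force-pushed or compromised upstream branch would land here without any review. Unless a `rev = "…";` follows on a line outside this hunk, pin one (`rev = "<commit>";` next to `ref`) and say so in the existing `# TODO: clean up the impurity in here` comment. The `packageOverrides` function continues past the last visible line.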


@ -1,8 +1,3 @@
{ pkgs, nodeFlake, ... }: {pkgs, ...}: {
home.packages = with pkgs; [libreoffice-fresh];
let
pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system};
in
{
home.packages = [ pkgsStable.libreoffice ];
} }


@ -1,161 +1,131 @@
{ repoFlake, pkgs, ... }:
{ {
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; pkgs,
lib,
...
}: let
in {
# FIXME: this doesn't work
home.sessionVariables.EDITOR = "nvim";
programs.nixvim = { programs.neovim = {
enable = true;
defaultEditor = true;
vimdiffAlias = true;
vimAlias = true;
extraPython3Packages = ps: with ps; [ ];
# extraConfigVim = builtins.readFile ./neovim/vimrc;
clipboard = {
register = "unnamedplus";
providers.wl-copy.enable = true;
};
plugins = {
airline = {
enable = true;
settings = {
powerline_fonts = 1;
skip_empty_sections = 1;
theme = "papercolor";
};
};
fugitive.enable = true;
gitblame.enable = true;
lsp = {
enable = true;
};
nix.enable = true;
# TODO: enable in next release
# numbertoggle.enable = true;
# successfor to ctrlp and fzf
telescope.enable = true;
todo-comments.enable = true;
toggleterm.enable = true;
treesitter = {
enable = true; enable = true;
grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ extraPython3Packages = ps: with ps; [];
bash
json extraConfig = builtins.readFile ./neovim/vimrc;
lua
make plugins = with pkgs;
markdown [
nix # yaml-folds
regex {
toml plugin = vimUtils.buildVimPlugin {
vim name = "vim-yaml-folds";
vimdoc src = fetchFromGitHub {
xml owner = "pedrohdz";
yaml repo = "vim-yaml-folds";
]; rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a";
sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m";
}; };
buildInputs = [zip vim];
treesitter-context.enable = true;
treesitter-refactor.enable = true;
# This plugin trims trailing whitespace and lines.
trim.enable = true;
}; };
}
# plugins = with pkgs; {
# [ plugin = vimUtils.buildVimPlugin {
# # yaml-folds name = "vim-yaml";
src = fetchFromGitHub {
owner = "stephpy";
repo = "vim-yaml";
rev = "e97e063b16eba4e593d620676a0a15fa98613979";
sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
};
};
}
# broken 2021-06-08
# { # {
# plugin = vimUtils.buildVimPlugin { # plugin = vimUtils.buildVimPlugin {
# name = "vim-yaml-folds"; # name = "vim-markdown-toc";
# src = fetchFromGitHub { # src = fetchFromGitHub {
# owner = "pedrohdz"; # owner = "mzlogin";
# repo = "vim-yaml-folds"; # repo = "vim-markdown-toc";
# rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638";
# sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz";
# };
# buildInputs = [zip vim];
# };
# }
# {
# plugin = vimUtils.buildVimPlugin {
# name = "vim-yaml";
# src = fetchFromGitHub {
# owner = "stephpy";
# repo = "vim-yaml";
# rev = "e97e063b16eba4e593d620676a0a15fa98613979";
# sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
# }; # };
# }; # };
# } # }
# broken 2021-06-08
# { # {
# plugin = vimUtils.buildVimPlugin { # plugin = vimUtils.buildVimPlugin {
# name = "git-blame"; # name = "vim-perl";
# src = fetchFromGitHub { # src = fetchFromGitHub {
# "owner" = "zivyangll"; # owner = "vim-perl";
# "repo" = "git-blame.vim"; # repo = "vim-perl";
# "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; # rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb";
# "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr";
# }; # };
# }; # };
# } # }
# ]
# ++ (with pkgs.vimPlugins; [
# delimitMate
# vim-airline
# vim-airline-themes
# ctrlp
# vim-css-color
# rainbow_parentheses
# vim-colorschemes
# vim-colorstepper
# vim-signify
# fugitive
# vim-indent-guides
# UltiSnips
# fzfWrapper
# ncm2 {
# ncm2-bufword plugin = vimUtils.buildVimPlugin {
# ncm2-path name = "git-blame";
# ncm2-tmux src = fetchFromGitHub {
# ncm2-ultisnips "owner" = "zivyangll";
# nvim-yarp "repo" = "git-blame.vim";
"rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917";
"sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j";
};
};
}
]
++ (with pkgs.vimPlugins; [
delimitMate
vim-airline
vim-airline-themes
ctrlp
vim-css-color
rainbow_parentheses
vim-colorschemes
vim-colorstepper
vim-signify
fugitive
vim-indent-guides
UltiSnips
fzfWrapper
# LanguageClient-neovim ncm2
ncm2-bufword
ncm2-path
ncm2-tmux
ncm2-ultisnips
nvim-yarp
# Improved-AnsiEsc LanguageClient-neovim
# tabular
# # Nix Improved-AnsiEsc
# vim-addon-nix tabular
# tlib
# vim-addon-vim2nix
# # LaTeX # Nix
# vim-latex-live-preview vim-addon-nix
# vimtex tlib
vim-addon-vim2nix
# # YAML # LaTeX
# vim-yaml vim-latex-live-preview
vimtex
# # markdown # YAML
# vim-markdown vim-yaml
# vim-markdown-toc
# # misc syntax support # markdown
# vim-bazel vim-markdown
# maktaba vim-markdown-toc
# ]);
# misc syntax support
vim-bazel
maktaba
]);
}; };
} }
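Review bot: The new side's `plugins = with pkgs; [` list interleaves live `vimUtils.buildVimPlugin` entries with fully commented-out ones (the `# broken 2021-06-08` blocks for vim-markdown-toc and vim-perl), which makes it hard to see what is actually installed; git history already keeps those definitions, so delete them or collect them into one trailing comment. The live plugins are pinned by `rev` plus `sha256`, which is the right shape for fetched sources and worth keeping as-is. If the `# FIXME: this doesn't work` above `home.sessionVariables.EDITOR = "nvim";` belongs to the new side, a sentence stating what fails would save the next reader a debugging round.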


@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
\ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'dir': '\v[\/]\.(git|hg|svn)$$',
\ 'file': '\v\.(exe|so|dll)$$', \ 'file': '\v\.(exe|so|dll)$$',
\ } \ }
"let g:ctrlp_max_files=0 let g:ctrlp_max_files=0
"let g:ctrlp_max_depth=1000 let g:ctrlp_max_depth=1000
"let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
"let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'


@ -1,25 +0,0 @@
{ pkgs, lib, ... }:
{
programs.obs-studio = {
enable = true;
plugins =
builtins.map
(
plugin:
(plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [
{ inherit (attrs) meta; }
{ meta.platforms = [ pkgs.stdenv.system ]; }
];
}))
)
(
with pkgs.obs-studio-plugins;
[
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]
);
};
}


@ -1,37 +0,0 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
home.packages = [
pkgs.nil
pkgs.nixd
pkgs.nixfmt-rfc-style
# TODO: automate linking this
# 1. get the commit with: `codium --version`
# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/*
e.g.:
```
(
set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
)
```
*/
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
}))
pkgs.waypipe
];
}


@ -1,5 +1,8 @@
{ repoFlake, pkgs, ... }:
{ {
repoFlake,
pkgs,
...
}: {
# required by pass-otp # required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
@ -7,6 +10,7 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
gnupg gnupg
pass
# broken on wayland # broken on wayland
# rofi-pass # rofi-pass


@ -4,8 +4,7 @@
pkgs, pkgs,
osConfig, osConfig,
... ...
}: }: let
let
libdecsync = pkgs.python3Packages.buildPythonPackage rec { libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync"; pname = "libdecsync";
version = "2.2.1"; version = "2.2.1";
@ -39,18 +38,18 @@ let
# pkgs.libxcrypt # pkgs.libxcrypt
]; ];
propagatedBuildInputs = [ propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
libdecsync
pkgs.python3Packages.setuptools
];
}; };
radicale-decsync = pkgs.radicale.overrideAttrs (old: { radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
}); });
mkRadicaleService = mkRadicaleService = {
{ suffix, port }: suffix,
let port,
}: let
radicale-config = pkgs.writeText "radicale-config-${suffix}" '' radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server] [server]
hosts = localhost:${builtins.toString port} hosts = localhost:${builtins.toString port}
@ -65,19 +64,18 @@ let
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
''; '';
in in {
{
systemd.user.services."radicale-${suffix}" = { systemd.user.services."radicale-${suffix}" = {
Unit.Description = "Radicale with DecSync (${suffix})"; Unit.Description = "Radicale with DecSync (${suffix})";
Service = { Service = {
ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
Restart = "on-failure"; Restart = "on-failure";
}; };
Install.WantedBy = [ "default.target" ]; Install.WantedBy = ["default.target"];
}; };
}; };
in in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
{ {
suffix = "personal"; suffix = "personal";
port = 5232; port = 5232;
@ -86,4 +84,4 @@ builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { }
suffix = "family"; suffix = "family";
port = 5233; port = 5233;
} }
] ]


@ -1,26 +1,21 @@
_:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{ {
pkgs,
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
services.gammastep = { services.gammastep = {
enable = true; enable = true;
provider = "manual";
enableVerboseLogging = true;
inherit (passwords.location.stefan) longitude latitude; inherit (passwords.location.stefan) longitude latitude;
temperature = { temperature = {
# day = 6700; day = 6700;
day = 3000;
night = 3000; night = 3000;
}; };
tray = true; tray = true;
settings = { settings = {
general = {
adjustment-method = "wayland";
};
gammastep = { gammastep = {
# brightness-day = 1.0; brightness-day = 1.0;
brightness-day = 0.5;
brightness-night = 0.5; brightness-night = 0.5;
}; };
}; };
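Review bot: `inherit (passwords.location.stefan) longitude latitude;` reads coordinates out of `../../variables/passwords.crypt.nix` and renders them into the gammastep configuration, which home-manager presumably writes under the Nix store where every local user can read it; if the coordinates are sensitive enough to live in the encrypted file, they should not end up in a store path (a file read at runtime, or a coarser location, avoids that). On the new side the module also binds `pkgs` and `config` without using either in the visible hunk; `_:` as on the other column, or only the names actually needed, would be cleaner.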


@ -1,11 +1,18 @@
{ pkgs, packages', ... }: {
pkgs,
config,
lib,
packages',
...
}:
# useful testing command: # useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let let
inherit (import ../lib.nix { }) mkSimpleTrayService; inherit (import ../lib.nix {}) mkSimpleTrayService;
in in {
{ home.packages = [
home.packages = [ packages'.salut ]; packages'.salut
];
xdg.configFile."salut/config.ini" = { xdg.configFile."salut/config.ini" = {
enable = true; enable = true;
@ -27,5 +34,7 @@ in
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
}; };
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; systemd.user.services.salut = mkSimpleTrayService {
execStart = "${packages'.salut}/bin/salut";
};
} }


@ -1,35 +1,32 @@
{ {
config,
pkgs, pkgs,
repoFlake, nodeFlake,
lib,
... ...
}: }: {
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgsVscodium.vscodium; package = pkgs.vscodium;
extensions = extensions =
with pkgsVscodium.vscode-extensions;
[ [
# TODO: how can i install (this) vsix(s) directly?
# (builtins.fetchurl {
# # https://open-vsx.org/extension/jeanp413/open-remote-ssh
# url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix";
# sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
]
++ (with pkgs.vscode-extensions; [
bbenoist.nix
eamodio.gitlens eamodio.gitlens
mkhl.direnv mkhl.direnv
jnoortheen.nix-ide
tomoki1207.pdf tomoki1207.pdf
vscodevim.vim vscodevim.vim
# bbenoist.nix
jnoortheen.nix-ide
ms-vscode.theme-tomorrowkit ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme nonylene.dark-molokai-theme
ms-python.vscode-pylance
# TODO: these are not in nixpkgs # TODO: these are not in nixpkgs
# fredwangwang.vscode-hcl-format # fredwangwang.vscode-hcl-format
# hashicorp.hcl # hashicorp.hcl
# mindaro-dev.file-downloader # mindaro-dev.file-downloader
@ -37,96 +34,11 @@ in
# TODO: not compatible with vscodium # TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh # ms-vscode-remote.remote-ssh
] ]);
++ (
let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in
with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release;
[
serayuzgur.crates
rust-lang.rust-analyzer
swellaby.vscode-rust-test-adapter
tamasfe.even-better-toml
golang.go
jeff-hykin.better-go-syntax
blueglassblock.better-json5
nefrob.vscode-just-syntax
# fabianlauer.vs-code-xml-format
bierner.emojisense
]
)
++ (
let
nix4vscodeToml = pkgs.writeText "nix4vscode.toml" ''
vscode_version = "${config.programs.vscode.package.version}"
[[extensions]]
publisher_name = "FelixZeller"
extension_name = "markdown-oxide"
[[extensions]]
publisher_name = "ibecker"
extension_name = "treefmt-vscode"
[[extensions]]
publisher_name = "AntiAntiSepticeye"
extension_name = "vscode-color-picker"
# [[extensions]]
# publisher_name = "nefrob"
# extension_name = "vscode-just-syntax"
[[extensions]]
publisher_name = "fabianlauer"
extension_name = "vs-code-xml-format"
'';
nix4vscodeNix =
pkgs.runCommand "nix4vscode.nix"
{
# nix4vscode needs internet access
__noChroot = true;
requiredSystemFeatures = [ "recursive-nix" ];
buildInputs = [
pkgs.nix
pkgs.cacert
(pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { })
# pkgs.strace
];
# outputHashAlgo = "sha256";
# outputHashMode = "recursive";
# outputHash = lib.fakeSha256;
}
''
# set -x
# export RUST_BACKTRACE=full
# export RUST_LOG=trace
export HOME=$(mktemp -d)
# strace -ffZyyY
nix4vscode ${nix4vscodeToml} > $out
'';
nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [
"override"
"overrideDerivation"
];
nix4vscodeExtensions' = lib.attrsets.mapAttrsToList (
_: v: builtins.head (builtins.attrValues v)
) nix4vscodeExtensions;
in
nix4vscodeExtensions'
);
mutableExtensionsDir = true; mutableExtensionsDir = true;
}; };
home.packages = [ home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra];
pkgs.nil
pkgs.nixfmt-rfc-style
];
} }
# TODO: automate # TODO: automate
### original list: ### original list:
@ -202,3 +114,4 @@ in
# xyz.plsql-language # xyz.plsql-language
# yzane.markdown-pdf # yzane.markdown-pdf
# zxh404.vscode-proto3 # zxh404.vscode-proto3


@ -1,3 +1,4 @@
#custom-cputemp { #custom-cputemp {
padding: 0 10px; padding: 0 10px;
background-color: #f0932b; background-color: #f0932b;


@ -1,5 +1,9 @@
{ pkgs, repoFlake, ... }:
{ {
pkgs,
config,
repoFlake,
...
}: {
home.packages = [ home.packages = [
# required by any bar that has a tray plugin # required by any bar that has a tray plugin
pkgs.libappindicator-gtk3 pkgs.libappindicator-gtk3
@ -8,18 +12,17 @@
programs.waybar = { programs.waybar = {
enable = true; enable = true;
package = package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; style =
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true; systemd.enable = true;
settings = { settings = {
mainBar = { mainBar = {
layer = "top"; layer = "top";
position = "bottom"; position = "bottom";
height = 30; height = 30;
output = output = ["*"];
# hide the bar on HEADDLESS displays as i use them only for screensharing
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
# output = [ # output = [
# "eDP-1" # "eDP-1"
# "DP-*" # "DP-*"


@ -3,10 +3,8 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let just-plugin = let
just-plugin =
let
plugin_file = pkgs.writeText "_just" '' plugin_file = pkgs.writeText "_just" ''
#compdef just #compdef just
#autload #autload
@ -37,8 +35,7 @@ let
chmod --recursive a-w $out chmod --recursive a-w $out
''; '';
}; };
in in {
{
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -49,11 +46,9 @@ in
# will be called again by oh-my-zsh # will be called again by oh-my-zsh
enableCompletion = false; enableCompletion = false;
enableAutosuggestions = true; enableAutosuggestions = true;
initExtra = initExtra = let
let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in in ''
''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR unset TMPDIR
fi fi
@ -74,13 +69,12 @@ in
fi fi
${ ${
if builtins.hasAttr "homeshick" pkgs then if builtins.hasAttr "homeshick" pkgs
'' then ''
source ${pkgs.homeshick}/homeshick.sh source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath) fpath=(${pkgs.homeshick}/completions $fpath)
'' ''
else else ""
""
} }
# Disable intercepting of ctrl-s and ctrl-q as flow control. # Disable intercepting of ctrl-s and ctrl-q as flow control.
@ -134,10 +128,7 @@ in
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
theme = "tjkirch"; theme = "tjkirch";
plugins = [ plugins = ["git" "sudo"];
"git"
"sudo"
];
}; };
}; };
} }
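Review bot: The guard `if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then unset TMPDIR; fi` in `initExtra` is redundant — `-z "$TMPDIR"` already implies `! -n "$TMPDIR"` — and the double negative hides what it protects against; `if [[ -z "$TMPDIR" ]]; then unset TMPDIR; fi` preceded by `# an empty TMPDIR is worse than an unset one: drop it so tools fall back to their default` says the same thing and why. Since `source ${pkgs.homeshick}/homeshick.sh` runs in every interactive shell, the trust placed in whatever pins `pkgs.homeshick` is worth a comment here too. The `initExtra` string continues beyond the visible hunks.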


@ -1,8 +1,7 @@
{ lib, ... }: {lib, ...}: {
{
options.flake.colmena = lib.mkOption { options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified; # type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw; type = lib.types.raw;
default = { }; default = {};
}; };
} }


@ -1,8 +1,13 @@
{ pkgs, ... }:
{ {
inputs',
system,
config,
lib,
pkgs,
...
}: {
packages = { packages = {
myPython = pkgs.python310.withPackages ( myPython = pkgs.python310.withPackages (ps:
ps:
with ps; with ps;
[ [
pep8 pep8
@ -28,10 +33,6 @@
pyaml pyaml
requests requests
] ]
++ [ ++ [pkgs.pypi2nix pkgs.libffi]);
pkgs.pypi2nix
pkgs.libffi
]
);
}; };
} }
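Review bot: The new side's argument set `{ inputs', system, config, lib, pkgs, ... }:` binds four names (`inputs'`, `system`, `config`, `lib`) that the visible hunks never use; unused bindings suggest dependencies the module does not have, so trim it to `{ pkgs, ... }:` unless the part of `packages` elided between the two hunks needs them. The `packages` attrset is split across the hunks, so its middle is not visible here.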


@ -1,12 +1,14 @@
# WARN: this file will get overwritten by $ cachix use <name> # WARN: this file will get overwritten by $ cachix use <name>
{ lib, ... }: {
let pkgs,
lib,
...
}: let
folder = ./cachix; folder = ./cachix;
toImport = name: _value: folder + ("/" + name); toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in in {
{
inherit imports; inherit imports;
nix.settings.substituters = [ "https://cache.nixos.org/" ]; nix.settings.substituters = ["https://cache.nixos.org/"];
} }


@ -1,6 +1,8 @@
{ {
nix = { nix = {
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.substituters = [
"https://nixpkgs-wayland.cachix.org"
];
settings.trusted-public-keys = [ settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
]; ];


@ -0,0 +1,87 @@
{
hostAddress,
localAddress,
containerBackupCfg,
sshPort ? containerBackupCfg.portInt,
autoStart ? false,
}: {
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = false;
# services.ddclientovh = {
# enable = true;
# domain = containerBackupCfg.addr;
# };
services.openssh.enable = true;
users.extraUsers."${containerBackupCfg.user}" = {
uid = 2000;
group = containerBackupCfg.group;
shell = pkgs.bashInteractive;
home = "/${containerBackupCfg.targetPath}";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 bkp"
];
packages = with pkgs; [btrfs-progs];
isSystemUser = true;
};
security.sudo = {
enable = true;
extraRules = [
{
users = ["bkp"];
commands = [
{
command = "/etc/profiles/per-user/bkp/bin/btrfs";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/readlink";
options = ["NOPASSWD"];
}
{
command = "/run/current-system/sw/bin/test";
options = ["NOPASSWD"];
}
];
}
];
};
};
inherit autoStart;
bindMounts = {
"/${containerBackupCfg.targetPath}" = {
hostPath = "/var/lib/container-volumes/backup-target";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true;
forwardPorts = [
{
# ssh
containerPort = 22;
hostPort = sshPort;
protocol = "tcp";
}
];
inherit hostAddress localAddress;
}
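Review bot: The sudo rule and command path hard-code the account name (`users = ["bkp"];`, `command = "/etc/profiles/per-user/bkp/bin/btrfs";`) while the account itself is created as `users.extraUsers."${containerBackupCfg.user}"`, so any `containerBackupCfg.user` other than `bkp` leaves the NOPASSWD rule pointing at a user that does not exist and the per-user profile path unresolved; use `users = [containerBackupCfg.user];` and `command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";` so both follow the one value. With `networking.firewall.enable = false;` the forwarded port 22 is guarded only by sshd itself, and since the account is key-only via `openssh.authorizedKeys.keys`, state that explicitly with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` rather than relying on `../profiles/containers/configuration.nix`, whose contents are not visible here. The NOPASSWD grant on `btrfs` covers every subcommand; if the backup flow only needs `btrfs receive` and `btrfs subvolume …`, restricting the sudoers command arguments narrows what a leaked `bkp` key could do.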


@ -5,23 +5,16 @@
subvolumes, subvolumes,
targetPathSuffix ? "", targetPathSuffix ? "",
autoStart ? false, autoStart ? false,
}: }: let
let
passwords = import ../../variables/passwords.crypt.nix; passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes"; subvolumeParentDir = "/var/lib/container-volumes";
in in {
{ config = {pkgs, ...}: {
config =
{ pkgs, ... }:
{
system.stateVersion = "20.03"; # Did you read the comment? system.stateVersion = "20.03"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ]; imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [btrfs-progs btrbk];
btrfs-progs
btrbk
];
networking.firewall.enable = true; networking.firewall.enable = true;
@ -29,15 +22,13 @@ in
enable = true; enable = true;
description = "bkp-sync service"; description = "bkp-sync service";
serviceConfig = { serviceConfig = {Type = "oneshot";};
Type = "oneshot";
};
after = [ "bkp-run.service" ]; after = ["bkp-run.service"];
requires = [ "bkp-run.service" ]; requires = ["bkp-run.service"];
path = with pkgs; [ utillinux ]; path = with pkgs; [utillinux];
script = '' script = ''
set -x set -x
true true
@ -48,20 +39,13 @@ in
enable = true; enable = true;
description = "bkp-run"; description = "bkp-run";
serviceConfig = { serviceConfig = {Type = "oneshot";};
Type = "oneshot";
};
partOf = [ "bkp-sync.service" ]; partOf = ["bkp-sync.service"];
path = with pkgs; [ path = with pkgs; [btrfs-progs btrbk coreutils];
btrfs-progs
btrbk
coreutils
];
script = script = let
let
btrbkConf = pkgs.writeText "cfg" '' btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath} ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -78,10 +62,10 @@ in
volume ${subvolumeParentDir} volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
''; '';
in in ''
''
#! ${pkgs.bash}/bin/bash #! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail set -Eeuxo pipefail
@ -92,10 +76,7 @@ in
systemd.timers."bkp" = { systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically"; description = "Timer to trigger bkp periodically";
enable = true; enable = true;
wantedBy = [ wantedBy = ["timer.target" "multi-user.target"];
"timer.target"
"multi-user.target"
];
timerConfig = { timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"` # Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00"; # OnCalendar = "Wed *-*-* 23:00:00";
@ -133,10 +114,10 @@ in
} }
]; ];
extraFlags = [ "--resolv-conf=bind-host" ]; extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ ]; forwardPorts = [];
inherit hostAddress localAddress; inherit hostAddress localAddress;
} }


@ -1,23 +1,18 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
imapsPort ? 993, imapsPort ? 993,
sievePort ? 4190, sievePort ? 4190,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs;
config =
{
pkgs, pkgs,
config, config,
repoFlake, lib,
... ...
}: }: {
{ system.stateVersion = "21.11"; # Did you read the comment?
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
@ -26,15 +21,10 @@
../profiles/common/user.nix ../profiles/common/user.nix
]; ];
networking.firewall.allowedTCPPorts = [
imapsPort
sievePort
];
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
# sops.defaultSopsFile = ./mailserver_secrets.yaml; # sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.email_mailStefanjunkerDe = { sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name; owner = config.users.users.steveej.name;
@ -66,8 +56,8 @@
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
modules = [ pkgs.dovecot_pigeonhole ]; modules = [pkgs.dovecot_pigeonhole];
protocols = [ "sieve" ]; protocols = ["sieve"];
enableImap = true; enableImap = true;
enableLmtp = true; enableLmtp = true;
@ -102,15 +92,14 @@
systemd.services.steveej-getmail-stefanjunker = { systemd.services.steveej-getmail-stefanjunker = {
enable = true; enable = true;
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej"; serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2"; serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600; serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
description = "Getmail service"; description = "Getmail service";
path = [ pkgs.getmail6 ]; path = [pkgs.getmail6];
script = script = let
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options] [options]
verbose = 1 verbose = 1
@ -129,23 +118,21 @@
type = MDA_external type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
''; '';
in in ''
''
getmail --idle=INBOX --rcfile=${rc} getmail --idle=INBOX --rcfile=${rc}
''; '';
}; };
systemd.services.steveej-getmail-stefanjunker-hetzner = { systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true; enable = true;
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej"; serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2"; serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60; serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
description = "Getmail service"; description = "Getmail service";
path = [ pkgs.getmail6 ]; path = [pkgs.getmail6];
script = script = let
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options] [options]
verbose = 2 verbose = 2
@ -164,23 +151,21 @@
type = MDA_external type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
''; '';
in in ''
''
getmail --rcfile=${rc} --idle=INBOX getmail --rcfile=${rc} --idle=INBOX
''; '';
}; };
systemd.services.steveej-getmail-webde = { systemd.services.steveej-getmail-webde = {
enable = true; enable = true;
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej"; serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2"; serviceConfig.Group = "dovecot2";
description = "Getmail service"; description = "Getmail service";
path = [ pkgs.getmail6 ]; path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000; serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
script = script = let
let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options] [options]
verbose = 1 verbose = 1
@ -199,8 +184,7 @@
type = Maildir type = Maildir
path = ~/.maildir/ path = ~/.maildir/
''; '';
in in ''
''
getmail --rcfile=${rc} --idle=INBOX getmail --rcfile=${rc} --idle=INBOX
''; '';
}; };
@ -219,6 +203,8 @@
}; };
}; };
# extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -236,5 +222,5 @@
} }
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }


@ -1,124 +0,0 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nix-snapshotter",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704152458,
"narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nix-snapshotter": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723875769,
"narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=",
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da",
"type": "github"
},
"original": {
"owner": "pdtpartners",
"repo": "nix-snapshotter",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1728781282,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728867876,
"narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1728897630,
"narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nix-snapshotter": "nix-snapshotter",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}


@ -1,371 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-snapshotter = {
url = "github:pdtpartners/nix-snapshotter";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self, nixpkgs, ... }:
let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { };
modules = [
(
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
nixpkgs.overlays = [
(_final: _previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
# src = /home/steveej/src/others/systemd;
# withAppArmor = false;
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# withArchive = false;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# })
# pkgs.systemdMinimal.override {
# # getting errors with these disabled
# withCoredump = true;
# withCompression = true;
# withLogind = true;
# withSysusers = true;
# withUserDb = true;
# }
# pkgs.systemdMinimal
# pkgs.systemd.override {
# withRepart = false;
# withHomed = false;
# withAcl = false;
# withEfi = false;
# withBootloader = false;
# withCryptsetup = false;
# withLibBPF = false;
# withOomd = false;
# withFido2 = false;
# withApparmor = false;
# withDocumentation = false;
# withUtmp = false;
# withQrencode = false;
# withVmspawn = false;
# withMachined = false;
# withLogTrace = true;
# # don't need these but cause errors for exampel files not found
# # withLogind = false;
# }
# ;
})
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true;
# boot.tmp.useTmpfs = true;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
services.journald.console = "/dev/console";
services.journald.storage = "none";
# boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false;
system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false;
networking.useDHCP = false;
networking.firewall.enable = false;
# system.build.earlyMountScript =
# lib.mkForce ''
# '';
# system.activationScripts.specialfs =
# lib.mkForce ''
# '';
boot.postBootCommands = ''
ls -lha /run
mkdir -p /run/wrappers
'';
boot.kernelParams = [ "systemd.log_level=debug" ];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce { };
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
systemd.services.testing-credentials = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils ];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
# StateDirectory = "testing-credentials";
# DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts.":80" = {
extraConfig = ''
respond "hello from ${config.networking.hostName}"
'';
};
};
}
)
];
};
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [ ];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [ 9651 ];
udp = [
9650
9651
];
};
inherit (config)
entrypoint
# port
args
# nodePort
;
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
}
];
}
);
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
targetPort = "mycelium-tcp-0";
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
];
};
}
);
in
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image;
start = pkgs.writeShellApplication {
name = "start";
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication {
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
};
}


@ -1,22 +1,20 @@
{ {
specialArgs,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
syncthingPort ? 22000, syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027, syncthingLocalAnnouncePort ? 21027,
smbTcpPort ? 445,
autoStart ? false, autoStart ? false,
}: }: {
{ config = {
inherit specialArgs; config,
config = pkgs,
{ ... }: ...
{ }: {
system.stateVersion = "20.05"; # Did you read the comment? system.stateVersion = "20.05"; # Did you read the comment?
imports = [ ../profiles/containers/configuration.nix ]; imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# syncthing gui # syncthing gui
8384 8384
@ -27,54 +25,6 @@
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
}; };
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
settings = {
global = {
"workgroup" = "DMZ";
"server string" = "syncthing";
"netbios name" = "syncthing";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.23. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"scan-stefan" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
"scan-justyna" = {
"path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "syncthing";
"force group" = "syncthing";
};
};
};
# TODO: find out if smbpasswd file is still used and set it here. or find an alternative
# sops.secrets.smbpasswd = {
# };
# environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text;
}; };
inherit autoStart; inherit autoStart;
@ -86,6 +36,8 @@
}; };
}; };
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
@ -103,12 +55,7 @@
hostPort = syncthingLocalAnnouncePort; hostPort = syncthingLocalAnnouncePort;
protocol = "udp"; protocol = "udp";
} }
{
containerPort = 445;
hostPort = smbTcpPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }
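Review bot: If I read the columns right, the explicit `networking.firewall.enable = true;` in the first hunk survives only on the master side, so on the new side the `networking.firewall.allowedTCPPorts` list directly below it (8384 for the GUI plus the syncthing ports) only has an effect as long as nothing in the imported `../profiles/containers/configuration.nix` turns the firewall off, and that file is not visible here. Because the GUI is bound to `guiAddress = "0.0.0.0:8384"` (second hunk, unchanged), a firewall that ends up disabled would expose it to anything that can reach `localAddress`, not only to the host. I would keep the line explicit rather than rely on the NixOS default: `networking.firewall.enable = true;` immediately before `networking.firewall.allowedTCPPorts = [`. The container's `config` attribute opens in this hunk and closes in a later one.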


@ -1,57 +1,30 @@
{ {
specialArgs, repoFlake,
hostBridge,
hostAddress, hostAddress,
localAddress, localAddress,
httpPort, httpPort ? 80,
httpsPort, httpsPort ? 443,
forgejoSshPort,
autoStart ? false, autoStart ? false,
}: }: let
let
domain = "www.stefanjunker.de"; domain = "www.stefanjunker.de";
in in {
{ config = {
inherit specialArgs;
config =
{
config, config,
pkgs, pkgs,
lib, lib,
repoFlake,
nodeFlake,
system,
... ...
}: }: {
let
nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable;
in
{
system.stateVersion = "22.05"; # Did you read the comment? system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [
"services/misc/forgejo.nix"
"services/security/kanidm.nix"
];
imports = [ imports = [
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
"${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
]; ];
sops.defaultSopsFile = ./webserver_secrets.yaml; networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
httpPort
httpsPort
forgejoSshPort
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hedgedoc_environment_file = { sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml; sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name; owner = config.users.users.hedgedoc.name;
@ -59,11 +32,11 @@ in
services.caddy = { services.caddy = {
enable = true; enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = { virtualHosts."${domain}" = {
extraConfig = '' extraConfig = let
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${domain} redir /hedgedoc* https://hedgedoc.${domain}
file_server /*/* { file_server /*/* {
@ -94,22 +67,6 @@ in
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
''; '';
}; };
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}; };
services.hedgedoc = { services.hedgedoc = {
@ -136,36 +93,12 @@ in
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile` # these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD"; bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de"; searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid"; useridField = "uid";
}; };
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads"; uploadsPath = "/var/lib/hedgedoc/uploads";
}; };
@ -192,11 +125,9 @@ in
owner = config.users.users.authelia-default.name; owner = config.users.users.authelia-default.name;
}; };
services.authelia.instances.default = services.authelia.instances.default = let
let
baseDir = "/var/lib/authelia-default"; baseDir = "/var/lib/authelia-default";
in in {
{
enable = true; enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
@ -235,7 +166,7 @@ in
}; };
}; };
users.groups.lldap = { }; users.groups.lldap = {};
users.users.lldap = { users.users.lldap = {
isSystemUser = true; isSystemUser = true;
group = "lldap"; group = "lldap";
@ -286,140 +217,9 @@ in
}; };
}; };
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
# TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
];
};
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in
{
package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;
enableClient = false;
enableServer = true;
serverSettings = {
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
bindaddress = "127.0.0.1:8444";
# don't expose ldap
# ldapbindaddress = "[::1]:6636";
tls_key = "${dataDir}/tls/tls.key";
tls_chain = "${dataDir}/tls/tls.chain";
online_backup = {
schedule = "00 06 * * *";
};
};
};
}; };
inherit autoStart; inherit autoStart;
@ -453,17 +253,10 @@ in
hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/forgejo" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo";
isReadOnly = false;
}; };
"/var/lib/kanidm" = { # extraFlags = ["--resolv-conf=bind-host"];
hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; # networking.useHostResolvConf = true;
isReadOnly = false;
};
};
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
@ -479,14 +272,7 @@ in
hostPort = httpsPort; hostPort = httpsPort;
protocol = "tcp"; protocol = "tcp";
} }
{
# forgejo ssh
containerPort = forgejoSshPort;
hostPort = forgejoSshPort;
protocol = "tcp";
}
]; ];
inherit hostBridge hostAddress localAddress; inherit hostAddress localAddress;
} }
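Review bot: The new side disables the container's firewall outright (`networking.firewall.enable = false;` in the first hunk, in place of the `networking.firewall.allowedTCPPorts = [ httpPort httpsPort … ]` allowlist), so every listener in the container is reachable from the host side of the veth and from anything routed to `localAddress`, regardless of what `forwardPorts` publishes. Whether that is harmless depends on the bind addresses of lldap and authelia, which this hunk does not show; the `reverse_proxy http://127.0.0.1:…` targets in the caddy block suggest at least lldap's HTTP port is intended to stay loopback-only, and the firewall is the second line of defence if a service's default is `0.0.0.0`. I would keep the firewall on and allowlist only the proxied ports: `networking.firewall.enable = true;` followed by `networking.firewall.allowedTCPPorts = [ httpPort httpsPort ];`. The container's `config` function opens in this hunk and closes in a later one.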


@ -1,13 +1,9 @@
hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str]
authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
lldap_environmentFile: ENC[AES256_GCM,data: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,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] lldap_environmentFile: ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str]
#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment]
FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str]
FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -23,8 +19,8 @@ sops:
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T12:28:51Z" lastmodified: "2023-07-17T11:48:04Z"
mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str]
pgp: pgp:
- created_at: "2023-07-09T17:51:27Z" - created_at: "2023-07-09T17:51:27Z"
enc: |- enc: |-
@ -42,4 +38,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -1,20 +1,15 @@
{ {
dir, dir,
pkgs ? import <channels-nixos-stable> { }, pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
gitRoot ? "$(git rev-parse --show-toplevel)", gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning? # FIXME: why do these need explicit mentioning?
moreargs ? "", moreargs ? "",
rebuildarg ? "", rebuildarg ? "",
... ...
}@args: } @ args: let
let rebuildargsSudo = ["switch" "boot"];
rebuildargsSudo = [ rebuild = {
"switch"
"boot"
];
rebuild =
{
gitRoot, gitRoot,
rebuildarg ? "dry-activate", rebuildarg ? "dry-activate",
moreargs ? "", moreargs ? "",
@ -35,18 +30,18 @@ let
${ ${
if if
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null (builtins.elem rebuildarg rebuildargsSudo)
then && (builtins.match ".*--target-host.*" moreargs) == null
"sudo -E \\" then "sudo -E \\"
else else ""
""
} }
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
''; '';
in in {
{ recipes =
recipes = { {
rebuild = rebuild { rebuild =
rebuild {
inherit gitRoot; inherit gitRoot;
inherit moreargs; inherit moreargs;
inherit rebuildarg; inherit rebuildarg;
@ -54,5 +49,6 @@ in
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
; ;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); }
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
} }


@ -3,29 +3,40 @@
ownLib, ownLib,
dir, dir,
gitRoot, gitRoot,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ? encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "", previousDiskId ? "",
... ...
}: }: let
let
mntRootVol = "/mnt/${diskId}-root"; mntRootVol = "/mnt/${diskId}-root";
in in rec {
rec {
diskMount = pkgs.writeScript "script" '' diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
echo Mounting ${diskId} echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
sleep 1 sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt sudo mkdir -p /mnt
sudo mkdir ${mntRootVol} sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
''; '';
@ -62,7 +73,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
# Encrypt # Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''} ''}
# LVM # LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then if test "${previousDiskId}"; then
${pkgs.lib.strings.optionalString encrypted '' ${
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} pkgs.lib.strings.optionalString encrypted ''
''} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
sync sync
sleep 1 sleep 1
if sudo vgs ${previousDiskId}; then if sudo vgs ${previousDiskId}; then


@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix


@ -3,17 +3,17 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: }: let
let
system = "x86_64-linux"; system = "x86_64-linux";
in in {
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "elias-e525.lan"; deployment.targetHost = "elias-e525.lan";


@ -6,5 +6,5 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = _: { }; outputs = _: {};
} }


@ -1,4 +1,4 @@
_: { {...}: {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;


@ -1,5 +1,8 @@
{ pkgs, lib, ... }: {
let pkgs,
lib,
...
}: let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -19,27 +22,26 @@ let
rustdesk rustdesk
]; ];
}; };
in in {
{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };
home-manager.users.steveej = homeEnv { home-manager.users.steveej = homeEnv {
layout = "en"; layout = "en";
options = [ "nodeadkey" ]; options = ["nodeadkey"];
variant = "altgr-intl"; variant = "altgr-intl";
}; };
home-manager.users.elias = homeEnv { home-manager.users.elias = homeEnv {
layout = "de"; layout = "de";
options = [ ]; options = [];
variant = ""; variant = "";
}; };
home-manager.users.justyna = homeEnv { home-manager.users.justyna = homeEnv {
layout = "de"; layout = "de";
options = [ ]; options = [];
variant = ""; variant = "";
}; };


@ -1,5 +1,10 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device # TASK: new device
networking.hostName = "elias-e525"; # Define your hostname. networking.hostName = "elias-e525"; # Define your hostname.
@ -33,13 +38,11 @@
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
}; };
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.videoDrivers = ["modesetting"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = { nix.gc = {automatic = true;};
automatic = true;
};
} }
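Review bot: The new module header `{ pkgs, lib, config, ... }: let` / `in {` binds `config` and opens a `let` with no bindings, and nothing in the visible hunks uses either; `{ pkgs, lib, ... }: {` expresses the same module without the stub. Unused module arguments are harmless at evaluation time, but an empty `let … in` reads as a placeholder for bindings that were never written. Separately, the unchanged `security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]` appears to append the same Mozilla bundle that NixOS already builds its default CA store from; if that is the case the line is redundant, and if it is there for a reason a comment such as `# NOTE: cacert bundle re-added on purpose — <reason>` would save the next reader from removing it. The module body between the two hunks and after the second one is outside this view.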


@ -1,9 +1,12 @@
{ config, pkgs, ... }:
let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in
{ {
config,
pkgs,
lib,
...
}: let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;
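Review bot: `lib` is added to the argument set but nothing in the visible lines references it; the module body continues past the hunk, so drop it unless the remainder of the file uses it. The `sops.secrets.sharedUsers-elias` block sets `neededForUsers = true;` without saying why; presumably the secret backs a user password entry and must be decrypted before users are created, in which case a one-line comment such as `# decrypted before user creation so it can back the user's password file` documents the constraint this flag imposes (early decryption into the secrets-for-users path with root-only ownership — verify against the sops-nix option docs). The enclosing attribute set ends outside the hunk.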


@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix


@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;
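Review bot: `{...}: let` / `in {` introduces an empty `let … in` that binds nothing, and together with the `# TASK: new device` marker it reads like a template fragment rather than a finished module; `_: {` is the idiomatic header for a module that takes no arguments and needs no local bindings. If the empty `let` is meant to be filled in later, a `# TODO: device-specific bindings go here` comment on it is more honest than an empty binding list. The rest of `hardware.opinionatedDisk` is outside the hunk.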


@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }


@ -1,8 +1,12 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost1"; # Define your hostname. networking.hostName = "fwhost1"; # Define your hostname.
@ -17,14 +21,11 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = [ "172.172.171.10" ]; networking.nameservers = ["172.172.171.10"];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;
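Review bot: The new header adds `config` to the module arguments and `keys = import ../../../variables/keys.nix;` to the `let`, but neither is referenced in any visible line; the body continues outside the hunks, so remove them if the rest of the file leaves them unused as well — Nix is lazy, so an unused import is never evaluated, but it still advertises a dependency on the keys file that this module may not actually have. In the second hunk, the unchanged `networking.firewall.logRefusedConnections = false;` on a host that bridges `eth0`/`eth1` discards the main evidence of port probing against the box, and nothing records whether that trade-off is deliberate; a why-comment such as `# NOTE: refused-connection logging off to keep the journal quiet; the OPNsense guest is the logging router — confirm` would do. The module continues past the last hunk.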


@ -1 +1,9 @@
_: { } {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {}
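Review bot: The rewritten module still evaluates to `{}`, yet its header now imports `passwords.crypt.nix`, `keys.nix` and `mkUser` into a `let` that nothing reads; `_: { }` was the accurate form, and if the module is a placeholder a `# TODO: add fwhost1 users` comment says so without dead bindings. The `mkUser` line also differs from the sibling device's user module, which calls `import ../../lib/default.nix {inherit (pkgs) lib;}` while this one passes `{}`; if that library expects `lib`, this call fails the moment `mkUser` is first used, and laziness is the only reason it does not fail today. Reconcile the two call sites (or use `pkgs.callPackage` as the elias-e525 user module does) before either of them gains a real user definition.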


@ -4,12 +4,9 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,5 +1,4 @@
{ ... }: {...}: {
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix


@ -1,4 +1,5 @@
_: { {...}: let
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;


@ -1,17 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
{ nixpkgs.config.packageOverrides = pkgs:
nixpkgs.config.packageOverrides = with pkgs; {
pkgs: with pkgs; { nixPath =
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; (import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [iw wirelesstools];
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }


@ -1,8 +1,13 @@
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in
{ {
pkgs,
lib,
config,
utils,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "fwhost2"; # Define your hostname. networking.hostName = "fwhost2"; # Define your hostname.
@ -17,14 +22,11 @@ in
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [ networking.bridges.breth.interfaces = ["eth0" "eth1"];
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = [ "172.172.171.10" ]; networking.nameservers = ["172.172.171.10"];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;
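Review bot: `utils`, `config` and the `keys = import ../../../variables/keys.nix;` binding are added to the header but not used in any visible line; the body continues past the hunks, so if they stay unused there too the header should shrink back to `{ pkgs, lib, ... }:` with only `passwords` in the `let`. `utils` in particular is a module-system argument that a device configuration rarely needs, so binding it here sends the reader looking for a use that does not exist. The unchanged `networking.firewall.logRefusedConnections = false;` also deserves a why-comment on a host whose job is to bridge `eth0`/`eth1` — it silences the one log line that would show probing of the bridge — e.g. `# NOTE: refused-connection logging intentionally off — <reason>`.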


@ -1,4 +1,12 @@
_: { {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser { # users.extraUsers.steveej2 = mkUser {
# uid = 1001; # uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh; # openssh.authorizedKeys.keys = keys.users.steveej.openssh;
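Review bot: The new `let` binds `passwords`, `keys` and `mkUser`, but the only consumer in view is the commented-out `users.extraUsers.steveej2 = mkUser { … }` block, so these bindings exist solely to serve dead code; either restore the user definition behind an explicit decision or return to `_: {` and delete the comment. If the block is kept for later, say why it is disabled, e.g. `# steveej2 disabled: <reason/date>`, so the next reader does not casually re-enable an account that carries an `authorizedKeys` entry. The module continues past the hunk.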


@ -4,12 +4,9 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in in {
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // { nixos = nixpkgs // {suffix = "/nixos";};
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -1,146 +0,0 @@
{
repoFlake,
pkgs,
lib,
nodeFlake,
nodeName,
system,
...
}:
{
disabledModules = [ ];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
repoFlake.inputs.sops-nix.nixosModules.sops
nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
{
roles.nix-remote-builder.schedulerPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"
# TODO: make this a reference to the private key's secret
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
];
}
../../snippets/nix-settings.nix
{ nix.settings.sandbox = lib.mkForce "relaxed"; }
../../snippets/mycelium.nix
# user config
../../profiles/common/user.nix
{
users.commonUsers = {
enable = true;
enableNonRoot = true;
};
}
../../snippets/home-manager-with-zsh.nix
# {
# home-manager.users.steveej = {pkgs, ...}: {
# imports = [
# ../../../home-manager/programs/pass.nix
# ../../../home-manager/programs/openvscode-server.nix
# ];
# };
# }
];
services.openssh = {
enable = true;
openFirewall = true;
settings.PermitRootLogin = "yes";
extraConfig = ''
StreamLocalBindUnlink yes
'';
};
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = true;
nat.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [ 5201 ];
firewall.allowedUDPPorts = [ 5201 ];
};
disko.devices =
let
disk = id: {
type = "disk";
device = "/dev/${id}";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid0";
};
};
};
};
};
in
{
disk = {
sda = disk "sda";
sdb = disk "sdb";
};
mdadm = {
raid0 = {
type = "mdadm";
level = 0;
content = {
type = "gpt";
partitions = {
primary = {
size = "100%";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
system.stateVersion = "24.05";
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.includeDefaultModules = true;
boot.initrd.kernelModules = [
"dm-raid"
"dm-integrity"
"xhci_pci_renesas"
];
hardware.enableRedistributableFirmware = true;
virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}
