diff --git a/Justfile b/Justfile index 8e8aac4..5b66483 100755 --- a/Justfile +++ b/Justfile @@ -1,3 +1,6 @@ +_DEFAULT_VERSION_TMPL: + echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" + _usage: just -l @@ -21,12 +24,12 @@ _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates set -ex just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} -rebuild-remote-device dir target rebuildarg="dry-activate" : +rebuild-remote-device device target rebuildarg="dry-activate" : #!/usr/bin/env bash set -ex - just -v _rebuild-device {{dir}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" + just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" -# Rebulid this device's NixOS +# Rebuild this device's NixOS rebuild-this-device rebuildarg="dry-activate": #!/usr/bin/env bash set -e @@ -50,7 +53,8 @@ rebuild-this-device rebuildarg="dry-activate": echo System rebuild successful else cat ${SYSREBUILD_LOG} - echo System rebuild failed + echo ERROR: system rebuild failed + exit 1 fi if type home-manager > /dev/null 2>&1; then 
@@ -60,18 +64,44 @@ rebuild-this-device rebuildarg="dry-activate": echo Home rebuild successful else cat ${HOMEREBUILD_LOG} - echo Home rebuild failed + echo ERROR: home rebuild failed + exit 1 fi fi -# This could be used to inject another channel -# --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'" +update-remote-device device target rebuildmode='switch': + #!/usr/bin/env bash + set -e + template=nix/os/devices/{{device}}/versions.tmpl.nix + outfile=nix/os/devices/{{device}}/versions.nix + + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi + + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi + + just -v rebuild-remote-device {{device}} {{target}} dry-activate || { + echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile} + exit 1 + } + + just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || { + echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile} + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions" # Update the channel versions and (by default) switch to new environment update-this-device rebuild-mode='switch': #!/usr/bin/env bash - set -xe + set -e template=nix/os/devices/$(hostname -s)/versions.tmpl.nix outfile=nix/os/devices/$(hostname -s)/versions.nix 
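Review bot: `update-remote-device` treats the rendered `${outfile}` as good as soon as `git diff` reports a change, but never checks that the `rev` values the template produced are commit hashes; the `<% git ls-remote … | awk … | tr … -%>` snippets return the status of `tr` (unless esh sets pipefail), so a failed `ls-remote` — offline, renamed branch — renders `rev = ""` and the recipe goes on to rebuild and commit that. A guard between `esh` and the `git diff` test, `if grep -q 'rev = ""' ${outfile}; then echo ERROR: empty rev in ${outfile}; exit 1; fi`, catches the common case; matching every `rev` against `[0-9a-f]{40}` would be stricter. The message after the first rebuild names the mode `'dry-active'` although `dry-activate` was run, and `{{device}}`/`{{ device }}` spacing alternates within one recipe. The same template pipelines appear in the `versions.tmpl.nix` files further down.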
@@ -85,16 +115,16 @@ update-this-device rebuild-mode='switch': export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log just -v rebuild-this-device dry-activate || { echo ERROR: Update failed, reverting ${outfile}... - git checkout ${outfile} + exit 1 + } + + just -v rebuild-this-device {{rebuild-mode}} || { + echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed exit 1 } git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions" - just -v rebuild-this-device {{rebuild-mode}} || { - echo WARNING: Rebuilding in {{rebuild-mode}}-mode failed - } - # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: #!/usr/bin/env bash diff --git a/README.md b/README.md index 0e2c277..342fe55 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This is mostly achieved with the help of [Nix](https://nixos.org). In the unlikely case that you actually read this and have any questions please don't hesitate to reach out. -## Roadmap +## Initial Roadmap - All graphical systems (incl. install media) must have - [x] Full-disk encryption by default @@ -17,11 +17,10 @@ In the unlikely case that you actually read this and have any questions please d - [x] home-manager - [x] pkgs-configuration - [ ] development environments -- [ ] (Semi-) automatic synchronization of important repositories +- [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy + The approach is to use vcsh for the dotfiles - [x] dotfiles - - [ ] password-store - - [ ] this repo - [x] Toplevel Justfile for simple actions - [x] mount/umount disks - [x] install to mounted disk 
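Review bot: The failure branch of the `dry-activate` rebuild still prints `ERROR: Update failed, reverting ${outfile}...`, but the `git checkout ${outfile}` that did the reverting is removed, so the message now promises something the recipe no longer does and the modified `versions.nix` is left uncommitted in the working tree. Either restore the checkout before `exit 1`, or change the line to `echo ERROR: Update failed, leaving modified ${outfile} in place` so the operator knows the state they are in. `update-this-device` starts outside the hunk.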
@@ -36,7 +35,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 - [ ] Recycle *\_archived* -- [ ] Maybe make this a nix-overlay +- [x] Maybe make this a nix-overlay ## Bugs - [ ] home-manager leaves ~/.gnupg at 0755 diff --git a/nix/default.nix b/nix/default.nix index 038994e..1bead1c 100644 --- a/nix/default.nix +++ b/nix/default.nix 
@@ -3,22 +3,26 @@ { channelSources = let - # channelVersions = (import ((builtins.getEnv "PWD")+"/${dir}/versions.nix")); channelVersions = (import versionsPath); - mkChannelSource = channel: builtins.fetchGit { - # Descriptive name to make the store path easier to identify - url = "https://github.com/NixOS/nixpkgs-channels/"; - # Commit hash for nixos-unstable as of 2018-09-12 - # `git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable` - ref = (builtins.getAttr channel channelVersions)."ref"; - rev = (builtins.getAttr channel channelVersions)."rev"; - name = "nixpkgs-channels-${channel}"; + mkChannelSource = channel: + let + channelVersion = builtins.getAttr channel channelVersions; + in builtins.fetchGit { + # Descriptive name to make the store path easier to identify + name = "nixpkgs-channels-${channel}"; + url = if builtins.hasAttr "url" channelVersion + then channelVersion."url" + else "https://github.com/NixOS/nixpkgs-channels/" + ; + ref = (builtins.getAttr channel channelVersions)."ref"; + rev = (builtins.getAttr channel channelVersions)."rev"; }; nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [ [ "nixpkgs" (mkChannelSource "channelsNixosStable") ] [ "nixos" (mkChannelSource "channelsNixosStable" + "/nixos") ] [ "channels-nixos-stable" (mkChannelSource "channelsNixosStable") ] [ "channels-nixos-unstable" (mkChannelSource "channelsNixosUnstable") ] + [ "home-manager-module" (mkChannelSource "homeManagerModule") ] ]; in (import (mkChannelSource "channelsNixosStable") {}).writeText "channels.rc" '' export NIX_PATH=${nix_path} diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 9f2b880..9ce39a0 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
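Review bot: `mkChannelSource` now binds `channelVersion` but uses it only for `url`; `ref` and `rev` still repeat `(builtins.getAttr channel channelVersions)."…"`, so the same lookup runs three times in two styles. `ref = channelVersion.ref;` and `rev = channelVersion.rev;` keep the body uniform, and since the per-device `url` override is only safe because `rev` pins the exact commit, a line such as `# url/ref say where to fetch; rev pins the exact commit that is built` would tell the next reader why `rev` must stay mandatory. The `channelSources` `let` continues past the hunk.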
@@ -27,8 +27,6 @@ in { gnutls = true; }; - android_sdk.accept_license = true; - packageOverrides = pkgs: with pkgs; { myPython36 = python36Full.withPackages (ps: with ps; [ pep8 yapf flake8 @@ -152,7 +150,7 @@ in { # virtualbox vagrant rkt - python27Packages.docker_compose + docker_compose # unstablepkgs.kubernetes unstablepkgs.minikube unstablepkgs.openshift @@ -185,8 +183,9 @@ in { iperf bind socat - linssid + # 2019-03-05: broken on 19.03 linssid iptraf-ng + ipmitool # samba iptables @@ -283,7 +282,6 @@ in { # File Synchronzation seafile-client - syncthing grive2 dropbox # gocryptfs @@ -291,7 +289,6 @@ in { # s3ql # rclone rsync - duplicacy # Filesystem Tools ntfs3g @@ -325,7 +322,7 @@ in { bazel ## Android - androidsdk + androidenv.androidPkgs_9_0.platform-tools ## Java # jre diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix index c049f24..42d19d5 100644 --- a/nix/home-manager/configuration/text-minimal.nix +++ b/nix/home-manager/configuration/text-minimal.nix @@ -1,6 +1,6 @@ { pkgs -, config, -... }: +, config +, ... }: let @@ -24,5 +24,6 @@ in { ++ (with pkgs; [ iperf3 telnet + speedtest-cli ]); } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index ed3daed..3db0a6a 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,11 +1,12 @@ -{ pkgs, -... +{ pkgs +, ... }: let in { - programs.home-manager.enable = true; - programs.home-manager.path = https://github.com/rycee/home-manager/archive/master.tar.gz; + # TODO: re-enable this with the appropriate version + # programs.home-manager.enable = true; + # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; nixpkgs.overlays = [ (import ../../overlay.nix) diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 95f161f..0585746 100644 
--- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -9,7 +9,7 @@ nixpkgs.config = { chromium = { - enablePepperPDF = true; + # 2019-03-05: missing on 19.03 enablePepperPDF = true; enablePepperFlash = false; }; }; diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index 1c250ae..3e599ec 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix @@ -93,6 +93,8 @@ in { "sha256" = "181siphb87yzln9433159ssa6vmm1h2dd0kqhlx7bgsi51gng4rv"; }; }; + + tlib = vimPlugins.tlib_vim; }; pluginDictionaries = let @@ -126,7 +128,7 @@ in { "git-blame" # Nix - "vim-addon-nix" + "vim-addon-nix" "tlib" "vim-addon-vim2nix" # LaTeX @@ -146,7 +148,7 @@ in { "vim-markdown-toc" # misc syntax support - "vim-bazel" + "vim-bazel" "maktaba" ]; in [ { names = default; } diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix new file mode 100644 index 0000000..426979b --- /dev/null +++ b/nix/os/containers/backup.nix 
@@ -0,0 +1,185 @@ +{ config, ... } @ args: + +let + unstablepkgs = import { config = config.nixpkgs.config; }; + + passwords = import ../../variables/passwords.crypt.nix; + bucket = "bkp"; + subvolumeParentDir = "/var/lib"; + + subvolumeDir = "/var/lib/container-volumes"; + subvolumeSnapshot = "/var/lib/container-volumes.snapshot"; + + bkpSource = subvolumeSnapshot; + bkpDestination = "/container/backup"; + cacheDir = "/var/lib/rclone-cachedir"; + + wasabiRc = pkgs: pkgs.writeText "rc" '' + [wasabi-${bucket}] + type = s3 + provider = Wasabi + env_auth = false + + #bkp user + access_key_id = ${passwords.storage.wasabi.bkp.key} + secret_access_key = ${passwords.storage.wasabi.bkp.secret} + + region = us-east-1 + endpoint = s3.wasabisys.com + location_constraint = + acl = + server_side_encryption = + storage_class = + ''; + + + bkp-mount-rclone-manual = pkgs: { + enable = true; + description = "bkp-mount-rclone-manual service"; + path = with pkgs; [ unstablepkgs.rclone utillinux ]; + serviceConfig = { + Type = "notify"; + }; + script = '' + export PATH="$PATH:/run/wrappers/bin" + exec rclone --config ${wasabiRc pkgs} mount wasabi-${bucket}:${bucket} ${bkpDestination} \ + --stats=1m --stats-log-level=NOTICE \ + --cache-dir=${cacheDir} \ + --vfs-cache-mode=full + + ''; + preStart = '' + mkdir -p ${bkpDestination} + mkdir -p ${cacheDir} + ''; + postStop = '' + sync + umount ${bkpDestination} \ + || umount -l ${bkpDestination} \ + || : + + rmdir ${bkpDestination} + ''; + }; + + +in args // { + config = { pkgs, ... 
}: { + imports = [ + ../profiles/containers/configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + btrfs-progs + rdup rdedup + iptraf-ng nethogs + rclone + ]; + + networking.firewall.enable = true; + + systemd.services."bkp-mount-rclone-manual" = bkp-mount-rclone-manual pkgs; + + systemd.services."bkp-sync-rclone" = { + enable = true; + description = "bkp-sync-rclone service"; + + serviceConfig = { + Type = "oneshot"; + }; + + after = [ + "bkp-run.service" + ]; + + requires = [ + "bkp-run.service" + ]; + + path = with pkgs; [ unstablepkgs.rclone utillinux ]; + script = '' + set -x + echo Starting rclone sync... + rclone --config ${wasabiRc pkgs} sync \ + ${bkpDestination}/rdedup/ wasabi-${bucket}:${bucket}/rdedup/ \ + --stats=1m --stats-log-level=NOTICE + echo Finished rclone sync... + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ + "bkp-sync-rclone.service" + ]; + + path = with pkgs; [ btrfs-progs rdup rdedup coreutils ]; + preStart = '' + echo Creating new btrfs snapshot of ${subvolumeDir} at ${subvolumeSnapshot} + btrfs subvolume snapshot -r ${subvolumeDir} ${subvolumeSnapshot} + ''; + script = '' + #! ${pkgs.bash}/bin/bash + export RUST_BACKTRACE=1 + export TIMESTAMP=$(date +"%Y%m%d.%H%M%S") + + echo Starting rdup/rdedup backup... + for d in `ls -1 ${bkpSource}`; do + echo Determining backup source size ${bkpSource}/$d... + du -hs ${bkpSource}/$d + set -x + rdup -x /dev/null ${bkpSource}/$d | rdedup -v -ttt --dir=${bkpDestination}/rdedup store $d-''${TIMESTAMP} + set +x + done + sync + echo Finished rdup/rdedup backup... + echo Determining backup destination size ${bkpDestination}/rdedup... 
+ du -hs ${bkpDestination}/rdedup + ''; + postStop = '' + btrfs subvolume delete ${subvolumeSnapshot} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ "timer.target" "multi-user.target" ]; + timerConfig = { + OnCalendar = "23:00"; + Unit = "bkp-sync-rclone.service"; + # OnActiveSec="1s"; + # OnUnitInactiveSec="12h"; + # AccuracySec="5s"; + }; + }; + }; + + autoStart = true; + + bindMounts = { + "${subvolumeParentDir}" = { + hostPath = "/var/lib/"; + isReadOnly = false; + }; + + "/dev/fuse" = { + hostPath = "/dev/fuse"; + isReadOnly = false; + }; + }; + + allowedDevices = [ + { node = "/dev/fuse"; modifier = "rw"; } + ]; + + privateNetwork = true; + forwardPorts = [ + ]; +} diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index d750eed..8d59611 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -41,6 +41,10 @@ in args // { args = scheme=CRYPT username_format=%u /etc/dovecot/users } + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } ''; }; @@ -53,7 +57,9 @@ in args // { enable = true; wantedBy = [ "multi-user.target" ]; serviceConfig.User = "steveej"; - serviceConfig.Group = "users"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; description = "Getmail service"; path = [ pkgs.getmail ]; script = let @@ -72,8 +78,8 @@ in args // { mailboxes = ('INBOX',) [destination] - type = Maildir - path = ~/.maildir/ + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda ''; in '' getmail --rcfile=${rc} --idle=INBOX 
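Review bot: `wasabiRc` interpolates `passwords.storage.wasabi.bkp.key` and `.secret` into `pkgs.writeText "rc"`, so the live object-storage credentials land in `/nix/store`, world-readable on the host and carried along with every copy of the system closure. Keep them out of the store: set `env_auth = true` in the `[wasabi-bkp]` section, drop the two key lines, and feed `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from a root-only file outside the store via `serviceConfig.EnvironmentFile` on both `bkp-mount-rclone-manual` and `bkp-sync-rclone`. Separately, `bkp-run` writes to `${bkpDestination}/rdedup` and `bkp-sync-rclone` reads from it, yet neither unit declares `requires`/`after` on `bkp-mount-rclone-manual.service`, so with the mount down the backup would go to the container's local disk under `/container/backup` (unless rdedup refuses to create the directory) and the sync source would not exist. The `/var/lib` bind mount also hands this container, which holds those credentials, read-write access to the whole host `/var/lib` while it only touches `container-volumes`, its `.snapshot` sibling and `rclone-cachedir`; narrowing it is worth trying if btrfs snapshotting still works through separate bind mounts. `wantedBy = [ "timer.target" … ]` presumably means `timers.target`; the timer is started anyway through `multi-user.target`.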
@@ -84,10 +90,10 @@ in args // { enable = true; wantedBy = [ "multi-user.target" ]; serviceConfig.User = "steveej"; - serviceConfig.Group = "users"; + serviceConfig.Group = "dovecot2"; description = "Getmail service"; path = [ pkgs.getmail ]; - serviceConfig.RestartSec = 900; + serviceConfig.RestartSec = 1000; serviceConfig.Restart = "always"; script = let rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix new file mode 100644 index 0000000..4798ba6 --- /dev/null +++ b/nix/os/containers/syncthing.nix @@ -0,0 +1,41 @@ +{ ... } @ args: + +let + +in args // { + config = { config, pkgs, ... }: { + imports = [ + ../profiles/containers/configuration.nix + ]; + + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; + + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; + }; + + autoStart = true; + + bindMounts = { + "/var/lib/syncthing/" = { + hostPath = "/var/lib/container-volumes/syncthing/var-lib-syncthing"; + isReadOnly = false; + }; + }; + + privateNetwork = true; + forwardPorts = [ + { + containerPort = 22000; + hostPort = 22000; + protocol = "tcp"; + } + ]; +} diff --git a/nix/os/devices/steveej-t480s-work/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix index 027884a..d9b6e17 100644 --- a/nix/os/devices/steveej-t480s-work/versions.nix +++ b/nix/os/devices/steveej-t480s-work/versions.nix 
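Review bot: `guiAddress = "0.0.0.0:8384"` plus `allowedTCPPorts = [ 8384 ]` opens the Syncthing web UI, which has no login until one is configured inside it, on every interface of the container; with `privateNetwork = true` and only 22000 in `forwardPorts` that reach is the host and whatever the host routes to the container's address, but nothing in the file records that this is intended. Keeping the module default of `127.0.0.1:8384` and reaching the UI through an SSH port forward, or at least a comment such as `# GUI intentionally reachable from the host bridge only; no external forward` together with a GUI user/password set on first use, would make the exposure explicit.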
@@ -1,10 +1,15 @@
 {
 channelsNixosStable = {
- ref = "nixos-18.09";
- rev = "97e0d53d669cd07f0750a42fd535524b3cdd46d1";
+ ref = "nixos-19.03";
+ rev = "07e2b59812de95deeedde95fb6ba22d581d12fbc";
 };
 channelsNixosUnstable = {
 ref = "nixos-unstable";
- rev = "be445a9074f139d63e704fa82610d25456562c3d";
+ rev = "34aa254f9ebf5899636a9927ceefbc9df80230f4";
+ };
+ homeManagerModule = {
+ url = "https://github.com/rycee/home-manager";
+ ref = "master";
+ rev = "52fdf5b7ecab93eaf2a2ee83777b73f8ee126614";
 };
 }
diff --git a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
index 655e1b1..93b44b8 100644
--- a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
+++ b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
@@ -1,10 +1,15 @@
 {
 channelsNixosStable = {
- ref = "nixos-18.09";
- rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-18.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ ref = "nixos-19.03";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>";
 };
 channelsNixosUnstable = {
 ref = "nixos-unstable";
 rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
 };
+ homeManagerModule = {
+ url = "https://github.com/rycee/home-manager";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/rycee/home-manager.git master | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
 }
diff --git a/nix/os/devices/vmd32387.contaboserver.net/pkg.nix b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
index 277d01a..3ba136a 100644
--- a/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
@@ -7,11 +7,6 @@ { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix; - services.syncthing = { - enable = true; - openDefaultPorts = true; - }; - services.hydra = { enable = false; hydraURL = "http://localhost:3000"; # externally visible URL diff --git a/nix/os/devices/vmd32387.contaboserver.net/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix index 51dc7b4..de83e04 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/system.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix @@ -52,6 +52,31 @@ in { services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; + systemd.services."sshd-status" = { + enable = true; + description = "sshd-status service"; + path = [ pkgs.systemd ]; + script = '' + systemctl status sshd | grep -i tasks + ''; + }; + + systemd.services.sshd.serviceConfig = { + TasksMax = 32; + }; + + systemd.timers."sshd-status" = { + description = "Timer to trigger sshd-status periodically"; + enable = true; + wantedBy = [ "timer.target" "multi-user.target" ]; + timerConfig = { + OnActiveSec="5s"; + OnUnitActiveSec="5s"; + AccuracySec="1s"; + Unit = "sshd-status.service"; + }; + }; + boot.initrd.network = { enable = true; udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; @@ -80,5 +105,16 @@ in { hostAddress = "192.168.100.12"; localAddress = "192.168.100.13"; }; + + syncthing = import ../../containers/syncthing.nix { + hostAddress = "192.168.100.14"; + localAddress = "192.168.100.15"; + }; + + backup = import ../../containers/backup.nix { + inherit config; + hostAddress = "192.168.100.16"; + localAddress = "192.168.100.17"; + }; }; } diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix index 207c7c8..4db49e8 100644 --- a/nix/os/devices/vmd32387.contaboserver.net/versions.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/versions.nix 
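Review bot: `systemd.services.sshd.serviceConfig.TasksMax = 32` caps the whole `sshd.service` cgroup, and the companion `sshd-status` timer polling every 5 s (`OnUnitActiveSec="5s"`, `AccuracySec="1s"`) reads like a probe for that limit; as far as I can tell each accepted connection forks at least one child that stays in that cgroup until a session scope exists, so a cap this low can turn into refused logins under modest load and lock the operator out of a remote host, while the journal receives a `systemctl status` dump every five seconds. If this is a temporary measurement, say so, e.g. `# TODO: temporary probe for sshd TasksMax sizing; remove once sized`, and raise `OnUnitActiveSec` to minutes; if the cap is meant to stay, a comment on why 32 was chosen is needed. `Unit = "sshd-status.service"` and `"timer.target"` in `wantedBy` can go: a timer activates the same-named service by default, and the target is spelled `timers.target`.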
@@ -1,10 +1,15 @@
 {
 channelsNixosStable = {
- ref = "nixos-18.09";
- rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
+ ref = "nixos-19.03";
+ rev = "07e2b59812de95deeedde95fb6ba22d581d12fbc";
 };
 channelsNixosUnstable = {
 ref = "nixos-unstable";
- rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
+ rev = "34aa254f9ebf5899636a9927ceefbc9df80230f4";
+ };
+ homeManagerModule = {
+ url = "https://github.com/rycee/home-manager";
+ ref = "master";
+ rev = "465d08d99f5b72b38cecb7ca1865b7255de3ee86";
 };
 }
diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix
index 48aeb39..566ccb9 100644
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@@ -22,6 +22,7 @@
 "audio"
 "video"
 "cdrom"
+ "adbusers"
 ];
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
 } // args;
diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix
index 720fcd8..4c2e87c 100644
--- a/nix/os/profiles/common/pkg.nix
+++ b/nix/os/profiles/common/pkg.nix
@@ -1,8 +1,10 @@
-{ config, pkgs, ... }:
+{ config
+, pkgs
+, ... }:
 
 {
 imports = [
- "${builtins.fetchGit { url = "https://github.com/rycee/home-manager.git"; ref = "master"; }}/nixos"
+ "${}/nixos"
 ];
 
 home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix;
diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix
index 97294ee..673bc49 100644
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@@ -13,6 +13,6 @@ in {
 uid = 1000;
 };
 
- security.pam.enableU2F = true;
+ security.pam.u2f.enable = true;
 security.pam.services.steveej.u2fAuth = true;
 }
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix
index 5a23113..ee322df 100644
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@@ -91,6 +91,7 @@ services.udev.packages = [
 pkgs.libu2f-host
 pkgs.yubikey-personalization
+ pkgs.android-udev-rules
 ];
 services.udev.extraRules = ''
 # OnePlusOne
diff --git a/nix/overlay.nix b/nix/overlay.nix index de75f52..3394b5c 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix @@ -48,4 +48,6 @@ in { inherit sha256; }; }); + + rdedup = super.callPackages ./pkgs/rdedup {}; } diff --git a/nix/pkgs/rdedup/default.nix b/nix/pkgs/rdedup/default.nix new file mode 100644 index 0000000..6ac542e --- /dev/null +++ b/nix/pkgs/rdedup/default.nix @@ -0,0 +1,35 @@ +{ stdenv, fetchFromGitHub, rustPlatform, pkgconfig, openssl, libsodium +, llvmPackages, clang_39, lzma }: + +rustPlatform.buildRustPackage rec { + name = "rdedup-${version}"; + version = "3.1.1"; + + src = fetchFromGitHub { + owner = "dpc"; + repo = "rdedup"; + rev = "rdedup-v${version}"; + sha256 = "0y34a3mpghdmcb2rx4z62q0s351bfmy1287d75mm07ryfgglgsd7"; + }; + + patches = [ + ./v3.1.1-fix-Cargo.lock.patch + ]; + + cargoSha256 = "0p19qcz2ph6axfccjwc6z72hrlb48l7sf1n0hc1gfq8hj2s3k2s1"; + + nativeBuildInputs = [ pkgconfig llvmPackages.libclang clang_39 ]; + buildInputs = [ openssl libsodium lzma ]; + + configurePhase = '' + export LIBCLANG_PATH="${llvmPackages.libclang}/lib" + ''; + + meta = with stdenv.lib; { + description = "Data deduplication with compression and public key encryption"; + homepage = https://github.com/dpc/rdedup; + license = licenses.mpl20; + maintainers = with maintainers; [ dywedir ]; + platforms = platforms.all; + }; +} diff --git a/nix/pkgs/rdedup/v3.1.1-fix-Cargo.lock.patch b/nix/pkgs/rdedup/v3.1.1-fix-Cargo.lock.patch new file mode 100644 index 0000000..7dafc77 --- /dev/null +++ b/nix/pkgs/rdedup/v3.1.1-fix-Cargo.lock.patch 
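Review bot: `rdedup = super.callPackages ./pkgs/rdedup {};` uses `callPackages`, which expects the file to return an attribute set of packages and maps `makeOverridable` over its attributes; `./pkgs/rdedup/default.nix` returns a single derivation, so this should be `rdedup = super.callPackage ./pkgs/rdedup {};` (recent nixpkgs throws an explicit error for the plural form on a single derivation; older ones produce a derivation whose attributes have all been wrapped). The `in {` set this belongs to starts outside the hunk.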
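Review bot: Overriding `configurePhase` wholesale in `buildRustPackage` replaces whatever configure steps the builder provides, if any, just to export `LIBCLANG_PATH`; the conventional form is a derivation attribute, `LIBCLANG_PATH = "${llvmPackages.libclang}/lib";`, which reaches the build environment without touching the phases. The expression is otherwise pinned as it should be (tag `rdedup-v${version}` plus `sha256`, `cargoSha256` for the vendored crates, and a checked-in patch for the lock file), so a one-line comment on `patches` saying why upstream's `Cargo.lock` disagrees with the tag would help whoever bumps `version` next.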
@@ -0,0 +1,28 @@ +diff --git a/Cargo.lock b/Cargo.lock +index 96be83a..fe07471 100644 +--- a/Cargo.lock ++++ b/Cargo.lock +@@ -880,12 +880,12 @@ dependencies = [ + + [[package]] + name = "rdedup" +-version = "3.1.0" ++version = "3.1.1" + dependencies = [ + "clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)", + "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "log 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)", +- "rdedup-lib 3.0.0", ++ "rdedup-lib 3.1.0", + "rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)", + "slog 2.3.2 (registry+https://github.com/rust-lang/crates.io-index)", + "slog-async 2.3.0 (registry+https://github.com/rust-lang/crates.io-index)", +@@ -900,7 +900,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" + + [[package]] + name = "rdedup-lib" +-version = "3.0.0" ++version = "3.1.0" + dependencies = [ + "backblaze-b2 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)", + "base64 0.9.2 (registry+https://github.com/rust-lang/crates.io-index)", diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index 314346f..e6bc4a0 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -2,5 +2,5 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1) +hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*sha256:([0-9a-z]{52})' -r '$1') sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index f2d3a02..92f89d2 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 52734ca..75928de 100644 --- a/nix/variables/versions.nix 
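Review bot: The script records whatever hash `nix-build` reports for the fetched content (trust-on-first-use) and now does so via `rg -o … -r '$1'`, which adds ripgrep as a hard dependency and ties the script to the `got: sha256:` wording of nix's hash-mismatch message; nothing in the file states either. A header comment such as `# TOFU helper: replaces the 52-zero placeholder in INFILE with the hash nix-build reports (needs ripgrep; relies on the "got: sha256:<hash>" message). Verify the result against upstream before committing.` would cover both. Note that `nix-build` is expected to fail here, so `pipefail` must not be added; the abort path is `rg` exiting non-zero on no match, which is worth a comment of its own.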
+++ b/nix/variables/versions.nix
@@ -7,4 +7,9 @@
 ref = "nixos-unstable";
 rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
 };
+ homeManagerModule = {
+ url = "https://github.com/rycee/home-manager/";
+ ref = "release-18.09";
+ rev = "dd94a849df69fe62fe2cb23a74c2b9330f1189ed";
+ };
 }
diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix
new file mode 100644
index 0000000..93b44b8
--- /dev/null
+++ b/nix/variables/versions.tmpl.nix
@@ -0,0 +1,15 @@
+{
+ channelsNixosStable = {
+ ref = "nixos-19.03";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ channelsNixosUnstable = {
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ homeManagerModule = {
+ url = "https://github.com/rycee/home-manager";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/rycee/home-manager.git master | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
diff --git a/services/ffld/router-wan.lan/Justfile b/services/ffld/router-wan.lan/Justfile
new file mode 100644
index 0000000..322435d
--- /dev/null
+++ b/services/ffld/router-wan.lan/Justfile
@@ -0,0 +1,2 @@
+post-setup:
+ ansible-playbook -i hosts openwrt-post-setup.yaml --verbose
diff --git a/services/ffld/router-wan.lan/hosts b/services/ffld/router-wan.lan/hosts
new file mode 100644
index 0000000..d31ee02
--- /dev/null
+++ b/services/ffld/router-wan.lan/hosts
@@ -0,0 +1 @@
+router-wan.lan ansible_ssh_user=root
diff --git a/services/ffld/router-wan.lan/openwrt-post-setup.yaml b/services/ffld/router-wan.lan/openwrt-post-setup.yaml
new file mode 100644
index 0000000..45d89be
--- /dev/null
+++ b/services/ffld/router-wan.lan/openwrt-post-setup.yaml
@@ -0,0 +1,13 @@
+# * https://openwrt.org/docs/guide-user/services/nas/usb-storage-samba-webinterface
+- hosts: router-wan.lan
+ gather_facts: no
+ tasks:
+ - name: udpate pkg database
+ raw: opkg update
+ - name: install packages
+ raw: opkg install {{ item }}
+ loop:
+ - luci-ssl
+ - luci-app-samba samba36-server
+ - block-mount blockd kmod-fs-vmod kmod-fs-vfat kmod-usb-storage usbutils
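Review bot: `udpate pkg database` in the first task name is a typo for `update`. The `raw` module is the right choice for a router without Python, but it reports `changed` on every run, so `changed_when: false` on the `opkg update` task keeps play output honest and leaves the install task as the only one signalling change. The third loop item lists `kmod-fs-vmod` next to `kmod-fs-vfat`; I could not place a package of that name, so it may be a typo — worth checking the `opkg` output of the first run rather than trusting `--verbose` alone.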