2019-03-20 11:28:18 +00:00
30 changed files with 482 additions and 65 deletions
--- a/56
+++ b/56
@ -1,3 +1,6 @@
 _DEFAULT_VERSION_TMPL:
 	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
 _usage:
 	just -l
@ -21,12 +24,12 @@ _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
 	set -ex
 	just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}
-rebuild-remote-device dir target rebuildarg="dry-activate" :
+rebuild-remote-device device target rebuildarg="dry-activate" :
 	#!/usr/bin/env bash
 	set -ex
-	just -v _rebuild-device {{dir}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
+	just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
-# Rebulid this device's NixOS
+# Rebuild this device's NixOS
 rebuild-this-device rebuildarg="dry-activate":
 	#!/usr/bin/env bash
 	set -e
@ -50,7 +53,8 @@ rebuild-this-device rebuildarg="dry-activate":
 		echo System rebuild successful
 	else
 		cat ${SYSREBUILD_LOG}
-		echo System rebuild failed
+		echo ERROR: system rebuild failed
 		exit 1
 	fi
 	if type home-manager > /dev/null 2>&1; then
@ -60,18 +64,44 @@ rebuild-this-device rebuildarg="dry-activate":
 			echo Home rebuild successful
 		else
 			cat ${HOMEREBUILD_LOG}
-			echo Home rebuild failed
+			echo ERROR: home rebuild failed
 			exit 1
 		fi
 	fi
-# This could be used to inject another channel
+update-remote-device device target rebuildmode='switch':
-# --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'"
+	#!/usr/bin/env bash
 	set -e
 	template=nix/os/devices/{{device}}/versions.tmpl.nix
 	outfile=nix/os/devices/{{device}}/versions.nix
 	if ! test -e ${template}; then
 		template="$(just _DEFAULT_VERSION_TMPL)"
 	fi
 	esh -o ${outfile} ${template}
 	if ! test "$(git diff ${outfile})"; then
 		echo Already on latest versions
 		exit 0
 	fi
 	just -v rebuild-remote-device {{device}} {{target}} dry-activate || {
 		echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
 		exit 1
 	}
 	just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || {
 		echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
 		exit 1
 	}
 	git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions"
 # Update the channel versions and (by default) switch to new environment
 update-this-device rebuild-mode='switch':
 	#!/usr/bin/env bash
-	set -xe
+	set -e
 	template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
 	outfile=nix/os/devices/$(hostname -s)/versions.nix
@ -85,16 +115,16 @@ update-this-device rebuild-mode='switch':
 	export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
 	just -v rebuild-this-device dry-activate || {
 		echo ERROR: Update failed, reverting ${outfile}...
-		git checkout ${outfile}
+		exit 1
 	}
 	just -v rebuild-this-device {{rebuild-mode}} || {
 		echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed
 		exit 1
 	}
 	git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions"
 	just -v rebuild-this-device {{rebuild-mode}} || {
 		echo WARNING: Rebuilding in {{rebuild-mode}}-mode failed
 	}
 # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
 hm-iterate-qtile:
 	#!/usr/bin/env bash
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ This is mostly achieved with the help of [Nix](https://nixos.org).
 In the unlikely case that you actually read this and have any questions please don't hesitate to reach out.
-## Roadmap
+## Initial Roadmap
 - All graphical systems (incl. install media) must have
  - [x] Full-disk encryption by default
@ -17,11 +17,10 @@ In the unlikely case that you actually read this and have any questions please d
  - [x] home-manager
  - [x] pkgs-configuration
  - [ ] development environments
- [ ] (Semi-) automatic synchronization of important repositories
+- [x] (Semi-) automatic synchronization of important repositories
  - [x] Modification strategy
      The approach is to use vcsh for the dotfiles
  - [x] dotfiles
  - [ ] password-store
  - [ ] this repo
 - [x] Toplevel Justfile for simple actions
  - [x] mount/umount disks
  - [x] install to mounted disk
@ -36,7 +35,7 @@ In the unlikely case that you actually read this and have any questions please d
 - [ ] Design disaster recovery
 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
 - [ ] Recycle *\_archived*
- [ ] Maybe make this a nix-overlay
+- [x] Maybe make this a nix-overlay
 ## Bugs
 - [ ] home-manager leaves ~/.gnupg at 0755
--- a/nix/default.nix
+++ b/nix/default.nix
@ -3,22 +3,26 @@
 {
  channelSources =
    let
      # channelVersions = (import ((builtins.getEnv "PWD")+"/${dir}/versions.nix"));
      channelVersions = (import versionsPath);
-      mkChannelSource = channel: builtins.fetchGit {
+      mkChannelSource = channel:
-        # Descriptive name to make the store path easier to identify
+        let
-        url = "https://github.com/NixOS/nixpkgs-channels/";
+          channelVersion = builtins.getAttr channel channelVersions;
-        # Commit hash for nixos-unstable as of 2018-09-12
+        in builtins.fetchGit {
-        # `git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable`
+          # Descriptive name to make the store path easier to identify
-        ref = (builtins.getAttr channel channelVersions)."ref";
+          name = "nixpkgs-channels-${channel}";
-        rev = (builtins.getAttr channel channelVersions)."rev";
+          url = if builtins.hasAttr "url" channelVersion
-        name = "nixpkgs-channels-${channel}";
+            then channelVersion."url"
            else "https://github.com/NixOS/nixpkgs-channels/"
          ;
          ref = (builtins.getAttr channel channelVersions)."ref";
          rev = (builtins.getAttr channel channelVersions)."rev";
      };
      nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [
        [ "nixpkgs" (mkChannelSource "channelsNixosStable") ]
        [ "nixos" (mkChannelSource "channelsNixosStable" + "/nixos") ]
        [ "channels-nixos-stable" (mkChannelSource "channelsNixosStable") ]
        [ "channels-nixos-unstable" (mkChannelSource "channelsNixosUnstable") ]
        [ "home-manager-module" (mkChannelSource "homeManagerModule") ]
      ];
    in (import (mkChannelSource "channelsNixosStable") {}).writeText "channels.rc" ''
      export NIX_PATH=${nix_path}
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -27,8 +27,6 @@ in {
      gnutls = true;
    };
    android_sdk.accept_license = true;
    packageOverrides = pkgs: with pkgs; {
      myPython36 = python36Full.withPackages (ps: with ps; [
        pep8 yapf flake8
@ -152,7 +150,7 @@ in {
      # virtualbox
      vagrant
      rkt
-      python27Packages.docker_compose
+      docker_compose
      # unstablepkgs.kubernetes
      unstablepkgs.minikube
      unstablepkgs.openshift
@ -185,8 +183,9 @@ in {
      iperf
      bind
      socat
-      linssid
+      # 2019-03-05: broken on 19.03 linssid
      iptraf-ng
      ipmitool
      # samba
      iptables
@ -283,7 +282,6 @@ in {
      # File Synchronzation
      seafile-client
      syncthing
      grive2
      dropbox
      # gocryptfs
@ -291,7 +289,6 @@ in {
      # s3ql
      # rclone
      rsync
      duplicacy
      # Filesystem Tools
      ntfs3g
@ -325,7 +322,7 @@ in {
      bazel
      ## Android
-      androidsdk
+      androidenv.androidPkgs_9_0.platform-tools
      ## Java
      # jre
--- a/nix/home-manager/configuration/text-minimal.nix
+++ b/nix/home-manager/configuration/text-minimal.nix
@ -1,6 +1,6 @@
 { pkgs
-, config,
+, config
-... }:
+, ... }:
 let
@ -24,5 +24,6 @@ in {
    ++ (with pkgs; [
    iperf3
    telnet
    speedtest-cli
  ]);
 }
--- a/nix/home-manager/profiles/common.nix
+++ b/nix/home-manager/profiles/common.nix
@ -1,11 +1,12 @@
-{ pkgs,
+{ pkgs
-...
+, ...
 }:
 let 
 in {
-  programs.home-manager.enable = true;
+  # TODO: re-enable this with the appropriate version
-  programs.home-manager.path = https://github.com/rycee/home-manager/archive/master.tar.gz;
+  # programs.home-manager.enable = true;
  # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
  nixpkgs.overlays = [
    (import ../../overlay.nix)
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@ -9,7 +9,7 @@
  nixpkgs.config = {
    chromium = {
-      enablePepperPDF = true;
+      # 2019-03-05: missing on 19.03 enablePepperPDF = true;
      enablePepperFlash = false;
    };
  };
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@ -93,6 +93,8 @@ in {
              "sha256" = "181siphb87yzln9433159ssa6vmm1h2dd0kqhlx7bgsi51gng4rv";
            };
          };
          tlib = vimPlugins.tlib_vim;
        };
        pluginDictionaries = let 
@ -126,7 +128,7 @@ in {
            "git-blame"
            # Nix
-            "vim-addon-nix"
+            "vim-addon-nix" "tlib"
            "vim-addon-vim2nix"
            # LaTeX
@ -146,7 +148,7 @@ in {
            "vim-markdown-toc"
            # misc syntax support
-            "vim-bazel"
+            "vim-bazel" "maktaba"
          ];
        in [
          { names = default; }
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@ -0,0 +1,185 @@
 { config, ... } @ args:
 let
  unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
  passwords = import ../../variables/passwords.crypt.nix;
  bucket = "bkp";
  subvolumeParentDir = "/var/lib";
  subvolumeDir = "/var/lib/container-volumes";
  subvolumeSnapshot = "/var/lib/container-volumes.snapshot";
  bkpSource = subvolumeSnapshot;
  bkpDestination = "/container/backup";
  cacheDir = "/var/lib/rclone-cachedir";
  wasabiRc = pkgs: pkgs.writeText "rc" ''
    [wasabi-${bucket}]
    type = s3
    provider = Wasabi
    env_auth = false
    #bkp user
    access_key_id = ${passwords.storage.wasabi.bkp.key}
    secret_access_key = ${passwords.storage.wasabi.bkp.secret}
    region = us-east-1
    endpoint = s3.wasabisys.com
    location_constraint =
    acl =
    server_side_encryption =
    storage_class =
  '';
  bkp-mount-rclone-manual = pkgs: {
      enable = true;
      description = "bkp-mount-rclone-manual service";
      path = with pkgs; [ unstablepkgs.rclone utillinux ];
      serviceConfig = {
        Type = "notify";
      };
      script = ''
        export PATH="$PATH:/run/wrappers/bin"
        exec rclone --config ${wasabiRc pkgs} mount wasabi-${bucket}:${bucket} ${bkpDestination} \
                    --stats=1m --stats-log-level=NOTICE \
                    --cache-dir=${cacheDir} \
                    --vfs-cache-mode=full
      '';
      preStart  = ''
          mkdir -p ${bkpDestination}
          mkdir -p ${cacheDir}
      '';
      postStop = ''
          sync
          umount ${bkpDestination} \
            || umount -l ${bkpDestination} \
            || :
          rmdir ${bkpDestination}
      '';
    };
 in args // {
  config = { pkgs, ... }: {
    imports = [
      ../profiles/containers/configuration.nix
    ];
    environment.systemPackages = with pkgs; [
      btrfs-progs
      rdup rdedup
      iptraf-ng nethogs
      rclone
    ];
    networking.firewall.enable = true;
    systemd.services."bkp-mount-rclone-manual" = bkp-mount-rclone-manual pkgs;
    systemd.services."bkp-sync-rclone" = {
      enable = true;
      description = "bkp-sync-rclone service";
      serviceConfig = {
        Type = "oneshot";
      };
      after = [
        "bkp-run.service"
      ];
      requires = [
        "bkp-run.service"
      ];
      path = with pkgs; [ unstablepkgs.rclone utillinux ];
      script = ''
        set -x
        echo Starting rclone sync...
        rclone --config ${wasabiRc pkgs} sync \
          ${bkpDestination}/rdedup/ wasabi-${bucket}:${bucket}/rdedup/  \
            --stats=1m --stats-log-level=NOTICE
        echo Finished rclone sync...
      '';
    };
    systemd.services."bkp-run" = {
      enable = true;
      description = "bkp-run";
      serviceConfig = {
        Type = "oneshot";
      };
      partOf = [
        "bkp-sync-rclone.service"
      ];
      path = with pkgs; [ btrfs-progs rdup rdedup coreutils ];
      preStart = ''
        echo Creating new btrfs snapshot of ${subvolumeDir} at ${subvolumeSnapshot}
        btrfs subvolume snapshot -r ${subvolumeDir} ${subvolumeSnapshot}
      '';
      script = ''
        #! ${pkgs.bash}/bin/bash
        export RUST_BACKTRACE=1
        export TIMESTAMP=$(date +"%Y%m%d.%H%M%S")
        echo Starting rdup/rdedup backup...
        for d in `ls -1 ${bkpSource}`; do
          echo Determining backup source size ${bkpSource}/$d...
          du -hs ${bkpSource}/$d
          set -x
          rdup -x /dev/null ${bkpSource}/$d | rdedup -v -ttt --dir=${bkpDestination}/rdedup store $d-''${TIMESTAMP}
          set +x
        done
        sync
        echo Finished rdup/rdedup backup...
        echo Determining backup destination size ${bkpDestination}/rdedup...
        du -hs ${bkpDestination}/rdedup
      '';
      postStop = ''
        btrfs subvolume delete ${subvolumeSnapshot}
      '';
    };
    systemd.timers."bkp" = {
      description = "Timer to trigger bkp periodically";
      enable = true;
      wantedBy = [ "timer.target" "multi-user.target" ];
      timerConfig = {
        OnCalendar = "23:00";
        Unit = "bkp-sync-rclone.service";
        # OnActiveSec="1s";
        # OnUnitInactiveSec="12h";
        # AccuracySec="5s";
      };
    };
  };
  autoStart = true;
  bindMounts = {
    "${subvolumeParentDir}" = {
      hostPath = "/var/lib/";
      isReadOnly = false;
    };
    "/dev/fuse" = {
      hostPath = "/dev/fuse";
      isReadOnly = false;
    };
  };
  allowedDevices = [
    { node = "/dev/fuse"; modifier = "rw"; }
  ];
  privateNetwork = true;
  forwardPorts = [
  ];
 }
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -41,6 +41,10 @@ in args // {
          args = scheme=CRYPT username_format=%u /etc/dovecot/users
        }
        protocol lda {
          postmaster_address = "mail@stefanjunker.de"
          mail_plugins = $mail_plugins sieve
        }
      '';
    };
@ -53,7 +57,9 @@ in args // {
      enable = true;
      wantedBy = [ "multi-user.target" ];
      serviceConfig.User = "steveej";
-      serviceConfig.Group = "users";
+      serviceConfig.Group = "dovecot2";
      serviceConfig.RestartSec = 600;
      serviceConfig.Restart = "always";
      description = "Getmail service";
      path = [ pkgs.getmail ];
      script = let
@ -72,8 +78,8 @@ in args // {
            mailboxes = ('INBOX',)
            [destination]
-            type = Maildir
+            type = MDA_external
-            path = ~/.maildir/
+            path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
          '';
        in ''
          getmail --rcfile=${rc} --idle=INBOX
@ -84,10 +90,10 @@ in args // {
      enable = true;
      wantedBy = [ "multi-user.target" ];
      serviceConfig.User = "steveej";
-      serviceConfig.Group = "users";
+      serviceConfig.Group = "dovecot2";
      description = "Getmail service";
      path = [ pkgs.getmail ];
-      serviceConfig.RestartSec = 900;
+      serviceConfig.RestartSec = 1000;
      serviceConfig.Restart = "always";
      script = let
          rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -0,0 +1,41 @@
 { ... } @ args:
 let
 in args // {
  config = { config, pkgs, ... }: {
    imports = [
      ../profiles/containers/configuration.nix
    ];
    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [
      # syncthing gui
      8384
    ];
    services.syncthing = {
      enable = true;
      openDefaultPorts = true;
      guiAddress = "0.0.0.0:8384";
    };
  };
  autoStart = true;
  bindMounts = {
    "/var/lib/syncthing/" = {
      hostPath = "/var/lib/container-volumes/syncthing/var-lib-syncthing";
      isReadOnly = false;
    };
  };
  privateNetwork = true;
  forwardPorts = [
    {
      containerPort = 22000;
      hostPort = 22000;
      protocol = "tcp";
    }
  ];
 }
--- a/nix/os/devices/steveej-t480s-work/versions.nix
+++ b/nix/os/devices/steveej-t480s-work/versions.nix
@ -1,10 +1,15 @@
 {
  channelsNixosStable = {
-    ref = "nixos-18.09";
+    ref = "nixos-19.03";
-    rev = "97e0d53d669cd07f0750a42fd535524b3cdd46d1";
+    rev = "07e2b59812de95deeedde95fb6ba22d581d12fbc";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
-    rev = "be445a9074f139d63e704fa82610d25456562c3d";
+    rev = "34aa254f9ebf5899636a9927ceefbc9df80230f4";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
    rev = "52fdf5b7ecab93eaf2a2ee83777b73f8ee126614";
  };
 }
--- a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
+++ b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
@ -1,10 +1,15 @@
 {
  channelsNixosStable = {
-    ref = "nixos-18.09";
+    ref = "nixos-19.03";
-    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-18.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
    rev = "<% git ls-remote https://github.com/rycee/home-manager.git master | awk '{ print $1 }' | tr -d '\n' -%>";
  };
 }
--- a/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix
@ -7,11 +7,6 @@
 {
  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix;
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
  };
 services.hydra = {
    enable = false;
    hydraURL = "http://localhost:3000"; # externally visible URL
--- a/nix/os/devices/vmd32387.contaboserver.net/system.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix
@ -52,6 +52,31 @@ in {
  services.spice-vdagentd.enable = true;
  services.qemuGuest.enable = true;
  systemd.services."sshd-status" = {
    enable = true;
    description = "sshd-status service";
    path = [ pkgs.systemd ];
    script = ''
      systemctl status sshd | grep -i tasks
    '';
  };
  systemd.services.sshd.serviceConfig = {
    TasksMax = 32;
  };
  systemd.timers."sshd-status" = {
    description = "Timer to trigger sshd-status periodically";
    enable = true;
    wantedBy = [ "timer.target" "multi-user.target" ];
    timerConfig = {
      OnActiveSec="5s";
      OnUnitActiveSec="5s";
      AccuracySec="1s";
      Unit = "sshd-status.service";
    };
  };
  boot.initrd.network = {
    enable = true;
    udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
@ -80,5 +105,16 @@ in {
      hostAddress = "192.168.100.12";
      localAddress = "192.168.100.13";
    };
    syncthing = import ../../containers/syncthing.nix {
      hostAddress = "192.168.100.14";
      localAddress = "192.168.100.15";
    };
    backup = import ../../containers/backup.nix {
      inherit config;
      hostAddress = "192.168.100.16";
      localAddress = "192.168.100.17";
    };
  };
 }
--- a/nix/os/devices/vmd32387.contaboserver.net/versions.nix
+++ b/nix/os/devices/vmd32387.contaboserver.net/versions.nix
@ -1,10 +1,15 @@
 {
  channelsNixosStable = {
-    ref = "nixos-18.09";
+    ref = "nixos-19.03";
-    rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
+    rev = "07e2b59812de95deeedde95fb6ba22d581d12fbc";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
-    rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
+    rev = "34aa254f9ebf5899636a9927ceefbc9df80230f4";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
    rev = "465d08d99f5b72b38cecb7ca1865b7255de3ee86";
  };
 }
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@ -22,6 +22,7 @@
      "audio"
      "video"
      "cdrom"
      "adbusers"
    ];
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
  } // args;
--- a/nix/os/profiles/common/pkg.nix
+++ b/nix/os/profiles/common/pkg.nix
@ -1,8 +1,10 @@
-{ config, pkgs, ... }:
+{ config
 , pkgs
 , ... }:
 {
  imports = [
-    "${builtins.fetchGit { url = "https://github.com/rycee/home-manager.git"; ref = "master"; }}/nixos"
+    "${<home-manager-module>}/nixos"
  ];
  home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix;
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@ -13,6 +13,6 @@ in {
    uid = 1000;
  };
-  security.pam.enableU2F = true;
+  security.pam.u2f.enable = true;
  security.pam.services.steveej.u2fAuth = true;
 }
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@ -91,6 +91,7 @@
  services.udev.packages = [
    pkgs.libu2f-host
    pkgs.yubikey-personalization
    pkgs.android-udev-rules
  ];
  services.udev.extraRules = ''
    # OnePlusOne
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -48,4 +48,6 @@ in {
        inherit sha256;
      };
    });
  rdedup = super.callPackages ./pkgs/rdedup {};
 }
--- a/nix/pkgs/rdedup/default.nix
+++ b/nix/pkgs/rdedup/default.nix
@ -0,0 +1,35 @@
 { stdenv, fetchFromGitHub, rustPlatform, pkgconfig, openssl, libsodium
 , llvmPackages, clang_39, lzma }:
 rustPlatform.buildRustPackage rec {
  name = "rdedup-${version}";
  version = "3.1.1";
  src = fetchFromGitHub {
    owner = "dpc";
    repo = "rdedup";
    rev = "rdedup-v${version}";
    sha256 = "0y34a3mpghdmcb2rx4z62q0s351bfmy1287d75mm07ryfgglgsd7";
  };
  patches = [
    ./v3.1.1-fix-Cargo.lock.patch
  ];
  cargoSha256 = "0p19qcz2ph6axfccjwc6z72hrlb48l7sf1n0hc1gfq8hj2s3k2s1";
  nativeBuildInputs = [ pkgconfig llvmPackages.libclang clang_39 ];
  buildInputs = [ openssl libsodium lzma ];
  configurePhase = ''
    export LIBCLANG_PATH="${llvmPackages.libclang}/lib"
  '';
  meta = with stdenv.lib; {
    description = "Data deduplication with compression and public key encryption";
    homepage = https://github.com/dpc/rdedup;
    license = licenses.mpl20;
    maintainers = with maintainers; [ dywedir ];
    platforms = platforms.all;
  };
 }
--- a/nix/pkgs/rdedup/v3.1.1-fix-Cargo.lock.patch
+++ b/nix/pkgs/rdedup/v3.1.1-fix-Cargo.lock.patch
@ -0,0 +1,28 @@
 diff --git a/Cargo.lock b/Cargo.lock
 index 96be83a..fe07471 100644
 --- a/Cargo.lock
 +++ b/Cargo.lock
@@ -880,12 +880,12 @@ dependencies = [
 [[package]]
 name = "rdedup"
 -version = "3.1.0"
 +version = "3.1.1"
 dependencies = [
  "clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "log 0.3.9 (registry+https://github.com/rust-lang/crates.io-index)",
 - "rdedup-lib 3.0.0",
 + "rdedup-lib 3.1.0",
  "rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "slog 2.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "slog-async 2.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -900,7 +900,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "rdedup-lib"
 -version = "3.0.0"
 +version = "3.1.0"
 dependencies = [
  "backblaze-b2 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "base64 0.9.2 (registry+https://github.com/rust-lang/crates.io-index)",
--- a/nix/scripts/pre-eval-fixed.sh
+++ b/nix/scripts/pre-eval-fixed.sh
@ -2,5 +2,5 @@
 set -xe
 INFILE="${1:?Please set arg1 to INFILE}"
 OUTFILE="${2:?Please set arg2 to OUTFILE}"
-hash=$(nix-build ${INFILE} --arg pkgs 'import <channels-nixos-stable> {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1)
+hash=$(nix-build ${INFILE} --arg pkgs 'import <channels-nixos-stable> {}' --arg config 'null' 2>&1 | rg -o 'got.*sha256:([0-9a-z]{52})' -r '$1')
 sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE}
--- a/nix/variables/passwords.crypt.nix
+++ b/nix/variables/passwords.crypt.nix
--- a/nix/variables/versions.nix
+++ b/nix/variables/versions.nix
@ -7,4 +7,9 @@
    ref = "nixos-unstable";
    rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager/";
    ref = "release-18.09";
    rev = "dd94a849df69fe62fe2cb23a74c2b9330f1189ed";
  };
 }
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
@ -0,0 +1,15 @@
 {
  channelsNixosStable = {
    ref = "nixos-19.03";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
    rev = "<% git ls-remote https://github.com/rycee/home-manager.git master | awk '{ print $1 }' | tr -d '\n' -%>";
  };
 }
--- a/services/ffld/router-wan.lan/Justfile
+++ b/services/ffld/router-wan.lan/Justfile
@ -0,0 +1,2 @@
 post-setup:
 	ansible-playbook -i hosts openwrt-post-setup.yaml --verbose
--- a/services/ffld/router-wan.lan/hosts
+++ b/services/ffld/router-wan.lan/hosts
@ -0,0 +1 @@
 router-wan.lan ansible_ssh_user=root
--- a/services/ffld/router-wan.lan/openwrt-post-setup.yaml
+++ b/services/ffld/router-wan.lan/openwrt-post-setup.yaml
@ -0,0 +1,13 @@
 # * https://openwrt.org/docs/guide-user/services/nas/usb-storage-samba-webinterface
 - hosts: router-wan.lan
  gather_facts: no
  tasks:
  - name: udpate pkg database
    raw: opkg update
  - name: install packages
    raw: opkg install {{ item }}
    loop:
      - luci-ssl
      - luci-app-samba samba36-server
      - block-mount blockd kmod-fs-vmod kmod-fs-vfat kmod-usb-storage usbutils
		`@ -0,0 +1,2 @@`
							`post-setup:`
							`ansible-playbook -i hosts openwrt-post-setup.yaml --verbose`