2019-12-04 18:40:10 +00:00
26 changed files with 239 additions and 94 deletions
--- a/4
+++ b/4
@ -7,6 +7,7 @@ _DEFAULT_VERSION:
 _usage:
 	just -l

+# Re-render the default versions
 update-default-versions:
 	#!/usr/bin/env bash
 	template="$(just _DEFAULT_VERSION_TMPL)"
@ -82,6 +83,7 @@ rebuild-this-device rebuildarg="dry-activate":
 		fi
 	fi

+# Re-render the versions of a remote device and rebuild its environment
 update-remote-device device target rebuildmode='switch':
 	#!/usr/bin/env bash
 	set -e
@ -111,7 +113,7 @@ update-remote-device device target rebuildmode='switch':

 	git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions"

-# Update the channel versions and (by default) switch to new environment
+# Re-render the versions of the current device and rebuild its environment
 update-this-device rebuild-mode='switch':
 	#!/usr/bin/env bash
 	set -e
--- a/README.md
+++ b/README.md
@ -50,6 +50,9 @@ just --list
 ## Bootstrap

 ### A new machine
+* ensure the dotfiles repo has a branch with the new machine's hostname

-1. boot with an install media
-2. clone infra repository
+* boot with an install media and go through setup
+
+#### Post-Install Setup
+* `gpg2 --edit-card; fetch`
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -90,18 +90,18 @@ in {
      nix-prefetch-github

      # Version Control Systems
-      unstablepkgs.pijul
+      pijul
      gitless
      gitRepo
      git-lfs

-      # Cloud/Remote System Management
-      google-cloud-sdk
-      ansible
-      nixops
-      unstablepkgs.terraform
-      awscli
-      hcloud
+      # TODO: move Cloud/Remote System Management to a dev environment
+      # google-cloud-sdk
+      # ansible
+      # nixops
+      # terraform
+      # awscli
+      # hcloud

      # Process/System Administration
      htop
@ -139,7 +139,7 @@ in {
      aspellDicts.en
      aspellDicts.de
      unstablepkgs.skype
-      zoom-us
+      zoom-us # broken as of 2019-10-30
      unstablepkgs.bluejeans-gui
      thunderbird
      gnome3.evolution # gnome4.glib_networking
@ -338,16 +338,17 @@ in {
      pypi2nix

      ## Webdev
-      nodejs-8_x
-      npm2nix
-      emscripten
+      # TODO: move this to dev environment
+      # nodejs-8_x
+      # npm2nix
+      # emscripten

      # Code generators
      unstablepkgs.swagger-codegen

      # Misc Desktop Tools
      ltunify
-      solaar
+      # solaar # TODO: conflicts with solar over udev rules
      dex
      # kitty
      busyboxStatic
--- a/nix/home-manager/configuration/graphical-removable.nix
+++ b/nix/home-manager/configuration/graphical-removable.nix
@ -26,8 +26,6 @@ in {
      gnutls = true;
    };

-    android_sdk.accept_license = true;
-
    packageOverrides = pkgs: with pkgs; {
      myPython36 = python36Full.withPackages (ps: with ps; [
        pylint pep8 yapf flake8
@ -141,8 +139,6 @@ in {
      python27Packages.binwalk
      gptfdisk

-      androidsdk
-
      ## Python
      myPython36

--- a/nix/os/devices/disk.nix
+++ b/nix/os/devices/disk.nix
@ -28,11 +28,11 @@ in rec {

  diskUmount = pkgs.writeScript "script" ''
    #!/usr/bin/env bash
-    set -xe
-    sudo umount -R ${mntRootVol}
+    set -x
+    sudo umount -Rl ${mntRootVol}
    sudo rmdir ${mntRootVol}
    sudo vgchange -an ${ownLib.disk.volumeGroup diskId}
-    sudo cryptsetup luksClose ${ownLib.disk.luksName diskId}
+    sudo cryptsetup close ${ownLib.disk.luksName diskId}
    sync
  '';

@ -66,7 +66,7 @@ in rec {
    # Partition
    sync
    {
-    fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF
+    sudo fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF
    g
    n
    1
@ -95,30 +95,32 @@ in rec {
    EOF
    } || {
      sync
-      partprobe  ${ownLib.disk.bootGrubDevice diskId}
+      sudo partprobe  ${ownLib.disk.bootGrubDevice diskId}
    }

+    sleep 1
+
    # Encrypt
-    cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
-    cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
+    sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
+    sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}

    # LVM
-    vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
-    lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
-    lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
+    sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
+    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
+    sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root

    # Filesystem
-    mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId}
-    mkfs.btrfs ${ownLib.disk.rootFsDevice diskId}
-    mkswap ${ownLib.disk.swapFsDevice diskId}
+    sudo mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId}
+    sudo mkfs.btrfs ${ownLib.disk.rootFsDevice diskId}
+    sudo mkswap ${ownLib.disk.swapFsDevice diskId}

    # Subvolume and FS hierharchy
-    mkdir -p /mnt
-    mkdir ${mntRootVol}
-    mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
-    btrfs subvolume create ${mntRootVol}/nixos
-    btrfs subvolume create ${mntRootVol}/home
-    mkdir ${mntRootVol}/nixos/{boot,home}
+    sudo mkdir -p /mnt
+    sudo mkdir ${mntRootVol}
+    sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
+    sudo btrfs subvolume create ${mntRootVol}/nixos
+    sudo btrfs subvolume create ${mntRootVol}/home
+    sudo mkdir ${mntRootVol}/nixos/{boot,home}

    ${diskUmount}
  '';
--- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  imports = [
+    ../../profiles/common/configuration.nix
+    ../../profiles/graphical/configuration.nix
+    ../../modules/encryptedDisk.nix
+
+    ./system.nix
+    ./hw.nix
+    ../../profiles/removable-medium/pkg.nix
+  ];
+}
--- a/nix/os/devices/steveej-rmvbl-sduusb3128g/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/hw.nix
@ -4,6 +4,6 @@
  # TASK: new device
  hardware.encryptedDisk = {
    enable = true;
-    diskId = "usb-SanDisk_Ultra_USB_3.0_4C530001280509108321-0:0";
+    diskId = "ata-KINGSTON_SV100S2128G_08BAB0020855";
  };
 }
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@ -0,0 +1,29 @@
+{ pkgs, lib, ... }:
+
+let
+  sgx_linuxpackages = let
+      linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args:
+
+        buildLinux (args // rec {
+          version = "5.4.0-rc3";
+          modDirVersion = version;
+
+          src = fetchurl {
+            url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz";
+            sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20";
+          };
+          kernelPatches = [];
+
+          extraConfig = ''
+            INTEL_SGX y
+          '';
+
+          extraMeta.branch = "5.4";
+        } // (args.argsOverride or {}));
+      linux_sgx = pkgs.callPackage linux_sgx_pkg{};
+    in 
+      pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx);
+in {
+  networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
+  boot.kernelPackages = lib.mkForce sgx_linuxpackages;
+}
--- a/nix/os/devices/steveej-nuc7pjyh-work/versions.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/versions.nix
@ -0,0 +1,20 @@
+{
+  channelsNixosStable = {
+    ref = "nixos-19.09";
+    rev = "4ad6f1404a8cd69a11f16edba09cc569e5012e42";
+  };
+  channelsNixosUnstable = {
+    ref = "nixos-unstable";
+    rev = "e89b21504f3e61e535229afa0b121defb52d2a50";
+  };
+  nixpkgsMaster = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "35d99698aecce66f5b6597d3b8efa2b23e120636";
+  };
+  homeManagerModule = {
+    url = "https://github.com/rycee/home-manager";
+    ref = "master";
+    rev = "9781f3766de7293a67aa8098edb5dbe367939b36";
+  };
+}
--- a/nix/os/devices/steveej-rmvbl-sduusb3128g/configuration.nix
+++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/configuration.nix
--- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  # TASK: new device
+  hardware.encryptedDisk = {
+    enable = true;
+    diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0";
+  };
+}
--- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix
@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname.
+}
--- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
@ -0,0 +1,20 @@
+{
+  channelsNixosStable = {
+    ref = "nixos-19.09";
+    rev = "e6d584f6dd22b587d5cdf5019f5e7dd2be370f61";
+  };
+  channelsNixosUnstable = {
+    ref = "nixos-unstable";
+    rev = "41d921292e922a6cd1aba64259341c244d4c2cc7";
+  };
+  nixpkgsMaster = {
+    url = "https://github.com/NixOS/nixpkgs/";
+    ref = "master";
+    rev = "a6934e36534f8a87a78f877eee65c08fa9867ba5";
+  };
+  homeManagerModule = {
+    url = "https://github.com/rycee/home-manager";
+    ref = "master";
+    rev = "286dd9b3088298e5a4625b517f8e72b1c62e4f74";
+  };
+}
--- a/nix/os/devices/steveej-rmvbl-sduusb3128g/system.nix
+++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/system.nix
@ -1,5 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "steveej-rmvbl-sduusb3128g"; # Define your hostname.
-}
--- a/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix
+++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix
@ -1,10 +0,0 @@
-{
-  channelsNixosStable = {
-    ref = "nixos-18.09";
-    rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
-  };
-  channelsNixosUnstable = {
-    ref = "nixos-unstable";
-    rev = "eebd1a9263716a04689a37b6537e50801d376b5e";
-  };
-}
--- a/nix/os/devices/steveej-t480s-work/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@ -15,6 +15,7 @@
    ./system.nix
    ./hw.nix
    ./pkg.nix
+    ./user.nix

    ../../profiles/podman/configuration.nix
  ];
--- a/nix/os/devices/steveej-t480s-work/system.nix
+++ b/nix/os/devices/steveej-t480s-work/system.nix
@ -65,9 +65,13 @@ in {
    };
    virtualbox.host.enable = true;
    virtualbox.host.addNetworkInterface = true;
-    docker.enable = true;
+    docker = {
+      enable = true;
+      extraOptions = "--experimental";
+    };
  };

+
  boot.initrd.network = {
    enable = true;
    useDHCP = true;
--- a/nix/os/devices/steveej-t480s-work/user.nix
+++ b/nix/os/devices/steveej-t480s-work/user.nix
@ -0,0 +1,27 @@
+{ config
+, pkgs
+, ... }:
+
+let
+  passwords = import ../../../variables/passwords.crypt.nix;
+  keys = import ../../../variables/keys.nix;
+  inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+  users.extraUsers.steveej2 = mkUser {
+    uid = 1001;
+    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+
+    subUidRanges = [{ startUid = 200000; count = 100000; }];
+    subGidRanges = [{ startGid = 200000; count = 100000; }];
+  };
+
+  users.extraUsers.steveej3 = mkUser {
+    uid = 1002;
+    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    shell = pkgs.posh { image = "quay.io/enarx/fedora"; };
+
+    subUidRanges = [{ startUid = 300000; count = 100000; }];
+    subGidRanges = [{ startGid = 300000; count = 100000; }];
+  };
+}
--- a/nix/os/devices/steveej-t480s-work/versions.nix
+++ b/nix/os/devices/steveej-t480s-work/versions.nix
@ -1,20 +1,20 @@
 {
  channelsNixosStable = {
-    ref = "nixos-19.03";
-    rev = "aef662d2eb532eeb9976068fd1705e3cf3663054";
+    ref = "nixos-19.09";
+    rev = "e6d584f6dd22b587d5cdf5019f5e7dd2be370f61";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
-    rev = "73392e79aa62e406683d6a732eb4f4101f4732be";
+    rev = "41d921292e922a6cd1aba64259341c244d4c2cc7";
  };
  nixpkgsMaster = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
-    rev = "51aa3cc4855c5964a6e71adcf7b79c1a0c23f322";
+    rev = "a6934e36534f8a87a78f877eee65c08fa9867ba5";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
-    rev = "95382060ebaa19ec49a861921216b1db8460b314";
+    rev = "286dd9b3088298e5a4625b517f8e72b1c62e4f74";
  };
 }
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@ -11,6 +11,9 @@ in {
  users.extraUsers.root = mkRoot { };
  users.extraUsers.steveej = mkUser {
    uid = 1000;
+
+    subUidRanges = [{ startUid = 100000; count = 100000; }];
+    subGidRanges = [{ startGid = 100000; count = 100000; }];
  };

  security.pam.u2f.enable = true;
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@ -1,5 +1,5 @@
 { pkgs
-, ... 
+, ...
 }:

 {
@ -30,7 +30,7 @@
    };
  };
  # required for running blueman-applet in user sessions
-  services.dbus.packages = with pkgs; [ 
+  services.dbus.packages = with pkgs; [
    blueman
  ];

@ -68,19 +68,24 @@
    };
  };

+  services.gvfs.enable = true;
+  programs.seahorse.enable = true;
+  programs.gpaste.enable = false;
+  programs.gnome-terminal.enable = false;
+  programs.gnome-documents.enable = false;
+  programs.gnome-disks.enable = false;
+
  services.gnome3 = {
-    gnome-disks.enable = false;
-    gnome-documents.enable = false;
-    gnome-online-miners.enable = false;
+    # gnome-online-miners.enable = false; TODO: enable this again
+    games.enable = false;
+    gnome-remote-desktop.enable = false;
    gnome-user-share.enable = false;
-    gnome-terminal-server.enable = false;
-    gpaste.enable = false;
+    rygel.enable = false;
    sushi.enable = false;
    tracker.enable = false;
+    tracker-miners.enable = false;

    # FIXME: gnome should be moved to user session
-    seahorse.enable = true;
-    gvfs.enable = true;
    at-spi2-core.enable = true;
    evolution-data-server.enable = true;
    gnome-online-accounts.enable = true;
--- a/nix/os/profiles/podman/configuration.nix
+++ b/nix/os/profiles/podman/configuration.nix
@ -177,11 +177,4 @@
      "${pkgs.runc}/bin/runc"
    ]
 '';
-
-  environment.etc."subuid".text = ''
-    steveej:10000:65536
-  '';
-  environment.etc."subgid".text = ''
-    steveej:10000:65536
-  '';
 }
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -23,15 +23,9 @@ in {
    '';
  };

-
-
-  podman = nixpkgs-master.podman;
-  conmon = nixpkgs-master.conmon;
-
  duplicacy = super.callPackage ./pkgs/duplicacy {};
  just = super.callPackage ./pkgs/just.nix {};
  mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {};
-  slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {};
  staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; };

  roxterm = super.stdenv.mkDerivation {
@ -71,4 +65,41 @@ in {
    });

  rdedup = super.callPackages ./pkgs/rdedup {};
+
+  # TODO: facetimehd is currfently broken (https://github.com/NixOS/nixpkgs/pull/72804)
+  facetimehd-firmware = super.hello;
+
+  qtile = nixpkgs-master.qtile;
+
+  inherit (nixpkgs-master) podman conmon slirp4netns;
+
+  # posh makes use of podman to run an encapsulated shell session
+  posh = { image, pull ? "always", global_args ? "", run_args ? "" }:
+    (super.writeScriptBin "posh" ''
+      #! ${super.bash}/bin/bash
+      source /etc/profile
+
+      test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"
+      tty -s && tty="-t" || quiet="-q"
+
+      # define these as variables so we can override them at runtime
+      POSH_IMAGE=${image}
+      POSH_PULL=${pull}
+
+      if [ "$1" == "-c" ]; then
+        # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string
+        shift
+        # TODO parse the beginning of the command for POSH_* overrides
+      fi
+
+      exec ${self.podman}/bin/podman \
+        ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
+        ${run_args} ''${POSH_IMAGE} $@
+    '')
+    .overrideAttrs(attrs: attrs // {
+        passthru = {
+          shellPath = "/bin/posh";
+        };
+    });
+
 }
--- a/nix/variables/versions.nix
+++ b/nix/variables/versions.nix
@ -1,20 +1,20 @@
 {
  channelsNixosStable = {
-    ref = "nixos-19.03";
-    rev = "3a4ffdd38b56801ce616aa08791121d36769e884";
+    ref = "nixos-19.09";
+    rev = "c5aabb0d603e2c1ea05f5a93b3be82437f5ebf31";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
-    rev = "07b42ccf2de451342982b550657636d891c4ba35";
+    rev = "7827d3f4497ed722fedca57fd4d5ca1a65c38256";
  };
  nixpkgsMaster = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
-    rev = "d8c7f0bd3f42bc9e687b12ce7f0a4ef747f27933";
+    rev = "abe853b84c58ddbb7c5c07e80090d47480d56c11";
  };
  homeManagerModule = {
    url = "https://github.com/rycee/home-manager";
    ref = "master";
-    rev = "03162970cd6dadfac58f169cd50aed5a5aeec14f";
+    rev = "450571056552c9311fcb2894328696b535265593";
  };
 }
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
@ -1,7 +1,7 @@
 {
  channelsNixosStable = {
-    ref = "nixos-19.03";
-    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>";
+    ref = "nixos-19.09";
+    rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
  };
  channelsNixosUnstable = {
    ref = "nixos-unstable";
--- a/shell.nix
+++ b/shell.nix
@ -22,10 +22,6 @@ stdenv.mkDerivation {
    esh

    xorg.xwininfo
-
-
-    # testing
-    alacritty
  ];

  # Set Environment Variables