From b481126ae27eb843e4da7e2683d501558fac132a Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Wed, 5 Jul 2023 15:55:04 +0200 Subject: [PATCH 1/5] feat: start migrating steveej-t14 and sj-vps-htz-0 to sops --- .sops.yaml | 37 +++ Justfile | 35 +-- flake.lock | 269 +++++++++++------- flake.nix | 28 +- nix/devShells.nix | 7 + .../configuration/graphical-fullblown.nix | 84 +++++- nix/home-manager/profiles/sway-desktop.nix | 105 ++++--- nix/home-manager/profiles/wayland-desktop.nix | 28 +- nix/home-manager/programs/espanso.nix | 7 +- nix/home-manager/programs/firefox.nix | 1 + nix/home-manager/programs/radicale.nix | 44 +-- nix/home-manager/programs/waybar.nix | 32 ++- nix/os/containers/mailserver.nix | 43 ++- nix/os/containers/mailserver_secrets.yaml | 38 +++ nix/os/devices/default.nix | 2 +- nix/os/devices/elias-e525/default.nix | 2 +- nix/os/devices/elias-e525/user.nix | 3 +- nix/os/devices/fwhost2/user.nix | 2 +- nix/os/devices/justyna-p300/default.nix | 2 +- nix/os/devices/justyna-p300/user.nix | 2 +- .../versions.nix | 36 --- .../versions.tmpl.nix | 41 --- .../README.md | 0 .../boot.nix | 0 .../configuration.nix | 0 .../default.nix | 20 +- .../flake.lock | 46 +-- .../flake.nix | 4 +- .../hw.nix | 0 .../pkg.nix | 0 .../system.nix | 11 +- nix/os/devices/steveej-nuc7pjyh-work/user.nix | 2 +- nix/os/devices/steveej-pa600/user.nix | 2 +- nix/os/devices/steveej-t14/boot.nix | 3 +- nix/os/devices/steveej-t14/configuration.nix | 1 + nix/os/devices/steveej-t14/default.nix | 11 +- nix/os/devices/steveej-t14/hw.nix | 44 +-- nix/os/devices/steveej-t14/pkg.nix | 3 + nix/os/devices/steveej-t14/secrets.nix | 7 + nix/os/devices/steveej-t14/system.nix | 79 ++++- nix/os/devices/steveej-t14/user.nix | 5 +- .../vmd102066.contaboserver.net/default.nix | 2 +- nix/os/lib/default.nix | 21 +- nix/os/modules/ddclient-ovh.nix | 9 +- nix/os/modules/opinionatedDisk.nix | 2 +- nix/os/profiles/common/boot.nix | 3 +- nix/os/profiles/common/configuration.nix | 18 +- nix/os/profiles/common/pkg.nix | 5 + nix/os/profiles/common/user.nix | 26 +- 
nix/os/profiles/graphical/system.nix | 2 +- nix/variables/passwords.crypt.nix | Bin 2437 -> 1498 bytes secrets/servers/dyndns.yaml | 47 +++ secrets/shared-users.yaml | 52 ++++ secrets/steveej-t14/radicale_htpasswd | 26 ++ secrets/zerotierone.txt | 30 ++ 55 files changed, 877 insertions(+), 452 deletions(-) create mode 100644 .sops.yaml create mode 100644 nix/os/containers/mailserver_secrets.yaml delete mode 100644 nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix delete mode 100644 nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/README.md (100%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/boot.nix (100%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/configuration.nix (100%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/default.nix (53%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/flake.lock (53%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/flake.nix (66%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/hw.nix (100%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/pkg.nix (100%) rename nix/os/devices/{sj-vps-htz0.infra.stefanjunker.de => sj-vps-htz0}/system.nix (94%) create mode 100644 nix/os/devices/steveej-t14/secrets.nix create mode 100644 secrets/servers/dyndns.yaml create mode 100644 secrets/shared-users.yaml create mode 100644 secrets/steveej-t14/radicale_htpasswd create mode 100644 secrets/zerotierone.txt diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..776461a --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,37 @@ +# This example uses YAML anchors which allows reuse of multiple keys +# without having to repeat yourself. +# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml +# for a more complex example. + +keys: + - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763 + +creation_rules: + - path_regex: ^(.+/|)secrets/[^/]+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-t14 + - *sj-vps-htz0 + - path_regex: ^secrets/steveej-t14/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-t14 + - path_regex: ^secrets/servers/.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - path_regex: ^nix/os/containers/.+_secrets.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-vps-htz0 \ No newline at end of file diff --git a/Justfile b/Justfile index 4dd9ebd..3278626 100755 --- a/Justfile +++ b/Justfile 
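Review bot: The first creation rule `^(.+/|)secrets/[^/]+$` grants both host age keys access to every file directly under `secrets/`, so the shared secrets created in this commit (`secrets/shared-users.yaml`, `secrets/zerotierone.txt`) are decryptable on steveej-t14 and sj-vps-htz0 alike; sops applies the first matching rule, so this stays safe only while the regex excludes the host-specific subdirectories, which it currently does through `[^/]+$`. A comment stating that intent, e.g. `# shared secrets: any file directly under secrets/ is readable by every host key; keep host-specific material in a subdirectory`, would keep a later edit from widening the rule by accident. The `&elias-e525` anchor is defined but referenced by no rule, so it currently contributes nothing; drop it or note why it is kept.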
@@ -28,44 +28,29 @@ _render_templates: # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix fi -rebuild-remote-device device target rebuildarg="dry-activate" : +rebuild-remote-device device +rebuildargs="dry-activate": #!/usr/bin/env bash set -ex - just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" + nix run .#colmena -- apply --on {{device}} {{rebuildargs}} # Rebuild this device's NixOS rebuild-this-device +rebuildargs="dry-activate": nix run .#colmena -- apply-local --sudo {{rebuildargs}} # Re-render the versions of a remote device and rebuild its environment -update-remote-device devicename target rebuildmode='switch': +update-remote-device devicename rebuildmode='build': #!/usr/bin/env bash set -e - template=nix/os/devices/{{ devicename }}/versions.tmpl.nix - outfile=nix/os/devices/{{ devicename }}/versions.nix - - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + ( + set -xe + cd nix/os/devices/{{devicename}} + nix flake update + ) - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + just -v rebuild-remote-device {{devicename}} {{rebuildmode}} - just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || { - echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile} - exit 1 - } - - just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || { - echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile} - exit 1 - } - - git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions" + git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" # Re-render the versions of the current device and rebuild its environment update-this-device rebuild-mode='switch': diff --git a/flake.lock b/flake.lock index 2c0e97f..c444a58 100644 
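Review bot: `update-remote-device` no longer checks whether `nix flake update` changed anything before committing, so on an already-current device `git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock}` exits non-zero with nothing to commit and the recipe fails under `set -e`; the removed `Already on latest versions` short-circuit should be restored against the lock file, e.g. `git diff --quiet -- nix/os/devices/{{devicename}}/flake.lock && { echo Already on latest versions; exit 0; }` placed before the rebuild. The old recipe also ran a `dry-activate` pass before the requested mode, which is dropped here; if that is intentional now that the default mode is `build`, say so in the recipe comment. The comment `# Re-render the versions of a remote device and rebuild its environment` is stale since templating was removed; `# Update the device flake inputs and rebuild its environment` matches the new body.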
--- a/flake.lock +++ b/flake.lock @@ -27,11 +27,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1684127527, - "narHash": "sha256-tAzgb2jgmRaX9HETry38h2OvBf9YkHEH1fFvIJQV9A0=", + "lastModified": 1688224393, + "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", "owner": "zhaofengli", "repo": "colmena", - "rev": "caf33af7d854c8d9b88a8f3dae7adb1c24c1407b", + "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", "type": "github" }, "original": { @@ -50,11 +50,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1684468982, - "narHash": "sha256-EoC1N5sFdmjuAP3UOkyQujSOT6EdcXTnRw8hPjJkEgc=", + "lastModified": 1688082682, + "narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=", "owner": "ipetkov", "repo": "crane", - "rev": "99de890b6ef4b4aab031582125b6056b792a4a30", + "rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8", "type": "github" }, "original": { @@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1684003056, - "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=", + "lastModified": 1687747614, + "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=", "owner": "nix-community", "repo": "disko", - "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27", + "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95", "type": "github" }, "original": { @@ -93,11 +93,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1684650006, - "narHash": "sha256-cIWPr9nCddVu3DITyHBNWy9tBbfc86u+BxPEnRWslMM=", + "lastModified": 1688278950, + "narHash": "sha256-h3J/w3/hCeW6D+VsN/JBQ0Buz76g5wRFznUJF8JomT4=", "owner": "nix-community", "repo": "fenix", - "rev": "fb17fb7db07709d2aca1efc1000fb1cf60b00b4e", + "rev": "8e75b5c8506960b49fbc5618717d966d04ee0a7d", "type": "github" }, "original": { 
@@ -140,11 +140,11 @@ }, "flake-compat_3": { "locked": { - "lastModified": 1680531544, - "narHash": "sha256-8qbiDTYb1kGaDADRXTItpcMKQ1TeQVkuof6oEwHUvVA=", + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", "owner": "nix-community", "repo": "flake-compat", - "rev": "95e78dc12268c5e4878621845c511077f3798729", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", "type": "github" }, "original": { @@ -158,11 +158,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1683560683, - "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "lastModified": 1688254665, + "narHash": "sha256-8FHEgBrr7gYNiS/NzCxIO3m4hvtLRW9YY1nYo1ivm3o=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "rev": "267149c58a14d15f7f81b4d737308421de9d7152", "type": "github" }, "original": { @@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1683560683, - "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1680392223, - "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", "type": "github" }, "original": { 
@@ -234,11 +234,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { @@ -252,11 +252,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1681214977, - "narHash": "sha256-pBaG4iKzF/YJQA06f87IZokB15Z13DYd6zsT/wlbWfI=", + "lastModified": 1688299754, + "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "19d70ca7a81956bd01a768297b84798f301e150f", + "rev": "6107c923522c233458760d0c7f31ad71bf1d2146", "type": "github" }, "original": { 
@@ -330,14 +330,26 @@ "type": "github" } }, + "logseqNightly": { + "flake": false, + "locked": { + "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=", + "type": "file", + "url": "file:///dev/null" + }, + "original": { + "type": "file", + "url": "file:///dev/null" + } + }, "magmawm": { "flake": false, "locked": { - "lastModified": 1684662176, - "narHash": "sha256-jgTAHe4JYAHjm6araJlPJZoLlnz6q/Y21bKrx/kBetk=", + "lastModified": 1687543996, + "narHash": "sha256-S8vRKXCHF7OHestoGNe6fqqxJIc8slhaOFjvGS3oflc=", "owner": "MagmaWM", "repo": "MagmaWM", - "rev": "e228ed1ff6b6c6181a8b05e1c4e0d74f2634e14b", + "rev": "c16fa624b2c86328081a1647f483273e131df29d", "type": "github" }, "original": { @@ -349,14 +361,14 @@ "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1682480188, - "narHash": "sha256-4LG8Vl/fLWsJg+QAb5/PvZTdLtPFsYFxuGDfEAR5szA=", + "lastModified": 1688002352, + "narHash": "sha256-jp6MOYWPsLbnDrk3ZWV98c6Z/PolEkfcuHXtAeKu66A=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "73ee1712faeb5db609fc9f991e2dc1de265acff5", + "rev": "db318eee754563269536c5e3513abbb9b130481a", "type": "github" }, "original": { @@ -365,18 +377,18 @@ "type": "github" } }, - "nixos-2211": { + "nixos-2305": { "locked": { - "lastModified": 1684141842, - "narHash": "sha256-sbdzOwBDcyzz/Dr1ztdF+tElMyM/cgx+4XxVgz+NLRM=", + "lastModified": 1687938137, + "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2eb0795720849ae19c068e39b17362d3ebcd585c", + "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } 
@@ -385,7 +397,7 @@ "inputs": { "disko": "disko", "flake-parts": "flake-parts_2", - "nixos-2211": "nixos-2211", + "nixos-2305": "nixos-2305", "nixos-images": "nixos-images", "nixpkgs": [ "nixpkgs" @@ -393,11 +405,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1684473129, - "narHash": "sha256-Nmqas06HVswtASU0kwY4tD/dOtKgMIo7OlJaIGrHYwA=", + "lastModified": 1687941964, + "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "0586b4da4f58f0d02d94fceb06fa7e15d8d03fff", + "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df", "type": "github" }, "original": { @@ -409,9 +421,9 @@ }, "nixos-images": { "inputs": { - "nixos-2211": [ + "nixos-2305": [ "nixos-anywhere", - "nixos-2211" + "nixos-2305" ], "nixos-unstable": [ "nixos-anywhere", @@ -419,11 +431,11 @@ ] }, "locked": { - "lastModified": 1684151031, - "narHash": "sha256-6bBOxHIRCn4WQBsjsnaLL7bwcHuCLQj1Xd3gnmbZ9LQ=", + "lastModified": 1686819168, + "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=", "owner": "nix-community", "repo": "nixos-images", - "rev": "3758c6481cd8ad9571c0401fc634eda05a86489b", + "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37", "type": "github" }, "original": { 
@@ -434,11 +446,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1684580438, - "narHash": "sha256-LUPswmDn6fXP3lEBJFA2Id8PkcYDgzUilevWackYVvQ=", + "lastModified": 1688001024, + "narHash": "sha256-Zf88j+DUj6rDgveWfdEyUo4fL1KZTowzPAN6gpeqzKg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2c8591ad6a6f9d679817a94f847c59b0d1e3289e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688043300, + "narHash": "sha256-UmpvFT0v4U4jxXhrfr+x1NuaOFULkIyCfS/WT6N6T7s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7dc71aef32e8faf065cb171700792cf8a65c152d", + "rev": "c6643a93d25abf3cf5d40a4e05bcf904b9f0e586", "type": "github" }, "original": { @@ -448,14 +476,30 @@ "type": "github" } }, + "nixpkgs-2305": { + "locked": { + "lastModified": 1688109178, + "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1682879489, - "narHash": "sha256-sASwo8gBt7JDnOOstnps90K1wxmVfyhsTPPNTGBPjjg=", + "lastModified": 1688049487, + "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da45bf6ec7bbcc5d1e14d3795c025199f28e0de0", + "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", "type": "github" }, "original": { 
@@ -468,11 +512,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1681001314, - "narHash": "sha256-5sDnCLdrKZqxLPK4KA8+f4A3YKO/u6ElpMILvX0g72c=", + "lastModified": 1688259758, + "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "367c0e1086a4eb4502b24d872cea2c7acdd557f4", + "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", "type": "github" }, "original": { @@ -481,19 +525,35 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1688256355, + "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-wayland": { "inputs": { "flake-compat": "flake-compat_3", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1684595659, - "narHash": "sha256-B1NtPXWF3Xax1FDeMRYyUDr2e30blTiXLKaUSpegq0E=", + "lastModified": 1688301056, + "narHash": "sha256-UDkmgKP+hFY+s1k4xj+05GGCdBIYHDPBT0LprU4AdO4=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "031ace86d48def582fb8f7e098dc9a94fc25c3f7", + "rev": "b948920571b72da0363d2e8c391af5cfead99a6a", "type": "github" }, "original": { 
@@ -504,27 +564,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1681347147, - "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1a9d9175ecc48ecd033062fa09b1834d13ae9c69", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1684570954, - "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", + "lastModified": 1688231357, + "narHash": "sha256-ZOn16X5jZ6X5ror58gOJAxPfFLAQhZJ6nOUeS4tfFwo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", + "rev": "645ff62e09d294a30de823cb568e9c6d68e92606", "type": "github" }, "original": { @@ -537,11 +581,11 @@ "ofi-pass": { "flake": false, "locked": { - "lastModified": 1627767117, - "narHash": "sha256-JUXW1M4sYWL1Mahy4AXgNzIUM+3T0nshnoKPwBzAkis=", + "lastModified": 1687009458, + "narHash": "sha256-SgndtGEd3zDztqLJYSdun6IbOqgXsvw0Q8flicPHonY=", "owner": "sereinity", "repo": "ofi-pass", - "rev": "6dc6938b0d45f05e307539c6c5a4609427a2747c", + "rev": "e99b15857438bbb6013f7f65513c13ea3f5ebdfa", "type": "github" }, "original": { 
@@ -559,23 +603,29 @@ "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", + "logseqNightly": "logseqNightly", "magmawm": "magmawm", "nixos-anywhere": "nixos-anywhere", - "nixpkgs": "nixpkgs", + "nixpkgs": [ + "nixpkgs-2305" + ], + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-2305": "nixpkgs-2305", "nixpkgs-wayland": "nixpkgs-wayland", "ofi-pass": "ofi-pass", "salut": "salut", + "sops-nix": "sops-nix", "yofi": "yofi" } }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1684616122, - "narHash": "sha256-PLQN+e93BC1Yiqt4QNCj3cJ4mHtsO7Xlgn0VprgxiX4=", + "lastModified": 1688245988, + "narHash": "sha256-0DlDUvMFCaFGHnxwyG68RJbKsJ8EM7xu3FiWb2Ry8+E=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "a04d8456be1d289c814846178cc1ff63b4fc297b", + "rev": "f5f0c48ac37fb19705af2864cb50dd6d82e9134e", "type": "github" }, "original": { @@ -597,11 +647,11 @@ ] }, "locked": { - "lastModified": 1683080331, - "narHash": "sha256-nGDvJ1DAxZIwdn6ww8IFwzoHb2rqBP4wv/65Wt5vflk=", + "lastModified": 1685759304, + "narHash": "sha256-I3YBH6MS3G5kGzNuc1G0f9uYfTcNY9NYoRc3QsykLk4=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "d59c3fa0cba8336e115b376c2d9e91053aa59e56", + "rev": "c535b4f3327910c96dcf21851bbdd074d0760290", "type": "github" }, "original": { @@ -626,6 +676,27 @@ "type": "gitlab" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1688268466, + "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, 
@@ -680,11 +751,11 @@ ] }, "locked": { - "lastModified": 1684070360, - "narHash": "sha256-WaXr9ayqjp0R2+j9MrE1Ufdujw0vEA0o1G/0CrTt4Ns=", + "lastModified": 1687940979, + "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "27107cf3dfdc3c809d2477954d92fc2cc68b4401", + "rev": "0a4f06c27610a99080b69433873885df82003aae", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b87ced2..76668b3 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,9 @@ { inputs = { # flake and infra basics - nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.follows = "nixpkgs-2305"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; nixos-anywhere.url = github:numtide/nixos-anywhere/main; @@ -25,6 +27,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # applications aphorme_launcher = { url = "github:Iaphetes/aphorme_launcher/main"; @@ -56,6 +61,12 @@ url = "gitlab:snakedye/salut"; flake = false; }; + + logseqNightly = { + url = "file:///dev/null"; + # url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230628.AppImage"; + flake = false; + }; }; outputs = inputs @ { @@ -71,7 +82,8 @@ "aarch64-linux" ]; in - flake-parts.lib.mkFlake {inherit inputs;} { + flake-parts.lib.mkFlake {inherit inputs;} + ({withSystem, ...}: { flake.colmena = lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) { 
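Review bot: The `logseqNightly` input at `url = "file:///dev/null"` is a placeholder, yet it is locked in flake.lock and consumed as `src = repoFlake.inputs.logseqNightly` by the logseq override in nix/home-manager/configuration/graphical-fullblown.nix, so that package cannot build until the real URL is restored. Either keep the consumer disabled until then or mark the placeholder explicitly, e.g. `# PLACEHOLDER: nightly AppImage download disabled (see commented url); logseq in graphical-fullblown.nix uses this as src`. Since the real source is a GitHub release asset under a mutable `nightly` tag, the locked narHash is the only integrity pin for it, so updates to this input deserve a look at what changed rather than a blind `nix flake update`.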
@@ -83,13 +95,15 @@ # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 (builtins.map (nodeName: import ./nix/os/devices/${nodeName} { + inherit nodeName; repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; }) [ + "sj-vps-htz0" "steveej-t14" - "elias-e525" - "vmd102066.contaboserver.net" - "sj-vps-htz0.infra.stefanjunker.de" - "justyna-p300" + # "elias-e525" + # "justyna-p300" ]); # this makes nixos-anywhere work @@ -165,5 +179,5 @@ packages' = packages; }; }; - }; + }); } diff --git a/nix/devShells.nix b/nix/devShells.nix index 7adf5ea..20569a6 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -20,6 +20,7 @@ pkgs.stdenv.mkDerivation { nixos-install-tools dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere + nurl just git-crypt @@ -36,6 +37,12 @@ pkgs.stdenv.mkDerivation { # packages'.aphorme_launcher packages'.yofi # packages'.ofi-pass + age + age-plugin-yubikey + ssh-to-age + yubico-piv-tool + inputs'.sops-nix.packages.default + sops apacheHttpd diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 2fc9a60..3d10c4d 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -4,10 +4,14 @@ # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, packages', + repoFlake, + # repoFlakeInputs', ... }: let pkgsMaster = nodeFlake.inputs.nixpkgs-master.${pkgs.system}; pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; + pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; + # pkgs2211 = repoFlakeInputs'.nixpkgs-2211.legacyPackages; in { imports = [ ../profiles/common.nix 
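Review bot: The colmena node list now drops `vmd102066.contaboserver.net` entirely while `elias-e525` and `justyna-p300` are only commented out, and nothing in the hunk records why or when they come back. Given the commit scope (migrating two hosts to sops), a marker such as `# TODO(sops migration): re-enable once their secrets are moved to sops` above the commented entries, plus a note on whether vmd102066 is retired, keeps the deployment set auditable. The `foldl` expression this list feeds starts before the hunk.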
@@ -22,6 +26,7 @@ in { ../programs/redshift.nix ../programs/gpg-agent.nix + # ../programs/espanso.nix ../programs/firefox.nix ../programs/chromium.nix @@ -31,18 +36,16 @@ in { ../programs/pass.nix ../programs/vscode - # TODO: broken since nixos-23.05 - # ../programs/radicale.nix - # ../programs/espanso.nix + # TODO: bump these to 23.05 and make it work + (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;})) + # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; - # required by logseq as of 2023-05-24 nixpkgs.config.permittedInsecurePackages = [ - "electron-20.3.11" ]; home.packages = @@ -89,8 +92,9 @@ in { yubikey-personalization yubikey-personalization-gui - # gnome.gnome-keyring - gcr gnome.seahorse + # gnome.gnome-keyring + gcr + gnome.seahorse # Language Support hunspellDicts.en-us 
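Review bot: `(args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))` swaps the whole `pkgs` set of the radicale module for the nixpkgs-22.11 branch, so radicale and anything else that module pulls from `pkgs` come from a release line that stops receiving updates once 23.05 is stable; the existing `# TODO: bump these to 23.05 and make it work` should say what breaks on 23.05 so the pin gets removed rather than forgotten, e.g. `# TODO: radicale module fails on 23.05 because <REASON-TBD>; pinned to 22.11 meanwhile, which is out of support`. The same pattern is prepared for espanso in the commented line below it. The `imports` list this sits in begins before the hunk.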
@@ -110,6 +114,59 @@ in { # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop tdesktop + (let + version = "6.20.0-beta.1"; + in + pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: { + inherit version; + src = builtins.fetchurl { + url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; + sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; + }; + preFixup = + old.preFixup + + '' + gappsWrapperArgs+=( + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + ) + ''; + })) + + # --add-flags "--enable-features=UseOzonePlatform" + # --add-flags "--ozone-platform=wayland" + (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { + nativeBuildInputs = + old.nativeBuildInputs + ++ [ + pkgs.wrapGAppsHook + ]; + + preFixup = + (old.preFixup or "") + + '' + gappsWrapperArgs+=( + --add-flags "--enable-features=UseOzonePlatform" + --add-flags "--ozone-platform=wayland" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + ) + ''; + })) + + #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: { + # nativeBuildInputs = old.nativeBuildInputs ++ [ + # pkgs.wrapGAppsHook + # ]; + # + # preFixup = (old.preFixup or "") + '' + # gappsWrapperArgs+=( + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}" + # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" + # ) + # ''; + # })) thunderbird # gnome.cheese 
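Review bot: The signal-desktop-beta override fetches its `.deb` with `builtins.fetchurl`, which downloads during evaluation rather than as a fixed-output derivation, so `nix eval` and colmena evaluation depend on network access and the evaluator's download cache instead of the binary cache. `src = pkgs.fetchurl { url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; };` keeps the same pin as a build-time fetch that substituters can serve. The second half of the hunk carries a fully commented-out copy of the session-desktop override; either delete it or keep one line saying which variant was rejected and why. `home.packages` begins before the hunk.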
@@ -129,7 +186,8 @@ in { vlc audacity spotify - # youtube-dl-light + yt-dlp + (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam # Network Tools @@ -177,9 +235,15 @@ in { cdrtools # Document Processing and Management - mendeley + xfce.thunar + # mendeley evince - (logseq.override (_: {electron = pkgs.electron_20;})) + ((logseq.overrideAttrs (attrs: { + version = "nightly"; + src = repoFlake.inputs.logseqNightly; + })).override (_: { + electron = pkgs.electron_24; + })) # File Synchronzation dropbox diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index d420014..62d3c22 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix @@ -11,12 +11,11 @@ displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; - in { imports = [ - ../profiles/wayland-desktop.nix - ../programs/waybar.nix - ../programs/salut.nix + ../profiles/wayland-desktop.nix + ../programs/waybar.nix + ../programs/salut.nix ]; # TODO: autostart @@ -44,7 +43,7 @@ in { pkgs.gnome-icon-theme ## fonts - pkgs.dejavu_fonts # just a basic good fond + pkgs.dejavu_fonts # just a basic good fond pkgs.font-awesome_5 # needed by i3status-rust pkgs.nerdfonts pkgs.font-awesome @@ -80,9 +79,10 @@ in { wayland.windowManager.sway = { enable = true; systemdIntegration = true; + # systemd.enable = true; xwayland = false; - config = let + config = let modifier = "Mod4"; inherit (config.wayland.windowManager.sway.config) left right up down; in { 
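Review bot: In the `youtube-dl-audio` wrapper the arguments are forwarded as an unquoted `${@:?}` (the Nix string hands `${@:?}` to bash), so any argument containing whitespace or glob characters is split or expanded before it reaches yt-dlp. Quoting it fixes that, and an indented string keeps the escaping readable: `(writeShellScriptBin "youtube-dl-audio" ''${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 "''${@:?}"'')`. The `:?` expansion still aborts with an error when no argument is given, which is presumably the intent.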
@@ -90,12 +90,14 @@ in { bars = []; input = { - "type:keyboard" = { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; "type:touchpad" = { natural_scroll = "enabled"; @@ -105,8 +107,8 @@ in { keybindings = lib.mkOptionDefault { # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel"; - + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + # only 1-9 exist on the default config "${modifier}+0" = "workspace number 0"; "${modifier}+Shift+0" = "move container to workspace number 0"; 
@@ -118,15 +120,15 @@ in { # move workspace to output "${modifier}+Control+Shift+${left}" = "move workspace to output left"; "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; "${modifier}+Control+Shift+${down}" = "move workspace to output down"; # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Left" = "move workspace to output left"; "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; - "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; "${modifier}+q" = "kill"; "${modifier}+x" = "exec ${swapOutputWorkspaces}"; 
@@ -140,20 +142,31 @@ in { "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - # TODO: screenshot util, flameshot doesn't work in the packaged version - "Print" = "exec ${pkgs.flameshot}/bin/flameshot gui"; + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; }; terminal = "alacritty"; - startup = [ - {command = builtins.toString(pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ]; + startup = + [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + ''); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + ''); + } + ]; colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; 
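Review bot: The swayidle entry added to `startup` reuses the script name `"ensure-graphical-session"` for a script whose only job is `systemctl --user restart swayidle`, so two different store scripts share a misleading name in logs and process listings; `pkgs.writeShellScript "ensure-swayidle"` names what it does. Both scripts also restart units 0.2 s after sway starts without a comment on why (presumably the units need the sway socket and environment to exist first) — a one-line comment above `startup` would spare the next reader the guess. The enclosing `config` attribute set starts and ends outside the hunk.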
@@ -166,19 +179,37 @@ in { services.swayidle = { enable = true; timeouts = [ - { timeout = 10; command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; resumeCommand = displayOnCmd; } - { timeout = 60 * 5; command = lockCmd; } - { timeout = 60 * 6; command = displayOffCmd; resumeCommand = displayOnCmd; } + { + timeout = 10; + command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; + resumeCommand = displayOnCmd; + } + { + timeout = 60 * 5; + command = lockCmd; + } + { + timeout = 60 * 6; + command = displayOffCmd; + resumeCommand = displayOnCmd; + } ]; events = [ - { event = "before-sleep"; + { + event = "before-sleep"; command = builtins.concatStringsSep "; " [ lockCmd "${pkgs.playerctl}/bin/playerctl pause" - ]; + ]; + } + { + event = "after-resume"; + command = displayOnCmd; + } + { + event = "lock"; + command = lockCmd; } - { event = "after-resume"; command = displayOnCmd; } - { event = "lock"; command = lockCmd; } ]; }; } diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index c213410..63d90c5 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix 
@@ -54,37 +54,13 @@ in { pavucontrol playerctl pasystray - qt5.qtwayland - qt6.qtwayland + # qt5.qtwayland + # qt6.qtwayland # probably required by flameshot # xdg-desktop-portal xdg-desktop-portal-wlr # grim - (nixpkgs-unstable-small.signal-desktop.overrideAttrs (old: { - preFixup = old.preFixup + '' - gappsWrapperArgs+=( - --add-flags "--enable-features=UseOzonePlatform" - --add-flags "--ozone-platform=wayland" - ) - ''; - })) - - ((nixpkgs-unstable-small.session-desktop.override (old: { - inherit (nixpkgs-2211) appimageTools; - })) - .overrideAttrs(old: { - nativeBuildInputs = old.nativeBuildInputs ++ [ - pkgs.wrapGAppsHook - ]; - - preFixup = (old.preFixup or "") + '' - gappsWrapperArgs+=( - --add-flags "--enable-features=UseOzonePlatform" - --add-flags "--ozone-platform=wayland" - ) - ''; - })) ]; home.sessionVariables = { diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 7cd435a..7497432 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix @@ -2,10 +2,11 @@ pkgs, config, ... -}: let - passwords = import ../../variables/passwords.crypt.nix; -in { +}: { services.espanso = { + # package = pkgs.espanso.overrideAttrs(_: { + # # src = + # }) enable = true; settings = { matches = let diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index d635426..e690e84 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix @@ -1,4 +1,5 @@ {pkgs, ...}: { + programs.librewolf = {enable = true;}; programs.firefox = {enable = true;}; programs.browserpass = { diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index 88608da..a8e4eef 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix 
@@ -1,11 +1,10 @@ { config, - pkgs, lib, + pkgs, + osConfig, ... }: let - passwords = import ../../variables/passwords.crypt.nix; - libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; @@ -16,9 +15,8 @@ }; propagatedBuildInputs = [ - pkgs.libxcrypt-legacy + # pkgs.libxcrypt-legacy ]; - }; radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { pname = "radicale_storage_decsync"; @@ -31,13 +29,13 @@ buildInputs = [ pkgs.radicale - pkgs.libxcrypt-legacy - pkgs.libxcrypt + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt ]; nativeCheckInputs = [ - pkgs.libxcrypt-legacy - pkgs.libxcrypt + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt ]; propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; @@ -48,18 +46,17 @@ ++ [radicale-storage-decsync]; }); - mkRadicaleService = { suffix, port }: let + mkRadicaleService = { + suffix, + port, + }: let radicale-config = pkgs.writeText "radicale-config-${suffix}" '' [server] - hosts = localhost:${builtins.toString(port)} + hosts = localhost:${builtins.toString port} [auth] type = htpasswd - htpasswd_filename = ${ - pkgs.writeText "radicale" '' - radicale:${passwords.users.radicale} - '' - } + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} htpasswd_encryption = bcrypt [storage] @@ -77,7 +74,14 @@ Install.WantedBy = ["default.target"]; }; }; -in builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ - {suffix = "personal"; port = 5232;} - {suffix = "family"; port = 5233;} -] +in + builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } + ] diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index 106e397..05392c5 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix 
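Review bot: `htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}` makes this home-manager module depend on the NixOS host declaring a `radicale_htpasswd` sops secret; in this commit only `nix/os/devices/steveej-t14/secrets.nix` does, so importing `radicale.nix` on another host would fail at evaluation with a missing-attribute error rather than a clear message. Either an `assert osConfig.sops.secrets ? radicale_htpasswd;` in front of the expression or a comment above the line naming the requirement, e.g. `# requires the host to declare sops.secrets.radicale_htpasswd (see steveej-t14/secrets.nix)`, would make that contract explicit. Moving the htpasswd out of `pkgs.writeText`, i.e. out of the world-readable store, is the right fix; with sops-nix's default mode of 0400 and `owner = steveej` the file is only readable if radicale runs as that user, which is presumably the case for a user-level systemd service but worth confirming on the target host.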
@@ -1,6 +1,9 @@ -{ pkgs, config, repoFlake, ... }: - { + pkgs, + config, + repoFlake, + ... +}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 @@ -10,8 +13,9 @@ programs.waybar = { enable = true; package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" - + pkgs.lib.readFile ./waybar.css; + style = + pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { @@ -35,12 +39,12 @@ all-outputs = false; }; - modules-center = [ + modules-center = [ "sway/window" # "custom/hello-from-waybar" ]; - modules-right = [ + modules-right = [ "tray" "cpu" @@ -55,22 +59,22 @@ tray.spacing = 10; - cpu.format = " {}%"; + cpu.format = " {usage}%"; memory.format = " {}%"; - "temperature" = { + "temperature" = { hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input"; format = " {temperatureC} °C"; }; "custom/cputemp" = { - format = " {}"; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'"; - interval = 2; + format = " {}"; + exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'"; + interval = 2; }; "custom/fan" = { - format = "  {} rpm "; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'"; - interval = 2; + format = "  {} rpm "; + exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'"; + interval = 2; }; battery.format = "🔋 {}%"; pulseaudio = { diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 1bde00d..3bf0b63 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -1,4 +1,5 @@ { + repoFlake, hostAddress, localAddress, imapsPort ? 993, 
@@ -7,10 +8,34 @@ }: let passwords = import ../../variables/passwords.crypt.nix; in { - config = {pkgs, ...}: { + config = { + pkgs, + config, + ... + }: { system.stateVersion = "21.11"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix]; + imports = [ + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; + + # sops.defaultSopsFile = ./mailserver_secrets.yaml; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; networking.firewall.enable = false; @@ -54,9 +79,10 @@ in { ''; }; - environment.etc."dovecot/users".text = '' - steveej:${passwords.email.steveej} - ''; + # environment.etc."dovecot/users".text = '' + # steveej:${passwords.email.steveej} + # ''; + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; systemd.services.steveej-getmail-stefanjunker = { enable = true; @@ -79,7 +105,7 @@ in { server = ssl0.ovh.net port = 993 username = mail@stefanjunker.de - password = ${passwords.email.mailStefanjunkerDe} + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") mailboxes = ('INBOX',) [destination] @@ -112,7 +138,7 @@ in { server = imap.web.de port = 993 username = schtif - password = ${passwords.email.schtifATwebDe} + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") mailboxes = ('INBOX',) [destination] 
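Review bot: `sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` together with the bind mount of that same file in the `bindMounts` hunk that follows gives the mailserver container the host's SSH host private key, which is also the host's age identity. Anything that can read the file inside the container can then decrypt every sops file encrypted to that host and can impersonate the host's SSH identity, so a compromise of the container (which keeps `networking.firewall.enable = false`) extends to the host's secrets. Consider giving the container its own identity — an SSH host key generated inside the container, or an age key kept under the container-only `/etc/secrets/` volume — and adding that recipient to `.sops.yaml` and `mailserver_secrets.yaml` so the host key never needs to be mounted. The `passwords = import ../../variables/passwords.crypt.nix;` left in the `let` is now only referenced from commented-out code in these hunks, so it can presumably be dropped once the remaining callers are migrated.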
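Review bot: `environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;` turns `/etc/dovecot/users` into a symlink to a file owned by `dovecot2` with sops-nix's default mode of 0400; whether Dovecot's passdb lookup can read it depends on which user its auth worker runs as, which this hunk does not show, so a login should be checked after deploy. The same applies to the two getmail `password_command` lines further down, which read secrets owned by `steveej` and therefore only work if `systemd.services.steveej-getmail-*` run as that user (their `serviceConfig` is outside these hunks). It is also worth checking whether getmail strips a trailing newline from the command output; if not, the values in `mailserver_secrets.yaml` need to be stored without one, and a comment next to the `password_command` lines should say so.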
@@ -128,6 +154,9 @@ in { inherit autoStart; bindMounts = { + "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; + "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; + "/etc/secrets/" = { hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; isReadOnly = false; diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml new file mode 100644 index 0000000..b6c0363 --- /dev/null +++ b/nix/os/containers/mailserver_secrets.yaml 
@@ -0,0 +1,38 @@ +email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str] +email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] +email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-02T21:16:00Z" + mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 82f3009..bc8e0ad 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,7 +1,7 @@ { dir, pkgs ? import {}, - ownLib ? import ../lib/default.nix {}, + ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index 537efdd..7896d56 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -1,4 +1,4 @@ -{repoFlake}: let +{repoFlake, ...}: let nodeName = "elias-e525"; system = "x86_64-linux"; diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 1fe7f71..564151e 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix @@ -1,11 +1,12 @@ { config, pkgs, + lib, ... }: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { users.extraUsers.elias = mkUser { uid = 1001; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index 8210554..d7dc0dc 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -5,7 +5,7 @@ }: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { # users.extraUsers.steveej2 = mkUser { # uid = 1001; 
diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 1d73e8e..639a8cc 100644 --- a/nix/os/devices/justyna-p300/default.nix +++ b/nix/os/devices/justyna-p300/default.nix @@ -1,4 +1,4 @@ -{repoFlake}: let +{repoFlake, ...}: let nodeName = "justyna-p300"; # system = "i686-linux"; system = "x86_64-linux"; diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 1fe7f71..9e8226e 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -5,7 +5,7 @@ }: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { users.extraUsers.elias = mkUser { uid = 1001; diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix deleted file mode 100644 index 265e21a..0000000 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.11"; - rev = '' - a7cc81913bb3cd1ef05ed0ece048b773e1839e51''; - }; -in { - inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = '' - c707238dc262923da5a53a5a11914117caac07a2''; - }; - "channels-nixos-unstable-small" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable-small"; - rev = '' - 09c509a5075931382582dee69f3e44bf1535c092''; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - 3d57138bd9abe31bae25704cebaab7527010cc5e''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-22.11"; - rev = '' - b0be47978de5cfd729a79c3f57ace4c86364ff45''; - }; -} diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix deleted file mode 100644 index a0fa34a..0000000 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.11"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -in { - inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "channels-nixos-unstable-small" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable-small"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-22.11"; - rev = '' - <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -} diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/README.md b/nix/os/devices/sj-vps-htz0/README.md similarity index 100% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/README.md rename to nix/os/devices/sj-vps-htz0/README.md diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix similarity index 100% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/boot.nix rename to nix/os/devices/sj-vps-htz0/boot.nix 
diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix similarity index 100% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/configuration.nix rename to nix/os/devices/sj-vps-htz0/configuration.nix diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix b/nix/os/devices/sj-vps-htz0/default.nix similarity index 53% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix rename to nix/os/devices/sj-vps-htz0/default.nix index 3c9621d..12e0271 100644 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix @@ -1,11 +1,13 @@ -{repoFlake}: let - nodeName = "sj-vps-htz0.infra.stefanjunker.de"; +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; + inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; @@ -14,13 +16,13 @@ in { }; ${nodeName} = { - deployment.targetHost = nodeName; - deployment.replaceUnknownProfiles = true; + deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; + deployment.replaceUnknownProfiles = false; imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix ]; }; } diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock similarity index 53% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock rename to nix/os/devices/sj-vps-htz0/flake.lock index 2a1267e..422bef4 100644 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock +++ b/nix/os/devices/sj-vps-htz0/flake.lock 
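Review bot: The new `imports = [ ./configuration.nix ];` drops `nodeFlake.inputs.home-manager.nixosModules.home-manager` and nothing in this hunk re-adds it; if `configuration.nix` or the common profiles set any `home-manager.*` options the node will fail to evaluate unless the module is now imported elsewhere (for example in the reworked `flake.nix`, which is outside this view). `deployment.replaceUnknownProfiles = false;` is the safer choice and deserves a one-line comment such as `# refuse to overwrite a system profile this flake did not deploy`. Since `nodeName` is now a parameter and the domain is appended here, a comment that `nodeName` is expected to be the bare host part would save the next node definition from passing the FQDN.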
@@ -4,47 +4,46 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1681759395, - "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", + "lastModified": 1688109178, + "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", + "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1681895322, - "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=", + "lastModified": 1688246754, + "narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c", + "rev": "b9b176f8b8155c122e01a336b439ce57b2485b40", "type": "github" }, "original": { @@ -56,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1681770396, - "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=", + "lastModified": 1688180391, + "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4", + "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd", "type": "github" }, "original": { 
@@ -77,21 +76,6 @@ "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix similarity index 66% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix rename to nix/os/devices/sj-vps-htz0/flake.nix index d432f24..c315b8e 100644 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -1,10 +1,10 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix similarity index 100% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/hw.nix rename to nix/os/devices/sj-vps-htz0/hw.nix diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/pkg.nix b/nix/os/devices/sj-vps-htz0/pkg.nix similarity index 100% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/pkg.nix rename to nix/os/devices/sj-vps-htz0/pkg.nix 
diff --git a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix b/nix/os/devices/sj-vps-htz0/system.nix similarity index 94% rename from nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix rename to nix/os/devices/sj-vps-htz0/system.nix index bb37d96..0efc091 100644 --- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -2,10 +2,9 @@ pkgs, lib, config, + repoFlake, ... -}: let - keys = import ../../../variables/keys.nix; -in { +}: { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -58,12 +57,10 @@ in { nix.gc = {automatic = true;}; - # networking.useHostResolvConf = true; - - services.openssh.forwardX11 = true; - containers = { mailserver = import ../../containers/mailserver.nix { + inherit repoFlake; + autoStart = true; hostAddress = "192.168.100.10"; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index bf0d943..2b72309 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -5,7 +5,7 @@ }: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { users.extraUsers.sjunker = mkUser { uid = 1001; diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index 04e5489..4b85fea 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -5,7 +5,7 @@ }: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { users.extraUsers.steveej2 = mkUser { uid = 1001; 
diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index c48bdc6..281d09e 100644 --- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -8,7 +8,8 @@ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; # boot.tmpOnTmpfs = lib.mkForce false; - boot.tmpOnTmpfsSize = "100%"; + boot.tmp.tmpfsSize = "100%"; + # TODO: make this work # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ]; } diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 8a2785c..8d578b7 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -10,5 +10,6 @@ ./pkg.nix ./user.nix ./boot.nix + ./secrets.nix ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index be964d0..739065b 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix @@ -1,12 +1,15 @@ -{repoFlake}: let - nodeName = "steveej-t14"; +{ + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 01b8e7b..9f7d778 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
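Review bot: `boot.tmp.tmpfsSize = "100%";` combined with `boot.tmp.useTmpfs = true` from the common boot profile (changed in the same commit) lets `/tmp` grow to the whole of RAM, so any process writing to `/tmp` can push the machine into memory pressure or the OOM killer before the filesystem reports full. On a single-user laptop that is mostly a self-inflicted availability risk, but either a lower cap or a comment stating why the full size is wanted would be prudent, e.g. `boot.tmp.tmpfsSize = "50%"; # keep headroom; large builds should use a disk-backed TMPDIR`. The `# TODO: make this work` note above the commented `systemd.tmpfiles.rules` would be more useful if it said what currently fails.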
@@ -20,48 +20,47 @@ in { services.tlp = { enable = true; settings = { - CPU_SCALING_GOVERNOR_ON_AC = "schedutil"; + # CPU_SCALING_GOVERNOR_ON_AC = "schedutil"; CPU_SCALING_GOVERNOR_ON_BAT = "schedutil"; - CPU_ENERGY_PERF_POLICY_ON_AC="balance_power"; + # CPU_ENERGY_PERF_POLICY_ON_AC="balance_power"; CPU_ENERGY_PERF_POLICY_ON_BAT="power"; - SCHED_POWERSAVE_ON_AC="1"; + # SCHED_POWERSAVE_ON_AC="1"; SCHED_POWERSAVE_ON_BAT="1"; CPU_BOOST_ON_AC="0"; CPU_BOOST_ON_BAT="0"; - - RADEON_DPM_PERF_LEVEL_ON_AC="auto"; + # RADEON_DPM_PERF_LEVEL_ON_AC="auto"; RADEON_DPM_PERF_LEVEL_ON_BAT="low"; - RADEON_DPM_STATE_ON_AC="balanced"; + # RADEON_DPM_STATE_ON_AC="balanced"; RADEON_DPM_STATE_ON_BAT="battery"; - SOUND_POWER_SAVE_ON_AC="1"; + # SOUND_POWER_SAVE_ON_AC="1"; SOUND_POWER_SAVE_ON_BAT="1"; - # PLATFORM_PROFILE_ON_AC="low-power"; - # PLATFORM_PROFILE_ON_BAT="low-power"; - PLATFORM_PROFILE_ON_AC="balanced"; + # # PLATFORM_PROFILE_ON_AC="low-power"; + # # PLATFORM_PROFILE_ON_BAT="low-power"; + # PLATFORM_PROFILE_ON_AC="balanced"; PLATFORM_PROFILE_ON_BAT="low-power"; - RUNTIME_PM_ON_AC = "auto"; + # RUNTIME_PM_ON_AC = "auto"; RUNTIME_PM_ON_BAT = "auto"; - PCIE_ASPM_ON_AC="default"; + # PCIE_ASPM_ON_AC="default"; PCIE_ASPM_ON_BAT="powersave"; START_CHARGE_THRESH_BAT0 = "75"; STOP_CHARGE_THRESH_BAT0 = "80"; WOL_DISABLE="Y"; - WIFI_PWR_ON_AC="on"; + # WIFI_PWR_ON_AC="on"; WIFI_PWR_ON_BAT="on"; DEVICES_TO_DISABLE_ON_STARTUP="wwan"; - #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; - #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; - #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; + # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; + # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; + # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; }; }; @@ -71,12 +70,13 @@ in { [0 0 55] [1 55 65] [1 65 75] - [3 75 78] - [4 78 80] - [5 80 82] - [6 82 84] - [7 84 86] - ["level full-speed" 86 999] + [2 75 78] + [3 78 80] + [4 80 82] + [5 82 84] + [6 84 86] + [7 86 88] + ["level full-speed" 88 999] ]; }; 
diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index b52eff3..fb55f03 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -9,6 +9,9 @@ ]; }) ]; + + home.sessionVariables = { + }; }; # TODO: fix the following errors with regreet diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix new file mode 100644 index 0000000..a97d67d --- /dev/null +++ b/nix/os/devices/steveej-t14/secrets.nix @@ -0,0 +1,7 @@ +{config, ...}: { + sops.secrets.radicale_htpasswd = { + sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd; + format = "binary"; + owner = config.users.users.steveej.name; + }; +} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index e91c806..6327ecd 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -3,6 +3,7 @@ lib, config, nodeName, + repoFlake, ... }: let passwords = import ../../../variables/passwords.crypt.nix; 
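Review bot: The added `home.sessionVariables = { };` in `pkg.nix` is an empty attribute set that changes nothing; either remove it or mark the intent with a comment such as `# placeholder: per-host session variables go here`. If it is a stub for the sops migration (the same commit adds `secrets.nix` for this host), a `TODO` naming that would keep it from reading as leftover debugging.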
@@ -10,18 +11,37 @@ in { nix.settings = { substituters = [ "https://holochain-ci.cachix.org" - # "https://cache.holo.host/" + "https://cache.holo.host/" ]; trusted-public-keys = [ "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" - # "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" - # "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" + "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" + "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" ]; extra-experimental-features = ["impure-derivations"]; system-features = ["recursive-nix" "big-parallel"]; }; + networking.extraHosts = '' + # qemu box + 172.24.40.13 steveej-qemu.infra.holochain.org + 172.24.40.13 steveej-qemu.d.dweb.city + + # bare metal + 192.168.14.117 steveej-hw1.infra.holochain.org + 192.168.14.117 steveej-hw1.d.dweb.city + 192.168.14.117 steveej-hw2.infra.holochain.org + 192.168.14.117 steveej-hw2.d.dweb.city + 192.168.14.117 steveej-hw3.infra.holochain.org + 192.168.14.117 steveej-hw3.d.dweb.city + 192.168.14.117 steveej-hw4.infra.holochain.org + 192.168.14.117 steveej-hw4.d.dweb.city + + 172.24.135.11 emerge3.d.dweb.city + 172.24.74.194 emerge4.d.dweb.city + ''; + networking.bridges."virbr1".interfaces = []; networking.interfaces."virbr1".ipv4.addresses = [ { @@ -35,7 +55,7 @@ in { # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` networking.firewall.interfaces."eth+".allowedTCPPorts = [ - 22 + 22 # syncthing 22000 @@ -43,9 +63,10 @@ in { # iperf3 5201 ]; - networking.firewall.interfaces."eth+".allowedUDPPorts = [ + networking.firewall.interfaces."eth+".allowedUDPPorts = [ # syncthing - 22000 21027 + 22000 + 21027 ]; networking.firewall.logRefusedConnections = false; 
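Review bot: In the new `networking.extraHosts` block, `steveej-hw1` through `steveej-hw4` (both the `.infra.holochain.org` and `.d.dweb.city` names) all resolve to `192.168.14.117` while every other entry gets its own address; if that is intended, a comment saying so would stop the next reader from treating it as a copy-paste error. Re-enabling `https://cache.holo.host/` in `substituters` together with its two `trusted-public-keys` means any store path signed by either key is accepted without a local build, i.e. the cache operator is trusted at the level of the system configuration; since the previous state had these commented out, a short comment on why they are back — and on whether both keys are still needed — would document that trust decision. Something like `# holo cache trusted for holochain infra work; review before copying to other hosts` above the `substituters` list would do.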
@@ -96,8 +117,50 @@ in { services.zerotierone = { enable = true; joinNetworks = [ - "93afae5963c547f1" - passwords.zerotier.dweb2023.networkId + # moved to the service below as it's now secret ]; }; + + systemd.services.zerotieroneSecretNetworks = { + enable = true; + requiredBy = ["zerotierone.service"]; + partOf = ["zerotierone.service"]; + + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + + script = let + secret = config.sops.secrets.zerotieroneNetworks; + in '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} + + ${config.systemd.services.zerotierone.preStart} + + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; + }; + + sops.secrets.zerotieroneNetworks = { + sopsFile = ../../../../secrets/zerotierone.txt; + format = "binary"; + }; + + sops.secrets.nomad-holochain-agent-ca = { + sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + owner = config.users.extraUsers.steveej.name; + }; + + sops.secrets.nomad-holochain-cli-cert = { + sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + owner = config.users.extraUsers.steveej.name; + }; + + sops.secrets.nomad-holochain-cli-key = { + sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + owner = config.users.extraUsers.steveej.name; + }; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index e284b53..bf5ff0b 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
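Review bot: In the `zerotieroneSecretNetworks` script, each line of the decrypted `${secret.path}` is used unquoted and unvalidated to build a path under `/var/lib/zerotier-one/networks.d/`, so a malformed entry (a path component, a space, an empty line) either creates a file somewhere else or fails the oneshot and, through `requiredBy`, keeps `zerotierone.service` from starting. ZeroTier network IDs are 16 hex characters, so the loop can check the format and skip anything else before touching the filesystem; `grep -v '#'` also drops any line merely containing a `#`, so `grep -v '^#'` is closer to "comment lines". The `builtins.hashString` comment only triggers a restart when the secret's sops file lands in the store under a new path, which presumably holds because `sopsFile` is a relative path, but a comment stating that dependency would help. The rest of the service definition, including the embedded upstream `preStart`, looks fine.
```nix
      script = let
        secret = config.sops.secrets.zerotieroneNetworks;
      in ''
        # … unchanged: hash comment and upstream preStart …

        rm -rf /var/lib/zerotier-one/networks.d/*.conf
        # one network id per line; ids are 16 hex chars, anything else is skipped
        for network in $(grep -v '^#' "${secret.path}"); do
          if ! [[ "$network" =~ ^[0-9a-f]{16}$ ]]; then
            echo "zerotieroneSecretNetworks: ignoring malformed entry" >&2
            continue
          fi
          touch "/var/lib/zerotier-one/networks.d/$network.conf"
        done
      '';
```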
@@ -1,15 +1,16 @@ { config, pkgs, + lib, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; + passwordFile = config.sops.secrets.sharedUsers-steveej.path; }; nix.settings.trusted-users = ["steveej"]; diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index 77a6b95..db025f1 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,4 +1,4 @@ -{repoFlake}: let +{repoFlake, ...}: let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index caa0738..5f8c424 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,21 +1,9 @@ { + lib, keys ? import ../../variables/keys.nix, - passwords ? import ../../variables/passwords.crypt.nix, }: { - mkRoot = {} @ args: - { - hashedPassword = passwords.users.root; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - } - // args; - - mkUser = { - uid, - hashedPassword ? passwords.users.steveej, - ... - } @ args: - { - inherit uid hashedPassword; + mkUser = args: ( + lib.attrsets.recursiveUpdate { isNormalUser = true; extraGroups = [ "docker" @@ -32,7 +20,8 @@ ]; openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - // args; + args + ); disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index d12383a..c694a35 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
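Review bot: `steveej2` (uid 1001) is pointed at `config.sops.secrets.sharedUsers-steveej.path`, the same password hash the common profile gives `steveej` (uid 1000), so two accounts now share one credential and rotating one silently rotates the other. If that is intended, say so next to it, e.g. `# deliberately shares the primary account's password`; otherwise add a `sharedUsers-steveej2` entry to `shared-users.yaml` and reference that. In the same patch `mkUser` lost its `hashedPassword` default, so with `users.mutableUsers = false` any caller that omits `passwordFile` ends up with a key-only account — probably what you want, but worth a one-line comment on `mkUser`, since the old default did the opposite.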
@@ -4,8 +4,7 @@ ... }: let cfg = config.services.ddclientovh; - - passwords = import ../../variables/passwords.crypt.nix; + # passwords = import ../../variables/passwords.crypt.nix; in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; @@ -20,10 +19,8 @@ in { ssl = true; domains = [cfg.domain]; use = "web"; - inherit (passwords.dyndns.${cfg.domain}) username; - passwordFile = - builtins.toFile passwords.dyndns._filename - passwords.dyndns.${cfg.domain}.password; + # inherit (passwords.dyndns.${cfg.domain}) username; + # passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path; }; }; } diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index 22b4b4e..b8430c4 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -5,7 +5,7 @@ }: with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = import ../lib/default.nix {}; + ownLib = import ../lib/default.nix {inherit lib;}; in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix index 7946772..21fa70c 100644 --- a/nix/os/profiles/common/boot.nix +++ b/nix/os/profiles/common/boot.nix @@ -4,12 +4,11 @@ enable = true; efiSupport = true; efiInstallAsRemovable = false; - version = 2; }; boot.loader.systemd-boot.enable = false; boot.loader.efi.canTouchEfiVariables = true; - boot.tmpOnTmpfs = true; + boot.tmp.useTmpfs = true; # Workaround for nm-pptp to enforce module load boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index ba5da40..d68a694 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix 
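Review bot: With `username` and `passwordFile` commented out, `services.ddclientovh.enable = true` now renders a ddclient config for `cfg.domain` with no credentials at all, so the service either fails or keeps retrying unauthenticated updates against OVH; an interim migration step should not leave a half-configured service enabled. Either wire it now — `passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path;` plus a `username` option on the module and the matching `sops.secrets` declaration — or add `assertions = [{ assertion = !cfg.enable; message = "ddclient-ovh: credentials not yet migrated to sops"; }];` so enabling it is an evaluation-time error until the secret exists.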
@@ -1,3 +1,17 @@ -{...}: { - imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix]; +{ + config, + pkgs, + repoFlake, + ... +}: { + imports = [ + ./boot.nix + ./pkg.nix + ./system.nix + ./hw.nix + + ./user.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix index 7a726eb..7cd1dfb 100644 --- a/nix/os/profiles/common/pkg.nix +++ b/nix/os/profiles/common/pkg.nix @@ -1,7 +1,9 @@ { + config, pkgs, # these come in via nodeSpecialArgs and are expected to be defined for every node repoFlake, + repoFlakeInputs', nodeFlake, packages', ... @@ -20,9 +22,12 @@ home-manager.extraSpecialArgs = { inherit repoFlake + repoFlakeInputs' packages' nodeFlake ; + + osConfig = config; }; nixpkgs.config = { diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index d93de5e..5bf314e 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -3,13 +3,31 @@ pkgs, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; - inherit (import ../../lib/default.nix {}) mkUser mkRoot; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; in { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + }; + + sops.secrets.sharedUsers-steveej = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + users.mutableUsers = false; - users.extraUsers.root = mkRoot {}; - users.extraUsers.steveej = mkUser {uid = 1000;}; + users.extraUsers.root = { + passwordFile = config.sops.secrets.sharedUsers-root.path; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + }; + + users.extraUsers.steveej = mkUser { + uid = 1000; + passwordFile = config.sops.secrets.sharedUsers-steveej.path; + }; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; 
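Review bot: `users.extraUsers.root` now carries both a sops-provided password and `openssh.authorizedKeys.keys` on every host importing this profile, and nothing in the hunk pins `PermitRootLogin`, so whether that password is usable over SSH depends on whichever openssh defaults a host ends up with (NixOS's default is `prohibit-password`, but srvos or a later profile may set otherwise). Make the intent explicit next to the root definition: `services.openssh.settings.PermitRootLogin = "prohibit-password";`. Also note that with `users.mutableUsers = false` and `neededForUsers = true`, a host whose age key cannot decrypt `shared-users.yaml` boots with no usable passwords at all — a comment pointing at the `.sops.yaml` creation rule each host must be listed in would save the next person a locked-out machine.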
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 72c13c1..2e125c0 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -21,7 +21,7 @@ # hardware related services services.illum.enable = true; - services.pcscd.enable = false; + services.pcscd.enable = true; hardware.opengl.enable = true; hardware.bluetooth.enable = true; # required for running blueman-applet in user sessions 
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index c86ddb12f0d0ed45d0767a431016ad4f33e7b7b7..9d7b45b0588e7d7301cb27adfc555010de8a1322 100644 GIT binary patch literal 1498 zcmZQ@_Y83kiVO&0IPvz&mz|l*HFUb;x?V+>Y$w5@z!v+~O>T8nKz_BnUTt6RH_*q+;!>~iS)yWMER7yo;oK7RV{ z$-d#AQEhlcDnr>E>5%(vvxB8u9`WAdTd04^k}d6@VE+8Ae|HpS%|505{_}52|Tr3lhV0NDMhVBf5!SPulkPkl*nH{5$E>3@!g4SuW#4Q zm|KzGpzWNT?*Dc6{Q6s8#08~x801xz<`hJp`h53ciJ`&wS&GW-18m3$|%Oa7%L@A+QB;r*$F>+%W44`1^69cF!byM2xi zuS@SydB6CJ&!>s4yL@=|mi>vp58V0FlyrCHvtv%b${ezeovqobP+zg%Y3_?j2{+@q z?w6|A<{KYG+ylVE)mysM>o~~ruW(>Y&SjA`CZd#QvW8I3u3O@A1wZs_vxLV z&G!TGkIzK--LPj9aY*{{>hIH6m|(bR1{ zXO)|P&xwP()fSblS-FO$2-}hHb?2%eYqaFpq%T~z2a>LF6d4EWBj@Hb$*4Qo0E6*w}qNfKH|1Y_S<)7 zdYkXueD%Dcq2TTPZ13ia?VQB9vMQpI>EqL<$*=nkKfF94XxpVtUv72EO;R;H&AIw! zjQQo2hHipTf96xgS;>dMi_Pr7clzll#4nj!z$??v*R$d@kzuh-gg?T8S)AEEEG+t!!+ zo05>-m5CdE^%_PvJ(AI%^dUXuc!ew1{_g?x4~3S@6MHDpWD)l6?>%8trR?`M4yTNa zw5ADVD!XN!PVFt2n(4J{=b~R8t!>jcoXR>~pI&Erxx{}*;I4Ul3NHy6Rz(%Ftc-kd zdo#B*%e)31fqN$WS^s+$9S>Uj_4_~dl#E*eC1H<_OcXegd*E{DB|M9w~<>tsp zSsDlIUYxYqX&$3^irjN-q03z(dvqgUBnn-}&>A^5BGS)n;gj)WX{Kd=96 z7VnI*=Ms@VYf5_FoiY`*_`>XaaG=XoFXt*RoHUb@B2GeR}FP*Y&xn*{4fy)@zje?N^-soOSot(%PT}ZI%3M zrt|aX<;-6C(`}BGl3ILKrjbonW1ODD$2n(srZSWiyQ+QWU6-e}!S`~_-&KrPB(I3A zbQA14JVo4;=|*e6gMp9fjqPHOEVj?tDB>=VU&39_+G)G}_Fkrh1!{}Do}NDD=qM=e by+vY&)Uyu#Wns@hv)ueVoA>fAHcm$X;+E|~ literal 2437 zcmZQ@_Y83kiVO&0@I8Ck+o`>JZWoBES3tEb(sD+`R1RG$`e%Dmus#+ zevDs8*Stn-VovPQ&0+}~Ts|G?6Zt;t?_q}Cbgr5oOY2;k5*KGaKf1)|g`JN3bAg^8 zTD$npd)gJHEmyeX!P--#6uhGGv7Wm|!Hmili(UcltVQcr+WzjzyrL6-KIPd$scZfx zYy`X8Z(aGVd}PlorT2W zLIR#!d@z}&&%XQITb=zsH13#n>Ps6iw12;?6#hWFO8D39*H?@MK9^6I&6p!yViUN1 z{_?xGbHx(wZMuGGx7x#N)AD|X7MEWQmso#9Dsw-t`k%^anx;Ydx?2{XoMNh=aeC1M zyNBCtRc&vDe5#x9d4k`E2kSCKrrv0_Ll__C7FlzC|11W>GhlIQs6pMcK4AT-OpZC zIHdBQ?B$*NnLW(kp1G;ADDJmrUgY*Cr}d6;Yb*`C>9}a4#+@&D;yyE{G1gRBKk2nq zxVPZL`IF8kUx{#seM-N=88~;s;#cRqF8*O^Sg@b%*2Q&iN^IBuUKsd+kI#*z)+az# 
zIObEsw&yEjwpzTI6dU+y*|OyZ&tp9l&%`~}blEyFL;m5<6}O%XpG+=Q@!Pa9Tkc(N zf!l@kiO*HySZY81n(+GDH?!q=QL|J^+4{=Pt@?5ATgSro-m03VGYZb`xcvXBWz{az z7i+xbABPmYog;nk-6kFRhc2%5OJeL8OLZ^rw7k9dVn?~ote8#O4kdYaeVVxC9&dSG z=-B7HW4cO@MBL&<3zZESW3xXz3yrA%R1>IsZr{1ciB838tM~gm`gYgw^l79q7@ZHg znEL;(x>2%%aa&!*(gmNt)E}tZyx>9a)=M?vMkm&=9=TC)_JM8EBLklJ_05g^J~Q7x z^qsFY`R9i0Q1xXMkuLwQIOTWr>xCZqolzqp!Yvvp5f7rb*>HZ15V+jve@pQQC znX+YzMRtR`U(!(t&6vrX);o&3nlRU%UvzC%m*As`Yv*v-M-SRZ_KNBwolr1#MRn~@$QG1iP2w{ z9?0OWwv*^R!ND)#7n^cU>!QoQJC0ZVSEnalc_d<#{e&mR#$?+jvX}Y zbM|KM9}l}cSwFpL=qWDF?z-Nn7Wt{yTak#zU80jyqGD|jv358l&U&?O1a~9CNb0B>)vn$YRWt~ z)>oFtH)CqvhTXT#CndTqjQ7%(b#jlrZS%`{$+OMjDSP_e_q&y;2W<~r&($$`?S#d# z9_k{Yr3FV{O?%!r>1E3q-9N9wmKd=%ZsyFN_IRR>*Szon!`PZ_9b)v={i5z0fuLipm8Z7<0#{H+z?4!4}xI{98PQG9;TsBGW zx}SjOn-8uLYi7PI5erehc~8ziwuUQNROeiHTEc=LmFZ^kz12~@h0mVU&aoJO>PVwGi5c901WKCJM`RR{IQm=bXiTrhQaL?7VFSu4xyJm95y)Fk)ojEF= zdE3QyW_rAyF!}hS4i~`>*MBD*cpH)WJ?5c+nm~NDuXShPTeGfR@#c-c<~LO=JLLXn z*@R}h^amfEY}Pq_*Pc-rWh0O&!e9Bjh}-c`#u7o1484kL@ptQN8)T*=%RTDOQa$yP zeTTyGNKU=5zHpz5M|s;?CiBVd+!<)S&QF|IeCF?Lx$5G=)nVc+6W)4wIcay4{JZGs z{NnSZBhP<4at^Z%{8yr%Q!THM8flnrZYS(7-9@yLXKR zW_fBs@snog=(%25Vfu-Qp<3=p(u#_+S8mG5C9Re`v!G10{=l;h+c=)H`5!-X zDxm3jVnpnUwN~@wKHFAp@mt}aS#?)XK{iF{jKJLqDVeM7*Lq&uQD+uBcb<>YtzM4F zYo45}DxI}^-2ti7+Kz`cgSCtNiz^zxyx*~ar>3?;sF7ud^+CHoo0T8T-ZhPVa(c+u ze*TYtc00>_oAvwIY3Fx#t=ue@24~qe*}i>$?2hn-z|<37e!m27N40+6`AD Date: Thu, 6 Jul 2023 22:42:24 +0200 Subject: [PATCH 2/5] feat: init srv0-dmz0 --- .sops.yaml | 5 +- Justfile | 4 +- flake.lock | 103 ++++++++++------ flake.nix | 5 + nix/os/devices/srv0-dmz0/README.md | 7 ++ nix/os/devices/srv0-dmz0/configuration.nix | 133 +++++++++++++++++++++ nix/os/devices/srv0-dmz0/default.nix | 30 +++++ nix/os/devices/srv0-dmz0/flake.lock | 83 +++++++++++++ nix/os/devices/srv0-dmz0/flake.nix | 12 ++ nix/os/devices/steveej-t14/system.nix | 22 +--- nix/os/devices/steveej-t14/user.nix | 5 +- nix/os/lib/default.nix | 11 +- nix/os/modules/opinionatedDisk.nix | 3 +- 
nix/os/profiles/common/user.nix | 23 +++- secrets/holochain-infra/nomad.yaml | 38 ++++++ secrets/shared-users.yaml | 54 +++++---- 16 files changed, 447 insertions(+), 91 deletions(-) create mode 100644 nix/os/devices/srv0-dmz0/README.md create mode 100644 nix/os/devices/srv0-dmz0/configuration.nix create mode 100644 nix/os/devices/srv0-dmz0/default.nix create mode 100644 nix/os/devices/srv0-dmz0/flake.lock create mode 100644 nix/os/devices/srv0-dmz0/flake.nix create mode 100644 secrets/holochain-infra/nomad.yaml diff --git a/.sops.yaml b/.sops.yaml index 776461a..13faa67 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,9 +6,11 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763 + - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: @@ -17,6 +19,7 @@ creation_rules: age: - *steveej-t14 - *sj-vps-htz0 + - *srv0-dmz0 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - pgp: diff --git a/Justfile b/Justfile index 3278626..e9cbfd7 100755 --- a/Justfile +++ b/Justfile @@ -38,7 +38,7 @@ rebuild-this-device +rebuildargs="dry-activate": nix run .#colmena -- apply-local --sudo {{rebuildargs}} # Re-render the versions of a remote device and rebuild its environment -update-remote-device devicename rebuildmode='build': +update-remote-device devicename +rebuildargs='build': #!/usr/bin/env bash set -e 
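Review bot: Adding `*srv0-dmz0` to the catch-all rule for `secrets/[^/]+$` lets the DMZ host decrypt every top-level secret — `shared-users.yaml` with the root and steveej password hashes used on the laptop and the VPS, and `zerotierone.txt` — not just what it consumes, so the most exposed machine in the fleet holds credentials for the others. Prefer a narrower rule per file, e.g. `- path_regex: ^secrets/shared-users\.yaml$` listing only the hosts that import the common user profile, and keep the rest on workstation keys. Re-keying is per file after this change (`sops updatekeys`); the patch's diffstat shows `shared-users.yaml` was re-encrypted while `zerotierone.txt` apparently was not, which is only fine as long as srv0-dmz0 never references it. If this age recipient is derived from srv0-dmz0's SSH host key, it must be the key the installed host actually boots with — the new README still has the host-key deployment as a TODO, and a mismatch means the `neededForUsers` secrets fail to decrypt on first boot.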
@@ -48,7 +48,7 @@ update-remote-device devicename rebuildmode='build': nix flake update ) - just -v rebuild-remote-device {{devicename}} {{rebuildmode}} + just -v rebuild-remote-device {{devicename}} {{rebuildargs}} git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" diff --git a/flake.lock b/flake.lock index c444a58..ba38cbc 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1688082682, - "narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=", + "lastModified": 1688425221, + "narHash": "sha256-DhZnju72DuX9GhOnCOBIE94aCGKC2BOaF+kGxbnP/K0=", "owner": "ipetkov", "repo": "crane", - "rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8", + "rev": "fc6a236548b31aef0be3b0a0377c4459bb39d923", "type": "github" }, "original": { @@ -93,11 +93,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1688278950, - "narHash": "sha256-h3J/w3/hCeW6D+VsN/JBQ0Buz76g5wRFznUJF8JomT4=", + "lastModified": 1688624761, + "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=", "owner": "nix-community", "repo": "fenix", - "rev": "8e75b5c8506960b49fbc5618717d966d04ee0a7d", + "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541", "type": "github" }, "original": { @@ -158,11 +158,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1688254665, - "narHash": "sha256-8FHEgBrr7gYNiS/NzCxIO3m4hvtLRW9YY1nYo1ivm3o=", + "lastModified": 1688466019, + "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "267149c58a14d15f7f81b4d737308421de9d7152", + "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", "type": "github" }, "original": { 
@@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1687762428, - "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", + "lastModified": 1688466019, + "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", + "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", "type": "github" }, "original": { @@ -234,11 +234,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", "owner": "numtide", "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, "original": { @@ -364,11 +364,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1688002352, - "narHash": "sha256-jp6MOYWPsLbnDrk3ZWV98c6Z/PolEkfcuHXtAeKu66A=", + "lastModified": 1688608231, + "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "db318eee754563269536c5e3513abbb9b130481a", + "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d", "type": "github" }, "original": { @@ -446,11 +446,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688001024, - "narHash": "sha256-Zf88j+DUj6rDgveWfdEyUo4fL1KZTowzPAN6gpeqzKg=", + "lastModified": 1688607075, + "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2c8591ad6a6f9d679817a94f847c59b0d1e3289e", + "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6", "type": "github" }, "original": { 
@@ -462,11 +462,11 @@ }, "nixpkgs-2211": { "locked": { - "lastModified": 1688043300, - "narHash": "sha256-UmpvFT0v4U4jxXhrfr+x1NuaOFULkIyCfS/WT6N6T7s=", + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6643a93d25abf3cf5d40a4e05bcf904b9f0e586", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", "type": "github" }, "original": { @@ -478,11 +478,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688109178, - "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "lastModified": 1688566749, + "narHash": "sha256-3Og5xbNk1qncLWl2zrrL/k80UqRI/nEGPEbzz306Izk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "rev": "c99004f75fd28cc10b9d2e01f51a412d768269c8", "type": "github" }, "original": { @@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688301056, - "narHash": "sha256-UDkmgKP+hFY+s1k4xj+05GGCdBIYHDPBT0LprU4AdO4=", + "lastModified": 1688646970, + "narHash": "sha256-EIcr3n0YKjJdH9F3JFyhlObbSDXQji8nEzNWxYqep1g=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "b948920571b72da0363d2e8c391af5cfead99a6a", + "rev": "57c2057b4817ecce059fb3cd941ba53ee70c6f5d", "type": "github" }, "original": { @@ -564,11 +564,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1688231357, - "narHash": "sha256-ZOn16X5jZ6X5ror58gOJAxPfFLAQhZJ6nOUeS4tfFwo=", + "lastModified": 1688590700, + "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "645ff62e09d294a30de823cb568e9c6d68e92606", + "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", "type": "github" }, "original": { @@ -599,6 +599,10 @@ "aphorme_launcher": "aphorme_launcher", "colmena": "colmena", "crane": "crane", + "disko": [ + "nixos-anywhere", + "disko" + ], "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", 
@@ -615,17 +619,18 @@ "ofi-pass": "ofi-pass", "salut": "salut", "sops-nix": "sops-nix", + "srvos": "srvos", "yofi": "yofi" } }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1688245988, - "narHash": "sha256-0DlDUvMFCaFGHnxwyG68RJbKsJ8EM7xu3FiWb2Ry8+E=", + "lastModified": 1688576197, + "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f5f0c48ac37fb19705af2864cb50dd6d82e9134e", + "rev": "aa91eda9028758839487ad0f0eb120944a549ff3", "type": "github" }, "original": { @@ -647,11 +652,11 @@ ] }, "locked": { - "lastModified": 1685759304, - "narHash": "sha256-I3YBH6MS3G5kGzNuc1G0f9uYfTcNY9NYoRc3QsykLk4=", + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c535b4f3327910c96dcf21851bbdd074d0760290", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", "type": "github" }, "original": { @@ -697,6 +702,26 @@ "type": "github" } }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688619474, + "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=", + "owner": "numtide", + "repo": "srvos", + "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, diff --git a/flake.nix b/flake.nix index 76668b3..63a16da 100644 --- a/flake.nix +++ b/flake.nix @@ -7,8 +7,12 @@ nixpkgs.follows = "nixpkgs-2305"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; + + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; nixos-anywhere.url = github:numtide/nixos-anywhere/main; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; + disko.follows = "nixos-anywhere/disko"; nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; 
@@ -102,6 +106,7 @@ }) [ "sj-vps-htz0" "steveej-t14" + "srv0-dmz0" # "elias-e525" # "justyna-p300" ]); diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md new file mode 100644 index 0000000..92893b6 --- /dev/null +++ b/nix/os/devices/srv0-dmz0/README.md @@ -0,0 +1,7 @@ +## bootstrapping + +``` +# TODO: generate an SSH host-key and deploy it via --extra-files +nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life +``` + diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix new file mode 100644 index 0000000..3fb80da --- /dev/null +++ b/nix/os/devices/srv0-dmz0/configuration.nix 
@@ -0,0 +1,133 @@ +{ + modulesPath, + repoFlake, + pkgs, + config, + ... +}: let + disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051"; +in { + disabledModules = []; + imports = [ + repoFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.srvos.nixosModules.server + (modulesPath + "/profiles/all-hardware.nix") + + repoFlake.inputs.srvos.nixosModules.mixins-terminfo + repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot + + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + ]; + + ## bare-metal machines + srvos.boot.consoles = ["tty0"]; + boot.loader.grub.enable = false; + boot.loader.efi.canTouchEfiVariables = false; + + disko.devices.disk.main = { + device = disk; + type = "disk"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + name = "ESP"; + start = "1M"; + end = "512M"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "512M"; + end = "100%"; + part-type = "primary"; + bootable = true; + content = { + type = "btrfs"; + extraArgs = ["-f"]; # Override existing partition + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + "/nix" = { + mountOptions = ["noatime"]; + }; + }; + }; + } + ]; + }; + }; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + + services.openssh.enable = true; + + systemd.network.enable = true; + systemd.network.networks."10-lan" = { + matchConfig.Name = "eth*"; + networkConfig = { + # enable DHCP for IPv4 *and* IPv6 + DHCP = "yes"; + + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + }; + }; + networking.dhcpcd.enable = false; + + 
networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + 22 + + # iperf3 + 5201 + ]; + networking.firewall.logRefusedConnections = false; + networking.usePredictableInterfaceNames = false; + + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "eth0"; + }; + + # Kubernetes + # services.kubernetes.roles = ["master" "node"]; + + # virtualization + # virtualisation = {docker.enable = true;}; + + nix.gc = {automatic = true;}; + + containers = { + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix new file mode 100644 index 0000000..5c0b7bb --- /dev/null +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -0,0 +1,30 @@ +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let + system = "x86_64-linux"; +in { + meta.nodeSpecialArgs.${nodeName} = { + inherit repoFlake nodeName nodeFlake; + packages' = repoFlake.packages.${system}; + }; + + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; + + ${nodeName} = { + deployment.targetHost = "srv0.dmz0.noosphere.life"; + deployment.replaceUnknownProfiles = false; + + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock new file mode 100644 index 0000000..38508fd --- /dev/null +++ b/nix/os/devices/srv0-dmz0/flake.lock 
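Review bot: `networking.firewall.allowedTCPPorts` leaves iperf3's 5201 permanently open on a host that, by its name and `deployment.targetHost`, is internet-reachable, and `logRefusedConnections = false` throws away the one cheap record of probes against it; I'd drop 5201 here and open it ad hoc when benchmarking, and keep refused-connection logging on for a DMZ box. `22` is redundant too, since `services.openssh.enable = true` opens it through `openFirewall`'s default. Separately, `bootable = true` on the `root` partition looks copied from the ESP entry — in disko's table layout I believe this sets parted's boot flag, which on GPT marks the partition as an ESP, so two partitions would advertise that type — and the `bios_grub` partition is dead weight with `boot.loader.grub.enable = false`.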
@@ -0,0 +1,83 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1688594934, + "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e11142026e2cef35ea52c9205703823df225c947", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1688668881, + "narHash": "sha256-q5QIxsX5UR+P2uq8RyaJA/GI5z3yZiKl3Q35gVyr9UM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "0ffe9cc640d092e6abd8c0adec483acfd2ed7cda", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1688640665, + "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix new file mode 100644 index 0000000..c315b8e --- /dev/null +++ b/nix/os/devices/srv0-dmz0/flake.nix 
@@ -0,0 +1,12 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-23.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: {}; +} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 6327ecd..4f768f2 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -24,22 +24,6 @@ in { }; networking.extraHosts = '' - # qemu box - 172.24.40.13 steveej-qemu.infra.holochain.org - 172.24.40.13 steveej-qemu.d.dweb.city - - # bare metal - 192.168.14.117 steveej-hw1.infra.holochain.org - 192.168.14.117 steveej-hw1.d.dweb.city - 192.168.14.117 steveej-hw2.infra.holochain.org - 192.168.14.117 steveej-hw2.d.dweb.city - 192.168.14.117 steveej-hw3.infra.holochain.org - 192.168.14.117 steveej-hw3.d.dweb.city - 192.168.14.117 steveej-hw4.infra.holochain.org - 192.168.14.117 steveej-hw4.d.dweb.city - - 172.24.135.11 emerge3.d.dweb.city - 172.24.74.194 emerge4.d.dweb.city ''; networking.bridges."virbr1".interfaces = []; @@ -150,17 +134,17 @@ in { }; sops.secrets.nomad-holochain-agent-ca = { - sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; owner = config.users.extraUsers.steveej.name; }; sops.secrets.nomad-holochain-cli-cert = { - sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; owner = config.users.extraUsers.steveej.name; }; sops.secrets.nomad-holochain-cli-key = { - sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml; + sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; owner = config.users.extraUsers.steveej.name; }; } 
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index bf5ff0b..ece9cec 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix @@ -5,7 +5,7 @@ ... }: let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; in { users.extraUsers.steveej2 = mkUser { uid = 1001; @@ -14,4 +14,7 @@ in { }; nix.settings.trusted-users = ["steveej"]; + + security.pam.u2f.enable = true; + security.pam.services.steveej.u2fAuth = true; } diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 5f8c424..0554d6e 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,7 +1,9 @@ { lib, - keys ? import ../../variables/keys.nix, -}: { + config, +}: let + keys = import ../../variables/keys.nix; +in { mkUser = args: ( lib.attrsets.recursiveUpdate { isNormalUser = true; @@ -19,6 +21,11 @@ "adbusers" ]; openssh.authorizedKeys.keys = keys.users.steveej.openssh; + + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; } args ); diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index b8430c4..758c50e 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -1,11 +1,12 @@ { lib, config, + pkgs, ... }: with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = import ../lib/default.nix {inherit lib;}; + ownLib = pkgs.callPackage ../lib/default.nix {}; in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 5bf314e..a2447f9 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix 
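Review bot: `pkgs.callPackage ../../lib/default.nix {}` in steveej-t14/user.nix and `pkgs.callPackage ../lib/default.nix {}` in opinionatedDisk.nix auto-fill the new `config` argument of lib/default.nix from `pkgs`, i.e. with the nixpkgs config (`allowUnfree`, overlays, …), not the NixOS module `config` — which is almost certainly the answer to the `TODO: investigate why this secret cannot be found` in the same hunk, as `pkgs.config` has no `sops` attribute. Pass the module's `config` explicitly as common/user.nix does, `inherit (import ../../lib/default.nix { inherit (pkgs) lib; inherit config; }) mkUser;`, or at least `pkgs.callPackage ../lib/default.nix { inherit config; }` in opinionatedDisk.nix. A short comment on the `config` parameter of lib/default.nix saying it must be the NixOS `config`, not `pkgs.config`, would stop the next `callPackage` from reintroducing this.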
@@ -4,11 +4,18 @@ ... }: let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit + (import ../../lib/default.nix { + inherit (pkgs) lib; + inherit config; + }) + mkUser + ; in { sops.secrets.sharedUsers-root = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; + format = "yaml"; }; sops.secrets.sharedUsers-steveej = { @@ -17,18 +24,26 @@ in { format = "yaml"; }; + sops.secrets.sharedSshKeys-steveej = { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + users.mutableUsers = false; users.extraUsers.root = { passwordFile = config.sops.secrets.sharedUsers-root.path; openssh.authorizedKeys.keys = keys.users.steveej.openssh; + + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; }; users.extraUsers.steveej = mkUser { uid = 1000; passwordFile = config.sops.secrets.sharedUsers-steveej.path; }; - - security.pam.u2f.enable = true; - security.pam.services.steveej.u2fAuth = true; } diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml new file mode 100644 index 0000000..a203484 --- /dev/null +++ b/secrets/holochain-infra/nomad.yaml 
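Review bot: `sops.secrets.sharedSshKeys-steveej` is declared but only consumed by commented-out code, so it is decrypted to `/run/secrets` on every host for nothing; and since it holds SSH *public* keys there is no confidentiality to gain over the plain `keys.nix` already used on the lines above. The commented `openssh.authorizedKeys.keyFiles = [ config.sops.secrets….path ]` is, I believe, also the reason for the TODO: NixOS reads `keyFiles` with `readFile` at evaluation time to build `/etc/ssh/authorized_keys.d`, and a runtime-only `/run/secrets/...` path does not exist then. I'd remove the secret and the commented blocks and keep authorized keys in `keys.nix`, or note in a comment why an encrypted copy is wanted.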
@@ -0,0 +1,38 @@ +nomad-holochain-agent-ca: ENC[AES256_GCM,data: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,iv:QgOfg6sSs1zYtqHFCKy+94qx6edQ3iEt/JtCIoUEqGI=,tag:vSzK1bNTRZA0ytKLITXF9Q==,type:str] +nomad-holochain-cli-cert: ENC[AES256_GCM,data:+SMQfO1zyJ6EW44IIe3uouLJ4lkwlX5y1PFpNMFLXVySsAQpwlLLXCRvTlt8r53xXJglQ4vI+CpNyaE++0A+a7/cXa0rOmxweJjN+LNI9kRR+DdAtR0tGPDiSge+tc7/penx1LJd81SIahoMjZj8Q0Ua3YO8VKKLZKq+jCfTYsWWkGYFVmrUjBZMc6X6l49mo8efmKUbOVvhZ350qfTKDuXjRewcI5vJdW1tm7Gcb5nMA+31lgXgWPOURJIOHnicuHLEYLUEEspRYy3IRuonQHrCeydrKTjRW7YTDr8GgjVBz/HwuoFdCSZ3iqf4YkxSloYfxAzG1y9/FEf2xNF2xOp3w3Pygkb8YtN6ZBX3UJOcisouyYmLc7s7FXfnrDyOlozQmb0IYBUUfrtFWTE/uvWKsRiyaWBkqgfPkf1BH/zFuhwm0nPFH5meC7ILaD71mCXG7cESo2en52AGe3i1fec+kLmtpeGAad6iET9nZxXE13bHI3WycfgpAnBjyyWVwQ6zblZMz6f0U3PgJ/l0HydgFuWE275ClE5M4o/IN+HJNk9/ehM7V/aII7v3eKVhFljNI1elF2OsDag995CyyipZ8gw2PU10XVVBBW4UZuwRpJDkKyoQI9+IR8iC4JHJ7dZpV+Wsv08KY1HHWqtW63bVrrgh7fruMZJ2OX1bgAWwTyeYkCljjm+h3A+xvhoG8Hu4FjBAb0k6FD2emwR5YkjZA9hw1gYZjvDt71X0N2Zz9n/LHZdgNvK6iVN9XRgF7h4w5oRTCVX9wjCASuTE/K01HNMOFBZZA2PdE+dCRgg4ybvtCwvmOQWE/GEzOZ1PRVdxmc3YEru/rUNDRqeTaje/buQCk7RM3mg/s+y6Gl0nrQ05UnUNKPn802bR2fyRi6SohES39O7Xp8IERFOqhzZMqliKvmamAbk4oQ0sfWnp61gGOOpd79hI9Cecxcr+AMlCeIF9RJeywgMbONGrt6uONsd92aMKr9zCaltiWa8A9dH2D3c5rNB5l/qvQVU5RVSDAwo6sCulbpmy6tn+6EAWLjxrTjciK3li/GT6bfO1HVlx+V32YgZ3pPdkH3VQzpDOaCEqpX0gkgbXWIRWQoFBNp6jgLHcB7+DBgV9DFrmThqQsqQzB3PY1s+Kyeejo8xTRmKf6YwjfbP3z3ZhUfkbP1Au7xw5/baSPf7+2u49aUNSa6j46DPzahIym9wT,iv:Spx29A5n1kLZqE6EHw+3N3Om7V1kgnM2PVk7d7wJzqM=,tag:LCvfCpldN29iRPhxzbsU0Q==,type:str] +nomad-holochain-cli-key: ENC[AES256_GCM,data:G633C4SWwAoM9NyBEX7+xGzEondw/FY5XXqbRZxPtO8if+pWHnLRSkc9/fIs4mmCJxB89C2RAxb4tvuwCXJUZyWVQ1xEMwYXCDvJ56ggtrcDyw48iRnF/kNTIIkkHO3mWbpf6OALekcSNRZlznCUcq5K6gSgYECGuVeqcTA/NVH7q8mmBxEicUEyeO6bHopge4bz0o5Bnbpy86Ux2aw2HzSS1qreMpzEVcXIPgo4vlhaeaHj37rUHos2gKGD+GR/wD1n/D12qMsxRXlSz9N0vC50BI2QkqKtlVsv0PNib/MqjiA=,iv:SrPwR1EGCYh846luAX3RMJq+vG88NO3g/IqcjKcFi+o=,tag:ytA4ZwZ2wXz9K2trL6MU+Q==,type:str] 
+sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVTlaZTA2WVZWWXIwMkFu + d0lMN0tEaUVMeHY1SnBwTVVFbnVPRlFEalVRClliR05oclI5eDVnclBrY2tKK3JS + NjhTOG11Nkh0UWF5Z2g5SzdFT2NpaUUKLS0tIENPU3RHSEVVdzhKV2lQYkR3RnM1 + c2tjQjk0TG1IeTRYdjlPeER2ZlNHMlEKMlWrDV9aNY9AbLp3BsIUZ8W1b94ue4dh + uBPpeMLHB0T2q3C1MxnfBa8h9lZyePd3L4zYFUAX+I8CGECZNx9C3A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-05T08:26:42Z" + mac: ENC[AES256_GCM,data:g3wOkP8M9eLwhccPLV2WbpsnNUyYxILstOqkmyPQ5JPaOQJpGLr0AesN8E+wVPb2cVuUJ38+/xVdWubuFXx0ptZtLoEItnXEwmTxfvRk1veyknxMvX9f4XGfeSunoOFCMNnD+C5tZncJuIeHPcSz4bObHBRbCflMblmz0cthF78=,iv:oxEeAiHqZHEkvs7OxGwO+quxj+yD8nAH2pTGSs/eNes=,tag:VFgDVJOt9qYd4k6j1t0GdA==,type:str] + pgp: + - created_at: "2023-07-05T08:19:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+M3metU+UqXIGIVmdw5qLqw6H1h4JPk0DFWzJRZqtt5U7 + BBdvoGr6COYFjYx3CRzXVkC/0ldNTsCnM1D2QZTbnqivP5P7L5Bp/y6jHxacBtq/ + erv3doofU54weKBFvm0xh564P7uL5+IRxbSidJhYAKAwYzvptuhEA3R1Y6szzlKY + l6kYgROiRnOfWk8iOKBYCbcxZ8VrmRoohuky6PKaCewESNRiOR3vzkumDE8mbnLH + /QuufFhZbg2wA8ZkG54tSBIRz8gjanQDNhh9sYtPp+PWnuDiyyZhSJef6ruT9v1f + IUP1ybuVsMyRmMKAL0NAbW3UleoIY/GcH9nVaeT+TNJRAXS5BVX/guduIFWqqbwQ + 3fbN7k5JS/VwKCIf8kI6DOVee78F0o/C7rA02CZU9PqeX0hc47wEFvlgNn/TepON + eFWOScb0W7O0Ug+3lRnVdLHO + =8m42 + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index 72a0cdf..bbd501f 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -1,6 +1,7 @@ #ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str] +sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] #ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] #ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment] 
@@ -15,37 +16,46 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRmJhRHBxU1VnaEQ2eEpG - N3NyYmtBTCtJU3FGUmJRckhoQUxQK0p2SldnCmJiZnlLS0tEOEg2a3NOYXAwQWhT - eTlWMDc3YlpqRDJyMWpKWTlINS9Gck0KLS0tIFg0V3RkSENqRzhRWEZxUGZZTGRo - b0VJcm0vbVNqWEt2TSt0RW5zcXgzbGcKkKul4wrLfQ/mP9o1KfJ3w/hrlyuD2K/h - 4i8d8q7Yr3ULXpPPrYNWJ+1u5yPrKtj/YjkvsbCR5sQLPe8EcTK15w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUGxsbitMNnlTZlRZQVJl + RVc3TUtHaWpQdk5RVFkvS0MxSkVxWHQ1MFZvCmw0M2M4VGRxb21nVzkrNWIzK3Aw + dVB6bWEvQ0dtbjZobTVCeE9DUEpGV2sKLS0tIGhya2RMM2w5VHlHNUdGK1FNZit3 + OWUyYnZhSEhtMzhTenZMRU1yRis0WkkK/iDe1XgGJumprZU23G/Imhbqpp5ehfMe + I+XlSGn0/ry1SpEV0bQi7ZMzFxEfhX0avLsmxTeoxQJuN2m7ZOQCdQ== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bkhNaDZoUFplSC9SZ09a - aENIa0NYVkQ4ZGhzdE4vSS9zeER4L1Y2dkFFCnQ5SlZTQ0NKN1Q0WWR0S1hHZmxi - Q2pPUHRHb3VyQmFPQW1wVllkR0pva2cKLS0tIGphY0lUTENCVG1PcVo5SldaRVpy - RnJYK1hXUWhPZjdkV2FUeThTZmlJS1kKmmoKeEKRQEHtgfXAd7x6VtfZm2nLWxle - 2k1N0N77p8QzoDIkUY5I8RjQS0V8wOLwOSVYDe8j3erw9e9GhDqEbQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OVJ5d1p1RURkTjdzaWpv + OXViZkhzZEZwYzNIZHdpeUVNWlM5SWJGYkFjCnRrQWV6UUM0akIzaFVxY1dzaUNa + OVFRczZaUjRXSGphcTJ5TGtZOHlSeHcKLS0tIG5QTWMyTzFlZkdIdnVGT2lpTXR4 + TXJybjNjdmwxRVMxdERIS25wRTRCV0UKy/N8YBkxD3f5qTBOPj/iysFr/Ona1p9H + JYhjZCojB4Ua1b2Tv4Gz2Fvi9B2fOWBy0/LSPA6CRchG3IWgKm/B6g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-02T16:39:58Z" - mac: ENC[AES256_GCM,data:2aw294lkCFt3Yhf3I3Py+mSgQNcFKjyQSJiCvS3+iiraR6ukT6gN3eIwPk9AmUgCDBJBhOe8Nlx3gq9lYz3SI+B2sVnt27Fxe3kp1Ip894Lg2XyA7TynTJJp2eIrFmSO11FhQaMDO8D8+kraJFzLspQ5/j/67f+smkiIFlpXx6g=,iv:DPjOin99RR6EoG1FA4f5BexpYeyb4xy1iWiiq4y+JEA=,tag:i1CQI182/VILveC8Qw8rWQ==,type:str] + - recipient: 
age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNVJBRlptQ2hWVy9MRGhj + MVduVkl3YXZEVlMzNksybkZjR1Z6VnQ1MGdRCjRTWjY3RTlpY096c3UrMHlaUms0 + MDc3V0dTUnpWTjcxcGZNSmVkUElLMjgKLS0tIGFkMzZ1eVh1a1ZzckxseFh5T1VK + eDZSbXdzSmJ3dkJHSkU2R3JTRjlxNDAK1k/SYCf1nWEHKRzlJbvx1U5NKYSEzi0/ + wE4SdLjMi4io2ThNif4gqVRCiRQupiILx4VnlM4lN6Fk924zATUUYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-06T20:14:22Z" + mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-07-01T20:51:41Z" + - created_at: "2023-07-06T18:55:17Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf9F7sIYPoz5fsqe8an9+suc5OSoZI/tA/+UMWO++Nn4VSA - ZEmxqyDvnc/KxHyFwHjISyOJkbd8L23ZdO6Fgn0wjm+z3houqMQoaKdYgjpOBFrI - 3nq86WkdKKVy/8RzrDCQ5gKIy4P1zeiyOio12n8G4cUt0B3uo596qKoWc6duUiEt - Z6wSPDEaciihTrbZCYYDXvElXO6uY5S8fBRdhsY8aNKLgh0vIYlQw/aflN4EiuC/ - OiQkRwp8CHcsdkUo/pngmBaRVlW4uOlv/QpZ3/zXTqx5UazQlb+xmilBCFt6jgWs - +VhemXci16j6S6myw/heSP2Z+Gv02cRiFcpz64Z0QNJRAQsRJTjdB5OS/IcaqXs3 - SwgOL9ga8vd4OZW7Jc2LQ1TJCarKUCGT0YcfOjv4CmtLn+2MDCLr+syg535/clbK - VXC10xjRrhlBaCQ9vR1N2gBp - =TJW7 + wcBMA0SHG/zF3227AQgAo5WdFio56L/EtWKV590N9QQ9Gjm9IWm0G+H6YHTNlpfO + erhl1AZds+MNrInw0uSW7Mx/wZ4awv8+JVkMN43qupmDIcgHmWmVoqB2SaUA60qd + gkFYP2fWlmgzihl/DnWUn1M4WrD8sGJIwkulg8FX9h40f7mEhb0MsftsUuhmxOBp + GTJDtT/A7wHMRY71mEzIyem8XOA7nAIO7r802Tyni6H7zP1qG00vF/sastbbzB26 + +7MTpSZz8AuNPG/P7rue7J2BL0S8ldwcPsGX9XGt2qFbeNbsOUfJn12miPSEZHWU + jIYC1rWLVJ110O0ZDDMJXyfBW5XrFAkA6XkCzzPgodJRAYKzTD+bMg44vuwTCRmG + wcdv71+hBJeXtF1g8/YueaTWpPJ5j8m6Ntp1d5pYPetlRmhwLzfSoY1BUXA6YkGb + Qeqr3q7oGL91sjasjZQorc3h + =6rU4 -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B 
unencrypted_suffix: _unencrypted -- 2.49.0 From fb11753620e5274b97d60ee812caaef103eb1821 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 7 Jul 2023 11:54:40 +0200 Subject: [PATCH 3/5] nix/os/devices/steveej-t14: bump versions --- nix/os/devices/steveej-t14/flake.lock | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock index 4778828..5c8b195 100644 --- a/nix/os/devices/steveej-t14/flake.lock +++ b/nix/os/devices/steveej-t14/flake.lock @@ -23,11 +23,11 @@ }, "nixpkgs-2211": { "locked": { - "lastModified": 1688043300, - "narHash": "sha256-UmpvFT0v4U4jxXhrfr+x1NuaOFULkIyCfS/WT6N6T7s=", + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6643a93d25abf3cf5d40a4e05bcf904b9f0e586", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688109178, - "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "lastModified": 1688594934, + "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "rev": "e11142026e2cef35ea52c9205703823df225c947", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688203387, - "narHash": "sha256-2xQBKKoSTdGPubp7M000aP9ccO+Z3DMcpq2ZX5Hj6XQ=", + "lastModified": 1688722718, + "narHash": "sha256-Uralooke0g1EgrNDjboSiqc0BHOCgiugL43JAA1ncDA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cbb87f134682b20dc218b529fe95030468d67a0d", + "rev": "5cbff28ae66e5a98386bcbea29f5a7252c33c808", "type": "github" }, "original": { 
@@ -71,11 +71,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", + "lastModified": 1688590700, + "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", + "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1688180391, - "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=", + "lastModified": 1688640665, + "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd", + "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", "type": "github" }, "original": { -- 2.49.0 From 4e0d0c3abd0b7ce1b6ece3d987c216eb2d371160 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 7 Jul 2023 22:20:39 +0200 Subject: [PATCH 4/5] feat(graphical-fullblown,sway): dropbox->maestral, cleanup, add udiskie --- flake.lock | 24 +++++----- flake.nix | 33 ++++++------- nix/devShells.nix | 4 -- .../configuration/graphical-fullblown.nix | 48 +++++++++++++++---- nix/home-manager/profiles/sway-desktop.nix | 1 - 5 files changed, 69 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index ba38cbc..9e2fc58 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1688425221, - "narHash": "sha256-DhZnju72DuX9GhOnCOBIE94aCGKC2BOaF+kGxbnP/K0=", + "lastModified": 1688690832, + "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=", "owner": "ipetkov", "repo": "crane", - "rev": "fc6a236548b31aef0be3b0a0377c4459bb39d923", + "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3", "type": "github" }, "original": { 
@@ -333,13 +333,13 @@ "logseqNightly": { "flake": false, "locked": { - "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=", + "narHash": "sha256-nVE7Ke2sNYK7dOZCkzABm7OFQQ3V1vcj/y5QJteacTI=", "type": "file", - "url": "file:///dev/null" + "url": "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage" }, "original": { "type": "file", - "url": "file:///dev/null" + "url": "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage" } }, "magmawm": { @@ -478,11 +478,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688566749, - "narHash": "sha256-3Og5xbNk1qncLWl2zrrL/k80UqRI/nEGPEbzz306Izk=", + "lastModified": 1688594934, + "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c99004f75fd28cc10b9d2e01f51a412d768269c8", + "rev": "e11142026e2cef35ea52c9205703823df225c947", "type": "github" }, "original": { @@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688646970, - "narHash": "sha256-EIcr3n0YKjJdH9F3JFyhlObbSDXQji8nEzNWxYqep1g=", + "lastModified": 1688653033, + "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "57c2057b4817ecce059fb3cd941ba53ee70c6f5d", + "rev": "bc84572c913933dbb49df2746dc8669f562da454", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 63a16da..2777c01 100644 --- a/flake.nix +++ b/flake.nix @@ -67,8 +67,8 @@ }; logseqNightly = { - url = "file:///dev/null"; - # url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230628.AppImage"; + # url = "file:///dev/null"; + url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage"; flake = false; }; }; 
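Review bot: `url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage"` fetches an asset from upstream's mutable `nightly` release; the narHash in flake.lock pins the bytes fetched now, but every later `nix flake update` accepts whatever the tag serves at that moment with no review step, and assets under a rolling nightly tag tend to be replaced, so the URL may also stop resolving. If a nightly is really wanted, make the trust decision explicit next to the input, `# nightly asset: mutable URL, integrity rests solely on the flake.lock narHash`, so that a hash change on update is recognised as a content change rather than noise. Otherwise prefer a tagged release asset with a stable URL.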
@@ -147,24 +147,25 @@ dcpj4110dwDriver = dcpj4110dw.driver; dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; - yofi = inputs'.yofi.packages.default; - ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; + # broken as of 2023-04-27 because it doesn't load without a config + # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; + # yofi = inputs'.yofi.packages.default; + # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; inherit (inputs'.colmena.packages) colmena; - jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { - src = inputs.jay; - rustPlatform = pkgs.makeRustPlatform { - cargo = inputs'.fenix.packages.stable.toolchain; - rustc = inputs'.fenix.packages.stable.toolchain; - }; - }; + # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { + # src = inputs.jay; + # rustPlatform = pkgs.makeRustPlatform { + # cargo = inputs'.fenix.packages.stable.toolchain; + # rustc = inputs'.fenix.packages.stable.toolchain; + # }; + # }; - magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { - inherit craneLib; - src = inputs.magmawm; - }; + # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { + # inherit craneLib; + # src = inputs.magmawm; + # }; salut = craneLib.buildPackage { src = inputs.salut; diff --git a/nix/devShells.nix b/nix/devShells.nix index 20569a6..d896815 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -33,10 +33,6 @@ pkgs.stdenv.mkDerivation { prs fuzzel wofi - # broken as of 2023-04-27 because it doesn't load without a config - # packages'.aphorme_launcher - packages'.yofi - # packages'.ofi-pass age age-plugin-yubikey ssh-to-age diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 3d10c4d..215c5a7 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
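Review bot: The comment `# broken as of 2023-04-27 because it doesn't load without a config` now heads three commented-out packages, but in nix/devShells.nix (where this same commit removes it) it applied only to `aphorme_launcher`, while `packages'.yofi` was active; as written it claims a failure for `yofi` and `ofi-pass` that the history does not support. Either keep the comment on the single line it describes, or state why the other two are disabled as well. The `jay` and `magmawm` definitions below are commented out with no reason at all; since git keeps the history, deleting them or adding a one-line reason would be clearer than carrying dead code.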
@@ -8,7 +8,7 @@ # repoFlakeInputs', ... }: let - pkgsMaster = nodeFlake.inputs.nixpkgs-master.${pkgs.system}; + pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; # pkgs2211 = repoFlakeInputs'.nixpkgs-2211.legacyPackages; @@ -235,18 +235,22 @@ in { cdrtools # Document Processing and Management + gnome.nautilus xfce.thunar + pcmanfm # mendeley evince - ((logseq.overrideAttrs (attrs: { - version = "nightly"; - src = repoFlake.inputs.logseqNightly; - })).override (_: { - electron = pkgs.electron_24; - })) + ((pkgsMaster.logseq.overrideAttrs (finalAttrs: previousAttrs: { + version = "nightly"; + src = repoFlake.inputs.logseqNightly; + })) + .override (_: { + electron = pkgs.electron_24; + })) # File Synchronzation - dropbox + maestral + maestral-gui rsync # Filesystem Tools @@ -300,4 +304,32 @@ in { systemd.user.startServices = true; services.syncthing.enable = true; + + services.udiskie = { + enable = true; + automount = true; + notify = true; + }; + + # FIXME: doesn't work as the service can't seem to control its started PID + services.dropbox = { + enable = false; + path = "${config.home.homeDirectory}/Dropbox-Hm"; + }; + + # TODO: uncomment this when it's in stable home-manger + # programs.joshuto = { + # enable = true; + # }; + + # systemd.user.services.maestral = { + # Unit.Description = "Maestral daemon"; + # Install.WantedBy = ["default.target"]; + # Service = { + # ExecStart = "${pkgs.maestral}/bin/maestral start -f"; + # ExecStop = "${pkgs.maestral}/bin/maestral stop"; + # Restart = "on-failure"; + # Nice = 10; + # }; + # }; } diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index 62d3c22..0f2d9d0 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
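Review bot: `automount = true;` makes udiskie mount every removable medium the moment it is attached, so the kernel parses the filesystem of any unknown USB device before the user has decided to open it; on a laptop I would set `automount = false;` and mount on demand (udiskie's tray or `udiskie-mount`), keeping `notify = true;` so inserts are still announced. The `services.dropbox = { enable = false; ... }` stanza and the commented-out `systemd.user.services.maestral` unit beneath it are dead configuration parked with a FIXME/TODO; git history preserves them, so removing them or referencing an issue in the FIXME would keep the module readable. This hunk closes the module's outer attribute set, so nothing is cut off.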
@@ -72,7 +72,6 @@ in { pkgs.iosevka-comfy.comfy-fixed # experimental stuff - packages'.yofi pkgs.fuzzel ]; -- 2.49.0 From ea7caae2264457e07bb538d1500b4facac9fe98b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 9 Jul 2023 20:15:06 +0200 Subject: [PATCH 5/5] feat: migrate all containers and hosts to sops nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions --- .sops.yaml | 5 +- flake.nix | 4 +- nix/os/containers/mailserver.nix | 28 ++++---- nix/os/containers/mailserver_secrets.yaml | 8 ++- nix/os/containers/webserver.nix | 34 ++++++--- nix/os/containers/webserver_secrets.yaml | 36 ++++++++++ nix/os/devices/elias-e525/default.nix | 20 +++--- nix/os/devices/elias-e525/flake.lock | 34 +++------ nix/os/devices/elias-e525/flake.nix | 4 +- nix/os/devices/elias-e525/pkg.nix | 6 -- nix/os/devices/elias-e525/system.nix | 2 + nix/os/devices/elias-e525/user.nix | 19 +++-- nix/os/devices/justyna-p300/default.nix | 19 +++-- nix/os/devices/justyna-p300/flake.lock | 40 ++++------- nix/os/devices/justyna-p300/flake.nix | 4 +- nix/os/devices/justyna-p300/pkg.nix | 20 +++--- nix/os/devices/justyna-p300/system.nix | 2 + nix/os/devices/justyna-p300/user.nix | 19 +++-- nix/os/devices/sj-vps-htz0/flake.lock | 18 ++--- nix/os/devices/sj-vps-htz0/system.nix | 2 + nix/os/devices/steveej-t14/flake.lock | 24 +++---- .../steveej-utilitepro/configuration.nix | 2 + nix/os/modules/ddclient-ovh.nix | 3 - nix/variables/passwords.crypt.nix | Bin 1498 -> 963 bytes secrets/shared-users.yaml | 68 +++++++++++------- 25 files changed, 241 insertions(+), 180 deletions(-) create mode 100644 nix/os/containers/webserver_secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 13faa67..8f66ba8 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -6,7 +6,8 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763 + - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 @@ -20,6 +21,8 @@ creation_rules: - *steveej-t14 - *sj-vps-htz0 - *srv0-dmz0 + - *elias-e525 + - *justyna-p300 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - pgp: diff --git a/flake.nix b/flake.nix index 2777c01..6e57bee 100644 --- a/flake.nix +++ b/flake.nix @@ -107,8 +107,8 @@ "sj-vps-htz0" "steveej-t14" "srv0-dmz0" - # "elias-e525" - # "justyna-p300" + "elias-e525" + "justyna-p300" ]); # this makes nixos-anywhere work diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 3bf0b63..6ebd687 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -5,9 +5,7 @@ imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: let - passwords = import ../../variables/passwords.crypt.nix; -in { +}: { config = { pkgs, config, @@ -22,7 +20,9 @@ in { ../profiles/common/user.nix ]; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately # sops.defaultSopsFile = ./mailserver_secrets.yaml; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.secrets.email_mailStefanjunkerDe = { sopsFile = ./mailserver_secrets.yaml; 
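Review bot: Adding `*elias-e525` and `*justyna-p300` to this key group lets those hosts decrypt the entire file the rule governs, and from the `*steveej-t14`/`*sj-vps-htz0`/`*srv0-dmz0` context this looks like the rule for secrets/shared-users.yaml, which holds the `sharedUsers-root` and `sharedUsers-steveej` password hashes; since every host entry here is an age key derived from the host's SSH host key, compromising any single host (or reading its `/etc/ssh/ssh_host_ed25519_key`) yields the root credential material of all of them. If a shared root hash across the fleet is intended, say so on the rule, `# shared-users: every listed host can decrypt all password hashes in this file`; otherwise split per-host secrets files so that e.g. justyna-p300 only receives the hashes of accounts it actually creates. I cannot see the rule's `path_regex` from this hunk.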
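Review bot: `sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` inside the container config, combined with the `/etc/ssh/ssh_host_ed25519_key` bind mount in the bindMounts hunk further down, makes the container decrypt with the host's own SSH identity: a compromise of dovecot or getmail inside the container then yields every secret encrypted to the host, not only the mailserver's, plus the ability to impersonate the host's sshd (read-only does not limit that). Give the container a key of its own — an age key generated for it, or its own separate host key — add that as a distinct recipient in `.sops.yaml`, and drop the host-key bind mounts. The `# FIXME/REMINDER` comment on the mount names the mechanism but not this consequence; I would rather write `# FIXME: shares the host's SSH identity with the container, so it can decrypt all host secrets; give it a dedicated age key`. The same pair of mounts and key path is newly added for hedgedoc in the nix/os/containers/webserver.nix hunks.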
@@ -44,6 +44,15 @@ in { domain = "mailserver.svc.stefanjunker.de"; }; + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; services.dovecot2 = { enable = true; @@ -55,8 +64,8 @@ in { enablePAM = true; showPAMFailure = true; mailLocation = "maildir:~/.maildir"; - sslServerCert = "/etc/secrets/server.pem"; - sslServerKey = "/etc/secrets/server.key"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; #configFile = "/etc/dovecot/dovecot2_manual.conf"; extraConfig = '' @@ -79,9 +88,6 @@ in { ''; }; - # environment.etc."dovecot/users".text = '' - # steveej:${passwords.email.steveej} - # ''; environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; systemd.services.steveej-getmail-stefanjunker = { @@ -154,14 +160,10 @@ in { inherit autoStart; bindMounts = { + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; - isReadOnly = false; - }; - "/home" = { hostPath = "/var/lib/container-volumes/mailserver/home"; isReadOnly = false; diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index b6c0363..fc19f84 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
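Review bot: `owner = config.users.users.dovecot2.name;` on `sops.secrets.dovecotSslServerKey` exposes the TLS private key to the unprivileged dovecot2 account, which as far as I recall is more than Dovecot needs: the master process reads `ssl_key` as root before dropping privileges, and upstream recommends keeping the key file root-only. Leaving the key secret at sops-nix's default owner and mode (root, 0400) while keeping `dovecotSslServerCert` readable by dovecot2 would keep the private key out of reach of the IMAP/login workers; verify against the NixOS dovecot2 unit's user before changing it.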
@@ -1,6 +1,8 @@ -email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str] +email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str] email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] +dovecotSslServerCert: ENC[AES256_GCM,data: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,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str] +dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +18,8 @@ sops: bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-02T21:16:00Z" - mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str] + lastmodified: "2023-07-09T17:29:20Z" + mac: ENC[AES256_GCM,data:EUW7B78IB2vRGOwPM4bRoz7kYO9xHGMepF0aCOUVBFL0JCmzZyP9/bWWHYVR2SrQ29P8YgvpF32gWPEdidPReW59QRU1IXpMxnZ20Xoa+8y8H2Pj5w9cs+km6jXtphTcxDdZhQVJfXVyQH6qNb9Ypc9myhVypA2Dp/GLQ8SokoY=,iv:PDhP1TGvSS73RhkjsM2Zc0cGT8o06QVsxwO6tPKFzuQ=,tag:cy6fi3BHIN0c/c2sLVVmhg==,type:str] pgp: - created_at: "2023-07-02T20:30:30Z" enc: |- diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 80a714d..0ae87c4 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -1,12 +1,11 @@ { + repoFlake, hostAddress, localAddress, httpPort ? 80, httpsPort ? 443, autoStart ? false, -}: let - passwords = import ../../variables/passwords.crypt.nix; -in { +}: { config = { config, pkgs, @@ -15,7 +14,11 @@ in { }: { system.stateVersion = "22.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; networking.firewall.enable = false; @@ -33,6 +36,12 @@ in { # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; + services.nginx.enable = true; services.nginx.recommendedProxySettings = true; services.nginx.virtualHosts."www.stefanjunker.de" = { 
@@ -81,21 +90,26 @@ in { defaultPermission = "private"; allowEmailRegister = false; - # oauth2 provider config - inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox; + # these are set via the `environmentFile` + dropbox = { + appKey = "$DROPBOX_APPKEY"; + clientID = "$DROPBOX_CLIENTID"; + clientSecret = "$DROPBOX_CLIENTSECRET"; + }; uploadsPath = "/var/lib/hedgedoc/uploads"; }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; }; }; inherit autoStart; bindMounts = { - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; - isReadOnly = true; - }; + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host + "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; + "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; "/var/www" = { hostPath = "/var/lib/container-volumes/webserver/var-www"; diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml new file mode 100644 index 0000000..9f8e118 --- /dev/null +++ b/nix/os/containers/webserver_secrets.yaml 
@@ -0,0 +1,36 @@ +hedgedoc_environment_file: ENC[AES256_GCM,data:yPR7lnSssSTc3lvN4fSI5UXIfZHL8bMS0lcHC61aBz2ozjkSOTVUgYOD5XJbijfMCW9UWKLvItboo/nd8iLb3S+/DX4XZfAq8Bt+ootKsneIj9rJgw7bH3HYQnzmtWoFjoXSmLM=,iv:CVbXTlAafaXpo5G6F5CtJiq2LDa/48972kRnGOmhDJI=,tag:FaoL/8SdspZWXbATXPOazg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-09T17:55:21Z" + mac: ENC[AES256_GCM,data:RIJuExrlGxcMMY2oofqyC9tZxqi/Tnt548cfrVe6UZ7HthlkaU/XkzGH/tw7kk28iiV5fbDRycg3xuOsh30BuHwVzguEdOH5RU8GivAOxRbEr1vxdCUs6x5Zs7PcQktRXXIv6rjJ70uVIO34f15oVE8Ag5nlUHc3lZLabCWs7Ag=,iv:lVD903ph9Mx/wbwsPIcqJi9yfgmX97XNgGB7F6N7xOE=,tag:IhdYpIgV4UzVRtwUs4wf+Q==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index 7896d56..c169019 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -1,11 +1,13 @@ -{repoFlake, ...}: let - nodeName = "elias-e525"; +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; + inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; @@ -13,17 +15,15 @@ in { inherit system; }; - # TODO: build a module with "meta" and "freeformtype" for all the others - ${nodeName} = { - deployment.targetHost = nodeName; + deployment.targetHost = "192.168.15.198"; deployment.replaceUnknownProfiles = false; # deployment.allowLocalDeployment = true; imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix ]; }; } diff --git a/nix/os/devices/elias-e525/flake.lock b/nix/os/devices/elias-e525/flake.lock index fc1b46a..dc66cc4 100644 --- a/nix/os/devices/elias-e525/flake.lock +++ b/nix/os/devices/elias-e525/flake.lock 
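Review bot: `deployment.targetHost = "192.168.15.198";` replaces the previous `nodeName`-based resolution with a hard-coded LAN address and says nothing about why; a lease change silently breaks deployment and readers cannot tell whether the hostname simply does not resolve from the deploying machine. A one-line comment would settle it, `# TODO(reason): why the LAN address is used instead of the hostname`, or better a name that does resolve. The hunk also drops the explicit `nodeFlake.inputs.home-manager.nixosModules.home-manager` import; presumably ./configuration.nix now pulls it in, but that is not visible here.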
@@ -4,36 +4,35 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1681696129, - "narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } @@ -43,21 +42,6 @@ "home-manager": "home-manager", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index 7e29283..81d8a95 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix 
@@ -1,8 +1,8 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index 851f526..e119032 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -17,15 +17,9 @@ home.keyboard = keyboard; home.packages = with pkgs; [ - rhythmbox - lollypop dia rustdesk - - kotatogram-desktop - jitsi-meet-electron - signal-desktop ]; }; in { diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index c2087da..6763062 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -43,4 +43,6 @@ in { services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 564151e..196c96a 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -4,19 +4,30 @@ lib, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; in { + sops.secrets.sharedUsers-elias = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + + sops.secrets.sharedUsers-justyna = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + users.extraUsers.elias = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.elias; + passwordFile = config.sops.secrets.sharedUsers-elias.path; }; users.extraUsers.justyna = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.justyna; + passwordFile = config.sops.secrets.sharedUsers-justyna.path; }; } diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 639a8cc..907e60b 100644 --- a/nix/os/devices/justyna-p300/default.nix +++ b/nix/os/devices/justyna-p300/default.nix @@ -1,12 +1,13 @@ -{repoFlake, ...}: let - nodeName = "justyna-p300"; - # system = "i686-linux"; +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; + inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; 
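Review bot: `passwordFile = config.sops.secrets.sharedUsers-elias.path;` replaces `hashedPassword`, but nothing records that the decrypted secret must be a single-line password hash (what `hashedPassword` held before), not a cleartext password; a comment on the `sops.secrets.sharedUsers-elias` block such as `# decrypts to the crypt(3) hash formerly kept in passwords.crypt.nix; neededForUsers so it is available before user creation` would keep the next edit of shared-users.yaml from storing plaintext. The hunk references `config.sops.secrets`, yet the visible argument list shows only `lib, ...`; if `config` is not among the module's arguments (the head of the function is above this hunk) the module fails to evaluate. The same two secret blocks and `passwordFile` lines are repeated in nix/os/devices/justyna-p300/user.nix later in this patch, so the same comment applies there.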
@@ -14,17 +15,15 @@ in { inherit system; }; - # TODO: build a module with "meta" and "freeformtype" for all the others - ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; # deployment.allowLocalDeployment = true; imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix ]; }; } diff --git a/nix/os/devices/justyna-p300/flake.lock b/nix/os/devices/justyna-p300/flake.lock index 3a1d8b0..87729c0 100644 --- a/nix/os/devices/justyna-p300/flake.lock +++ b/nix/os/devices/justyna-p300/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1682299489, - "narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=", + "lastModified": 1688544596, + "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=", "owner": "nix-community", "repo": "disko", - "rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a", + "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692", "type": "github" }, "original": { 
@@ -24,36 +24,35 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1682303062, - "narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=", + "lastModified": 1688939073, + "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f5364316e314436f6b9c8fd50592b18920ab18f9", + "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } @@ -64,21 +63,6 @@ "home-manager": "home-manager", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index a64a7ba..3e68abe 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix 
@@ -1,8 +1,8 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index 3e86629..d8f2d52 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -18,15 +18,9 @@ home.keyboard = keyboard; home.packages = with pkgs; [ - rhythmbox - lollypop dia rustdesk - - kotatogram-desktop - jitsi-meet-electron - signal-desktop ]; }; in { @@ -55,11 +49,15 @@ in { variant = ""; }; - home-manager.users.justyna = homeEnv { - layout = "de"; - options = []; - variant = ""; - }; + home-manager.users.justyna = + lib.attrsets.recursiveUpdate (homeEnv { + layout = "de"; + options = []; + variant = ""; + }) { + services.syncthing.enable = true; + services.syncthing.tray = true; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 8b27cb7..e5b3100 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix @@ -41,4 +41,6 @@ in { services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 9e8226e..6d86c59 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix 
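Review bot: `lib.attrsets.recursiveUpdate` over the result of `homeEnv` in the justyna-p300/pkg.nix hunk bypasses the module system's merging: it works only while `homeEnv` returns a plain attribute set (the earlier hunk in this file shows it setting `home.keyboard` and `home.packages`), and if both sides ever set the same list option the right-hand side replaces instead of appending. Expressing the extra settings as a module that imports the `homeEnv` result gives the same evaluation result today and keeps working if `homeEnv` later becomes a function module. If the pinned home-manager release already models `services.syncthing.tray` as a submodule, `tray = true` may warn about the boolean form, in which case `services.syncthing.tray.enable = true;` is the forward-compatible spelling.
```nix
  home-manager.users.justyna = {
    imports = [
      (homeEnv {
        layout = "de";
        options = [];
        variant = "";
      })
    ];
    services.syncthing.enable = true;
    services.syncthing.tray = true;
  };
```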
@@ -3,19 +3,30 @@ pkgs, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; in { + sops.secrets.sharedUsers-elias = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + + sops.secrets.sharedUsers-justyna = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + users.extraUsers.elias = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.elias; + passwordFile = config.sops.secrets.sharedUsers-elias.path; }; users.extraUsers.justyna = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.justyna; + passwordFile = config.sops.secrets.sharedUsers-justyna.path; }; } diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock index 422bef4..7bca561 100644 --- a/nix/os/devices/sj-vps-htz0/flake.lock +++ b/nix/os/devices/sj-vps-htz0/flake.lock @@ -23,11 +23,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688109178, - "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { 
@@ -39,11 +39,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688246754, - "narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=", + "lastModified": 1688925019, + "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b9b176f8b8155c122e01a336b439ce57b2485b40", + "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688180391, - "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=", + "lastModified": 1688891216, + "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd", + "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00", "type": "github" }, "original": { diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 0efc091..8a38227 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -73,6 +73,8 @@ webserver = import ../../containers/webserver.nix { + inherit repoFlake; + autoStart = true; hostAddress = "192.168.100.12"; diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock index 5c8b195..ec2c263 100644 --- a/nix/os/devices/steveej-t14/flake.lock +++ b/nix/os/devices/steveej-t14/flake.lock @@ -39,11 +39,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688722718, - "narHash": "sha256-Uralooke0g1EgrNDjboSiqc0BHOCgiugL43JAA1ncDA=", + "lastModified": 1688969282, + "narHash": "sha256-Ti0dejGXXvhEDATY5nJB0GdKM6AdVwJNTp6LWx8pHyw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5cbff28ae66e5a98386bcbea29f5a7252c33c808", + "rev": "9d6e454b857fb472fa35fc8b098fa5ac307a0d7d", "type": "github" }, "original": { @@ -71,11 +71,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688590700, - "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "lastModified": 1688918189, + "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1688640665, - "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", + "lastModified": 1688951312, + "narHash": "sha256-0oG4uv60m5+oOMqgYYQ3ao3OK3YP3n3t7nWFtuyR/uQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", + "rev": "2a5f6cac357616d2596167d0631b4ca729e9a3ea", "type": "github" }, "original": { diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 7762fab..06cc7d1 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix 
@@ -269,6 +269,7 @@ in { users.mutableUsers = false; users.extraUsers.root = { + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.root; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" @@ -279,6 +280,7 @@ in { isNormalUser = true; home = "/home/steveej"; extraGroups = ["wheel" "libvirtd"]; + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index c694a35..7ac124c 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -4,7 +4,6 @@ ... }: let cfg = config.services.ddclientovh; - # passwords = import ../../variables/passwords.crypt.nix; in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; @@ -19,8 +18,6 @@ in { ssl = true; domains = [cfg.domain]; use = "web"; - # inherit (passwords.dyndns.${cfg.domain}) username; - # passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path; }; }; } 
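Review bot: The added `# FIXME: this is deprecated but so is this device probably` above `hashedPassword = passwords.users.root;` does not say what it is deprecated in favour of, so a reader of steveej-utilitepro/configuration.nix gets no pointer to the migration this patch starts elsewhere; name it, e.g. `# FIXME: passwords.crypt.nix is being superseded by sops-managed secrets (see elias-e525/user.nix: sops.secrets + passwordFile); migrate or retire this device`. The second hunk of this file adds the identical comment above `hashedPassword = passwords.users.steveej;` and can carry the same wording. Both `users.extraUsers.*` attribute sets continue outside the hunks.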
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 9d7b45b0588e7d7301cb27adfc555010de8a1322..bed6c264b6effe58e13428ba5cf7e32085fd7eab 100644 GIT binary patch literal 963 zcmZQ@_Y83kiVO&0U9%*@1?;|r|?4~#lFBarY0{iF<5-fZ@alJH;2Qj8m? zZM^-I-7Y*`)BMwpC+ty z;t$!>Cp4!#ySL$JVeOsR@RtkR?42i^tyJstv*|6cd9%>;j4-P~Qq}xzZ+={Q@*{tD zNb;AD?aw3pUDj-PVbFPBI9&T#;WI9!>Fl@P{9G|-^X3!U)nZ#J9~Oj_OjFqXZT0Q# z!nGXhBpl;+s=KK3?~HNdeQXzB*gEB%&93jU4#)jMp7S+)U3($)Yi-${b=Tk7al6gY zUK?E{__)4ny;st_0PAYui`~oSxoz2ZaKW0t_uB$buXf~JJ7ZH#v)}cAgnK(S1Q}cv zXY4sDZZD^BFW_qK9KNoz6Y`IW^oS;{n6)m+dBQOk<6{?lkDR~H*7WPW%gK7NcF)DE zi|_AzIzQxFefzY8oenN?SLLUMpDOPY%ob61U(I9TP{#1EKYy+6g`d>TG`! zHTU7+(sf$5X9ykYI?;Pq@XDfX4{v@uRCOmqt4;afB#r_$r@2-S)ER$YvELxAb@fi- zge}Zg&YQ2UtxW6AFy7WPrKjr(%U{pj!W8KvYTrci5}sD^oi=nR_@+O-Gi+7n!s?DH zYr9EpZ0}WaWYiKOZbk_oT^2a4`Vt@Wv3D$T97nGNmN-6}n=vo={@dP;t`m2a7tHaS zUYfaiXZk+Y9nv-{?w^<&`gv)w1w(G+k*;hl$CYx<0kz`3)lv@O*OId)7&WeqUmRm- zqB=EPYmGj~<(r!izvoX=*_Cp7caB+d)bGYG9_4q|d7R!+7Oh^fD~FVC^F{YoCARy209CPQID{)An^6CwCk-lZ2b# z@(MkT^tjj?58i&6lNtW_&CMJJmu|g}@|q#DYuUmi74`46g}-xWW?7$9e_osMx6IBY z!6!9}(R(+>ZJu!CW-Y_s+8u?Nn|?(-S)~xkb9lDujoXi2?6T&%bh)DH`K9FP{4U2M iq&6L>`G5E7j~8?DTdqu=ZM0#1xA4}B=N#@DNC5ywJKO*O literal 1498 zcmZQ@_Y83kiVO&0IPvz&mz|l*HFUb;x?V+>Y$w5@z!v+~O>T8nKz_BnUTt6RH_*q+;!>~iS)yWMER7yo;oK7RV{ z$-d#AQEhlcDnr>E>5%(vvxB8u9`WAdTd04^k}d6@VE+8Ae|HpS%|505{_}52|Tr3lhV0NDMhVBf5!SPulkPkl*nH{5$E>3@!g4SuW#4Q zm|KzGpzWNT?*Dc6{Q6s8#08~x801xz<`hJp`h53ciJ`&wS&GW-18m3$|%Oa7%L@A+QB;r*$F>+%W44`1^69cF!byM2xi zuS@SydB6CJ&!>s4yL@=|mi>vp58V0FlyrCHvtv%b${ezeovqobP+zg%Y3_?j2{+@q z?w6|A<{KYG+ylVE)mysM>o~~ruW(>Y&SjA`CZd#QvW8I3u3O@A1wZs_vxLV z&G!TGkIzK--LPj9aY*{{>hIH6m|(bR1{ zXO)|P&xwP()fSblS-FO$2-}hHb?2%eYqaFpq%T~z2a>LF6d4EWBj@Hb$*4Qo0E6*w}qNfKH|1Y_S<)7 zdYkXueD%Dcq2TTPZ13ia?VQB9vMQpI>EqL<$*=nkKfF94XxpVtUv72EO;R;H&AIw! 
zjQQo2hHipTf96xgS;>dMi_Pr7clzll#4nj!z$??v*R$d@kzuh-gg?T8S)AEEEG+t!!+ zo05>-m5CdE^%_PvJ(AI%^dUXuc!ew1{_g?x4~3S@6MHDpWD)l6?>%8trR?`M4yTNa zw5ADVD!XN!PVFt2n(4J{=b~R8t!>jcoXR>~pI&Erxx{}*;I4Ul3NHy6Rz(%Ftc-kd zdo#B*%e)31fqN$WS^s+$9S>Uj_4_~dl#E*eC1H<_OcXegd*E{DB|M9w~<>tsp zSsDlIUYxYqX&$3^irjN-q03z(dvqgUBnn-}&>A^5BGS)n;gj)WX{Kd=96 z7VnI*=Ms@VYf5_FoiY`*_`>XaaG=XoFXt*RoHUb@B2GeR}FP*Y&xn*{4fy)@zje?N^-soOSot(%PT}ZI%3M zrt|aX<;-6C(`}BGl3ILKrjbonW1ODD$2n(srZSWiyQ+QWU6-e}!S`~_-&KrPB(I3A zbQA14JVo4;=|*e6gMp9fjqPHOEVj?tDB>=VU&39_+G)G}_Fkrh1!{}Do}NDD=qM=e by+vY&)Uyu#Wns@hv)ueVoA>fAHcm$X;+E|~ diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index bbd501f..f64bef7 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -16,46 +16,64 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUGxsbitMNnlTZlRZQVJl - RVc3TUtHaWpQdk5RVFkvS0MxSkVxWHQ1MFZvCmw0M2M4VGRxb21nVzkrNWIzK3Aw - dVB6bWEvQ0dtbjZobTVCeE9DUEpGV2sKLS0tIGhya2RMM2w5VHlHNUdGK1FNZit3 - OWUyYnZhSEhtMzhTenZMRU1yRis0WkkK/iDe1XgGJumprZU23G/Imhbqpp5ehfMe - I+XlSGn0/ry1SpEV0bQi7ZMzFxEfhX0avLsmxTeoxQJuN2m7ZOQCdQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov + TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho + TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3 + b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh + 7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OVJ5d1p1RURkTjdzaWpv - OXViZkhzZEZwYzNIZHdpeUVNWlM5SWJGYkFjCnRrQWV6UUM0akIzaFVxY1dzaUNa - OVFRczZaUjRXSGphcTJ5TGtZOHlSeHcKLS0tIG5QTWMyTzFlZkdIdnVGT2lpTXR4 - TXJybjNjdmwxRVMxdERIS25wRTRCV0UKy/N8YBkxD3f5qTBOPj/iysFr/Ona1p9H - JYhjZCojB4Ua1b2Tv4Gz2Fvi9B2fOWBy0/LSPA6CRchG3IWgKm/B6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4 + aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo + RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP + V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH + 8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA== -----END AGE ENCRYPTED FILE----- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNVJBRlptQ2hWVy9MRGhj - MVduVkl3YXZEVlMzNksybkZjR1Z6VnQ1MGdRCjRTWjY3RTlpY096c3UrMHlaUms0 - MDc3V0dTUnpWTjcxcGZNSmVkUElLMjgKLS0tIGFkMzZ1eVh1a1ZzckxseFh5T1VK - 
eDZSbXdzSmJ3dkJHSkU2R3JTRjlxNDAK1k/SYCf1nWEHKRzlJbvx1U5NKYSEzi0/ - wE4SdLjMi4io2ThNif4gqVRCiRQupiILx4VnlM4lN6Fk924zATUUYA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM + ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK + cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02 + TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+ + q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU + ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1 + SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW + QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F + rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB + dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG + S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq + RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz + wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-07-06T18:55:17Z" + - created_at: "2023-07-10T08:17:16Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAo5WdFio56L/EtWKV590N9QQ9Gjm9IWm0G+H6YHTNlpfO - 
erhl1AZds+MNrInw0uSW7Mx/wZ4awv8+JVkMN43qupmDIcgHmWmVoqB2SaUA60qd - gkFYP2fWlmgzihl/DnWUn1M4WrD8sGJIwkulg8FX9h40f7mEhb0MsftsUuhmxOBp - GTJDtT/A7wHMRY71mEzIyem8XOA7nAIO7r802Tyni6H7zP1qG00vF/sastbbzB26 - +7MTpSZz8AuNPG/P7rue7J2BL0S8ldwcPsGX9XGt2qFbeNbsOUfJn12miPSEZHWU - jIYC1rWLVJ110O0ZDDMJXyfBW5XrFAkA6XkCzzPgodJRAYKzTD+bMg44vuwTCRmG - wcdv71+hBJeXtF1g8/YueaTWpPJ5j8m6Ntp1d5pYPetlRmhwLzfSoY1BUXA6YkGb - Qeqr3q7oGL91sjasjZQorc3h - =6rU4 + wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm + dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98 + OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP + sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf + q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx + YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW + w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c + OUwOtIhmRp4PNBU+402xfgYI + =X23Q -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted -- 2.49.0
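Review bot: The two new age recipients `age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm` and `age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8` in secrets/shared-users.yaml are not tied to a host anywhere a reviewer can read, and the sops metadata block itself cannot carry comments, so the mapping belongs in `.sops.yaml` (changed in this patch but outside this chunk) as a comment next to each key in its creation rule. Without it, a future rotation cannot tell which of the five age recipients belongs to a retired machine. The unchanged `mac` and `lastmodified` alongside the new `pgp.created_at` are consistent with a re-key rather than a content edit; if these are the host keys of the machines named in the commit subject, saying so in `.sops.yaml` closes the loop.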