diff --git a/.envrc b/.envrc index 6a37c4f..3140b68 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,3 @@ -#!/bin/sh - watch_file devshell.nix use flake diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 512e01e..49f19df 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,4 +4,4 @@ updates: directory: "/" schedule: interval: "weekly" - assignees: ["dadada"] + assignees: [ "dadada" ] diff --git a/.github/workflows/nix-flake-check.yml b/.github/workflows/nix-flake-check.yml index 28b1d3c..73c5ad9 100644 --- a/.github/workflows/nix-flake-check.yml +++ b/.github/workflows/nix-flake-check.yml @@ -1,24 +1,26 @@ name: Continuous Integration + on: pull_request: push: branches: [main] + jobs: checks: name: "Checks" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v26 - with: - nix_path: nixpkgs=channel:nixos-stable - extra_nix_config: | - experimental-features = nix-command flakes - access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - system-features = nixos-test benchmark big-parallel kvm - - uses: cachix/cachix-action@v14 - with: - name: dadada - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - run: nix flake check + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@V27 + with: + nix_path: nixpkgs=channel:nixos-stable + extra_nix_config: | + experimental-features = nix-command flakes + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + system-features = nixos-test benchmark big-parallel kvm + - uses: cachix/cachix-action@v14 + with: + name: dadada + signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix flake check diff --git a/.github/workflows/nix-flake-update.yml b/.github/workflows/nix-flake-update.yml index 33843d1..9045f91 100644 --- a/.github/workflows/nix-flake-update.yml +++ b/.github/workflows/nix-flake-update.yml 
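Review bot: The three `uses:` lines in the re-indented steps still reference mutable tags (`actions/checkout@v4`, `cachix/install-nix-action@V27`, `cachix/cachix-action@v14`), so whoever controls those tags decides what runs in a job that has `CACHIX_SIGNING_KEY` and `CACHIX_AUTH_TOKEN` in scope. Pinning each action to its 40-character commit SHA and keeping the tag as a trailing comment, e.g. `uses: cachix/cachix-action@<commit-sha> # v14`, makes a bump like the `v26` → `V27` one here a reviewable diff rather than a trust decision. The workflow also fires on `pull_request` with the cache signing key available; GitHub withholds secrets from fork PRs, but a PR opened from a branch inside this repository runs `nix flake check` with the key and pushes whatever it builds to the `dadada` cache under that signature, which is worth confirming is intended.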
@@ -3,6 +3,7 @@ on: workflow_dispatch: # allows manual triggering schedule: - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00 + jobs: lockfile: runs-on: ubuntu-latest @@ -15,6 +16,6 @@ jobs: uses: DeterminateSystems/update-flake-lock@v21 with: pr-title: "Update flake.lock" # Title of PR to be created - pr-labels: | # Labels to be set on the PR + pr-labels: | # Labels to be set on the PR dependencies automated diff --git a/admins.nix b/admins.nix index e5e29ba..82f6cef 100644 --- a/admins.nix +++ b/admins.nix @@ -2,7 +2,7 @@ dadada = { shell = "zsh"; keys = [ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrT9sQhJWrTPIMOEsZ8UzkY7BKJYYK2Aj/Q3NZu2z7uAAAABHNzaDo= dadada@gorgon" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE2JWU+BuWSvoiGFSTDQ9/1SCvfJEnkFQsFLYPNlY6wcAAAABHNzaDo= dadada " "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOFHB9T6fjkuIU8jW9gGiYGSEFSfrnY/6GJUfmfMx10HAAAABHNzaDo= Backup dadada " ]; }; diff --git a/checks.nix b/checks.nix new file mode 100644 index 0000000..65d3493 --- /dev/null +++ b/checks.nix @@ -0,0 +1,20 @@ +{ self +, flake-utils +, nixpkgs +, ... +}: +(flake-utils.lib.eachDefaultSystem (system: + let + pkgs = nixpkgs.legacyPackages.${system}; + formatter = self.formatter.${system}; + in + { + checks = { + format = pkgs.runCommand + "check-format" + { + buildInputs = [ formatter ]; + } + "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out"; + }; + })).checks diff --git a/devshell.nix b/devshell.nix index 3931494..27b9799 100644 --- a/devshell.nix +++ b/devshell.nix @@ -6,7 +6,9 @@ packages = with pkgs; [ agenix + nixpkgs-fmt nixos-rebuild + nil ]; commands = [ @@ -23,7 +25,7 @@ name = "format"; help = "Format the project"; command = '' - treefmt . + nixpkgs-fmt . ''; category = "dev"; } diff --git a/flake.lock b/flake.lock index 3d0d3f2..3e67b2c 100644 --- a/flake.lock +++ b/flake.lock 
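Review bot: The replacement entry at the top of the `keys` list drops the identifier the old entry carried (`dadada@gorgon` became `dadada ` with a trailing space), so a later rotation or an `sshd` log review can no longer tell which hardware token this `sk-ssh-ed25519` public key belongs to. The second entry already does this with `Backup dadada`; giving the new key a matching descriptive comment, e.g. `... AAAABHNzaDo= dadada@<token-or-host>`, keeps the list auditable. I'm assuming the old key was retired deliberately rather than lost; if it was lost, the same token should also be dropped from any other trust list outside this file.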
@@ -3,43 +3,26 @@ "agenix": { "inputs": { "darwin": "darwin", - "home-manager": [ - "home-manager" - ], + "home-manager": "home-manager", "nixpkgs": [ "nixpkgs" - ], - "systems": "systems" + ] }, "locked": { - "lastModified": 1750173260, - "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "lastModified": 1703089996, + "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=", "owner": "ryantm", "repo": "agenix", - "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "rev": "564595d0ad4be7277e07fa63b5a991b3c645655d", "type": "github" }, "original": { "owner": "ryantm", + "ref": "0.15.0", "repo": "agenix", "type": "github" } }, - "crane": { - "locked": { - "lastModified": 1731098351, - "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -48,11 +31,11 @@ ] }, "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "type": "github" }, "original": { @@ -64,16 +47,17 @@ }, "devshell": { "inputs": { + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1741473158, - "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", "owner": "numtide", "repo": "devshell", - "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", "type": "github" }, "original": { 
@@ -82,71 +66,14 @@ "type": "github" } }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", - "owner": "nix-community", - "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-registry": { "flake": false, "locked": { - "lastModified": 1744623129, - "narHash": "sha256-nlQTQrHqM+ywXN0evDXnYEV6z6WWZB5BFQ2TkXsduKw=", + "lastModified": 1705308826, + "narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=", "owner": "NixOS", "repo": "flake-registry", - "rev": "1322f33d5836ae757d2e6190239252cf8402acf6", + "rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd", "type": "github" }, "original": { 
@@ -157,16 +84,14 @@ }, "flake-utils": { "inputs": { - "systems": [ - "systems" - ] + "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { @@ -175,40 +100,39 @@ "type": "github" } }, - "gitignore": { + "flake-utils_2": { "inputs": { - "nixpkgs": [ - "lanzaboote", - "pre-commit-hooks-nix", - "nixpkgs" + "systems": [ + "systems" ] }, "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", + "owner": "numtide", + "repo": "flake-utils", "type": "github" } }, "home-manager": { "inputs": { "nixpkgs": [ + "agenix", "nixpkgs" ] }, "locked": { - "lastModified": 1753470191, - "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=", + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", "owner": "nix-community", "repo": "home-manager", - "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", "type": "github" }, "original": { 
@@ -217,53 +141,50 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715381426, + "narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, "homepage": { "flake": false, "locked": { - "lastModified": 1727338449, - "narHash": "sha256-VwOGtT1WB+isk0z/D/Be05GgeaTFfsXTGt7aScCAfec=", - "rev": "60398d3d728a0057b4cad49879ef637c06b28371", - "type": "tarball", - "url": "https://git.dadada.li/api/v1/repos/dadada/dadada.li/archive/60398d3d728a0057b4cad49879ef637c06b28371.tar.gz?rev=60398d3d728a0057b4cad49879ef637c06b28371" - }, - "original": { - "type": "tarball", - "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz" - } - }, - "lanzaboote": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ], - "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1737639419, - "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", - "owner": "nix-community", - "repo": "lanzaboote", - "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "lastModified": 1714328013, + "narHash": "sha256-nA/7hKv8qz2+ru84rXiMa52+gyvyIhLWP9tJB6Q/DLQ=", + "owner": "dadada", + "repo": "dadada.li", + "rev": "b971b5905b38be19b4fa4e7d99a70df0aebfba28", "type": "github" }, "original": { - "owner": "nix-community", - "ref": "v0.4.2", - "repo": "lanzaboote", + "owner": "dadada", + "repo": "dadada.li", "type": "github" } }, "nixlib": { "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "lastModified": 1712450863, + "narHash": 
"sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", "type": "github" }, "original": { @@ -280,11 +201,11 @@ ] }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1713783234, + "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", "type": "github" }, "original": { @@ -295,11 +216,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1753122741, - "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", + "lastModified": 1715881357, + "narHash": "sha256-hOveC1aYL4tInMYw4gBxwctYqLrlqrkppW82752ZhOA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", + "rev": "d68be3e5e21d829ebce080d96747508fc27ea4e3", "type": "github" }, "original": { 
@@ -311,73 +232,28 @@ }, "nixpkgs": { "locked": { - "lastModified": 1753429684, - "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", + "lastModified": 1715668745, + "narHash": "sha256-xp62OkRkbUDNUc6VSqH02jB0FbOS+MsfMb7wL1RJOfA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d", + "rev": "9ddcaffecdf098822d944d4147dd8da30b4e6843", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "pre-commit-hooks-nix": { - "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", "devshell": "devshell", - "disko": "disko", "flake-registry": "flake-registry", - "flake-utils": "flake-utils", - "home-manager": "home-manager", + "flake-utils": "flake-utils_2", + "home-manager": "home-manager_2", "homepage": "homepage", - "lanzaboote": "lanzaboote", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
@@ -385,27 +261,6 @@ "treefmt-nix": "treefmt-nix" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731897198, - "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, @@ -443,11 +298,11 @@ ] }, "locked": { - "lastModified": 1753439394, - "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=", + "lastModified": 1714058656, + "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf", + "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 151f1b5..a75d27e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,32 +2,23 @@ description = "dadada's nix flake"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; }; home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.2"; + url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; homepage = { - url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"; + url = "github:dadada/dadada.li"; flake = false; }; agenix = { - url = "github:ryantm/agenix"; + url = "github:ryantm/agenix/0.15.0"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; }; devshell = { url = "github:numtide/devshell"; @@ -48,5 +39,5 @@ }; }; - outputs = { ... }@args: import ./outputs.nix args; + outputs = { ... } @ args: import ./outputs.nix args; } diff --git a/home/dconf.nix b/home/dconf.nix index 5238c97..ac29248 100644 --- a/home/dconf.nix +++ b/home/dconf.nix @@ -1,11 +1,6 @@ -{ lib, pkgs, ... }: +{ lib, ... }: with lib.hm.gvariant; { - home.packages = [ - pkgs.adwaita-icon-theme - pkgs.adwaita-qt - ]; - dconf.settings = with lib.hm.gvariant; { "org/gnome/shell" = { favorite-apps = [ @@ -18,11 +13,7 @@ with lib.hm.gvariant; }; "org/gnome/shell" = { - disable-user-extensions = false; - enabled-extensions = [ - "system-monitor@gnome-shell-extensions.gcampax.github.com" - "switcher@landau.fi" - ]; + disable-user-extensions = true; }; "org/gnome/desktop/calendar" = { 
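Review bot: `nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"` pins every host built from this flake to a release channel that reached end of life in mid-2024 and no longer receives security patches; the lock in this same commit resolves it to a May 2024 revision, which is as new as it will ever get. The same applies to `home-manager/release-23.11`. If the goal is a stable branch rather than `nixos-unstable`, the currently supported stable release is the right target, and the `agenix/0.15.0` pin should be re-checked against it. Removing the `lanzaboote` and `disko` inputs also removes the Secure Boot and declarative-partitioning modules; any host configuration that still imports them is outside this diff and would fail to evaluate.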
@@ -33,41 +24,27 @@ with lib.hm.gvariant; current = mkUint32 0; per-window = false; show-all-sources = true; - sources = [ - (mkTuple [ - "xkb" - "eu" - ]) - (mkTuple [ - "xkb" - "de" - ]) - ]; - xkb-options = [ - "lv3:ralt_switch" - "caps:escape" - ]; + sources = [ (mkTuple [ "xkb" "eu" ]) (mkTuple [ "xkb" "de" ]) ]; + xkb-options = [ "lv3:ralt_switch" "caps:escape" ]; }; "org/gnome/desktop/interface" = { clock-show-date = true; clock-show-seconds = false; clock-show-weekday = true; - cursor-theme = "Adwaita"; enable-animations = true; enable-hot-corners = false; font-antialiasing = "grayscale"; font-hinting = "slight"; - font-name = "Cantarell 10"; + font-name = "Cantarell"; gtk-enable-primary-paste = false; gtk-key-theme = "Emacs"; gtk-theme = "Adwaita"; - color-scheme = "prefer-light"; icon-theme = "Adwaita"; locate-pointer = false; monospace-font-name = "JetBrains Mono 10"; show-battery-percentage = false; - #text-scaling-factor = 1.0; + text-scaling-factor = 1.0; toolkit-accessibility = false; }; @@ -139,10 +116,7 @@ with lib.hm.gvariant; composer-attribution-language = "de_DE"; composer-reply-start-bottom = false; composer-signature-in-new-only = true; - composer-spell-languages = [ - "de" - "en_US" - ]; + composer-spell-languages = [ "de" "en_US" ]; composer-top-signature = false; composer-unicode-smileys = false; composer-visually-wrap-long-lines = true; @@ -194,11 +168,11 @@ with lib.hm.gvariant; }; "org/gnome/settings-daemon/plugins/power" = { - idle-dim = true; - power-button-action = "interactive"; + idle-dim = false; + power-button-action = "hibernate"; power-saver-profile-on-low-battery = true; - sleep-inactive-ac-type = "blank"; - sleep-inactive-battery-timeout = 600; + sleep-inactive-ac-type = "nothing"; + sleep-inactive-battery-timeout = 3600; sleep-inactive-battery-type = "suspend"; }; diff --git a/home/default.nix b/home/default.nix index a21362c..0bd95fb 100644 --- a/home/default.nix +++ b/home/default.nix 
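Review bot: `power-button-action = "hibernate"` in the `org/gnome/settings-daemon/plugins/power` block writes the entire contents of RAM to the swap device, so unless that swap sits on an encrypted volume (not visible from this diff) the hibernation image leaves unlocked password databases, gpg-agent's cached passphrases and session tokens in cleartext on disk until it is overwritten. Worth confirming the host resumes from an encrypted swap before this lands, or keeping `interactive` otherwise. With `sleep-inactive-ac-type = "nothing"` and `idle-dim = false` the machine no longer suspends on mains power at all, so the screensaver lock delay under `org/gnome/desktop/screensaver` (not in this hunk) becomes the only thing protecting an unattended session.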
@@ -1,7 +1,6 @@ -{ - pkgs, - lib, - ... +{ pkgs +, lib +, ... }: let useFeatures = [ @@ -10,34 +9,14 @@ let "direnv" "git" "gpg" - #"gtk" - #"keyring" + "gtk" + "keyring" "syncthing" "tmux" "xdg" "zsh" "helix" ]; - colors = { - background = "fdf6e3"; - foreground = "657b83"; - regular0 = "eee8d5"; # background darker - regular1 = "dc322f"; # red - regular2 = "859900"; # green - regular3 = "b58900"; # dark orange - regular4 = "268bd2"; # azure blue - regular5 = "d33682"; # hot pink - regular6 = "2aa198"; # petrol - regular7 = "073642"; # navy - bright0 = "cb4b16"; # orange - bright1 = "fdf6e3"; # foreground - bright2 = "93a1a1"; # grey - bright3 = "839496"; # slightly darker grey - bright4 = "657b83"; # even slightly darker grey - bright5 = "6c71c4"; # purple - bright6 = "586e75"; # pretty dark grey - bright7 = "002b36"; # dark navy blue - }; in { imports = [ @@ -49,9 +28,7 @@ in programs.gpg.settings.default-key = "99658A3EB5CD7C13"; dadada.home = - lib.attrsets.genAttrs useFeatures (useFeatures: { - enable = true; - }) + lib.attrsets.genAttrs useFeatures (useFeatures: { enable = true; }) // { session = { enable = true; @@ -79,9 +56,7 @@ in Restart = "always"; }; - Install = { - WantedBy = [ "graphical-session.target" ]; - }; + Install = { WantedBy = [ "graphical-session.target" ]; }; }; programs.offlineimap.enable = false; 
@@ -136,304 +111,6 @@ in Install.WantedBy = [ "multi-user.target" ]; }; - systemd.user.timers."backup-keepassxc-ninurta" = { - Unit.Description = "Backup password DB to ninurta"; - Timer = { - OnBootSec = "15min"; - OnUnitActiveSec = "1d"; - }; - Install.WantedBy = [ "timers.target" ]; - }; - - systemd.user.services."backup-keepassxc-ninurta" = { - Unit.Description = "Backup password DB to ninurta"; - Unit.Type = "oneshot"; - Service.ExecStart = "${pkgs.openssh}/bin/scp -P 22 -i /home/dadada/.ssh/keepassxc-backup /home/dadada/lib/sync/Personal.kdbx backup-keepassxc@ninurta.bs.dadada.li:/mnt/storage/backups/backup-keepassxc/Personal.kdbx"; - Install.WantedBy = [ "multi-user.target" ]; - }; - - programs.foot = { - enable = true; - server.enable = false; - settings = { - inherit colors; - main = { - shell = "tmux"; - font = "Jetbrains Mono:size=8"; - dpi-aware = false; - }; - mouse.hide-when-typing = true; - csd.preferred = "none"; - cursor.color = "fdf6e3 586e75"; - bell = { - urgent = true; - visual = false; - }; - }; - }; - - home.file.".config/sway/config".text = with colors; '' - # Read `man 5 sway` for a complete reference. - - ### Variables - # - # Logo key. Use Mod1 for Alt. - set $mod Mod4 - # Home row direction keys, like vim - set $left h - set $down j - set $up k - set $right l - # Your preferred terminal emulator - set $term foot - # Your preferred application launcher - # Note: pass the final command to swaymsg so that the resulting window can be opened - # on the original workspace that the command was run on. 
- set $menu fuzzel - set $wallpaper "~/lib/pictures/wallpaper.jpg" - - ### Idle configuration - # - # Example configuration: - # - exec swayidle -w \ - timeout 300 'swaylock -f -i $wallpaper -s fill' \ - timeout 600 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' \ - before-sleep 'swaylock -f -i $wallpaper -s fill' - # - # This will lock your screen after 300 seconds of inactivity, then turn off - # your displays after another 300 seconds, and turn your screens back on when - # resumed. It will also lock your screen before your computer goes to sleep. - - input * { - xkb_layout eu - xkb_model pc105+inet - xkb_options caps:escape - drag_lock enabled - drag enabled - dwt enabled - tap enabled - tap_button_map lrm - natural_scroll enabled - } - - ### Key bindings - # - # Basics: - # - # Start a terminal - bindsym $mod+Return exec $term - - # Kill focused window - bindsym $mod+Shift+q kill - - # Start your launcher - bindsym $mod+d exec $menu - - # Drag floating windows by holding down $mod and left mouse button. - # Resize them with right mouse button + $mod. - # Despite the name, also works for non-floating windows. - # Change normal to inverse to use left mouse button for resizing and right - # mouse button for dragging. - floating_modifier $mod normal - - # Lock the screen - bindsym XF86Sleep exec 'swaylock -f -c ${background}' - bindsym $mod+End exec 'swaylock -f -c ${background}' - - # Reload the configuration file - bindsym $mod+Shift+c reload - - # Exit sway (logs you out of your Wayland session) - bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-B 'Yes, exit sway' 'swaymsg exit' - - # Brightness - bindsym --locked XF86MonBrightnessDown exec light -U 10 - bindsym --locked XF86MonBrightnessUp exec light -A 10 - - # Volume - bindsym --locked XF86AudioRaiseVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ +1%' - bindsym --locked XF86AudioLowerVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ -1%' - bindsym --locked XF86AudioMute exec 'pactl set-sink-mute @DEFAULT_SINK@ toggle' - - # - # Moving around: - # - # Move your focus around - bindsym $mod+$left focus left - bindsym $mod+$down focus down - bindsym $mod+$up focus up - bindsym $mod+$right focus right - # Or use $mod+[up|down|left|right] - bindsym $mod+Left focus left - bindsym $mod+Down focus down - bindsym $mod+Up focus up - bindsym $mod+Right focus right - - # Move the focused window with the same, but add Shift - bindsym $mod+Shift+$left move left - bindsym $mod+Shift+$down move down - bindsym $mod+Shift+$up move up - bindsym $mod+Shift+$right move right - # Ditto, with arrow keys - bindsym $mod+Shift+Left move left - bindsym $mod+Shift+Down move down - bindsym $mod+Shift+Up move up - bindsym $mod+Shift+Right move right - - # - # Workspaces: - # - # Switch to workspace - bindsym $mod+1 workspace number 1 - bindsym $mod+2 workspace number 2 - bindsym $mod+3 workspace number 3 - bindsym $mod+4 workspace number 4 - bindsym $mod+5 workspace number 5 - bindsym $mod+6 workspace number 6 - bindsym $mod+7 workspace number 7 - bindsym $mod+8 workspace number 8 - bindsym $mod+9 workspace number 9 - bindsym $mod+0 workspace number 10 - # Move focused container to workspace - bindsym $mod+Shift+1 move container to workspace number 1 - bindsym $mod+Shift+2 move container to workspace number 2 - bindsym $mod+Shift+3 move container to workspace number 3 - bindsym $mod+Shift+4 move container to workspace number 4 - bindsym $mod+Shift+5 move container to workspace number 5 - bindsym $mod+Shift+6 move container to workspace number 6 - bindsym $mod+Shift+7 move 
container to workspace number 7 - bindsym $mod+Shift+8 move container to workspace number 8 - bindsym $mod+Shift+9 move container to workspace number 9 - bindsym $mod+Shift+0 move container to workspace number 10 - # Note: workspaces can have any name you want, not just numbers. - # We just use 1-10 as the default. - - # - # Layout stuff: - # - # You can "split" the current object of your focus with - # $mod+b or $mod+v, for horizontal and vertical splits - # respectively. - bindsym $mod+b splith - bindsym $mod+v splitv - - # Switch the current container between different layout styles - bindsym $mod+s layout stacking - bindsym $mod+w layout tabbed - bindsym $mod+e layout toggle split - - # Make the current focus fullscreen - bindsym $mod+f fullscreen - - # Toggle the current focus between tiling and floating mode - bindsym $mod+Shift+space floating toggle - - # Swap focus between the tiling area and the floating area - bindsym $mod+space focus mode_toggle - - # Move focus to the parent container - bindsym $mod+a focus parent - - # - # Font - # - font "pango:Jetbrains Mono 8" - - # - # Scratchpad: - # - # Sway has a "scratchpad", which is a bag of holding for windows. - # You can send windows there and get them back later. - - # Move the currently focused window to the scratchpad - bindsym $mod+Shift+minus move scratchpad - - # Show the next scratchpad window or hide the focused scratchpad window. - # If there are multiple scratchpad windows, this command cycles through them. 
- bindsym $mod+minus scratchpad show - - # - # Resizing containers: - # - mode "resize" { - # left will shrink the containers width - # right will grow the containers width - # up will shrink the containers height - # down will grow the containers height - bindsym $left resize shrink width 10px - bindsym $down resize grow height 10px - bindsym $up resize shrink height 10px - bindsym $right resize grow width 10px - - # Ditto, with arrow keys - bindsym Left resize shrink width 10px - bindsym Down resize grow height 10px - bindsym Up resize shrink height 10px - bindsym Right resize grow width 10px - - # Return to default mode - bindsym Return mode "default" - bindsym Escape mode "default" - } - bindsym $mod+r mode "resize" - - # - # Status Bar: - # - # Read `man 5 sway-bar` for more information about this section. - bar { - position bottom - - # When the status_command prints a new line to stdout, swaybar updates. - # The default just shows the current date and time. - status_command ~/.config/sway/status - - colors { - statusline ${foreground} - background ${background} - inactive_workspace ${background}ee ${background}ee ${foreground}ee - } - } - - # Gaps between multiple tiling windows - gaps inner 10 - smart_gaps on - - bindsym $mod+grave exec busctl --user call org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow lockAllDatabases && swaylock -c #fdf6e3 - - # class border backgr. 
text indicator child_border - client.focused #${bright6} #${foreground} #${background} #${bright5} #${regular4} - client.focused_inactive #${regular0} #${regular0} #${foreground} #${bright5} #${regular0} - client.unfocused #${regular0} #${background} #${bright2} #${bright5} #${regular0} - client.urgent #${bright1} #${bright0} #${regular4} #${background} #${bright0} - client.placeholder #${background} #${bright2} #${foreground} #${background} #${bright2} - - client.background #${foreground} - - include /etc/sway/config.d/* - - exec sleep 5; systemctl --user restart kanshi.service - exec sleep 5; swaymsg output '*' bg $wallpaper fill - ''; - home.file.".config/sway/status".source = ./status; - home.file.".config/kanshi/config".text = '' - profile Laptop { - output eDP-1 enable - } - - profile Docked { - output eDP-1 disable - output "LG Electronics LG HDR 4K 0x000354D1" { - enable - scale 1.4 - position 0,0 - } - } - ''; - - #services.poweralertd.enable = true; - # Let Home Manager install and manage itself. programs.home-manager.enable = true; diff --git a/home/modules.nix b/home/modules.nix index 0a6c961..0e295c9 100644 --- a/home/modules.nix +++ b/home/modules.nix @@ -1,13 +1,8 @@ { lib, ... }: -with lib; -let - modules' = - dir: - filterAttrs (name: type: (hasSuffix ".nix" name) || (type == "directory")) (builtins.readDir dir); - modules = - dir: - mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) ( - modules' dir - ); +with lib; let + modules' = dir: filterAttrs (name: type: (hasSuffix ".nix" name) || (type == "directory")) + (builtins.readDir dir); + modules = dir: mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) + (modules' dir); in (modules ./modules) diff --git a/home/modules/alacritty/default.nix b/home/modules/alacritty/default.nix index da9f503..0b84642 100644 --- a/home/modules/alacritty/default.nix +++ b/home/modules/alacritty/default.nix 
@@ -1,11 +1,9 @@ -{ - pkgs, - lib, - config, - ... +{ pkgs +, lib +, config +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.alacritty; in { @@ -13,6 +11,7 @@ in enable = mkEnableOption "Enable alacritty config"; }; config = mkIf cfg.enable { + fonts.fontconfig.enable = true; home.packages = [ pkgs.jetbrains-mono ]; diff --git a/home/modules/colors.nix b/home/modules/colors.nix index a4dc5c7..5c197a1 100644 --- a/home/modules/colors.nix +++ b/home/modules/colors.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -{ +with lib; { options.dadada.home.colors = mkOption { type = types.attrs; description = "Color scheme"; diff --git a/home/modules/direnv.nix b/home/modules/direnv.nix index 27a0907..cf36bf1 100644 --- a/home/modules/direnv.nix +++ b/home/modules/direnv.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.direnv; in { diff --git a/home/modules/git.nix b/home/modules/git.nix index 92c4c12..3b575b7 100644 --- a/home/modules/git.nix +++ b/home/modules/git.nix @@ -1,17 +1,14 @@ -{ - config, - lib, - pkgs, - ... +{ config +, lib +, pkgs +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.git; allowedSigners = pkgs.writeTextFile { name = "allowed-signers"; text = '' dadada@dadada.li sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada - dadada@dadada.li ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon ''; }; in 
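Review bot: Deleting the `ssh-ed25519 … dadada@gorgon` line from `allowedSigners` makes every commit and tag previously signed with that key fail `git verify-commit` / `git log --show-signature` with no matching principal, which is indistinguishable from a forged signature. The allowed_signers format accepts a validity window, so the entry can be retired instead of removed: `dadada@dadada.li valid-before="YYYYMMDD" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon`, with the date set to when the key stopped being used. Recent git passes the commit timestamp to `ssh-keygen -Y verify`, so historical signatures keep verifying while anything signed with the key after that date is rejected.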
@@ -30,13 +27,12 @@ in gpg = { format = "ssh"; ssh.allowedSignersFile = "${allowedSigners}"; - ssh.program = "ssh-keygen"; }; tag.gpgSign = true; user = { email = "dadada@dadada.li"; name = "Tim Schubert"; - signingKey = "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon"; + signingKey = "key::sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada "; }; core = { whitespace = { diff --git a/home/modules/gpg.nix b/home/modules/gpg.nix index baa17dd..2e77ad0 100644 --- a/home/modules/gpg.nix +++ b/home/modules/gpg.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.gpg; in { @@ -29,6 +27,7 @@ in enable = true; defaultCacheTtl = 1800; enableSshSupport = false; + pinentryFlavor = "gnome3"; }; }; } diff --git a/home/modules/gtk.nix b/home/modules/gtk.nix index 5dcd2e6..eb6dae8 100644 --- a/home/modules/gtk.nix +++ b/home/modules/gtk.nix @@ -1,11 +1,9 @@ -{ - config, - lib, - pkgs, - ... +{ config +, lib +, pkgs +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.gtk; in { diff --git a/home/modules/helix/config/languages.toml b/home/modules/helix/config/languages.toml index 070bf61..772a9f8 100644 --- a/home/modules/helix/config/languages.toml +++ b/home/modules/helix/config/languages.toml @@ -1,5 +1,5 @@ [language-server.rust-analyzer] -config = { rust-analyzer = { checkOnSave = { command = "clippy" }, procMacro.enable = true } } +config = { rust-analyzer = { checkOnSave = { command = "clippy" } } } [language-server.nixd] command = "nixd" diff --git a/home/modules/helix/default.nix b/home/modules/helix/default.nix index 7717423..2ffdc51 100644 --- a/home/modules/helix/default.nix +++ b/home/modules/helix/default.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let cfg = config.dadada.home.helix; in 
diff --git a/home/modules/keyring.nix b/home/modules/keyring.nix index 48b8b54..e82d476 100644 --- a/home/modules/keyring.nix +++ b/home/modules/keyring.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.keyring; in { diff --git a/home/modules/session.nix b/home/modules/session.nix index ba5c941..879400d 100644 --- a/home/modules/session.nix +++ b/home/modules/session.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.session; in { diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix index b8aab54..96f4ed3 100644 --- a/home/modules/ssh.nix +++ b/home/modules/ssh.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.ssh; in { diff --git a/home/modules/syncthing.nix b/home/modules/syncthing.nix index 8095904..fd566b4 100644 --- a/home/modules/syncthing.nix +++ b/home/modules/syncthing.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.syncthing; in { diff --git a/home/modules/tmux.nix b/home/modules/tmux.nix index 063b8f2..70f2974 100644 --- a/home/modules/tmux.nix +++ b/home/modules/tmux.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.tmux; in { diff --git a/home/modules/xdg.nix b/home/modules/xdg.nix index 02cadaf..e252d60 100644 --- a/home/modules/xdg.nix +++ b/home/modules/xdg.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let apps = { "x-scheme-handler/mailto" = "evolution.desktop"; "message/rfc822" = "evolution.desktop"; 
@@ -31,25 +29,24 @@ in config = mkIf cfg.enable { xdg = { enable = true; - configHome = "${config.home.homeDirectory}/.config"; mimeApps = { enable = false; associations.added = apps; defaultApplications = apps; }; userDirs = { - desktop = "\$HOME/.desktop"; download = "\$HOME/tmp"; music = "\$HOME/lib/music"; videos = "\$HOME/lib/videos"; pictures = "\$HOME/lib/pictures"; documents = "\$HOME/lib"; + desktop = "$HOME/tmp"; }; }; home.packages = with pkgs; [ evince firefox - xdg-utils + xdg_utils ]; }; } diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix index 7a0cd6c..5e054b7 100644 --- a/home/modules/zsh.nix +++ b/home/modules/zsh.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.home.zsh; in { @@ -16,9 +14,9 @@ in programs.fzf.enableZshIntegration = true; programs.zsh = { enable = true; + enableAutosuggestions = true; enableCompletion = true; enableVteIntegration = true; - autosuggestion.enable = true; autocd = true; sessionVariables = { EDITOR = "hx"; @@ -28,13 +26,11 @@ in ignoreDups = true; ignoreSpace = true; save = 100000; - # FIXME https://github.com/junegunn/fzf/issues/4061 - #share = true; - share = false; + share = true; }; plugins = [ ]; - initContent = '' + initExtra = '' source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh source ${pkgs.fzf}/share/fzf/key-bindings.zsh source ${pkgs.fzf}/share/fzf/completion.zsh @@ -44,10 +40,12 @@ in preexec() { echo -n -e "\033]0;$1\007" } - PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f"$'\n'"╰─> " + PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f " RPROMPT='$(git_super_status)' + #NIX_BUILD_SHELL="${pkgs.zsh}/bin/zsh" + ''; + profileExtra = '' ''; - profileExtra = ''''; shellAliases = { ga = "git add"; gc = "git commit"; diff --git a/home/nixpkgs-config.nix b/home/nixpkgs-config.nix new file mode 100644 index 0000000..83fcdbc --- /dev/null +++ b/home/nixpkgs-config.nix 
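Review bot: The new `desktop = "$HOME/tmp";` line is written without the backslash its siblings in this hunk use (`"\$HOME/tmp"`); Nix only interpolates `${`, so the value is the same, but the mixed escaping invites a later "fix" of one form to the other, so use `desktop = "\$HOME/tmp";` to match the list. desktop and download now resolve to the same directory, which may be intended but deserves a one-line comment. `xdg_utils` in the package list (also used in the home/pkgs.nix hunk of this commit) is the older alias spelling of `xdg-utils`; if nixpkgs is evaluated with aliases disabled it will not resolve, so the canonical attribute is the safer choice.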
@@ -0,0 +1,6 @@ +{ pkgs }: { + allowUnfree = true; + allowUnfreePredicate = pkg: true; + allowBroken = false; + android_sdk.accept_license = true; +} diff --git a/home/pkgs.nix b/home/pkgs.nix index e980614..afdb1b0 100644 --- a/home/pkgs.nix +++ b/home/pkgs.nix @@ -1,6 +1,5 @@ { pkgs }: -with pkgs; -[ +with pkgs; [ anki aqbanking aria2 @@ -15,21 +14,19 @@ with pkgs; bluez-tools btop # htop choose # alternative to cut and awk with more readable syntax - chromium colordiff darcs delta # feature-rich diff viewer dig direnv + dstat duf # disk usage - dune3d dyff # diff tool for YAML element-desktop evince evolution ffmpeg file - fuzzel fx # themable json viewer fzf fzf @@ -39,6 +36,7 @@ with pkgs; gimp glow glow # render markdown + gnome.gnome-tweaks gnumake gnupg gping # ping with graphs @@ -48,6 +46,7 @@ with pkgs; h # Manage git repos hexyl # hex viewer htop + http-prompt httpie hub hyperfine # A command-line benchmarking tool. @@ -62,11 +61,13 @@ with pkgs; jameica jc # convert output to json josm + jujutsu jq - kanshi + jq + #jupyter + kcachegrind keepassxc kubetail - krita ldns liboping # oping, ping multiple hosts at once libreoffice @@ -79,11 +80,8 @@ with pkgs; mpv mtr mumble - nix-output-monitor ncurses newsflash - nixd - nixfmt-rfc-style nfs-utils niv nix-index 
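Review bot: `allowUnfreePredicate = pkg: true;` is redundant next to `allowUnfree = true;` — the predicate is only consulted when `allowUnfree` is false — so one of the two lines should go. If the intent is to keep a review gate on proprietary software, drop `allowUnfree = true;` and make the predicate an explicit allowlist, e.g. `allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "<package names>" ];`, which also gives the currently unused `pkgs` argument a purpose. `android_sdk.accept_license = true;` would benefit from a short comment naming the package that needs it.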
@@ -100,50 +98,49 @@ with pkgs; pass pavucontrol picocom + pinentry-gnome playerctl procs # ps in rust prusa-slicer pv pwgen - (python3.withPackages (pkgs: [ - pkgs.pandas - pkgs.requests - ])) + python3 + python38Packages.dateutil + python38Packages.managesieve ranger + recipemd reptyr ripgrep ripgrep + rustup saleae-logic-2 sd # search and displace like sed but with better syntax - sieveshell signal-desktop silver-searcher skim # fzf in Rust slurp socat - solvespace spotify sqlite sshfs-fuse + steam taplo tcpdump tdesktop - thunderbird tmux ttyd unzip usbutils - vegur virt-manager viu # view images from the terminal vscodium whois wireshark - xdg-utils + xdg_utils xmlstarlet - unixtools.xxd + xsv # cut for csv xxh # portable shells - yt-dlp + youtube-dl # zotero Marked as insecure zeal zk diff --git a/home/status b/home/status deleted file mode 100755 index e24816b..0000000 --- a/home/status +++ /dev/null 
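Review bot: The new `python3` / `python38Packages.dateutil` / `python38Packages.managesieve` entries install the two modules into a profile path for a Python 3.8 interpreter while `python3` is the default interpreter, so as far as I can tell neither module is importable from the `python3` on PATH; Python 3.8 also reached end of life in October 2024 and receives no security fixes. Replace the three lines with one interpreter that carries its modules, `(python3.withPackages (ps: [ ps.dateutil ps.managesieve ]))`. `youtube-dl` in the same hunk is effectively unmaintained upstream (yt-dlp is the maintained fork) and `xdg_utils` is the alias spelling of `xdg-utils`; both deserve a comment if they are deliberate.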
@@ -1,138 +0,0 @@ -#!/usr/bin/env python3 - -import json -import sys -import time -import requests -import logging -import subprocess - -from datetime import datetime - -logger = logging.getLogger(__name__) - - -class Status: - def status(self): - return None - - -class Cat(Status): - index = 0 - - def status(self): - cat_width = 200 - index = self.index - catwalk = "🐈🏳️‍🌈" + " " * index - self.index = (index + 1) % cat_width - - return {"full_text": catwalk} - - -class Space(Status): - backoff = 0 - c_status = None - - def status(self): - backoff = self.backoff - if self.backoff == 0: - self.update() - - return {"full_text": self.c_status} - - def update(self): - spacestatus_url = "https://status.stratum0.org/status.json" - resp = requests.get(url=spacestatus_url) - self.backoff = (self.backoff + 1) % 120 - data = resp.json() - if data["isOpen"]: - since = datetime.strptime(data["since"], "%Y-%m-%dT%H:%M:%S.%f").strftime("%A at %H:%M") - spacestatus = f"Space is open since {since}" - else: - spacestatus = "Space is closed" - self.c_status = spacestatus - - -class Battery(Status): - capacity_file = open('/sys/class/power_supply/BAT0/capacity', 'r') - status_file = open('/sys/class/power_supply/BAT0/status', 'r') - - def status(self): - self.status_file.seek(0) - status = self.status_file.read().rstrip() - - self.capacity_file.seek(0) - capacity = self.capacity_file.read().rstrip() - - battery = f"{status} {capacity}%" - - return {"full_text": battery} - - -class Time(Status): - def status(self): - now = datetime.now() - match now.isocalendar().week % 10: - case 1: - th = "st" - case 2: - th = "nd" - case 3: - th = "rd" - case _: - th = "th" - return {"full_text": now.strftime(f"%V{th} %A %H:%M") } - - -class FailedUnits(Status): - def status(self): - proc = subprocess.run(["systemctl", "list-units", "--failed"], capture_output = True) - stdout = proc.stdout.decode('utf-8') - failed = 0 - for line in stdout: - if 'failed' in line: - failed += 1 - if failed == 0: - 
return {"full_text": f"No failed units"} - else: - return {"full_text": f"There are {failed} failed units", "color": "#ff0000"} - - -def print_header(): - header = { - "version": 1, - "click_events": False, - } - print(json.dumps(header)) - print("[") - - -def run(interval, widgets): - print_header() - - while True: - body = [] - - for widget in widgets: - try: - status = widget.status() - except Exception as e: - logger.error(e) - if status: - body += status, - - print(json.dumps(body), ",", flush=True) - - ts = interval - (time.time() % interval) - time.sleep(ts) - - -if __name__ == "__main__": - logging.basicConfig(level=logging.INFO) - - # Interval in seconds - interval = 1.0 - - widgets = [Cat(), FailedUnits(), Space(), Battery(), Time()] - - run(interval, widgets) diff --git a/hydra-jobs.nix b/hydra-jobs.nix new file mode 100644 index 0000000..1d7dde7 --- /dev/null +++ b/hydra-jobs.nix @@ -0,0 +1,5 @@ +{ self, nixpkgs, ... }: +(nixpkgs.lib.mapAttrs' + (name: config: nixpkgs.lib.nameValuePair name config.config.system.build.toplevel) + self.nixosConfigurations +) diff --git a/nixos/agares/configuration.nix b/nixos/agares/configuration.nix new file mode 100644 index 0000000..c8ab058 --- /dev/null +++ b/nixos/agares/configuration.nix 
@@ -0,0 +1,97 @@
+{ config
+, modulesPath
+, pkgs
+, ...
+}:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./ddns.nix
+ ./dns.nix
+ ./firewall.nix
+ ../modules/profiles/server.nix
+ ./network.nix
+ ./ntp.nix
+ ./ppp.nix
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ #fileSystems."/nix/store" = {
+ # device = "/dev/sda1";
+ # fsType = "btrfs";
+ # options = [ "subvol=/root/nix" "noatime" ];
+ #};
+
+ fileSystems."/swap" = {
+ device = "/dev/sda1";
+ fsType = "btrfs";
+ options = [ "subvol=/root/swap" "noatime" ];
+ };
+
+ #swapDevices = [{
+ # device = "/swap/swapfile";
+ # size = 32 * 1024; # 32 GByte
+ #}];
+
+ hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ dadada = {
+ admin.enable = true;
+ };
+
+ services.smartd.enable = true;
+
+ networking.hostName = "agares";
+ networking.domain = "bs.dadada.li";
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.extraConfig = "
+ serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+ terminal_input serial
+ terminal_output serial
+ ";
+
+ boot.kernelParams = [
+ "console=ttyS0,115200"
+ "amd_iommu=on"
+ "iommu=pt"
+ ];
+
+ boot.kernelModules = [
+ "kvm-amd"
+ "vfio"
+ "vfio_iommu_type1"
+ "vfio_pci"
+ "vfio_virqfd"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ curl
+ flashrom
+ dmidecode
+ tcpdump
+ ];
+
+ services.munin-node = {
+ enable = true;
+ extraConfig = ''
+ host_name ${config.networking.hostName}
+ cidr_allow 10.3.3.3/32
+ '';
+ };
+
+ # Running router VM. They have to be restarted in the right order, so network comes up cleanly. Not ideal.
+ system.autoUpgrade.allowReboot = false;
+
+ system.stateVersion = "23.05";
+}
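Review bot: `fileSystems."/swap"` mounts the swap subvolume, but the `swapDevices` block beneath it is commented out, so the mount is dead configuration; either drop the mount or restore the swap device so the two stay in step. The comment above `system.autoUpgrade.allowReboot = false;` refers to a router VM that this file does not define; point it at the host or file that does, so the reason reboots are disabled stays traceable.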
diff --git a/nixos/agares/ddns.nix b/nixos/agares/ddns.nix
new file mode 100644
index 0000000..9a5948f
--- /dev/null
+++ b/nixos/agares/ddns.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+ dadada.ddns = {
+ domains = [ "vpn.dadada.li" ];
+ credentialsPath = config.age.secrets."ddns-credentials".path;
+ interface = "ppp0";
+ };
+
+ age.secrets."ddns-credentials" = {
+ file = "${config.dadada.secrets.path}/ddns-credentials.age";
+ mode = "400";
+ };
+}
diff --git a/nixos/agares/dns.nix b/nixos/agares/dns.nix
new file mode 100644
index 0000000..7e52d8b
--- /dev/null
+++ b/nixos/agares/dns.nix
@@ -0,0 +1,78 @@
+{ ... }:
+{
+ services.unbound = {
+ enable = true;
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ access-control = [
+ "127.0.0.0/8 allow"
+ "127.0.0.1/32 allow_snoop"
+ "192.168.96.0/19 allow"
+ "192.168.1.0/24 allow"
+ "172.16.128.0/24 allow"
+ "::1/128 allow_snoop"
+ "fd42:9c3b:f96d::/48 allow"
+ ];
+ interface = [
+ "127.0.0.1"
+ "192.168.1.1"
+ "192.168.100.1"
+ "192.168.101.1"
+ "192.168.102.1"
+ "192.168.103.1"
+ "192.168.120.1"
+ "::1"
+ "fd42:9c3b:f96d:100::1"
+ "fd42:9c3b:f96d:101::1"
+ "fd42:9c3b:f96d:102::1"
+ "fd42:9c3b:f96d:103::1"
+ "fd42:9c3b:f96d:120::1"
+ ];
+ prefer-ip6 = true;
+ prefetch = true;
+ prefetch-key = true;
+ serve-expired = false;
+ aggressive-nsec = true;
+ hide-identity = true;
+ hide-version = true;
+ use-caps-for-id = true;
+ val-permissive-mode = true;
+ local-data = [
+ "\"agares.bs.dadada.li. 10800 IN A 192.168.101.1\""
+ "\"danjal.bs.dadada.li. 10800 IN A 192.168.100.108\""
+ "\"legion.bs.dadada.li. 10800 IN A 192.168.100.107\""
+ "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\""
+ "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\""
+ "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
+ "\"backup1.dadada.li. 
10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
+ ];
+ local-zone = [
+ "\"168.192.in-addr.arpa.\" nodefault"
+ "\"d.f.ip6.arpa.\" nodefault"
+ ];
+ };
+ forward-zone = [
+ {
+ name = ".";
+ forward-tls-upstream = "yes";
+ forward-addr = [
+ "2620:fe::fe@853#dns.quad9.net"
+ "2620:fe::9@853#dns.quad9.net"
+ "9.9.9.9@853#dns.quad9.net"
+ "149.112.112.112@853#dns.quad9.net"
+ ];
+ }
+ ];
+ stub-zone =
+ let
+ stubZone = name: addrs: { name = "${name}"; stub-addr = addrs; };
+ in
+ [
+ #(stubZone "li.dadada.bs" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
+ #(stubZone "d.6.9.f.b.3.c.9.2.4.d.f.ip6.arpa" ["192.168.101.220" "2a01:4f8:c010:a710::1"])
+ #(stubZone "168.192.in-addr.arpa" ["192.168.128.220" "2a01:4f8:c010:a710::1"])
+ ];
+ };
+ };
+}
diff --git a/nixos/agares/firewall.nix b/nixos/agares/firewall.nix
new file mode 100644
index 0000000..569259f
--- /dev/null
+++ b/nixos/agares/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ networking = {
+ useDHCP = false;
+ nat.enable = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ checkRuleset = true;
+ ruleset = builtins.readFile ./rules.nft;
+ };
+ };
+}
diff --git a/nixos/agares/network.nix b/nixos/agares/network.nix
new file mode 100644
index 0000000..af15e05
--- /dev/null
+++ b/nixos/agares/network.nix
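Review bot: `val-permissive-mode = true;` makes DNSSEC validation advisory — unbound logs bogus answers but still hands them to clients — so the resolver ends up trusting the forwarder's validation rather than its own; unless this is a temporary debugging setting it should be `val-permissive-mode = false;` (the default), with a comment if it has to stay. The `interface` list binds 192.168.1.1, whereas nixos/agares/network.nix in this commit assigns 192.168.1.254/24 to enp2s0; if 192.168.1.1 is not an address on this host, unbound will fail to bind at startup, so please confirm which address is intended. `172.16.128.0/24 allow` in access-control matches no interface or route in this commit and reads like a leftover; a comment saying where that prefix comes from would help.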
@@ -0,0 +1,300 @@
+{ config, lib, ... }:
+let
+ ulaPrefix = "fd42:9c3b:f96d"; # fd42:9c3b:f96d::/48
+ ipv4Prefix = "192.168"; # 192.168.96.0/19
+ domain = "bs.dadada.li";
+in
+{
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ links = {
+ "10-persistent" = {
+ matchConfig.OriginalName = [ "enp1s0" "enp2s0" ]; # takes search domains from the [Network]
+ linkConfig.MACAddressPolicy = "persistent";
+ };
+ };
+ netdevs = {
+ # QoS concentrator
+ "ifb4ppp0" = {
+ netdevConfig = {
+ Kind = "ifb";
+ Name = "ifb4ppp0";
+ };
+ };
+ "20-lan" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "lan.10";
+ };
+ vlanConfig = {
+ Id = 10;
+ };
+ };
+ "20-freifunk" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "ff.11";
+ };
+ vlanConfig = {
+ Id = 11;
+ };
+ };
+ "20-roadw" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "roadw";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."wg-privkey-vpn-dadada-li".path;
+ ListenPort = 51234;
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig =
+ let
+ peerAddresses = i: [
+ "${ipv4Prefix}.120.${i}/32"
+ "${ulaPrefix}:120::${i}/128"
+ ];
+ in
+ {
+ PublicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
+ AllowedIPs = peerAddresses "3";
+ };
+ }];
+ };
+ "20-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
+ ListenPort = 51235;
+ };
+ wireguardPeers = lib.singleton {
+ wireguardPeerConfig = {
+ PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
+ AllowedIPs = [
+ "10.3.3.3/32"
+ "fd42:9c3b:f96d:121::3/128"
+ "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
+ ];
+ };
+ };
+ };
+ };
+ networks =
+ let
+ subnet = name: subnetId: {
+ matchConfig.Name = name;
+ addresses = [
+ { addressConfig.Address = "${ipv4Prefix}.${subnetId}.1/24"; }
+ { addressConfig.Address = "${ulaPrefix}:${subnetId}::1/64"; }
+ ];
+ dhcpPrefixDelegationConfig = {
+ SubnetId = "auto";
+ };
+ ipv6Prefixes = [
+ {
+ 
ipv6PrefixConfig.Prefix = "${ulaPrefix}:${subnetId}::/64";
+ }
+ ];
+ dhcpServerConfig = {
+ DNS = "_server_address";
+ NTP = "_server_address";
+ EmitDNS = true;
+ EmitNTP = true;
+ EmitRouter = true;
+ PoolOffset = 100;
+ PoolSize = 100;
+ };
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ DNS = "_link_local";
+ EmitDomains = true; # takes search domains from the [Network]
+ };
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ Domains = domain;
+ EmitLLDP = "yes";
+ IPv6SendRA = true;
+ IPv6AcceptRA = false;
+ DHCPPrefixDelegation = true;
+ DHCPServer = true;
+ };
+ extraConfig = ''
+ [CAKE]
+ OverheadBytes = 38
+ Bandwidth = 1G
+ RTT = lan
+ '';
+ };
+ in
+ {
+ "10-mgmt" = lib.mkMerge [
+ (subnet "enp1s0" "100")
+ {
+ networkConfig.VLAN = [ "lan.10" "ff.11" ];
+ dhcpServerStaticLeases = [
+ {
+ # legion
+ dhcpServerStaticLeaseConfig = {
+ Address = "192.168.100.107";
+ MACAddress = "80:CC:9C:95:4A:60";
+ };
+ }
+ {
+ # danyal
+ dhcpServerStaticLeaseConfig = {
+ Address = "192.168.100.108";
+ MACAddress = "c8:9e:43:a3:3d:7f";
+ };
+ }
+ ];
+ }
+ ];
+ "30-wg0" = {
+ matchConfig.Name = "wg0";
+ address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+ DHCP = "no";
+ networkConfig.IPv6AcceptRA = false;
+ linkConfig.RequiredForOnline = false;
+ routes = [
+ { routeConfig = { Destination = "10.3.3.1/24"; }; }
+ { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
+ ];
+ };
+ "30-lan" = subnet "lan.10" "101" // {
+ dhcpServerStaticLeases = [
+ {
+ # ninurta
+ dhcpServerStaticLeaseConfig = {
+ Address = "192.168.101.184";
+ MACAddress = "48:21:0B:3E:9C:FE";
+ };
+ }
+ {
+ # crocell
+ dhcpServerStaticLeaseConfig = {
+ Address = "192.168.101.122";
+ MACAddress = "9C:C9:EB:4F:3F:0E";
+ };
+ }
+ {
+ # gorgon
+ dhcpServerStaticLeaseConfig = {
+ Address = "192.168.101.205";
+ MACAddress = "8C:C6:81:6A:39:2F";
+ };
+ }
+ ];
+ };
+
+ "30-ff" = subnet "ff.11" "102";
+
+ "30-ifb4ppp0" = {
+ name = "ifb4ppp0";
+ extraConfig = ''
+ [CAKE]
+ 
OverheadBytes = 65
+ Bandwidth = 100M
+ FlowIsolationMode = triple
+ RTT = internet
+ '';
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ };
+
+ "30-ppp0" = {
+ name = "ppp*";
+ linkConfig = {
+ RequiredForOnline = "routable";
+ };
+ networkConfig = {
+ KeepConfiguration = "static";
+ DefaultRouteOnDevice = true;
+ LinkLocalAddressing = "ipv6";
+ DHCP = "ipv6";
+ };
+ extraConfig = ''
+ [CAKE]
+ OverheadBytes = 65
+ Bandwidth = 40M
+ FlowIsolationMode = triple
+ NAT=true
+ RTT = internet
+
+ [DHCPv6]
+ PrefixDelegationHint= ::/56
+ UseAddress = false
+ UseDelegatedPrefix = true
+ WithoutRA = solicit
+
+ [DHCPPrefixDelegation]
+ UplinkInterface=:self
+ '';
+ ipv6SendRAConfig = {
+ # Let networkd know that we would very much like to use DHCPv6
+ # to obtain the "managed" information. Not sure why they can't
+ # just take that from the upstream RAs.
+ Managed = true;
+ };
+ };
+ # Talk to modem for management
+ "enp2s0" = {
+ name = "enp2s0";
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ Address = "192.168.1.254/24";
+ EmitLLDP = "yes";
+ };
+ };
+ "10-roadw" = {
+ matchConfig.Name = "roadw";
+ addresses = [
+ { addressConfig.Address = "${ipv4Prefix}.120.1/24"; }
+ { addressConfig.Address = "${ulaPrefix}:120::1/64"; }
+ ];
+ DHCP = "no";
+ networkConfig.IPv6AcceptRA = false;
+ linkConfig.RequiredForOnline = false;
+ routes = [
+ {
+ routeConfig = { Destination = "${ipv4Prefix}.120.1/24"; };
+ }
+ {
+ routeConfig = { Destination = "${ulaPrefix}::120:1/64"; };
+ }
+ ];
+ };
+ };
+ };
+
+ age.secrets."wg-privkey-vpn-dadada-li" = {
+ file = "${config.dadada.secrets.path}/wg-privkey-vpn-dadada-li.age";
+ owner = "systemd-network";
+ };
+
+ age.secrets."wg-privkey-wg0" = {
+ file = "${config.dadada.secrets.path}/agares-wg0-key.age";
+ owner = "systemd-network";
+ };
+
+ boot.kernel.sysctl = {
+ # Enable forwarding for interface
+ "net.ipv4.conf.all.forwarding" = "1";
+ "net.ipv6.conf.all.forwarding" = "1";
+ "net.ipv6.conf.all.accept_ra" = 
"0"; + "net.ipv6.conf.all.autoconf" = "0"; + # Set via systemd-networkd + #"net.ipv6.conf.${intf}.use_tempaddr" = "0"; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil"; +} diff --git a/nixos/agares/ntp.nix b/nixos/agares/ntp.nix new file mode 100644 index 0000000..c3ec49b --- /dev/null +++ b/nixos/agares/ntp.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.chrony = { + enable = true; + extraConfig = '' + allow 192.168.1 + allow 192.168.100 + allow 192.168.101 + allow 192.168.102 + ''; + }; +} diff --git a/nixos/agares/ppp.nix b/nixos/agares/ppp.nix new file mode 100644 index 0000000..dc26e46 --- /dev/null +++ b/nixos/agares/ppp.nix @@ -0,0 +1,63 @@ +{ pkgs, lib, config, ... }: +let + secretsPath = config.dadada.secrets.path; +in +{ + # PPPoE + services.pppd = { + enable = true; + peers = { + telekom = { + enable = true; + autostart = true; + config = '' + debug + + plugin pppoe.so enp2s0 + + noauth + hide-password + call telekom-secret + + linkname ppp0 + + persist + maxfail 0 + holdoff 5 + + noipdefault + defaultroute + + lcp-echo-interval 15 + lcp-echo-failure 3 + ''; + }; + }; + }; + + age.secrets."etc-ppp-telekom-secret" = { + file = "${secretsPath}/etc-ppp-telekom-secret.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/peers/telekom-secret"; + }; + + age.secrets."etc-ppp-pap-secrets" = { + # format: client server passphrase + file = "${secretsPath}/etc-ppp-chap-secrets.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/pap-secrets"; + }; + + # Hook for QoS via Intermediate Functional Block + environment.etc."ppp/ip-up" = { + mode = "755"; + text = with lib; '' + #!/usr/bin/env sh + ${getBin pkgs.iproute2}/bin/tc qdisc del dev $1 ingress + ${getBin pkgs.iproute2}/bin/tc qdisc add dev $1 handle ffff: ingress + ${getBin pkgs.iproute2}/bin/tc filter add dev $1 parent ffff: matchall action mirred egress redirect dev ifb4ppp0 + ''; + }; +} 
diff --git a/nixos/agares/rules.nft b/nixos/agares/rules.nft
new file mode 100644
index 0000000..4b41bea
--- /dev/null
+++ b/nixos/agares/rules.nft
@@ -0,0 +1,136 @@
+flush ruleset
+
+define IF_MGMT = "enp1s0"
+define IF_FF = "ff.11"
+define IF_LAN = "lan.10"
+define IF_WAN = "ppp0"
+
+# Modem uses this for internet uplink via our WAN
+define IF_MODEM = "enp2s0"
+
+define IF_ROADW = "roadw"
+
+table inet filter {
+ # Will give "no such file or directory if hardware does not support flow offloading"
+ # flowtable f {
+ # hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload;
+ # }
+
+ chain input_local {
+ ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop
+ accept comment "Accept traffic to loopback interface"
+ }
+
+ chain input_icmp_untrusted {
+ # Allow ICMP echo
+ ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request"
+
+ # Allow some ICMPv6
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6"
+ }
+
+ chain input_modem {
+ jump input_icmp_untrusted
+ }
+
+ chain input_wan {
+ # DHCPv6 client
+ meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client"
+
+ jump input_icmp_untrusted
+
+ udp dport 51234 accept comment "Wireguard roadwarriors"
+ }
+
+ chain input_lan {
+ counter accept comment "Accept all traffic from LAN"
+ }
+
+ chain input_mgmt {
+ counter accept comment "Accept all traffic from MGMT"
+ }
+
+ chain input_roadw {
+ counter accept comment "Accept all traffic from roadwarriors"
+ }
+
+ chain input_ff {
+ jump input_icmp_untrusted
+
+ # DHCP
+ meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
+
+ # Allow DNS and DHCP from Freifunk
+ udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
+ }
+
+ chain input_wg0 {
+ tcp 
dport 4949 accept comment "Munin node"
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ ct state {established, related} counter accept comment "Accept packets from established and related connections"
+ ct state invalid counter drop comment "Early drop of invalid packets"
+
+ iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
+ }
+
+# Only works if hardware flow offloading is available
+# chain offload {
+# type filter hook forward priority -100; policy accept;
+# ip protocol tcp flow add @f
+# counter packets 0 bytes 0
+# }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ # Accept connections tracked by destination NAT
+ ct status dnat counter accept comment "Accept connections tracked by DNAT"
+
+ # TCP options
+ tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information"
+
+ # ICMPv6
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second"
+ meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"
+
+ # mgmt <-> *
+ iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT"
+ iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior"
+ # drop (instead of reject) everything else to MGMT
+
+ # LAN, ROADW -> * (except mgmt)
+ iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
+
+ # FF -> WAN
+ iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from 
Freifunk and services to WAN"
+
+ # { WAN } -> { FF, LAN, RW }
+ iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"
+ }
+
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs"
+ }
+}
+
+table arp filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
+ }
+}
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index 877c6a9..15d1619 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
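Review bot: In `input_wan`, `meta nfproto ipv6 udp sport 547 accept` admits any UDP datagram from the internet whose source port is 547, a value the sender chooses freely, so it reaches every UDP socket bound on the WAN address; restrict it to the client port with `meta nfproto ipv6 udp sport 547 udp dport 546 accept comment "Allow DHCPv6 client"`. In `forward`, the unconditional `meta l4proto ipv6-icmp accept` directly after the rate-limited ICMPv6 rule accepts everything the limit would have dropped, so the limit has no effect; either delete the limited rule or make the second one an explicit list of the remaining types. `input_ff` allows DNS only as `udp dport 53`, yet unbound also answers over TCP (truncated and DNSSEC-sized responses), so `tcp dport 53` belongs there too, and its `udp dport 547` rule is the DHCPv6 server port rather than the client port the comment describes — this host does not appear to run a DHCPv6 server, so either the rule or the comment is wrong. The `arp filter` input chain applies a single `limit rate 1/second burst 2` across four interfaces under policy drop, which on a router serving several VLANs will throttle legitimate neighbour resolution; a per-interface limit or a much higher rate is safer.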
@@ -1,109 +1,89 @@ -{ - self, - agenix, - disko, - home-manager, - homepage, - lanzaboote, - nixos-hardware, - nixos-generators, - nixpkgs, - ... +{ self +, agenix +, nixpkgs +, home-manager +, homepage +, nixos-hardware +, nixos-generators +, ... }@inputs: let - # create a new instance allowing some unfree packages - nixpkgsx86 = import nixpkgs { - system = "x86_64-linux"; - config.allowUnfreePredicate = - pkg: - builtins.elem (nixpkgs.lib.getName pkg) [ - "aspell-dict-en-science" - "brgenml1lpr" - "saleae-logic-2" - "spotify" - ]; + nixosSystem = { system ? "x86_64-linux", extraModules ? [ ] }: nixpkgs.lib.nixosSystem { + inherit system; + + modules = [{ + # Add flakes to registry and nix path. + dadada.inputs = inputs // { dadada = self; }; + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + }] ++ (nixpkgs.lib.attrValues self.nixosModules) ++ [ agenix.nixosModules.age ] ++ extraModules; }; - nixosSystem = nixpkgs.lib.nixosSystem; - baseModule = - { lib, ... }: - { - _module.args.inputs = inputs; - imports = [ - inputs.agenix.nixosModules.age - inputs.disko.nixosModules.disko - inputs.home-manager.nixosModules.home-manager - ( - { pkgs, ... 
}: - { - dadada.homepage.package = homepage; - dadada.pkgs = inputs.self.packages.${pkgs.system}; - dadada.inputs = inputs // { - dadada = inputs.self; - }; - } - ) - inputs.lanzaboote.nixosModules.lanzaboote - ] - ++ (lib.attrValues inputs.self.nixosModules); - }; - homeModule = ./modules/profiles/home.nix; in { - stolas = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule - nixos-hardware.nixosModules.framework-amd-ai-300-series - homeModule - ./stolas - ]; - }; + gorgon = nixosSystem rec { + system = "x86_64-linux"; + + extraModules = [ + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + } - gorgon = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 - homeModule + + home-manager.nixosModules.home-manager + ({ pkgs, lib, ... }: + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + { manual.manpages.enable = false; } + ]; + home-manager.users.dadada = import ../home; + }) ./gorgon/configuration.nix ]; }; surgat = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule + system = "x86_64-linux"; + extraModules = [ + { + dadada.homepage.package = homepage; + } + ./modules/profiles/server.nix ./surgat/configuration.nix ]; }; - installer = nixosSystem { + agares = nixosSystem { + extraModules = [ + ./agares/configuration.nix + ]; + }; + + installer = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; modules = [ nixos-generators.nixosModules.install-iso - inputs.self.nixosModules.admin - ( - { lib, ... 
}: - { - nixpkgs.pkgs = nixpkgs.legacyPackages."x86_64-linux"; - isoImage.isoName = lib.mkForce "dadada-nixos-installer.iso"; - networking.tempAddresses = "disabled"; - dadada.admin.enable = true; - documentation.enable = true; - documentation.nixos.enable = true; - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - } - ) + self.nixosModules.admin + { + isoImage.isoName = nixpkgs.lib.mkForce "dadada-nixos-installer.iso"; + networking.tempAddresses = "disabled"; + dadada.admin.enable = true; + documentation.enable = true; + documentation.nixos.enable = true; + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + } ]; }; ninurta = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule + extraModules = [ ./ninurta/configuration.nix ]; }; diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index 69e7588..c4d0af0 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let - secretsPath = config.dadada.secrets.path; xilinxJtag = pkgs.writeTextFile { name = "xilinx-jtag"; text = '' 
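Review bot: `nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;` is set in the base module inside `nixosSystem` and again in gorgon's `extraModules`, so gorgon applies the overlays twice; the second copy can be dropped. `installer` calls `nixpkgs.lib.nixosSystem` directly rather than the local `nixosSystem` wrapper, so it receives neither `dadada.inputs` nor the overlays while still importing `self.nixosModules.admin`; if that module reads `config.dadada.inputs` or an overlaid package, the installer build fails, so either route it through the wrapper via `extraModules` or add a comment stating the bypass is deliberate. The attribute set opened by `in {` closes beyond the end of this hunk.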
@@ -36,23 +34,12 @@ in ./hardware-configuration.nix ]; - dadada.backupClient.bs.enable = false; - dadada.backupClient.backup1.enable = true; dadada.backupClient.backup2 = { enable = true; passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup"; }; - dadada.backupClient.gs = { - enable = true; - passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path; - }; - - age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = - "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age"; - - programs.ssh.startAgent = true; nix.extraOptions = '' experimental-features = nix-command flakes @@ -63,7 +50,6 @@ in boot = { kernelModules = [ "kvm-amd" ]; - extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; kernelParams = [ "resume=/dev/disk/by-label/swap" ]; initrd = { systemd.enable = true; @@ -76,14 +62,15 @@ in }; }; }; + kernel.sysctl = { + "vm.swappiness" = 90; + }; }; - zramSwap.enable = true; - networking.hostName = "gorgon"; dadada = { - steam.enable = false; + steam.enable = true; yubikey.enable = true; }; @@ -110,18 +97,13 @@ in passwordFile = config.age.secrets.paperless.path; }; - systemd.tmpfiles.rules = - let - cfg = config.services.paperless; - in - [ - ( - if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; + systemd.tmpfiles.rules = let cfg = config.services.paperless; in [ + (if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; age.secrets.paperless = { file = "${config.dadada.secrets.path}/paperless.age"; 
@@ -134,7 +116,6 @@ in enable = true; browsing = true; drivers = with pkgs; [ - config.dadada.pkgs.citizen-cups hplip brlaser brgenml1lpr @@ -142,28 +123,10 @@ in ]; }; - #hardware.printers.ensurePrinters = [ - # { - # name = "Brother_HL-L2300D"; - # model = "everywhere"; - # location = "BS"; - # deviceUri = "ipp://192.168.101.29:631/printers/Brother_HL-L2300D"; - # } - #]; - environment.systemPackages = with pkgs; [ + chromium ghostscript smartmontools - - dmenu - grim # screenshot functionality - slurp # screenshot functionality - #mako # notification system developed by swaywm maintainer - pulseaudio - - # KDE apps - kdePackages.kmail - kdePackages.kmail-account-wizard ]; networking.firewall = { @@ -179,16 +142,7 @@ in systemd.services.modem-manager.enable = lib.mkForce false; systemd.services."dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; - systemd.sleep.extraConfig = '' - HibernateDelaySec=1h - ''; - - services.udev.packages = [ - xilinxJtag - saleaeLogic - keychron - pkgs.libsigrok - ]; # noMtpUdevRules ]; + services.udev.packages = [ xilinxJtag saleaeLogic keychron ]; #noMtpUdevRules ]; virtualisation.libvirtd.enable = true; @@ -200,20 +154,7 @@ in users.users = { dadada = { isNormalUser = true; - extraGroups = [ - "wheel" - "networkmanager" - "libvirtd" - "adbusers" - "kvm" - "video" - "scanner" - "lp" - "docker" - "dialout" - "wireshark" - "paperless" - ]; + extraGroups = [ "wheel" "networkmanager" "libvirtd" "adbusers" "kvm" "video" "scanner" "lp" "docker" "dialout" "wireshark" "paperless" ]; shell = "/run/current-system/sw/bin/zsh"; }; }; 
@@ -222,46 +163,39 @@ in "127.0.0.2" = [ "kanboard.dadada.li" ]; }; - services.gnome.gnome-keyring.enable = lib.mkForce false; - programs.gnupg.agent.enable = true; + # https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html + systemd.timers.wg-reresolve-dns = { + wantedBy = [ "timers.target" ]; + partOf = [ "wg-reresolve-dns.service" ]; + timerConfig.OnCalendar = "hourly"; + }; - # KDE - services = { - desktopManager.plasma6.enable = true; - displayManager.sddm.enable = true; - displayManager.sddm.wayland.enable = true; - }; - services.greetd = { - enable = false; - settings = { - default_session = { - command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway"; - user = "greeter"; - }; + systemd.services.wg-reresolve-dns = + let + vpnPubKey = "x/y6I59buVzv9Lfzl+b17mGWbzxU+3Ke9mQNa1DLsDI="; + in + { + serviceConfig.Type = "oneshot"; + script = '' + ${pkgs.wireguard-tools}/bin/wg set dadada peer ${vpnPubKey} endpoint vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:9c3b:f96d::/48 + ''; }; - }; - systemd.user.services.kanshi = { - enable = false; - description = "kanshi daemon"; - environment = { - WAYLAND_DISPLAY = "wayland-1"; - DISPLAY = ":0"; - }; - serviceConfig = { - Type = "simple"; - ExecStart = ''${pkgs.kanshi}/bin/kanshi''; - }; - }; - # enable Sway window manager - programs.sway = { - enable = false; - wrapperFeatures.gtk = true; - }; - programs.light.enable = true; - xdg.portal.wlr.enable = false; - hardware.bluetooth.enable = true; - hardware.graphics = { + #networking.wg-quick.interfaces.mullvad = { + # address = [ "10.68.15.202/32" "fc00:bbbb:bbbb:bb01::5:fc9/128" ]; + # privateKeyFile = "/var/lib/wireguard/mullvad"; + # peers = [ + # { + # publicKey = "Ec/wwcosVal9Kjc97ZuTTV7Dy5c0/W5iLet7jrSEm2k="; + # allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + # endpoint = "193.27.14.66:51820"; + # persistentKeepalive = 25; + # } + # ]; + # postUp = "${pkgs.iproute2}/bin/ip rule add to 193.27.14.66 lookup main"; + #}; + + 
hardware.opengl = { enable = true; extraPackages = with pkgs; [ vaapiVdpau @@ -269,16 +203,5 @@ in ]; }; - powerManagement = { - enable = true; - powertop.enable = true; - cpuFreqGovernor = "schedutil"; - powerUpCommands = '' - echo 40 > /sys/class/power_supply/BAT0/charge_control_start_threshold - echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold - ''; - }; - services.tlp.enable = false; - system.stateVersion = "23.11"; } diff --git a/nixos/gorgon/hardware-configuration.nix b/nixos/gorgon/hardware-configuration.nix index 30d7447..4155fae 100644 --- a/nixos/gorgon/hardware-configuration.nix +++ b/nixos/gorgon/hardware-configuration.nix @@ -1,26 +1,17 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: -{ +{ config +, lib +, pkgs +, modulesPath +, ... +}: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ - "nvme" - "ehci_pci" - "xhci_pci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - ]; + boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix index bd03ba7..873832d 100644 --- a/nixos/modules/admin.nix +++ b/nixos/modules/admin.nix @@ -1,16 +1,11 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.admin; - extraGroups = [ - "wheel" - "libvirtd" - ]; + extraGroups = [ "wheel" "libvirtd" ]; shells = { "bash" = pkgs.bashInteractive; 
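Review bot: `systemd.services.wg-reresolve-dns` runs `wg set dadada peer … endpoint vpn.dadada.li:51234 …` every hour as an unsandboxed root oneshot, while the ddns units elsewhere in this change get `ProtectSystem`, `PrivateDevices` and a bounding set; the script only needs `CAP_NET_ADMIN`, so `serviceConfig = { Type = "oneshot"; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; };` would bring it to the same level. Note that `allowed-ips fd42:9c3b:f96d::/48` on the `wg set` line replaces the peer's allowed-IPs list rather than adding to it, so it must match what the `dadada` interface (defined outside this hunk) already configures, otherwise the routing changes silently on the first timer tick. The 13-line commented-out mullvad block, complete with a private-key path and endpoint, is dead configuration; either delete it or turn it into a disabled option.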
@@ -21,32 +16,22 @@ let shellNames = builtins.attrNames shells; adminOpts = - { - name, - config, - ... - }: - { + { name + , config + , ... + }: { options = { keys = mkOption { type = types.listOf types.str; default = [ ]; - apply = - x: - assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); - x; + apply = x: assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); x; description = '' The keys that should be able to access the account. ''; }; shell = mkOption { type = types.nullOr types.str; - apply = - x: - assert ( - builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}" - ); - x; + apply = x: assert (builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"); x; default = "zsh"; defaultText = literalExpression "zsh"; example = literalExpression "bash"; @@ -93,15 +78,18 @@ in services.sshd.enable = true; services.openssh.settings.PasswordAuthentication = false; - security.sudo.wheelNeedsPassword = lib.mkDefault false; + security.sudo.wheelNeedsPassword = false; services.openssh.openFirewall = true; - users.users = mapAttrs (user: keys: { - shell = shells."${keys.shell}"; - extraGroups = lib.mkDefault extraGroups; - isNormalUser = true; - openssh.authorizedKeys.keys = keys.keys; - }) cfg.users; + users.users = + mapAttrs + (user: keys: { + shell = shells."${keys.shell}"; + extraGroups = extraGroups; + isNormalUser = true; + openssh.authorizedKeys.keys = keys.keys; + }) + cfg.users; nix.settings.trusted-users = builtins.attrNames cfg.users; @@ -115,7 +103,7 @@ in services.tor.relay.onionServices = { "rat" = mkIf cfg.rat.enable { name = "rat"; - map = [ { port = 22; } ]; + map = [{ port = 22; }]; }; }; }; diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix index 095fd35..c18aeb8 100644 --- a/nixos/modules/backup.nix +++ b/nixos/modules/backup.nix 
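Review bot: `security.sudo.wheelNeedsPassword = false;` drops its `lib.mkDefault`, so a host importing this module can no longer opt into password-protected sudo without `lib.mkForce`, and laptop.nix's `security.sudo.wheelNeedsPassword = true;` is removed in the same commit. Every admin account is also placed in `wheel` and in `nix.settings.trusted-users` (root-equivalent through the daemon), so a stolen SSH key on any admin host now yields root with no second factor on every host type. Restoring `security.sudo.wheelNeedsPassword = lib.mkDefault false;` keeps the server convenience while letting interactive hosts override it; the same applies to `extraGroups = extraGroups;`, which also lost its `lib.mkDefault` and can no longer be narrowed per host.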
@@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let backupExcludes = [ "/backup" "/dev" @@ -158,7 +156,7 @@ in }; }; - services.borgbackup.jobs.backup1 = mkIf cfg.backup1.enable { + services.borgbackup.jobs.backup1 = mkIf cfg.bs.enable { paths = "/"; exclude = backupExcludes; repo = "borg@backup1.dadada.li:/mnt/storage/backups/${config.networking.hostName}"; diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix index e498cd1..c1aceeb 100644 --- a/nixos/modules/borg-server.nix +++ b/nixos/modules/borg-server.nix @@ -1,11 +1,6 @@ { config, lib, ... }: let - inherit (lib) - mkEnableOption - mkIf - mkOption - types - ; + inherit (lib) mkEnableOption mkIf mkOption types; cfg = config.dadada.borgServer; in { 
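Review bot: `services.borgbackup.jobs.backup1 = mkIf cfg.bs.enable {` gates the job that pushes to `borg@backup1.dadada.li` on the `bs` toggle, so `dadada.backupClient.backup1.enable` no longer controls this job and `bs.enable` (which profiles/backup.nix now defaults to true) silently drives it instead. Unless `backup1.enable` is an alias of `bs.enable` somewhere outside this hunk, the condition should read `services.borgbackup.jobs.backup1 = mkIf cfg.backup1.enable {`. The job body continues past the end of the hunk.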
@@ -25,49 +20,31 @@ in
 services.borgbackup.repos = {
 "metis" = {
 allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis"
- ];
+ authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
 path = "${cfg.path}/metis";
 quota = "1T";
 };
 "gorgon" = {
 allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon"
- ];
+ authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
 path = "${cfg.path}/gorgon";
 quota = "1T";
 };
- "stolas" = {
- allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon"
- ];
- path = "${cfg.path}/stolas";
- quota = "1T";
- };
 "surgat" = {
 allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat"
- ];
+ authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
 path = "${cfg.path}/surgat";
 quota = "50G";
 };
 "pruflas" = {
 allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas"
- ];
+ authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
 path = "${cfg.path}/pruflas";
 quota = "50G";
 };
 "wohnzimmerpi" = {
 allowSubRepos = false;
- authorizedKeysAppendOnly = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi"
- ];
+ authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
 path = "${cfg.path}/wohnzimmerpi";
 quota = "50G";
 };
diff --git a/nixos/modules/ddns.nix b/nixos/modules/ddns.nix
index 594be6d..807949e 100644
--- a/nixos/modules/ddns.nix
+++ b/nixos/modules/ddns.nix
@@ -1,70 +1,51 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.ddns; - ddnsConfig = - { - domains, - credentialsPath, - interface, - }: - { - systemd.timers = listToAttrs ( - forEach domains ( - domain: - nameValuePair "ddns-${domain}" { - wantedBy = [ "timers.target" ]; - partOf = [ "ddns-${domain}.service" ]; - timerConfig.OnCalendar = "hourly"; - } - ) - ); + ddnsConfig = { domains, credentialsPath, interface }: { + systemd.timers = listToAttrs (forEach domains (domain: + nameValuePair "ddns-${domain}" + { + wantedBy = [ "timers.target" ]; + partOf = [ "ddns-${domain}.service" ]; + timerConfig.OnCalendar = "hourly"; + })); - systemd.services = listToAttrs ( - forEach domains ( - domain: - nameValuePair "ddns-${domain}" { - serviceConfig = { - Type = "oneshot"; - PrivateTmp = true; - PrivateDevices = true; - PrivateUsers = true; - PrivateMounts = true; - PrivateIPC = true; - ProtectHome = true; - ProtectSystem = "strict"; - ProtectKernelTunables = true; - BindReadOnlyPaths = [ credentialsPath ]; - NoNewPrivileges = true; - CapabilitBoundingSet = [ ]; - }; - script = '' - function url() { - echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3" - } + systemd.services = listToAttrs (forEach domains (domain: + nameValuePair "ddns-${domain}" + { + serviceConfig = { + Type = "oneshot"; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + PrivateMounts = true; + PrivateIPC = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectKernelTunables = true; + BindReadOnlyPaths = [ credentialsPath ]; + NoNewPrivileges = true; + CapabilitBoundingSet = [ ]; + }; + script = '' + function url() { + echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3" + } - IFS=':' - read -r user password < ${credentialsPath} - unset IFS + IFS=':' + read -r user password < ${credentialsPath} + unset IFS - curl_url=$(url "$user" "$password" ${domain}) + 
curl_url=$(url "$user" "$password" ${domain}) - ${pkgs.curl}/bin/curl --ipv4 "$curl_url" ${ - if interface == null then "" else "--interface ${interface}" - } || true - ${pkgs.curl}/bin/curl --ipv6 "$curl_url" ${ - if interface == null then "" else "--interface ${interface}" - } - ''; - } - ) - ); - }; + ${pkgs.curl}/bin/curl -6 "$curl_url" ${if interface == null then "" else "--interface ${interface}"} + ''; + })); + }; in { options = { diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index fa94c8c..c2b27dc 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -1,16 +1,22 @@ -{ lib, ... }: -with lib; -let - modules' = - dir: - filterAttrs ( - name: type: - (name != "default.nix" && name != "profiles" && ((hasSuffix ".nix" name) || (type == "directory"))) - ) (builtins.readDir dir); - modules = - dir: - mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) ( - modules' dir - ); -in -(modules ./.) +{ + admin = import ./admin.nix; + backup = import ./backup.nix; + borgServer = import ./borg-server.nix; + ddns = import ./ddns.nix; + element = import ./element.nix; + fileShare = import ./fileShare.nix; + gitea = import ./gitea.nix; + headphones = import ./headphones.nix; + homepage = import ./homepage.nix; + miniflux = import ./miniflux.nix; + inputs = import ./inputs.nix; + nixpkgs = import ./nixpkgs.nix; + packages = import ./packages.nix; + secrets = import ./secrets.nix; + share = import ./share.nix; + steam = import ./steam.nix; + sway = import ./sway.nix; + vpnServer = import ./vpnServer.nix; + weechat = import ./weechat.nix; + yubikey = import ./yubikey.nix; +} diff --git a/nixos/modules/element.nix b/nixos/modules/element.nix index 2fcefec..2a45da1 100644 --- a/nixos/modules/element.nix +++ b/nixos/modules/element.nix @@ -1,8 +1,7 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let cfg = config.dadada.element; 
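Review bot: `CapabilitBoundingSet = [ ];` is misspelled (missing the `y`), so systemd logs an unknown-key warning and ignores it, leaving the root oneshot with its full capability bounding set; the intended hardening needs `CapabilityBoundingSet = [ ];`. The rewritten script also drops the `--ipv4` update and its `|| true` guard and only runs `curl -6`, so the Joker record is refreshed for IPv6 alone and any curl failure now fails the unit; if that is intentional, a comment saying so would help, otherwise keep both calls. The username and password are also embedded in the URL passed on curl's argv, which other local users can read from `/proc` while the request runs unless `hidepid` is in effect; if Joker accepts dyndns2-style HTTP basic auth, `--netrc-file` pointed at the credentials file keeps them out of the process list. The `in { options = {` tail belongs to the module body, which continues outside the hunk.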
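Review bot: The hand-written module table does not include `zsh.nix`, which this commit adds under nixos/modules, so that module is unreachable through `self.nixosModules` unless it is imported somewhere not visible here; either add `zsh = import ./zsh.nix;` or drop the file, since base.nix already carries an identical `programs.zsh` block under `mkDefault`. Replacing the `readDir`-based discovery with an explicit set also means every future module must be registered here by hand, which deserves a one-line comment at the top of the attribute set, e.g. `# Every module under this directory must be listed explicitly; there is no auto-discovery.`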
diff --git a/nixos/modules/fileShare.nix b/nixos/modules/fileShare.nix index a3a72ba..5b6a0f2 100644 --- a/nixos/modules/fileShare.nix +++ b/nixos/modules/fileShare.nix @@ -1,10 +1,8 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.fileShare; sharePath = "/mnt/storage/share"; ipv6 = "fd42:dead:beef::/48"; diff --git a/nixos/modules/gitea.nix b/nixos/modules/gitea.nix index 783bf6f..f566024 100644 --- a/nixos/modules/gitea.nix +++ b/nixos/modules/gitea.nix @@ -1,31 +1,24 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let - cfg = config.dadada.forgejo; + cfg = config.dadada.gitea; in { - options.dadada.forgejo = { - enable = lib.mkEnableOption "Enable forgejo"; + options.dadada.gitea = { + enable = lib.mkEnableOption "Enable gitea"; }; config = lib.mkIf cfg.enable { - services.forgejo = { + services.gitea = { enable = true; - user = "gitea"; - group = "gitea"; - stateDir = "/var/lib/gitea"; - + appName = "dadada Gitea"; database = { type = "postgres"; - name = "gitea"; - user = "gitea"; }; settings = { - DEFAULT.APP_NAME = "dadada forgejo"; service = { DISABLE_REGISTRATION = true; }; @@ -38,11 +31,6 @@ in LANDING_PAGE = "explore"; OFFLINE_MODE = true; DISABLE_SSH = false; - - # Use built-in SSH server - START_SSH_SERVER = true; - SSH_PORT = 22; - DOMAIN = "git.dadada.li"; }; picture = { 
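Review bot: With `START_SSH_SERVER = true`, `SSH_PORT = 22` and `DOMAIN = "git.dadada.li"` removed but `DISABLE_SSH = false` kept, Gitea now defers SSH clones to the system sshd and advertises whatever `server.DOMAIN` ends up as; if nothing outside this hunk sets it, the NixOS module default is, I believe, `localhost`, which would make the clone URLs shown in the UI unusable. Setting `DOMAIN = "git.${config.networking.domain}";` here, matching the nginx vhost below, or a comment pointing at where it is configured, would remove the doubt. The `settings` set continues past the hunk, so this may already be covered there.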
@@ -62,41 +50,26 @@ in cache = { ENABLE = true; ADAPTER = "redis"; - HOST = "network=unix,addr=${config.services.redis.servers.forgejo.unixSocket},db=0,pool_size=100,idle_timeout=180"; + HOST = "network=unix,addr=${config.services.redis.servers.gitea.unixSocket},db=0,pool_size=100,idle_timeout=180"; }; }; }; services.redis = { - servers.forgejo = { + servers.gitea = { enable = true; - user = config.services.forgejo.user; + user = config.services.gitea.user; }; vmOverCommit = true; }; - systemd.services.forgejo.serviceConfig = { - AmbientCapabilities = lib.mkForce "CAP_NET_BIND_SERVICE"; - CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE"; - PrivateUsers = lib.mkForce false; - }; - services.nginx.virtualHosts."git.${config.networking.domain}" = { enableACME = true; forceSSL = true; locations."/".extraConfig = '' - proxy_pass http://unix:/run/forgejo/forgejo.sock:/; + proxy_pass http://unix:/run/gitea/gitea.sock:/; ''; }; - - users.users.gitea = { - home = "/var/lib/gitea"; - useDefaultShell = true; - group = "gitea"; - isSystemUser = true; - }; - - users.groups.gitea = { }; }; } diff --git a/nixos/modules/headphones.nix b/nixos/modules/headphones.nix index 877be07..585a5dd 100644 --- a/nixos/modules/headphones.nix +++ b/nixos/modules/headphones.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.headphones; in { diff --git a/nixos/modules/homepage.nix b/nixos/modules/homepage.nix index 193e71e..b04c3b2 100644 --- a/nixos/modules/homepage.nix +++ b/nixos/modules/homepage.nix @@ -1,13 +1,11 @@ -{ - config, - lib, - ... +{ config +, lib +, ... }: let cfg = config.dadada.homepage; in -with lib; -{ +with lib; { options.dadada.homepage = { enable = mkEnableOption "Enable home page"; package = mkOption { diff --git a/nixos/modules/inputs.nix b/nixos/modules/inputs.nix index 9d18883..4db219c 100644 --- a/nixos/modules/inputs.nix +++ b/nixos/modules/inputs.nix 
@@ -1,8 +1,7 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let cfg = config.dadada.inputs; diff --git a/nixos/modules/nixpkgs.nix b/nixos/modules/nixpkgs.nix new file mode 100644 index 0000000..2c5849f --- /dev/null +++ b/nixos/modules/nixpkgs.nix @@ -0,0 +1,3 @@ +{ + nixpkgs.config.allowUnfreePredicate = pkg: true; +} diff --git a/nixos/modules/profiles/backup.nix b/nixos/modules/profiles/backup.nix index d333804..a69a89c 100644 --- a/nixos/modules/profiles/backup.nix +++ b/nixos/modules/profiles/backup.nix @@ -4,7 +4,7 @@ let in { dadada.backupClient.bs = { - enable = lib.mkDefault false; + enable = lib.mkDefault true; passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; }; @@ -21,8 +21,6 @@ in sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; }; - age.secrets."${config.networking.hostName}-backup-passphrase".file = - "${secretsPath}/${config.networking.hostName}-backup-passphrase.age"; - age.secrets."${config.networking.hostName}-backup-ssh-key".file = - "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age"; + age.secrets."${config.networking.hostName}-backup-passphrase".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase.age"; + age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${secretsPath}/${config.networking.hostName}-backup-ssh-key.age"; } diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 0976788..d2930a7 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -1,9 +1,4 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, ... }: let mkDefault = lib.mkDefault; inputs = config.dadada.inputs; 
@@ -13,26 +8,19 @@ in ./upgrade-pg-cluster.nix ]; - boot.tmp.useTmpfs = lib.mkDefault true; - boot.tmp.tmpfsSize = lib.mkDefault "50%"; - i18n.defaultLocale = mkDefault "en_US.UTF-8"; console = mkDefault { font = "Lat2-Terminus16"; keyMap = "us"; }; - i18n.supportedLocales = mkDefault [ - "C.UTF-8/UTF-8" - "en_US.UTF-8/UTF-8" - "de_DE.UTF-8/UTF-8" - ]; - time.timeZone = mkDefault "Europe/Berlin"; - nix.package = pkgs.lix; + nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value}") inputs; + nix.registry = lib.mapAttrs' (name: value: lib.nameValuePair name { flake = value; }) inputs; + nix.settings.flake-registry = "${config.dadada.inputs.flake-registry}/flake-registry.json"; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.substituters = [ https://cache.nixos.org/ ]; nix.settings.trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" @@ -53,6 +41,18 @@ in experimental-features = nix-command flakes ''; + programs.zsh = mkDefault { + enable = true; + autosuggestions.enable = true; + enableCompletion = true; + histSize = 100000; + vteIntegration = true; + syntaxHighlighting = { + enable = true; + highlighters = [ "main" "brackets" "pattern" "root" "line" ]; + }; + }; + networking.networkmanager.dns = mkDefault "systemd-resolved"; networking.hosts = { @@ -61,14 +61,7 @@ in services.resolved = { enable = mkDefault true; - fallbackDns = [ - "9.9.9.9#dns.quad9.net" - "2620:fe::fe:11#dns11.quad9.net" - ]; + fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ]; }; - - programs.zsh.enable = mkDefault true; - - # Avoid some bots - services.openssh.ports = [ 2222 ]; } + diff --git a/nixos/modules/profiles/cloud.nix b/nixos/modules/profiles/cloud.nix index 1ddbb1e..98314c7 100644 --- a/nixos/modules/profiles/cloud.nix +++ b/nixos/modules/profiles/cloud.nix 
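Review bot: `nix.settings.substituters = [ https://cache.nixos.org/ ];` uses an unquoted URL literal, a syntax Nix has deprecated and rejects outright when the `no-url-literals` feature is enabled; the line it replaces was quoted, so keep `nix.settings.substituters = [ "https://cache.nixos.org/" ];`. Removing `nix.package = pkgs.lix;` switches every host back to the default evaluator, which is fine but worth a sentence in the commit message since the `experimental-features` line that remains was written with Lix in mind.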
@@ -4,49 +4,31 @@ let initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key"; in { - imports = [ - ./server.nix - ]; - boot.initrd.availableKernelModules = [ "virtio-pci" ]; - - boot.kernelParams = [ - # Wait forever for the filesystem root to show up - "rootflags=x-systemd.device-timeout=0" - - # Wait forever to enter the LUKS passphrase via SSH - "rd.luks.options=timeout=0" - ]; boot.initrd.network = { enable = true; ssh = { enable = true; - port = 2223; + port = 22; hostKeys = [ config.age.secrets."${initrdHostKey}".path ]; - authorizedKeys = - with lib; - concatLists ( - mapAttrsToList ( - name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ] - ) config.users.users - ); + authorizedKeys = with lib; + concatLists (mapAttrsToList + (name: user: + if elem "wheel" user.extraGroups then + user.openssh.authorizedKeys.keys + else + [ ]) + config.users.users); }; postCommands = '' echo 'cryptsetup-askpass' >> /root/.profile ''; }; - assertions = lib.singleton { - assertion = - (config.boot.initrd.network.ssh.hostKeys != [ ]) - -> config.boot.loader.supportsInitrdSecrets == true; - message = "Refusing to store private keys in store"; - }; - age.secrets."${initrdHostKey}" = { - file = "${secretsPath}/initrd-${initrdHostKey}.age"; + file = "${secretsPath}/${initrdHostKey}.age"; mode = "600"; path = "/etc/initrd/${initrdHostKey}"; symlink = false; diff --git a/nixos/modules/profiles/home.nix b/nixos/modules/profiles/home.nix deleted file mode 100644 index a695e8b..0000000 --- a/nixos/modules/profiles/home.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, inputs, ... }: -{ - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.sharedModules = pkgs.lib.attrValues inputs.self.hmModules; - home-manager.users.dadada = inputs.self.hmConfigurations.dadada; -} diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix index 7089f4e..551cfc2 100644 
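Review bot: The assertion `(config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true` is removed from the cloud profile while ninurta/configuration.nix keeps the identical check; without it, a loader that cannot carry initrd secrets silently ends up with the initrd SSH host key copied into the world-readable Nix store, so the check belongs in the profile, not per host. Changing the initrd sshd to `port = 22;` also makes it share the port of the stage-2 sshd while presenting a different host key (`${initrdHostKey}` versus the system's own key), so clients will see host-key-changed warnings unless they keep separate known_hosts entries; the previous `2223` avoided that. Dropping `rd.luks.options=timeout=0` additionally lets the LUKS prompt time out before an admin reaches it over SSH, which deserves a comment if it is intended.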
--- a/nixos/modules/profiles/laptop.nix +++ b/nixos/modules/profiles/laptop.nix @@ -1,13 +1,12 @@ -{ - config, - lib, - ... +{ config +, pkgs +, lib +, ... }: let - inputs = config.dadada.inputs; + secretsPath = config.dadada.secrets.path; in -with lib; -{ +with lib; { imports = [ ./backup.nix ./base.nix @@ -16,16 +15,16 @@ with lib; networking.domain = mkDefault "dadada.li"; services.fwupd.enable = mkDefault true; + programs.ssh.startAgent = true; programs.ssh.enableAskPassword = true; - programs.nix-ld.enable = true; - - nix.nixPath = mapAttrsToList (name: value: "${name}=${value}") inputs; - nix.registry = mkForce (mapAttrs' (name: value: nameValuePair name { flake = value; }) inputs); - nix.settings.flake-registry = "${config.dadada.inputs.flake-registry}/flake-registry.json"; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - users.mutableUsers = true; + fonts.packages = mkDefault (with pkgs; [ + source-code-pro + ]); + + users.mutableUsers = mkDefault true; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = mkDefault true; @@ -38,6 +37,10 @@ with lib; networking.networkmanager.enable = mkDefault true; networking.firewall.enable = mkDefault true; + services.xserver.enable = mkDefault true; + services.xserver.displayManager.gdm.enable = mkDefault true; + services.xserver.desktopManager.gnome.enable = mkDefault true; + xdg.mime.enable = mkDefault true; security.rtkit.enable = true; @@ -47,6 +50,12 @@ with lib; alsa.support32Bit = true; pulse.enable = true; }; - services.pulseaudio.enable = false; - security.sudo.wheelNeedsPassword = true; + hardware.pulseaudio.enable = false; + + dadada.backupClient.gs = { + enable = true; + passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path; + }; + + age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age"; } 
diff --git a/nixos/modules/profiles/server.nix b/nixos/modules/profiles/server.nix index 724655f..a7e28fb 100644 --- a/nixos/modules/profiles/server.nix +++ b/nixos/modules/profiles/server.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -{ +with lib; { imports = [ ./backup.nix ./base.nix @@ -18,18 +16,13 @@ with lib; documentation.enable = mkDefault false; documentation.nixos.enable = mkDefault false; - services.btrfs.autoScrub.enable = mkDefault ( - (filterAttrs (name: fs: fs.fsType == "btrfs") config.fileSystems) != { } - ); - services.journald.extraConfig = '' SystemKeepFree = 2G - MaxRetentionSec = 100days ''; system.autoUpgrade = { enable = true; - flake = "https://git.dadada.li/dadada/nix-config/archive/main.tar.gz#${config.networking.hostName}"; + flake = "github:dadada/nix-config#${config.networking.hostName}"; allowReboot = mkDefault false; randomizedDelaySec = "45min"; }; diff --git a/nixos/modules/profiles/upgrade-pg-cluster.nix b/nixos/modules/profiles/upgrade-pg-cluster.nix index 486bf29..3042265 100644 --- a/nixos/modules/profiles/upgrade-pg-cluster.nix +++ b/nixos/modules/profiles/upgrade-pg-cluster.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: { environment.systemPackages = lib.mkIf config.services.postgresql.enable [ ( diff --git a/nixos/modules/share.nix b/nixos/modules/share.nix index 7c7410b..a4e5f9c 100644 --- a/nixos/modules/share.nix +++ b/nixos/modules/share.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.share; in { diff --git a/nixos/modules/steam.nix b/nixos/modules/steam.nix index e14add3..82944eb 100644 --- a/nixos/modules/steam.nix +++ b/nixos/modules/steam.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.steam; in { 
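Review bot: `flake = "github:dadada/nix-config#${config.networking.hostName}";` points `system.autoUpgrade` at an unpinned GitHub branch, so anyone who can push to that repository's default branch changes every server's configuration on the next timer run; the self-hosted archive URL it replaces at least kept that trust inside the deployment's own infrastructure. Pin a revision or tag that a deliberate release step advances, or add a comment stating that the default branch is the production deployment trigger and must be branch-protected. Removing `MaxRetentionSec = 100days` leaves journal retention bounded only by `SystemKeepFree = 2G`; if indefinite logs are wanted for forensics, say so next to it.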
@@ -15,8 +13,11 @@ in }; }; config = mkIf cfg.enable { - hardware.graphics = { + nixpkgs.config.allowUnfree = true; + + hardware.opengl = { enable = true; + driSupport32Bit = true; extraPackages32 = with pkgs.pkgsi686Linux; [ libva ]; }; diff --git a/nixos/modules/sway.nix b/nixos/modules/sway.nix new file mode 100644 index 0000000..190d13e --- /dev/null +++ b/nixos/modules/sway.nix @@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.dadada.sway; +in +{ + options = { + dadada.sway.enable = lib.mkEnableOption "Enable sway"; + }; + + config = lib.mkIf cfg.enable { + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + wrapperFeatures.base = true; + extraPackages = with pkgs; [ + qt5.qtwayland + swayidle + xwayland + mako + kanshi + kitty + i3status + bemenu + xss-lock + swaylock + brightnessctl + playerctl + ]; + extraSessionCommands = '' + export SDL_VIDEODRIVER=wayland + # needs qt5.qtwayland in systemPackages + export QT_QPA_PLATFORM=wayland + export QT_WAYLAND_DISABLE_WINDOWDECORATION="1" + # Fix for some Java AWT applications (e.g. Android Studio), + # use this if they aren't displayed properly: + export _JAVA_AWT_WM_NONREPARENTING=1 + ''; + }; + }; +} diff --git a/nixos/modules/vpnServer.nix b/nixos/modules/vpnServer.nix index ee2298e..6c0513f 100644 --- a/nixos/modules/vpnServer.nix +++ b/nixos/modules/vpnServer.nix 
@@ -1,32 +1,28 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.vpnServer; - wgPeer = - { name, ... }: - { - options = { - name = mkOption { - internal = true; - default = name; - }; - id = mkOption { - description = "VPN client id"; - default = 0; - type = types.str; - }; - key = mkOption { - description = "VPN client public key"; - default = ""; - type = types.str; - }; + wgPeer = { name, ... }: { + options = { + name = mkOption { + internal = true; + default = name; + }; + id = mkOption { + description = "VPN client id"; + default = 0; + type = types.str; + }; + key = mkOption { + description = "VPN client public key"; + default = ""; + type = types.str; }; }; + }; in { options.dadada.vpnServer = { @@ -45,10 +41,13 @@ in privateKeyFile = "/var/lib/wireguard/wg0-key"; ips = [ "fd42:9c3b:f96d:0201::0/64" ]; listenPort = 51234; - peers = map (peer: { - allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ]; - publicKey = peer.key; - }) (attrValues cfg.peers); + peers = + map + (peer: { + allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ]; + publicKey = peer.key; + }) + (attrValues cfg.peers); postSetup = '' wg set wg0 fwmark 51234 ip -6 route add table 2468 fd42:9c3b:f96d::/48 dev ens3 diff --git a/nixos/modules/weechat.nix b/nixos/modules/weechat.nix index 6ff0106..340f64c 100644 --- a/nixos/modules/weechat.nix +++ b/nixos/modules/weechat.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let cfg = config.dadada.weechat; in { @@ -36,7 +34,7 @@ in }; }; services.nginx.virtualHosts."weechat.dadada.li" = { - enableACME = true; + useACMEHost = "webchat.dadada.li"; forceSSL = true; root = "${pkgs.nginx}/html"; diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix index 47699e1..3df9499 100644 --- a/nixos/modules/yubikey.nix +++ b/nixos/modules/yubikey.nix 
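Review bot: The `id` option declares `type = types.str` but `default = 0`, so a peer that omits `id` fails the module type check at evaluation instead of getting a usable default, and `key` defaults to `""`, which `wg` rejects once the peer list below is built from it. Dropping both defaults (`id = mkOption { description = "VPN client id"; type = types.str; };` and likewise for `key`) turns a missing value into a clear error at the option site; if `"0"` is really meant as a default id, it must be a string. The `wgPeer` submodule is complete in this hunk; the `peers` mapping that consumes it is in the next one.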
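Review bot: `useACMEHost = "webchat.dadada.li";` serves the `weechat.dadada.li` vhost with a certificate issued for a different name, so TLS clients will refuse it unless that ACME certificate also lists `weechat.dadada.li` under `extraDomainNames`, which is not visible here. If the certificate is shared on purpose, a comment pointing at the `security.acme.certs."webchat.dadada.li"` definition would make that explicit; otherwise keep `enableACME = true;`.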
@@ -1,11 +1,9 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: -with lib; -let +with lib; let yubikey = config.dadada.yubikey; in { @@ -34,7 +32,7 @@ in }; u2f = { control = "sufficient"; - settings.cue = true; + cue = true; }; }; @@ -47,7 +45,8 @@ in #linuxPackages.acpi_call pam_u2f pamtester - yubioath-flutter + yubikey-manager + yubikey-manager-qt ]; }; } diff --git a/nixos/modules/zsh.nix b/nixos/modules/zsh.nix new file mode 100644 index 0000000..90e32bb --- /dev/null +++ b/nixos/modules/zsh.nix @@ -0,0 +1,17 @@ +{ config +, pkgs +, lib +, ... +}: { + programs.zsh = { + enable = true; + autosuggestions.enable = true; + enableCompletion = true; + histSize = 100000; + vteIntegration = true; + syntaxHighlighting = { + enable = true; + highlighters = [ "main" "brackets" "pattern" "root" "line" ]; + }; + }; +} diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index d4a7bb9..16b629f 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let hostAliases = [ "ifrit.dadada.li" @@ -14,6 +9,7 @@ let uwuPrivKey = "pruflas-wg0-key"; wgHydraPrivKey = "pruflas-wg-hydra-key"; uwuPresharedKey = "pruflas-wg0-preshared-key"; + hydraGitHubAuth = "hydra-github-authorization"; initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key"; softServePort = 23231; in @@ -41,11 +37,6 @@ in }; }; - services.openssh.ports = [ - 22 - 2222 - ]; - dadada.backupClient.bs.enable = false; dadada.backupClient.backup1.enable = false; @@ -66,9 +57,7 @@ in boot.loader.efi.canTouchEfiVariables = true; assertions = lib.singleton { - assertion = - (config.boot.initrd.network.ssh.hostKeys != [ ]) - -> config.boot.loader.supportsInitrdSecrets == true; + assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true; message = "Refusing to store private keys in store"; }; 
@@ -148,21 +137,51 @@ in startAt = "daily"; }; + services.postgresqlBackup = { + enable = true; + backupAll = true; + compression = "zstd"; + location = "/var/backup/postgresql"; + }; + age.secrets."ninurta-backup-passphrase" = { file = "${secretsPath}/ninurta-backup-passphrase.age"; mode = "400"; }; + age.secrets.${hydraGitHubAuth} = { + file = "${secretsPath}/${hydraGitHubAuth}.age"; + mode = "440"; + owner = "hydra-www"; + group = "hydra"; + }; + + services.hydra = { + enable = true; + package = pkgs.hydra-unstable; + hydraURL = "https://hydra.dadada.li"; + notificationSender = "hydra@localhost"; + buildMachinesFiles = [ ]; + useSubstitutes = true; + port = 3000; + listenHost = "10.3.3.3"; + extraConfig = '' + Include ${config.age.secrets."${hydraGitHubAuth}".path} + + + jobs = nix-config:main.* + inputs = nix-config + excludeBuildFromContext = 1 + useShortContext = 1 + + ''; + }; + nix.buildMachines = [ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; maxJobs = 16; } ]; 
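Review bot: `services.hydra.listenHost = "10.3.3.3";` binds the frontend to the wg0 address, and `30-wg0` in this same file is `RequiredForOnline = false`, so if hydra-server starts before the tunnel address exists the bind fails unless `net.ipv4.ip_nonlocal_bind` is set somewhere not shown; ordering the service after the wg0 device, or binding locally behind the proxy, would avoid the race. `hydraURL` advertises https while the listener is plain HTTP on port 3000, so a TLS terminator on the wg0 side is assumed — a one-line comment naming it would help. The GitHub token is only reached through `Include` of the agenix path with mode 440, owner hydra-www, group hydra, which keeps it out of the store; confirm hydra-queue-runner and hydra-evaluator are in group `hydra`, since they parse the same hydra.conf.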
@@ -201,38 +220,33 @@ in services.snapper = { cleanupInterval = "1d"; - snapshotInterval = "daily"; + snapshotInterval = "hourly"; configs.home = { SUBVOLUME = "/home"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_MIN_AGE = "1800"; - TIMELINE_LIMIT_HOURLY = "5"; - TIMELINE_LIMIT_DAILY = "7"; - TIMELINE_LIMIT_WEEKLY = "0"; - TIMELINE_LIMIT_MONTHLY = "0"; - TIMELINE_LIMIT_YEARLY = "0"; + TIMELINE_LIMIT_HOURLY = 24; + TIMELINE_LIMIT_DAILY = 13; + TIMELINE_LIMIT_WEEKLY = 6; + TIMELINE_LIMIT_MONTHLY = 3; }; configs.var = { SUBVOLUME = "/var"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_MIN_AGE = "1800"; - TIMELINE_LIMIT_HOURLY = "5"; - TIMELINE_LIMIT_DAILY = "7"; - TIMELINE_LIMIT_WEEKLY = "0"; - TIMELINE_LIMIT_MONTHLY = "0"; - TIMELINE_LIMIT_YEARLY = "0"; + TIMELINE_LIMIT_HOURLY = 24; + TIMELINE_LIMIT_DAILY = 13; + TIMELINE_LIMIT_WEEKLY = 6; + TIMELINE_LIMIT_MONTHLY = 3; }; configs.storage = { SUBVOLUME = "/mnt/storage"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "10"; - TIMELINE_LIMIT_DAILY = "10"; - TIMELINE_LIMIT_WEEKLY = "10"; - TIMELINE_LIMIT_MONTHLY = "10"; - TIMELINE_LIMIT_YEARLY = "10"; + TIMELINE_LIMIT_HOURLY = 24; + TIMELINE_LIMIT_DAILY = 13; + TIMELINE_LIMIT_WEEKLY = 6; + TIMELINE_LIMIT_MONTHLY = 3; }; }; 
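Review bot: The new limits remove `TIMELINE_LIMIT_YEARLY` and `TIMELINE_MIN_AGE` instead of setting them, so in all three configs those keys now fall back to snapper's built-in defaults (presumably non-zero for the yearly limit), a retention change the new numbers do not show. If no yearly snapshots are wanted, keep it explicit with `TIMELINE_LIMIT_YEARLY = 0;` in each config. Switching `snapshotInterval` to `"hourly"` with 24 hourly copies of `/var` also snapshots the new `/var/backup/postgresql` dumps hourly, which is worth a comment on space.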
@@ -257,48 +271,6 @@ in }; "10-lan" = { matchConfig.Name = "enp*"; - bridge = [ "br0" ]; - }; - "30-wg0" = { - matchConfig.Name = "wg0"; - address = [ - "10.3.3.3/32" - "fd42:9c3b:f96d:121::3/128" - ]; - DHCP = "no"; - networkConfig.IPv6AcceptRA = false; - linkConfig.RequiredForOnline = false; - routes = [ - { - Destination = "10.3.3.1/24"; - } - { - Destination = "fd42:9c3b:f96d:121::1/64"; - } - ]; - }; - "30-uwu" = { - matchConfig.Name = "uwu"; - address = [ - "10.11.0.39/24" - "fc00:1337:dead:beef::10.11.0.39/128" - ]; - dns = [ "10.11.0.1%uwu#uwu" ]; - domains = [ "uwu" ]; - DHCP = "no"; - networkConfig.IPv6AcceptRA = false; - linkConfig.RequiredForOnline = false; - routes = [ - { - Destination = "10.11.0.0/22"; - } - { - Destination = "fc00:1337:dead:beef::10.11.0.0/118"; - } - ]; - }; - "20-br0" = { - matchConfig.Name = "br0"; networkConfig.DHCP = "ipv4"; networkConfig.Domains = [ "bs.dadada.li" ]; networkConfig.VLAN = [ ]; @@ -314,14 +286,32 @@ in UseDNS = true; }; }; + "30-wg0" = { + matchConfig.Name = "wg0"; + address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { routeConfig = { Destination = "10.3.3.1/24"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; } + ]; + }; + "30-uwu" = { + matchConfig.Name = "uwu"; + address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ]; + dns = [ "10.11.0.1%uwu#uwu" ]; + domains = [ "uwu" ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { routeConfig = { Destination = "10.11.0.0/22"; }; } + { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; } + ]; + }; }; netdevs = { - "20-br0" = { - netdevConfig = { - Kind = "bridge"; - Name = "br0"; - }; - }; "20-wg0" = { netdevConfig = { Kind = "wireguard"; 
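Review bot: Both re-added route destinations carry host bits, `Destination = "10.3.3.1/24"` and `Destination = "fd42:9c3b:f96d:121::1/64"`; networkd accepts them and installs the network route, but they read as if a /32 and /128 were intended. Write the network address so the intent is unambiguous: `Destination = "10.3.3.0/24";` and `Destination = "fd42:9c3b:f96d:121::/64";`. This hunk also removes the `br0` bridge while `virtualisation.libvirtd.enable = true` stays on later in the file; if a libvirt network still references br0 it will fail to start, so that is worth confirming.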
@@ -333,21 +323,19 @@ in }; wireguardPeers = [ { - PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; - AllowedIPs = [ - "10.3.3.1/32" - "fd42:9c3b:f96d:121::1/128" - ]; - PersistentKeepalive = 25; - Endpoint = "surgat.dadada.li:51235"; + wireguardPeerConfig = { + PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; + AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ]; + PersistentKeepalive = 25; + Endpoint = "surgat.dadada.li:51235"; + }; } { - PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; - AllowedIPs = [ - "10.3.3.2/32" - "fd42:9c3b:f96d:121::2/128" - ]; - Endpoint = "192.168.101.1:51235"; + wireguardPeerConfig = { + PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; + AllowedIPs = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ]; + Endpoint = "192.168.101.1:51235"; + }; } ]; }; @@ -359,19 +347,15 @@ in wireguardConfig = { PrivateKeyFile = config.age.secrets.${uwuPrivKey}.path; }; - wireguardPeers = [ - { + wireguardPeers = [{ + wireguardPeerConfig = { PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; - AllowedIPs = [ - "10.11.0.0/22" - "fc00:1337:dead:beef::10.11.0.0/118" - "192.168.178.0/23" - ]; + AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ]; PersistentKeepalive = 25; PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path; Endpoint = "53c70r.de:51820"; - } - ]; + }; + }]; }; }; }; @@ -380,21 +364,16 @@ in enable = true; allowPing = true; allowedTCPPorts = [ - 2222 # SSH + 22 # SSH + 80 # munin web + 631 # Printing ]; allowedUDPPorts = [ + 631 # Printing 51234 # Wireguard 51235 # Wireguard ]; interfaces = { - br0.allowedTCPPorts = [ - 22 # SSH - 80 # munin web - 631 # IPP - ]; - br0.allowedUDPPorts = [ - 631 # IPP - ]; uwu.allowedTCPPorts = [ softServePort ]; 
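Review bot: In the firewall hunk, 22, 80 and 631 move from `interfaces.br0.allowedTCPPorts` into the global `allowedTCPPorts`, so they are now accepted on every interface — including the `wg0` and `uwu` tunnels configured just above — rather than only the LAN. `services.openssh.openFirewall` (default true) already opens SSH globally, but munin web on 80 and IPP on 631 tcp+udp are new exposures to the VPN peers; CUPS is at least bound to LAN addresses in printing.nix, munin's web server is not visible here. Keep the per-interface scoping using the physical NIC that replaced br0, e.g. `interfaces."<lan-iface>".allowedTCPPorts = [ 80 631 ];` and `interfaces."<lan-iface>".allowedUDPPorts = [ 631 ];` (the `enp*` networkd glob cannot be used here; it needs the real interface name).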
@@ -409,6 +388,30 @@ in networking.networkmanager.enable = false; networking.useDHCP = false; + # Desktop things for media playback + + services.xserver.enable = true; + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome = { + enable = true; + extraGSettingsOverridePackages = with pkgs; [ gnome3.gnome-settings-daemon ]; + extraGSettingsOverrides = '' + [org.gnome.desktop.screensaver] + lock-delay=uint32 30 + lock-enabled=true + + [org.gnome.desktop.session] + idle-delay=uint32 0 + + [org.gnome.settings-daemon.plugins.power] + idle-dim=false + power-button-action='interactive' + power-saver-profile-on-low-battery=false + sleep-inactive-ac-type='nothing' + sleep-inactive-battery-type='nothing' + ''; + }; + powerManagement = { enable = true; cpuFreqGovernor = "powersave"; @@ -419,6 +422,15 @@ in # Configure the disks to spin down after 10 min of inactivity. }; + security.rtkit.enable = true; + + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + services.udev.packages = [ (pkgs.writeTextFile { name = "60-hdparm"; @@ -429,21 +441,22 @@ in }) ]; - services.pulseaudio.enable = false; + hardware.pulseaudio.enable = false; environment.systemPackages = with pkgs; [ + firefox + spotify + mpv smartmontools hdparm ]; - users.users."backup-keepassxc" = { - home = "/mnt/storage/backups/backup-keepassxc"; + users.users."media" = { isNormalUser = true; - description = "Backup KeepassXC database"; - extraGroups = [ ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIirODQlcTJ8e9OcFuMlYlGekrUMtDpD5HhbTmuQ+jDW KeepassXC DB backup " - ]; + description = "Media playback user"; + extraGroups = [ "users" "video" ]; + # allow anyone with physical access to log in + password = "media"; }; virtualisation.libvirtd.enable = true; diff --git a/nixos/ninurta/hardware-configuration.nix b/nixos/ninurta/hardware-configuration.nix index cd6b64b..8de34e8 100644 
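Review bot: `users.users."media"` sets `password = "media";`, which NixOS stores in plain text in the world-readable Nix store, and with port 22 now opened on every interface in the firewall hunk above, a well-known password is usable by any wg0/uwu peer if sshd allows password authentication (not visible here) — not only by someone with physical access as the comment claims. It also makes `lock-enabled=true` in the desktop hunk cosmetic, since anyone can type the password. If the account must stay password-based, use `hashedPassword = "<mkpasswd output>";` (or `hashedPasswordFile` via agenix) and block remote use with `services.openssh.extraConfig = "DenyUsers media";`; otherwise switch to GDM autologin for `media` and give it no usable password. The `users.users` set continues outside this hunk.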
--- a/nixos/ninurta/hardware-configuration.nix +++ b/nixos/ninurta/hardware-configuration.nix 
@@ -1,115 +1,89 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - modulesPath, - ... -}: +{ config, lib, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ - "igc" - "xhci_pci" - "thunderbolt" - "ahci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - ]; + boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = "btrfs"; - options = [ "compress=zstd" ]; - }; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "compress=zstd" ]; + }; boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae"; - fileSystems."/swap" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = "btrfs"; - options = [ - "subvol=swap" - "noatime" - ]; - }; - - fileSystems."/nix" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = "btrfs"; - options = [ - "subvol=nix" - "noatime" - "compress=zstd" - ]; - }; - - fileSystems."/var" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = "btrfs"; - options = [ - "subvol=var" - "compress=zstd" - ]; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = "btrfs"; - options = [ - "subvol=home" - "compress=zstd" - ]; - }; - - fileSystems."/root" = { - device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; - fsType = 
"btrfs"; - options = [ - "subvol=root" - "compress=zstd" - ]; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/2E20-49CB"; - fsType = "vfat"; - }; - - swapDevices = [ + fileSystems."/swap" = { - device = "/swap/swapfile"; - size = 32 * 1024; # 32 GByte - } - ]; + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=swap" "noatime" ]; + }; - fileSystems."/mnt/storage" = { - device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9"; - fsType = "btrfs"; - options = [ - "subvol=root" - "compress=zstd" - ]; - }; + fileSystems."/nix" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=nix" "noatime" "compress=zstd" ]; + }; - fileSystems."/mnt/storage/backups" = { - device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9"; - fsType = "btrfs"; - options = [ - "subvol=backups" - "noatime" - ]; - }; + fileSystems."/var" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=var" "compress=zstd" ]; + }; + + fileSystems."/home" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" ]; + }; + + fileSystems."/root" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/2E20-49CB"; + fsType = "vfat"; + }; + + swapDevices = [{ + device = "/swap/swapfile"; + size = 32 * 1024; # 32 GByte + }]; + + + fileSystems."/mnt/storage" = + { + device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; + }; + + + fileSystems."/mnt/storage/backups" = + { + device = "/dev/disk/by-uuid/ce483e75-5886-4b03-a3f9-675b80560ac9"; + fsType = "btrfs"; + options = [ "subvol=backups" 
"noatime" ]; + }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/nixos/ninurta/monitoring.nix b/nixos/ninurta/monitoring.nix index c8bee05..9a0b983 100644 --- a/nixos/ninurta/monitoring.nix +++ b/nixos/ninurta/monitoring.nix @@ -19,6 +19,9 @@ [surgat] address 10.3.3.1 + + [agares] + address 10.3.3.2 ''; }; services.munin-node.enable = true; diff --git a/nixos/ninurta/printing.nix b/nixos/ninurta/printing.nix index c1d2aa8..bb71739 100644 --- a/nixos/ninurta/printing.nix +++ b/nixos/ninurta/printing.nix @@ -1,4 +1,4 @@ -{ cfg, pkgs, ... }: +{ pkgs, ... }: { hardware = { printers = { @@ -19,7 +19,7 @@ services.avahi = { enable = true; - nssmdns4 = true; + nssmdns = true; openFirewall = true; publish = { enable = true; @@ -29,13 +29,10 @@ services.printing = { enable = true; - drivers = [ - pkgs.brlaser - pkgs.gutenprint - ]; + drivers = [ pkgs.brlaser ]; # Remove all state at the start of the service stateless = true; - listenAddresses = [ "192.168.101.29:631" ]; + listenAddresses = [ "192.168.101.184:631" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe:631" ]; allowFrom = [ "from 192.168.101.0/24" ]; browsing = true; defaultShared = true; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix deleted file mode 100644 index 1c5cc9b..0000000 --- a/nixos/stolas/default.nix +++ /dev/null 
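Review bot: The new `listenAddresses` entry `"fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe:631"` is an unbracketed IPv6 address with a port; cupsd's `Listen` directive expects `[addr]:port` for IPv6, so this is either rejected at startup or parsed as the wrong address — and `allowFrom` still lists only `192.168.101.0/24`, so IPv6 clients would be denied anyway. Use `"[fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe]:631"` and add `"from fd42:9c3b:f96d:101::/64"` to `allowFrom` if IPv6 printing is intended, or drop the entry. The IPv4 listener is also a hard-coded address on an interface that `10-lan` configures with `networkConfig.DHCP = "ipv4"` in configuration.nix, so a lease change silently breaks printing; a DHCP reservation, or `listenAddresses = [ "*:631" ];` with `allowFrom` doing the filtering, would be more robust.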
@@ -1,205 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - - imports = [ - ../modules/profiles/laptop.nix - ./disks.nix - ./paperless.nix - ]; - - boot = { - lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; - }; - kernelModules = [ "kvm-amd" ]; - # Hopefully fixes suspend issues with wifi card - kernelPackages = pkgs.linuxPackages_latest; - kernelParams = [ - "resume=UUID=81dfbfa5-d578-479c-b11c-3ee5abd6848a" - "resume_offset=79859524" - "zswap.enabled=1" - ]; - extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - loader.systemd-boot.enable = lib.mkForce false; - initrd = { - availableKernelModules = [ - "nvme" - "xhci_pci" - "thunderbolt" - "usb_storage" - "sd_mod" - ]; - # Ensure that TPM module is loaded - kernelModules = [ "tpm" ]; - }; - }; - - environment.systemPackages = [ - # For debugging and troubleshooting Secure Boot. 
- pkgs.sbctl - ]; - - hardware = { - # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features - bluetooth.enable = true; - cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - enableRedistributableFirmware = true; - framework.laptop13.audioEnhancement.enable = true; - graphics = { - enable = true; - extraPackages = with pkgs; [ - vaapiVdpau - libvdpau-va-gl - ]; - }; - }; - - powerManagement = { - enable = true; - cpuFreqGovernor = "schedutil"; - }; - - networking = { - hostName = "stolas"; - firewall = { - enable = true; - allowedTCPPorts = [ - 22000 # Syncthing - ]; - allowedUDPPorts = [ - 21027 # Syncthing - ]; - }; - }; - - nix = { - settings.max-jobs = lib.mkDefault 16; - }; - - dadada = { - admin.enable = true; - backupClient.gs.enable = false; - backupClient.backup1.enable = true; - backupClient.backup2 = { - enable = true; - repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup"; - }; - }; - - programs = { - adb.enable = true; - firefox = { - enable = true; - package = pkgs.firefox-wayland; - }; - gnupg.agent.enable = true; - ssh.startAgent = true; - wireshark.enable = true; - }; - - services = { - avahi.enable = true; - desktopManager.plasma6.enable = true; - displayManager = { - sddm.enable = true; - sddm.wayland.enable = true; - }; - gnome.gnome-keyring.enable = lib.mkForce false; - smartd.enable = true; - printing = { - enable = true; - browsing = true; - }; - tlp.enable = false; - snapper = { - cleanupInterval = "1d"; - snapshotInterval = "hourly"; - configs = { - home = { - SUBVOLUME = "/home/dadada"; - ALLOW_USERS = [ "dadada" ]; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - TIMELINE_MIN_AGE = "1800"; - TIMELINE_LIMIT_HOURLY = "5"; - TIMELINE_LIMIT_DAILY = "7"; - TIMELINE_LIMIT_WEEKLY = "0"; - TIMELINE_LIMIT_MONTHLY = "0"; - TIMELINE_LIMIT_YEARLY = "0"; - }; - var = { - SUBVOLUME = "/var"; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - 
TIMELINE_MIN_AGE = "1800"; - TIMELINE_LIMIT_HOURLY = "5"; - TIMELINE_LIMIT_DAILY = "7"; - TIMELINE_LIMIT_WEEKLY = "0"; - TIMELINE_LIMIT_MONTHLY = "0"; - TIMELINE_LIMIT_YEARLY = "0"; - }; - paperless = { - SUBVOLUME = "/var/lib/paperless"; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - TIMELINE_MIN_AGE = "3600"; - TIMELINE_LIMIT_HOURLY = "10"; - TIMELINE_LIMIT_DAILY = "10"; - TIMELINE_LIMIT_WEEKLY = "10"; - TIMELINE_LIMIT_MONTHLY = "10"; - TIMELINE_LIMIT_YEARLY = "10"; - }; - }; - }; - }; - - system = { - stateVersion = "25.05"; - }; - - systemd.services = { - modem-manager.enable = lib.mkForce false; - "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; - }; - - systemd.tmpfiles.rules = [ - "v /var/.snapshots 0755 root root - -" - "v /var/paperless/.snapshots 0755 root root - -" - "v /home/dadada/.snapshots 0755 root root - -" - ]; - - virtualisation.libvirtd.enable = true; - - users = { - users = { - dadada = { - initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA"; - isNormalUser = true; - extraGroups = [ - "wheel" - "networkmanager" - "libvirtd" - "adbusers" - "kvm" - "video" - "scanner" - "lp" - "docker" - "dialout" - "wireshark" - "paperless" - ]; - }; - }; - }; -} diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix deleted file mode 100644 index eff5680..0000000 --- a/nixos/stolas/disks.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - disko.devices = { - nodev."/nix/var/nix/builds" = { - fsType = "tmpfs"; - mountOptions = [ - "size=80%" - "defaults" - "mode=755" - ]; - }; - disk = { - main = { - type = "disk"; - device = "/dev/nvme0n1"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "1G"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - settings = { - allowDiscards = true; - crypttabExtraOpts = [ - "tpm2-device=auto" - "tpm2-pin=true" - ]; - }; - #additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "relatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/dadada" = { - mountpoint = "/home/dadada"; - mountOptions = [ - "compress=zstd" - "relatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/var" = { - mountpoint = "/var"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/paperless" = { - mountpoint = "/var/lib/paperless"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "128G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix deleted file mode 100644 index a5fa69f..0000000 --- a/nixos/stolas/paperless.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ config, ... }: -{ - services.paperless = { - # TODO migrate DB - enable = true; - passwordFile = config.age.secrets.paperless.path; - }; - systemd.tmpfiles.rules = - let - cfg = config.services.paperless; - in - [ - ( - if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; - - age.secrets = { - paperless = { - file = "${config.dadada.secrets.path}/paperless.age"; - mode = "700"; - owner = "paperless"; - }; - }; -} diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index 5ddef7f..1522855 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix @@ -1,7 +1,6 @@ -{ - config, - pkgs, - ... +{ config +, pkgs +, ... }: let hostName = "surgat"; @@ -41,9 +40,9 @@ in }; dadada.element.enable = true; - dadada.forgejo.enable = true; + dadada.gitea.enable = true; dadada.miniflux.enable = true; - dadada.weechat.enable = false; + dadada.weechat.enable = true; dadada.homepage.enable = true; dadada.share.enable = true; dadada.backupClient = { 
@@ -74,33 +73,26 @@ in "2a01:4f8:c17:1d70::/64" ]; routes = [ - { Gateway = "fe80::1"; } + { routeConfig.Gateway = "fe80::1"; } { - Gateway = "172.31.1.1"; - GatewayOnLink = true; + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; } ]; linkConfig.RequiredForOnline = "routable"; }; "10-ninurta" = { matchConfig.Name = "ninurta"; - address = [ - "10.3.3.1/32" - "fd42:9c3b:f96d:121::1/128" - ]; + address = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ]; DHCP = "no"; networkConfig.IPv6AcceptRA = false; linkConfig.RequiredForOnline = "no"; routes = [ - { - Destination = "10.3.3.3/24"; - } - { - Destination = "fd42:9c3b:f96d:121::/64"; - } - { - Destination = "fd42:9c3b:f96d:101::/64"; - } + { routeConfig = { Destination = "10.3.3.3/24"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; } ]; }; }; @@ -114,16 +106,12 @@ in PrivateKeyFile = "/var/lib/wireguard/hydra"; ListenPort = 51235; }; - wireguardPeers = [ - { + wireguardPeers = [{ + wireguardPeerConfig = { PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; - AllowedIPs = [ - "10.3.3.3/32" - "fd42:9c3b:f96d:121::3/128" - "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" - ]; - } - ]; + AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" ]; + }; + }]; }; }; }; @@ -149,16 +137,16 @@ in boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; - boot.kernelParams = [ - "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp" + swapDevices = [ + { + device = "/var/swapfile"; + size = 4096; + } ]; services.resolved = { enable = true; - fallbackDns = [ - "9.9.9.9" - "2620:fe::fe" - ]; + fallbackDns = [ "9.9.9.9" "2620:fe::fe" ]; }; system.autoUpgrade.allowReboot = false; diff --git a/nixos/surgat/hardware-configuration.nix b/nixos/surgat/hardware-configuration.nix index 8476779..71b7257 100644 --- a/nixos/surgat/hardware-configuration.nix 
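Review bot: This hunk drops `boot.kernelParams = [ "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp" ]`, the only initrd network configuration visible for surgat, and the same change deletes `secrets/initrd-surgat-ssh_host_ed25519_key.age`, so the early-boot remote-unlock path appears to be retired; if `boot.initrd.network` is still enabled elsewhere it now has no address, so please confirm it is disabled as well. The replacement `swapDevices` entry is a plain `/var/swapfile`; unless the disk is encrypted (nothing in this diff shows that), memory contents such as the WireGuard key loaded from `/var/lib/wireguard/hydra` can be paged to it, which may be an accepted trade-off but deserves a comment. The `systemd.network` set continues outside this hunk.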
+++ b/nixos/surgat/hardware-configuration.nix @@ -1,25 +1,17 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: -{ +{ config +, lib +, pkgs +, modulesPath +, ... +}: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ - "ata_piix" - "virtio_pci" - "xhci_pci" - "sd_mod" - "sr_mod" - ]; + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/outputs.nix b/outputs.nix index ef7a742..11461ee 100644 --- a/outputs.nix +++ b/outputs.nix @@ -1,17 +1,18 @@ -{ - self, - flake-utils, - nixpkgs, - agenix, - devshell, - treefmt-nix, - ... -}@inputs: -(flake-utils.lib.eachDefaultSystem ( - system: +# Adapted from Mic92/dotfiles +{ self +, flake-utils +, flake-registry +, homepage +, nixpkgs +, home-manager +, nixos-hardware +, agenix +, devshell +, ... +} @ inputs: +(flake-utils.lib.eachDefaultSystem (system: let - pkgs = nixpkgs.legacyPackages.${system}; - treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; + pkgs = import nixpkgs { inherit system; }; in { devShells.default = 
@@ -27,22 +28,23 @@ in import ./devshell.nix { inherit pkgs extraModules; }; - checks = { - formatting = treefmtEval.config.build.check self; - }; - - formatter = treefmtEval.config.build.wrapper; + formatter = pkgs.nixpkgs-fmt; packages = import ./pkgs { inherit pkgs; } // { - installer-iso = inputs.self.nixosConfigurations.installer.config.system.build.isoImage; + installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage; }; - } -)) -// { + })) + // { + hmModules = import ./home/modules.nix { lib = nixpkgs.lib; }; - hmConfigurations = { - dadada = import ./home; - }; + nixosConfigurations = import ./nixos/configurations.nix inputs; - nixosModules = import ./nixos/modules { lib = nixpkgs.lib; }; + + nixosModules = import ./nixos/modules; + + overlays = import ./overlays.nix; + + hydraJobs = import ./hydra-jobs.nix inputs; + + checks = import ./checks.nix inputs; } diff --git a/overlays.nix b/overlays.nix new file mode 100644 index 0000000..bf0588c --- /dev/null +++ b/overlays.nix @@ -0,0 +1,23 @@ +{ + kanboard = final: prev: { + kanboard = prev.kanboard.overrideAttrs (oldAttrs: { + src = prev.fetchFromGitHub { + owner = "kanboard"; + repo = "kanboard"; + rev = "v${oldAttrs.version}"; + sha256 = "sha256-WG2lTPpRG9KQpRdb+cS7CqF4ZDV7JZ8XtNqAI6eVzm0="; + }; + }); + }; + + recipemd = final: prev: { + pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [ + ( + python-final: python-prev: { + recipemd = python-final.callPackage ./pkgs/recipemd.nix { }; + } + ) + ]; + recipemd = prev.python3Packages.toPythonApplication final.python3Packages.recipemd; + }; +} diff --git a/pkgs/citizen-cups.nix b/pkgs/citizen-cups.nix deleted file mode 100644 index 9a63bdd..0000000 --- a/pkgs/citizen-cups.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ - cups, - fetchzip, - lib, - stdenv, - rpm, -}: - -let - version = "1.2.8"; -in -stdenv.mkDerivation { - inherit version; - name = "citizen-cups"; - pname = "citizen-cups"; - - src = fetchzip { - url = "https://www.citizen-systems.com/resource/support/POS/Generic_Printer_Files/CUPS_Linux_Driver/CUPS_Linux_Driver.zip"; - hash = "sha256-2ha24/7oS/rINKmYxyVryX66kkc6niCChxhw/2KOPSw="; - }; - - nativeBuildInputs = [ - rpm - ]; - - buildInputs = [ - cups - ]; - - postUnpack = '' - pushd source - ls -la - rpm2archive ctzpos-cups-1.2.8-0.src.rpm - tar xvf ctzpos-cups-1.2.8-0.src.rpm.tgz - tar xvf ctzpos-cups-1.2.8.tar.bz2 - popd - ''; - - buildPhase = '' - runHook preBuild - pushd "ctzpos-cups-${version}"; - gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocbm1k rastertocbm1k.c -lcupsimage -lcups - gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocds500 rastertocds500.c -lcupsimage -lcups - gcc -Wl,-rpath,/usr/lib -Wall -fPIC -O2 -o rastertocts2kl rastertocts2kl.c -lcupsimage -lcups - popd - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - - mkdir -p $out/lib/cups/filter - install -D -m 755 ./ctzpos-cups-${version}/rastertocbm1k $out/lib/cups/filter/rastertocbm1k - install -D -m 755 ./ctzpos-cups-${version}/rastertocds500 $out/lib/cups/filter/rastertocds500 - install -D -m 755 ./ctzpos-cups-${version}/rastertocts2kl $out/lib/cups/filter/rastertocts2kl - - mkdir -p $out/share/cups/model/citizen - install -D -m 644 ./ctzpos-cups-${version}/*.ppd $out/share/cups/model/citizen - - runHook postInstall - ''; - - meta = with lib; { - description = "Citizen CUPS drivers and filters"; - homepage = "https://www.citizen-systems.com"; - #license = licenses.unfreeRedistributable; - maintainers = with maintainers; [ dadada ]; - platforms = platforms.linux; - }; -} diff --git a/pkgs/default.nix b/pkgs/default.nix index 9f52a8a..c78fe50 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
@@ -1,4 +1,2 @@ { pkgs }: -{ - citizen-cups = pkgs.callPackage ./citizen-cups.nix { }; -} +{ } diff --git a/pkgs/recipemd.nix b/pkgs/recipemd.nix new file mode 100644 index 0000000..4879a9a --- /dev/null +++ b/pkgs/recipemd.nix @@ -0,0 +1,58 @@ +{ lib +, buildPythonPackage +, fetchFromGitHub +, pytestCheckHook +, pythonPackages +, installShellFiles +, pythonOlder +, pythonAtLeast +}: +buildPythonPackage rec { + pname = "recipemd"; + version = "4.0.8"; + + disabled = pythonOlder "3.7" || pythonAtLeast "4"; + + src = fetchFromGitHub { + owner = "tstehr"; + repo = "RecipeMD"; + rev = "v${version}"; + hash = "sha256-eumV2zm7TIJcTPRtWSckYz7jiyH3Ek4nIAVtuJs3sJc="; + }; + + propagatedBuildInputs = with pythonPackages; [ + dataclasses-json + yarl + CommonMark + argcomplete + pyparsing + ]; + + nativeBuildInputs = [ installShellFiles ]; + + postInstall = '' + ${pythonPackages.argcomplete}/bin/register-python-argcomplete -s bash ${pname} > $out/completions.bash + installShellCompletion --bash --name recipemd.bash $out/completions.bash + + ${pythonPackages.argcomplete}/bin/register-python-argcomplete -s fish ${pname} > $out/completions.fish + installShellCompletion --fish --name recipemd.fish $out/completions.fish + + # The version of argcomplete in nixpkgs-stable does not have support for zsh + #${pythonPackages.argcomplete}/bin/register-python-argcomplete -s zsh ${pname} > $out/completions.zsh + #installShellCompletion --zsh --name _recipemd $out/completions.zsh + ''; + + checkInputs = [ + pytestCheckHook + pythonPackages.pytestcov + ]; + + doCheck = true; + + meta = with lib; { + description = "Markdown recipe manager, reference implementation of RecipeMD"; + homepage = "https://recipemd.org"; + license = [ licenses.lgpl3Only ]; + maintainers = [ maintainers.dadada ]; + }; +} diff --git a/secrets/agares-backup-passphrase.age b/secrets/agares-backup-passphrase.age index d710a45..d538c5a 100644 --- a/secrets/agares-backup-passphrase.age 
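Review bot: `postInstall` in the new `pkgs/recipemd.nix` writes the generated completions to `$out/completions.bash` and `$out/completions.fish` and then copies them with `installShellCompletion`, leaving the scratch files in the package output. Pipe them in directly instead, e.g. `installShellCompletion --cmd recipemd --bash <(${pythonPackages.argcomplete}/bin/register-python-argcomplete -s bash recipemd)` and the same with `--fish`. `checkInputs` and `pytestcov` are the older spellings (`nativeCheckInputs`, `pytest-cov` on current nixpkgs) and `pythonAtLeast "4"` in `disabled` is a no-op guard; harmless, but worth aligning with whatever nixpkgs branch `flake.lock` pins.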
+++ b/secrets/agares-backup-passphrase.age @@ -1,7 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w Sof4o2JYLqx59paPpBJWFek1IwCHb4VhuOcPpBkut20 -QNsXS0H2z5NCnKcDuxDVvY+AnTV27/Ijeo/kd12nkoQ --> ssh-ed25519 Otklkw WZt99A5jBrb7MNqzpCuGiJ8wJ/NxZrJE5Q02hvcVEVo -yYlAifPMGC01CGpke5ABasi/sJ8O4r3+5SyoVpbpmM4 ---- vIe/LRs2QxPpZJUrdOFuTBNanHcMyzh7iAFRalWd2dU -+]GHuUʈQ&3'Eg܃Z‘\~e) 1׻ya \ No newline at end of file +-> ssh-ed25519 L7f05w RayKtknLNvFu88aFp4QL7ZMLAh5VmHmlr1DWVsWBziE +rckeFrazZJ3TxY/yD2wlzRVLh9L4x1bV2Nk7Q0S/RWM +-> ssh-ed25519 Otklkw oub7OICQalIkCqAZh4/FfXB9PPBe7j2IpBP7WF/UXGk +gAwxU97b0Js6UPv59/1389/qdPGQb4koa49R14c3UjA +-> mU.rG&?F-grease V? d a}mj5 ^&dc?\ +B0k6BjXmH0cm74+rjQrzJwKa1dcFwTdmlgltZ70oHctwA3+E4/CQ1ChH9UHzkHGG +Fb62klB5XYePywsvxLo2nIGVIvhBgsfIvUpq +--- ONLpuXfKtuCB+VD5IQ5KeSPyqgEb4a2y26+n5E8Ph3E +uD{r ژR9P j?hD -u#F2N +Ys\ \ No newline at end of file diff --git a/secrets/agares-backup-ssh-key.age b/secrets/agares-backup-ssh-key.age index 32c7885..15eab18 100644 Binary files a/secrets/agares-backup-ssh-key.age and b/secrets/agares-backup-ssh-key.age differ diff --git a/secrets/agares-wg0-key.age b/secrets/agares-wg0-key.age index 5e12fbe..9938b85 100644 --- a/secrets/agares-wg0-key.age +++ b/secrets/agares-wg0-key.age 
@@ -1,7 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w Nj0zjzK+5vf4YfUxLPNcBBY4ZC57tH9+rEVCv/ycNWo -5Sk99vaYclDFwTnVKB6IOcTVYJ3SGTuLVJxyjb1W4tM --> ssh-ed25519 Otklkw ogKGpgcz0Gekw7p4LnmIKU2CEdhlkjypRGVZmFda8TI -nkOU/yc7F5BCBRakevYDXyD8akGqYwD67C+9VDxUgyE ---- zuz8UjdxI+CbMr33Z4P5ga1UoRe+oDXzVWgFUhUH1qE -b#sPDF%|Ul e9f_UZ5oeeK}M`aM!5R@j}~3ZҾ͒\ \ No newline at end of file +-> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0 +vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ +-> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM +AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk +-> DJZq-grease 9))O09 z2- +ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23 +qlqnskWvo+SX3JF7NH0yQf53dZJU +--- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk +(E/P(|Jؑҋz`JO2Ԗd3qO!8HN3\i \ No newline at end of file diff --git a/secrets/ddns-credentials.age b/secrets/ddns-credentials.age index e749a1b..9ae8b77 100644 Binary files a/secrets/ddns-credentials.age and b/secrets/ddns-credentials.age differ diff --git a/secrets/etc-ppp-chap-secrets.age b/secrets/etc-ppp-chap-secrets.age index ff3e453..6a4d954 100644 Binary files a/secrets/etc-ppp-chap-secrets.age and b/secrets/etc-ppp-chap-secrets.age differ diff --git a/secrets/etc-ppp-telekom-secret.age b/secrets/etc-ppp-telekom-secret.age index ece12f8..a97dc40 100644 Binary files a/secrets/etc-ppp-telekom-secret.age and b/secrets/etc-ppp-telekom-secret.age differ diff --git a/secrets/gorgon-backup-passphrase-gs.age b/secrets/gorgon-backup-passphrase-gs.age index 416b011..24beb40 100644 Binary files a/secrets/gorgon-backup-passphrase-gs.age and b/secrets/gorgon-backup-passphrase-gs.age differ diff --git a/secrets/gorgon-backup-passphrase.age b/secrets/gorgon-backup-passphrase.age index 68cc452..38b0cbc 100644 Binary files a/secrets/gorgon-backup-passphrase.age and b/secrets/gorgon-backup-passphrase.age differ 
diff --git a/secrets/gorgon-backup-ssh-key.age b/secrets/gorgon-backup-ssh-key.age index 0a00855..64ae675 100644 Binary files a/secrets/gorgon-backup-ssh-key.age and b/secrets/gorgon-backup-ssh-key.age differ diff --git a/secrets/hydra-github-authorization.age b/secrets/hydra-github-authorization.age index ef32814..a78cf11 100644 Binary files a/secrets/hydra-github-authorization.age and b/secrets/hydra-github-authorization.age differ diff --git a/secrets/ifrit-backup-passphrase.age b/secrets/ifrit-backup-passphrase.age index b4e55eb..640ac05 100644 --- a/secrets/ifrit-backup-passphrase.age +++ b/secrets/ifrit-backup-passphrase.age @@ -1,7 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 yMjj5g pE3otZ4+5k1GxhoU7FocCMvcHZ9PFzTRqRYiVXXq/H4 -aKCBiwVwbfetSTRaTJ31iTRsvNnbm2JYFQnqTOgCyOA --> ssh-ed25519 Otklkw jn4ZUyWFIeAt+XpxmlqckovK4/jit6SR+Xaouv7gfTU -8yJLyWHk1m9KInOWozqRWXi3kiirgQ7c/ONOwgHk/Z8 ---- 8TS+ZFZfHvgcgOYBE3nzSxbCCmCOtqPWyldlegSu6QU -:{ 4~NtXRl =>$8DQ @G1FAOtΫ \ No newline at end of file +-> ssh-ed25519 yMjj5g FtHlFiQa2xr57K9GiS2VX+NYI/2kP73wWXVBsr61cD8 +Gokj4dzQP6AB9YWRBvmXL8/Sts7NO6g6wP1hIYkKdp4 +-> ssh-ed25519 Otklkw UB1L2gKr0wnsGktaVlnbr+nSUZQ34g7JO4uuHYhuuyM +X4AT5taAJBtFia62IUTDa1cdbZtwaxYRQFCDez8aK8k +-> r;DMOG-grease h"Tb e?z^VJ icNa +/0ZIHqI0whHoBw2Qs15bxY7o1sudscitKuUB3ysyFwUVsIG4nzTOS2GFuXTQ1WuD +5pH2CQfp33hvqrqV +--- vji5ZWP7+BLgpmyX2Sxgdv7Ht37NvQ8DuY1/t3cvvuI +]eޛ,% qnAM{DJWLG@/gGo.V4 \ No newline at end of file diff --git a/secrets/ifrit-backup-ssh-key.age b/secrets/ifrit-backup-ssh-key.age index 9d2879c..6611b7a 100644 Binary files a/secrets/ifrit-backup-ssh-key.age and b/secrets/ifrit-backup-ssh-key.age differ diff --git a/secrets/initrd-surgat-ssh_host_ed25519_key.age b/secrets/initrd-surgat-ssh_host_ed25519_key.age deleted file mode 100644 index 36c4b0c..0000000 Binary files a/secrets/initrd-surgat-ssh_host_ed25519_key.age and /dev/null differ 
diff --git a/secrets/miniflux-admin-credentials.age b/secrets/miniflux-admin-credentials.age index 9745c07..06ff0e0 100644 --- a/secrets/miniflux-admin-credentials.age +++ b/secrets/miniflux-admin-credentials.age @@ -1,7 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 jUOjpw 6ThewcuTvg2mn/jC1eqR0KFDXdN8G3JIUBLLiBabkFI -lstfGPvJgaUOp0jriP2nsi4IvgwRjs8dnRye7+ihD/Q --> ssh-ed25519 Otklkw N0ozjfxbOBq7EIvxP4TRa2XyMQ8fINCiHjK0MFq2X0w -tEeua88G2aN6REaUN6xTlkRLy0GFgNfj7v0VXhqddc4 ---- N9V7UfSDvrOAeOr3MRXiCwIu8JJt3NSL3FrGyPapLrM -E"K?>VÄbXdg!ѹ) B f\=[2LxwXH*l9w \ No newline at end of file +-> ssh-ed25519 jUOjpw Tuaz2+fgz5f2ZacAYc3TdREIurh+XG5RjjKpaEFgtGo +gB1iaKV+xAv0PGdjZwmBCxMbxgCqZrM2JBDiEWCl//8 +-> ssh-ed25519 Otklkw ocyFHtGzclF+7S9I7uSqsfn5weqxj5Wq32y4c6VDiSA +hDX5Viym/WdFZE5rXzToFhqtGvj+Ft3Hh7oiuzCuG/Q +-> b&-grease 2u ~R j4C 3|h`M}/ +fdhnmlw+wqO8nb86f8jdDNW2P2SxzdwuljpRrlG/ZxXcC4QxtnO6RwK9NAS9UBQr +OAxJ6v3P+cMYJcsPNLAr90rEzXfTV2VONZgoNwOKN2l5n/JX8aGCt5i/vVI +--- sYjj24oaGUMZPD4TV8JKfjSPHeYOKh+OpueLZT/TxCQ +TO&DdC2ƔW^˻Z &b ssh-ed25519 WJCMDA NDB+Z1hpwH3PWjViCbrRdrt0WCFnsYDBVd1rADCQy2I -p/QYmC6ZwwlyCNrVhUw1vUNfnNGiw8B/rsqP9EMGJ5E --> ssh-ed25519 Otklkw yLMSfitfbXO8qRqaJwKxx68R0AJHsTre0XlN2huudWY -JYogGtU0LLPcJpN9oWmAQE0Kyk2yhNmxrVgh0JMFphE ---- pGx08jh8YJCDeEvi7iZa6pXrlwg8otUTkxv0T5gwLcM -˲'t2͟E/ؿ6@ -DfiVGO_a\{}_~:>GN@K| \ No newline at end of file +-> ssh-ed25519 0aOabg 6QT8adxrQxGCx9w6JZPkbCsCM/Vos+D41JoEQ19h0AY +UaXt2lE7VnhaQ4McdCIGo8kdaYrPyg3ne8MIBCt7NXE +-> ssh-ed25519 Otklkw GJQj739xwoeP9xTLpLrCxANx3/Ebipnr345xKSFLf3w +xtQBgTYrLzkaWBkx8pi0R+GKa6inKFzFD5tompll3wo +-> )gWM0O-grease i%" tB +culBBLA5Bt/POa9w +--- Vtxd8HsFnjBl6eXE4UYNoR1Ca/JA9UlK/WE+FNkmPtk +bV v:ah&4fNJ2]{!%1Ia\}Xex1~_"r,j:O?5 \ No newline at end of file diff --git a/secrets/pruflas-backup-passphrase.age b/secrets/pruflas-backup-passphrase.age index 7315527..7750b1c 100644 Binary files a/secrets/pruflas-backup-passphrase.age and b/secrets/pruflas-backup-passphrase.age differ 
diff --git a/secrets/pruflas-backup-ssh-key.age b/secrets/pruflas-backup-ssh-key.age index 57e57c8..dd41e28 100644 Binary files a/secrets/pruflas-backup-ssh-key.age and b/secrets/pruflas-backup-ssh-key.age differ diff --git a/secrets/pruflas-wg-hydra-key.age b/secrets/pruflas-wg-hydra-key.age index 7c1333d..be57748 100644 Binary files a/secrets/pruflas-wg-hydra-key.age and b/secrets/pruflas-wg-hydra-key.age differ diff --git a/secrets/pruflas-wg0-key.age b/secrets/pruflas-wg0-key.age index 1312de7..122adcd 100644 --- a/secrets/pruflas-wg0-key.age +++ b/secrets/pruflas-wg0-key.age @@ -1,7 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw jC7rwmoizfZqenUwlrMlLRyN9yQnog2X3KIJ2GgRZB8 -yGoiZTNfrPm6+fb1BcZGH6Lzm8Pj4aeyjWtLNYbGSFg --> ssh-ed25519 Otklkw a2/N7JOiOY/orGyCogBIj48EjTltThv7AAHuMHK7Xzo -PTP9vaEpFf7PXoRobHJgAkNVBh+u3+7rUMKiMj+fadQ ---- KR51LRGHd6jWP4rUWvQqXskwEGfxb0tSCNKtnFT255A -Gw)HkG F&e[{RGh"L{\{H~{.uWMaZ \ No newline at end of file +-> ssh-ed25519 J6ROvw R+xnmMAoVmaJi9UMYBSX5CKk21LhI9iIionc6Nh8ZWg +eR+OpFfB6BIOzOUeeY5IzmXerCCiqOYS9ZAGIb0UAS0 +-> ssh-ed25519 Otklkw HYpIGulRkcfpKhSdb1mF/hbBHiXCUzYR6/b0KspgHTU +1HAtdynQZ10AVgGqh4cw3qDqSh6Suum3zYo6/G7qKw4 +-> +YMQ-grease +wyHx9k+fMnxTm1LMDhmmMye/ +--- g1F7i8Y0foxjDp6qbBtjhY3A/vyxM2R/zIQJZTG2F5o +.]n"wjkYd<2{N N0`XUsPxV)nfOg \ No newline at end of file diff --git a/secrets/pruflas-wg0-preshared-key.age b/secrets/pruflas-wg0-preshared-key.age index 94f9a88..7528977 100644 Binary files a/secrets/pruflas-wg0-preshared-key.age and b/secrets/pruflas-wg0-preshared-key.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50dd263..7da57e3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,83 +1,37 @@ let dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) "; systems = { + agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos"; gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon"; ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos"; ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; - stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObI38cB8gTDXmDb5GcK4pLm5xM+nnvGeSfEpB4lVEwE root@stolas"; }; backupSecrets = hostName: { - "${hostName}-backup-passphrase.age".publicKeys = [ - systems.${hostName} - dadada - ]; - "${hostName}-backup-ssh-key.age".publicKeys = [ - systems.${hostName} - dadada - ]; + "${hostName}-backup-passphrase.age".publicKeys = [ systems.${hostName} dadada ]; + "${hostName}-backup-ssh-key.age".publicKeys = [ systems.${hostName} dadada ]; }; in { - "pruflas-wg0-key.age".publicKeys = [ - systems.ninurta - dadada - ]; - "pruflas-wg0-preshared-key.age".publicKeys = [ - systems.ninurta - dadada - ]; - "pruflas-wg-hydra-key.age".publicKeys = [ - systems.ninurta - dadada - ]; - "hydra-github-authorization.age".publicKeys = [ - systems.ninurta - dadada - ]; - "miniflux-admin-credentials.age".publicKeys = [ - systems.surgat - dadada - ]; - "gorgon-backup-passphrase-gs.age".publicKeys = [ - systems.gorgon - dadada - ]; - "paperless.age".publicKeys = [ - #systems.gorgon - systems.stolas - dadada - ]; - "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [ - systems.surgat - dadada - ]; - "surgat-ssh_host_ed25519_key.age".publicKeys = [ - systems.surgat - dadada - ]; - 
"ninurta-initrd-ssh-key.age".publicKeys = [ - systems.ninurta - dadada - ]; - "ddns-credentials.age".publicKeys = [ - systems.ninurta - dadada - ]; - "etc-ppp-chap-secrets.age".publicKeys = [ - dadada - ]; - "etc-ppp-telekom-secret.age".publicKeys = [ - dadada - ]; - "wg-privkey-vpn-dadada-li.age".publicKeys = [ - dadada - ]; -} -// backupSecrets "ninurta" -// backupSecrets "gorgon" -// backupSecrets "ifrit" -// backupSecrets "pruflas" -// backupSecrets "surgat" -// backupSecrets "stolas" + "pruflas-wg0-key.age".publicKeys = [ systems.ninurta dadada ]; + "pruflas-wg0-preshared-key.age".publicKeys = [ systems.ninurta dadada ]; + "pruflas-wg-hydra-key.age".publicKeys = [ systems.ninurta dadada ]; + "hydra-github-authorization.age".publicKeys = [ systems.ninurta dadada ]; + "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ]; + "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ]; + "paperless.age".publicKeys = [ systems.gorgon dadada ]; + "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ]; + "ninurta-initrd-ssh-key.age".publicKeys = [ systems.ninurta dadada ]; + "ddns-credentials.age".publicKeys = [ systems.agares systems.ninurta dadada ]; + "etc-ppp-chap-secrets.age".publicKeys = [ systems.agares dadada ]; + "etc-ppp-telekom-secret.age".publicKeys = [ systems.agares dadada ]; + "wg-privkey-vpn-dadada-li.age".publicKeys = [ systems.agares dadada ]; + "agares-wg0-key.age".publicKeys = [ systems.agares dadada ]; +} // +backupSecrets "ninurta" // +backupSecrets "gorgon" // +backupSecrets "ifrit" // +backupSecrets "pruflas" // +backupSecrets "surgat" // +backupSecrets "agares" diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age deleted file mode 100644 index 4b4a687..0000000 Binary files a/secrets/stolas-backup-passphrase.age and /dev/null differ 
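Review bot: `"ddns-credentials.age".publicKeys = [ systems.agares systems.ninurta dadada ];` now lets two hosts decrypt the same credential, so a compromise of either host exposes it and any rotation has to cover both; if this is a transitional state during the move to agares, a comment saying so (and when ninurta is to be removed) would help, otherwise a separate credential per host is the safer choice. Removing `stolas` from `systems` and rekeying the files it could previously open (paperless.age, the stolas backup secrets) only changes who can decrypt the new ciphertexts; the old ones remain in git history and stolas already held the plaintext, so if that host is decommissioned rather than migrated the underlying values should be rotated as well, which this diff cannot show.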
diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age deleted file mode 100644 index 0a06547..0000000 Binary files a/secrets/stolas-backup-ssh-key.age and /dev/null differ diff --git a/secrets/surgat-backup-passphrase.age b/secrets/surgat-backup-passphrase.age index b3a0a80..2c9bd49 100644 --- a/secrets/surgat-backup-passphrase.age +++ b/secrets/surgat-backup-passphrase.age @@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 jUOjpw FXHC9VzSKIkbJ9JVge5vsGHiGtxBnxB7Nvqqi4OsRHA -1zhd0kCd37fXmWtq9kRx1vQvjTT4i5HsQ9DibyGmNUI --> ssh-ed25519 Otklkw ZKy9Vbf1W1UpejNy8nh+eGss19XLqJuHL6qJuG1KP20 -t5C0Jw//1vK5iiG3+tJK6bu/SBR7StHRDog9ivlfVAI ---- 08Q8bBFnJF2TFV62trgPig/VL3RwKN0dyw4PBgg5LDU -F` 4tۭ ٧o9~}ق)7#a/W\;l2Рl \ No newline at end of file +-> ssh-ed25519 jUOjpw zb9yidyhlOj2LnVSCjNwq0MBj8Ik7zdT+6vs5k2vdTY +lxFHzj+mUpW8ogGkfpZZWZRPfMp38Sb2GYojBUrxGB0 +-> ssh-ed25519 Otklkw G3tj2S2BM+jmGg5ajD2hTIKAWJMAhuHAT4jpFpu2YmQ +XDLRUWirSzXQ55HnWdICzICPQDL8pyJC9SnS9ODwhdM +-> v#M-grease +rEp5i85i+0HA+Rx31HR27NU +--- 2Q+j2Vh/Tbv6NYYg614YL1+yP8hff++2zAuWV7dHDe8 +HY\ \;m~qoz85Z̯e9Ia䔝Y \ No newline at end of file diff --git a/secrets/surgat-backup-ssh-key.age b/secrets/surgat-backup-ssh-key.age index 2abfeac..7523e7a 100644 Binary files a/secrets/surgat-backup-ssh-key.age and b/secrets/surgat-backup-ssh-key.age differ diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age index 7400a57..c664303 100644 Binary files a/secrets/surgat-ssh_host_ed25519_key.age and b/secrets/surgat-ssh_host_ed25519_key.age differ diff --git a/secrets/wg-privkey-vpn-dadada-li.age b/secrets/wg-privkey-vpn-dadada-li.age index 4bd9044..b956b5e 100644 Binary files a/secrets/wg-privkey-vpn-dadada-li.age and b/secrets/wg-privkey-vpn-dadada-li.age differ diff --git a/treefmt.nix b/treefmt.nix deleted file mode 100644 index 75acdfa..0000000 --- a/treefmt.nix +++ /dev/null 
@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-{
- projectRootFile = "flake.nix";
- programs.nixfmt.enable = true;
- programs.shellcheck.enable = pkgs.hostPlatform.system != "riscv64-linux";
- programs.shfmt.enable = pkgs.hostPlatform.system != "riscv64-linux";
- programs.yamlfmt.enable = true;
-}