diff --git a/.envrc b/.envrc index 3140b68..6a37c4f 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1,5 @@ +#!/bin/sh + watch_file devshell.nix use flake diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 49f19df..512e01e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,4 +4,4 @@ updates: directory: "/" schedule: interval: "weekly" - assignees: [ "dadada" ] + assignees: ["dadada"] diff --git a/.github/workflows/nix-flake-check.yml b/.github/workflows/nix-flake-check.yml index b0c0fa3..28b1d3c 100644 --- a/.github/workflows/nix-flake-check.yml +++ b/.github/workflows/nix-flake-check.yml @@ -1,26 +1,24 @@ name: Continuous Integration - on: pull_request: push: branches: [main] - jobs: checks: name: "Checks" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v26 - with: - nix_path: nixpkgs=channel:nixos-stable - extra_nix_config: | - experimental-features = nix-command flakes - access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - system-features = nixos-test benchmark big-parallel kvm - - uses: cachix/cachix-action@v14 - with: - name: dadada - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - run: nix flake check + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v26 + with: + nix_path: nixpkgs=channel:nixos-stable + extra_nix_config: | + experimental-features = nix-command flakes + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + system-features = nixos-test benchmark big-parallel kvm + - uses: cachix/cachix-action@v14 + with: + name: dadada + signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix flake check diff --git a/.github/workflows/nix-flake-update.yml b/.github/workflows/nix-flake-update.yml index 9045f91..33843d1 100644 --- a/.github/workflows/nix-flake-update.yml +++ b/.github/workflows/nix-flake-update.yml 
@@ -3,7 +3,6 @@ on: workflow_dispatch: # allows manual triggering schedule: - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00 - jobs: lockfile: runs-on: ubuntu-latest @@ -16,6 +15,6 @@ jobs: uses: DeterminateSystems/update-flake-lock@v21 with: pr-title: "Update flake.lock" # Title of PR to be created - pr-labels: | # Labels to be set on the PR + pr-labels: | # Labels to be set on the PR dependencies automated diff --git a/devshell.nix b/devshell.nix index ebdfb12..1fbad07 100644 --- a/devshell.nix +++ b/devshell.nix @@ -24,7 +24,7 @@ name = "format"; help = "Format the project"; command = '' - nixpkgs-fmt . + treefmt . ''; category = "dev"; } diff --git a/flake.lock b/flake.lock index a2f410e..8c964f5 100644 --- a/flake.lock +++ b/flake.lock @@ -25,6 +25,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -67,6 +82,63 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -103,6 +175,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -110,11 +204,11 @@ ] }, "locked": { - "lastModified": 1752286566, - "narHash": "sha256-A4nftqiNz2bNihz0bKY94Hq/6ydR6UQOcGioeL7iymY=", + "lastModified": 1753470191, + "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=", "owner": "nix-community", "repo": "home-manager", - "rev": "392ddb642abec771d63688c49fa7bcbb9d2a5717", + "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6", "type": "github" }, "original": { @@ -137,6 +231,32 @@ "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -175,11 +295,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1752048960, - "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { 
@@ -191,11 +311,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751984180, - "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", + "lastModified": 1753429684, + "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", + "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d", "type": "github" }, "original": { @@ -207,11 +327,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1752298176, - "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=", + "lastModified": 1753505055, + "narHash": "sha256-jQKnNATDGDeuIeUf7r0yHnmirfYkYPHeF0N2Lv8rjPE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01", + "rev": "7be0239edbf0783ff959f94f9728db414be73002", "type": "github" }, "original": { 
@@ -221,14 +341,59 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "devshell": "devshell", + "disko": "disko", "flake-registry": "flake-registry", "flake-utils": "flake-utils", "home-manager": "home-manager", "homepage": "homepage", + "lanzaboote": "lanzaboote", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", @@ -237,6 +402,27 @@ "treefmt-nix": "treefmt-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -274,11 +460,11 @@ ] }, "locked": { - "lastModified": 1752055615, - "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=", + "lastModified": 1753439394, + "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9", + "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 6ccece0..73686ce 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,10 @@ inputs = { nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; @@ -12,6 +16,10 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; homepage = { url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"; diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix index 96364ff..7a0cd6c 100644 --- a/home/modules/zsh.nix +++ b/home/modules/zsh.nix @@ -34,7 +34,7 @@ in }; plugins = [ ]; - initExtra = '' + initContent = '' source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh source ${pkgs.fzf}/share/fzf/key-bindings.zsh source ${pkgs.fzf}/share/fzf/completion.zsh diff --git a/nixos/configurations.nix b/nixos/configurations.nix index adacb51..95b894e 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -1,8 +1,10 @@ { self, agenix, + disko, home-manager, homepage, + lanzaboote, nixos-hardware, nixos-generators, nixpkgs, 
@@ -19,18 +21,51 @@ let nixpkgs.lib.nixosSystem { inherit system; - modules = - [ - { - nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; - } - ] - ++ (nixpkgs.lib.attrValues self.nixosModules) - ++ [ agenix.nixosModules.age ] - ++ extraModules; + modules = [ + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + } + ] + ++ (nixpkgs.lib.attrValues self.nixosModules) + ++ [ agenix.nixosModules.age ] + ++ extraModules; }; in { + stolas = + let + system = "x86_64-linux"; + in + nixosSystem { + inherit nixpkgs system; + + extraModules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + dadada.inputs = inputs // { + dadada = self; + }; + } + nixos-hardware.nixosModules.framework-amd-ai-300-series + home-manager.nixosModules.home-manager + ( + { pkgs, ... }: + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + ]; + home-manager.users.dadada = import ../home; + } + ) + ./stolas + ]; + }; + gorgon = let system = "x86_64-linux"; @@ -46,12 +81,10 @@ in dadada = self; }; } - nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 - home-manager.nixosModules.home-manager ( - { pkgs, lib, ... }: + { pkgs, ... }: { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index d34d0e7..16f8130 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix @@ -5,6 +5,7 @@ ... }: let + secretsPath = config.dadada.secrets.path; xilinxJtag = pkgs.writeTextFile { name = "xilinx-jtag"; text = '' 
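Review bot: The new `stolas` entry passes `nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;` inside `extraModules` although the `nixosSystem` helper in the same hunk already prepends exactly that module, so the overlay list is registered twice; `nixpkgs.overlays` merges by list concatenation, so every overlay is applied a second time, which is redundant even when the overrides are idempotent. Dropping that line from the stolas module set is sufficient, since `dadada.pkgs` and `dadada.inputs` in the same attribute set do not depend on it. The `gorgon` entry below appears to carry the same duplication, but its module list is partly outside the hunk.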
@@ -43,6 +44,13 @@ in sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup"; }; + dadada.backupClient.gs = { + enable = true; + passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path; + }; + + age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = + "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age"; nixpkgs.config.android_sdk.accept_license = true; diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix index 07323da..bd03ba7 100644 --- a/nixos/modules/admin.nix +++ b/nixos/modules/admin.nix @@ -93,12 +93,12 @@ in services.sshd.enable = true; services.openssh.settings.PasswordAuthentication = false; - security.sudo.wheelNeedsPassword = false; + security.sudo.wheelNeedsPassword = lib.mkDefault false; services.openssh.openFirewall = true; users.users = mapAttrs (user: keys: { shell = shells."${keys.shell}"; - extraGroups = extraGroups; + extraGroups = lib.mkDefault extraGroups; isNormalUser = true; openssh.authorizedKeys.keys = keys.keys; }) cfg.users; diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix index 594f356..e498cd1 100644 --- a/nixos/modules/borg-server.nix +++ b/nixos/modules/borg-server.nix @@ -39,6 +39,14 @@ in path = "${cfg.path}/gorgon"; quota = "1T"; }; + "stolas" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon" + ]; + path = "${cfg.path}/stolas"; + quota = "1T"; + }; "surgat" = { allowSubRepos = false; authorizedKeysAppendOnly = [ diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index b681d72..0976788 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix 
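Review bot: The new `stolas` borg repository in nixos/modules/borg-server.nix authorizes a key whose comment reads `dadada@gorgon`; if this is the same key the `gorgon` entry above accepts (that entry's key is outside the hunk), compromise of one laptop's backup key would allow appending to both hosts' repositories. `secrets/secrets.nix` in this change adds `backupSecrets "stolas"`, which suggests a stolas-specific `stolas-backup-ssh-key` exists, so please confirm this line is its public half and make the comment reflect the host it belongs to, e.g. `... dadada@stolas`, so the key-to-host mapping stays reviewable.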
@@ -13,8 +13,8 @@ in ./upgrade-pg-cluster.nix ]; - boot.tmp.useTmpfs = true; - boot.tmp.tmpfsSize = "50%"; + boot.tmp.useTmpfs = lib.mkDefault true; + boot.tmp.tmpfsSize = lib.mkDefault "50%"; i18n.defaultLocale = mkDefault "en_US.UTF-8"; console = mkDefault { diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix index d9f0bde..7089f4e 100644 --- a/nixos/modules/profiles/laptop.nix +++ b/nixos/modules/profiles/laptop.nix @@ -5,7 +5,6 @@ }: let inputs = config.dadada.inputs; - secretsPath = config.dadada.secrets.path; in with lib; { @@ -26,7 +25,7 @@ with lib; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - users.mutableUsers = mkDefault true; + users.mutableUsers = true; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = mkDefault true; @@ -48,13 +47,6 @@ with lib; alsa.support32Bit = true; pulse.enable = true; }; - hardware.pulseaudio.enable = false; - - dadada.backupClient.gs = { - enable = true; - passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path; - }; - - age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = - "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age"; + services.pulseaudio.enable = false; + security.sudo.wheelNeedsPassword = true; } diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index d4eed97..39bdca7 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix @@ -149,13 +149,6 @@ in startAt = "daily"; }; - services.postgresqlBackup = { - enable = true; - backupAll = true; - compression = "zstd"; - location = "/var/backup/postgresql"; - }; - age.secrets."ninurta-backup-passphrase" = { file = "${secretsPath}/ninurta-backup-passphrase.age"; mode = "400"; 
@@ -237,33 +230,38 @@ in services.snapper = { cleanupInterval = "1d"; - snapshotInterval = "hourly"; + snapshotInterval = "daily"; configs.home = { SUBVOLUME = "/home"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; }; configs.var = { SUBVOLUME = "/var"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; }; configs.storage = { SUBVOLUME = "/mnt/storage"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_LIMIT_HOURLY = "10"; + TIMELINE_LIMIT_DAILY = "10"; + TIMELINE_LIMIT_WEEKLY = "10"; + TIMELINE_LIMIT_MONTHLY = "10"; + TIMELINE_LIMIT_YEARLY = "10"; }; }; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix new file mode 100644 index 0000000..696f55f --- /dev/null +++ b/nixos/stolas/default.nix 
@@ -0,0 +1,224 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + + imports = [ + ../modules/profiles/laptop.nix + ./disks.nix + ./paperless.nix + ]; + + nixpkgs = { + hostPlatform = "x86_64-linux"; + config.allowUnfree = true; + }; + + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + loader.systemd-boot.enable = lib.mkForce false; + initrd = { + availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + "usb_storage" + "sd_mod" + ]; + # Ensure that TPM module is loaded + kernelModules = [ "tpm" ]; + }; + }; + + environment.systemPackages = [ + # For debugging and troubleshooting Secure Boot. + pkgs.sbctl + ]; + + hardware = { + # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features + bluetooth.enable = true; + cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + enableAllFirmware = true; + framework.laptop13.audioEnhancement.enable = true; + graphics = { + enable = true; + extraPackages = with pkgs; [ + vaapiVdpau + libvdpau-va-gl + ]; + }; + }; + + powerManagement = { + enable = true; + cpuFreqGovernor = "schedutil"; + # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod? 
+ powerUpCommands = '' + echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold + ''; + }; + + networking = { + hostName = "stolas"; + firewall = { + enable = true; + allowedTCPPorts = [ + 22000 # Syncthing + ]; + allowedUDPPorts = [ + 21027 # Syncthing + ]; + }; + }; + + nix = { + settings.max-jobs = lib.mkDefault 16; + }; + + dadada = { + admin.enable = true; + backupClient.gs.enable = false; + backupClient.backup1.enable = true; + backupClient.backup2 = { + enable = true; + repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup"; + }; + }; + + programs = { + adb.enable = true; + firefox = { + enable = true; + package = pkgs.firefox-wayland; + }; + gnupg.agent.enable = true; + ssh.startAgent = true; + wireshark.enable = true; + }; + + services = { + avahi.enable = true; + desktopManager.plasma6.enable = true; + displayManager = { + sddm.enable = true; + sddm.wayland.enable = true; + }; + gnome.gnome-keyring.enable = lib.mkForce false; + smartd.enable = true; + printing = { + enable = true; + browsing = true; + }; + tlp.enable = false; + snapper = { + cleanupInterval = "1d"; + snapshotInterval = "hourly"; + configs = { + home = { + SUBVOLUME = "/home/dadada"; + ALLOW_USERS = [ "dadada" ]; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + var = { + SUBVOLUME = "/var"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + paperless = { + SUBVOLUME = "/var/lib/paperless"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "3600"; + TIMELINE_LIMIT_HOURLY = "10"; + TIMELINE_LIMIT_DAILY = "10"; + TIMELINE_LIMIT_WEEKLY = "10"; + 
TIMELINE_LIMIT_MONTHLY = "10"; + TIMELINE_LIMIT_YEARLY = "10"; + }; + }; + }; + }; + + system = { + stateVersion = "25.05"; + }; + + systemd.services = { + modem-manager.enable = lib.mkForce false; + "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; + }; + + systemd.sleep.extraConfig = '' + HibernateDelaySec=1h + ''; + + systemd.tmpfiles.rules = [ + "v /var/.snapshots 0755 root root - -" + "v /var/paperless/.snapshots 0755 root root - -" + "v /home/dadada/.snapshots 0755 root root - -" + ]; + + virtualisation.libvirtd.enable = true; + + users = { + users = { + dadada = { + initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA"; + isNormalUser = true; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "adbusers" + "kvm" + "video" + "scanner" + "lp" + "docker" + "dialout" + "wireshark" + "paperless" + ]; + shell = "/run/current-system/sw/bin/zsh"; + }; + }; + }; + + # TODO + # age.secrets = { + # paperless = { + # file = "${config.dadada.secrets.path}/paperless.age"; + # mode = "700"; + # owner = "paperless"; + # }; + # }; + + # Create compressing swap space in RAM + zramSwap.enable = true; +} diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix new file mode 100644 index 0000000..01cf635 --- /dev/null +++ b/nixos/stolas/disks.nix 
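Review bot: `users.users.dadada.initialHashedPassword` in nixos/stolas/default.nix embeds the password hash in the committed configuration, so anyone with read access to the repository (or its history) can run offline guessing against it; this repository already manages secrets with agenix, so `hashedPasswordFile = config.age.secrets.<PLACEHOLDER-name>.path;` backed by an `age.secrets` entry would keep the hash out of the tree. The imported `../modules/profiles/laptop.nix` sets `users.mutableUsers = true` in this same commit, so the hash is consulted only when the account is first created; removing it from git later does not change the password on an already-installed host, which also has to be rotated there. The commented-out `age.secrets` block near the end duplicates the definition that `./paperless.nix` now provides and could be deleted to leave one source of truth. The hunk is the whole new file, so no enclosing definition is cut.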
@@ -0,0 +1,100 @@
+{
+ disko.devices = {
+ nodev."/nix/var/nix/builds" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=80%"
+ "defaults"
+ "mode=755"
+ ];
+ };
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings = {
+ allowDiscards = true;
+ crypttabExtraOpts = [
+ "tpm2-device=auto"
+ "tpm2-pin=true"
+ ];
+ };
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/dadada" = {
+ mountpoint = "/home/dadada";
+ mountOptions = [
+ "compress=zstd"
+ "relatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/var" = {
+ mountpoint = "/var";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/paperless" = {
+ mountpoint = "/var/lib/paperless";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "64G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix
new file mode 100644
index 0000000..a5fa69f
--- /dev/null
+++ b/nixos/stolas/paperless.nix
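Review bot: The LUKS `settings` request TPM2 unlock with a PIN (`tpm2-device=auto`, `tpm2-pin=true`) but nothing in this layout enrolls the TPM2 key slot or records which PCRs it is bound to; that enrollment happens out of band on the installed system, and until it is done the volume opens with the passphrase only. A short comment above `crypttabExtraOpts` stating the enrollment step and the intended PCR policy would make the trust assumptions reviewable, e.g. `# TPM2 slot enrolled post-install with systemd-cryptenroll; bound PCRs: <PLACEHOLDER-document>`. `allowDiscards = true` on an encrypted volume is a deliberate trade-off (TRIM reveals which blocks are unused) and deserves a one-line note too, since this file is likely to be copied for the next host. The hunk is the whole new file, so nothing is cut off.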
@@ -0,0 +1,28 @@ +{ config, ... }: +{ + services.paperless = { + # TODO migrate DB + enable = true; + passwordFile = config.age.secrets.paperless.path; + }; + systemd.tmpfiles.rules = + let + cfg = config.services.paperless; + in + [ + ( + if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; + + age.secrets = { + paperless = { + file = "${config.dadada.secrets.path}/paperless.age"; + mode = "700"; + owner = "paperless"; + }; + }; +} diff --git a/outputs.nix b/outputs.nix index aea7953..c860d3c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -5,12 +5,14 @@ nixpkgs, agenix, devshell, + treefmt-nix, ... }@inputs: (flake-utils.lib.eachDefaultSystem ( system: let pkgs = import nixpkgs { inherit system; }; + treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; in { devShells.default = @@ -26,7 +28,7 @@ in import ./devshell.nix { inherit pkgs extraModules; }; - formatter = pkgs.nixfmt-tree; + formatter = treefmtEval.config.build.wrapper; packages = import ./pkgs { inherit pkgs; } // { installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage; @@ -34,7 +36,6 @@ } )) // { - hmModules = import ./home/modules.nix { lib = nixpkgs.lib; }; nixosConfigurations = import ./nixos/configurations.nix inputs; diff --git a/pkgs/default.nix b/pkgs/default.nix index 9cd9053..9f52a8a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,3 +1,4 @@ -{ pkgs }: { - citizen-cups = pkgs.callPackage ./citizen-cups.nix {}; +{ pkgs }: +{ + citizen-cups = pkgs.callPackage ./citizen-cups.nix { }; } diff --git a/secrets/agares-backup-passphrase.age b/secrets/agares-backup-passphrase.age index d538c5a..d710a45 100644 --- a/secrets/agares-backup-passphrase.age +++ b/secrets/agares-backup-passphrase.age 
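Review bot: `age.secrets.paperless.mode = "700"` in nixos/stolas/paperless.nix grants the execute bit on a secret file; the other secret touched by this change, `age.secrets."ninurta-backup-passphrase"` in nixos/ninurta/configuration.nix, uses `mode = "400"`, and a password file read by the service needs no more than that. Suggest `mode = "400";`. The tmpfiles rule's `cfg.consumptionDirIsPublic` branch creates the consumption directory world-writable (`777`), which is the documented meaning of that option, so a one-line comment saying so would spare the next reader a lookup. The hunk is the whole new file.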
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w RayKtknLNvFu88aFp4QL7ZMLAh5VmHmlr1DWVsWBziE -rckeFrazZJ3TxY/yD2wlzRVLh9L4x1bV2Nk7Q0S/RWM --> ssh-ed25519 Otklkw oub7OICQalIkCqAZh4/FfXB9PPBe7j2IpBP7WF/UXGk -gAwxU97b0Js6UPv59/1389/qdPGQb4koa49R14c3UjA --> mU.rG&?F-grease V? d a}mj5 ^&dc?\ -B0k6BjXmH0cm74+rjQrzJwKa1dcFwTdmlgltZ70oHctwA3+E4/CQ1ChH9UHzkHGG -Fb62klB5XYePywsvxLo2nIGVIvhBgsfIvUpq ---- ONLpuXfKtuCB+VD5IQ5KeSPyqgEb4a2y26+n5E8Ph3E -uD{r ژR9P j?hD -u#F2N +Ys\ \ No newline at end of file +-> ssh-ed25519 L7f05w Sof4o2JYLqx59paPpBJWFek1IwCHb4VhuOcPpBkut20 +QNsXS0H2z5NCnKcDuxDVvY+AnTV27/Ijeo/kd12nkoQ +-> ssh-ed25519 Otklkw WZt99A5jBrb7MNqzpCuGiJ8wJ/NxZrJE5Q02hvcVEVo +yYlAifPMGC01CGpke5ABasi/sJ8O4r3+5SyoVpbpmM4 +--- vIe/LRs2QxPpZJUrdOFuTBNanHcMyzh7iAFRalWd2dU ++]GHuUʈQ&3'Eg܃Z‘\~e) 1׻ya \ No newline at end of file diff --git a/secrets/agares-backup-ssh-key.age b/secrets/agares-backup-ssh-key.age index 15eab18..32c7885 100644 Binary files a/secrets/agares-backup-ssh-key.age and b/secrets/agares-backup-ssh-key.age differ diff --git a/secrets/agares-wg0-key.age b/secrets/agares-wg0-key.age index 9938b85..5e12fbe 100644 --- a/secrets/agares-wg0-key.age +++ b/secrets/agares-wg0-key.age 
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0 -vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ --> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM -AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk --> DJZq-grease 9))O09 z2- -ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23 -qlqnskWvo+SX3JF7NH0yQf53dZJU ---- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk -(E/P(|Jؑҋz`JO2Ԗd3qO!8HN3\i \ No newline at end of file +-> ssh-ed25519 L7f05w Nj0zjzK+5vf4YfUxLPNcBBY4ZC57tH9+rEVCv/ycNWo +5Sk99vaYclDFwTnVKB6IOcTVYJ3SGTuLVJxyjb1W4tM +-> ssh-ed25519 Otklkw ogKGpgcz0Gekw7p4LnmIKU2CEdhlkjypRGVZmFda8TI +nkOU/yc7F5BCBRakevYDXyD8akGqYwD67C+9VDxUgyE +--- zuz8UjdxI+CbMr33Z4P5ga1UoRe+oDXzVWgFUhUH1qE +b#sPDF%|Ul e9f_UZ5oeeK}M`aM!5R@j}~3ZҾ͒\ \ No newline at end of file diff --git a/secrets/ddns-credentials.age b/secrets/ddns-credentials.age index 9ae8b77..e749a1b 100644 Binary files a/secrets/ddns-credentials.age and b/secrets/ddns-credentials.age differ diff --git a/secrets/etc-ppp-chap-secrets.age b/secrets/etc-ppp-chap-secrets.age index 6a4d954..ff3e453 100644 Binary files a/secrets/etc-ppp-chap-secrets.age and b/secrets/etc-ppp-chap-secrets.age differ diff --git a/secrets/etc-ppp-telekom-secret.age b/secrets/etc-ppp-telekom-secret.age index a97dc40..ece12f8 100644 Binary files a/secrets/etc-ppp-telekom-secret.age and b/secrets/etc-ppp-telekom-secret.age differ diff --git a/secrets/gorgon-backup-passphrase-gs.age b/secrets/gorgon-backup-passphrase-gs.age index 24beb40..416b011 100644 Binary files a/secrets/gorgon-backup-passphrase-gs.age and b/secrets/gorgon-backup-passphrase-gs.age differ diff --git a/secrets/gorgon-backup-passphrase.age b/secrets/gorgon-backup-passphrase.age index 38b0cbc..68cc452 100644 Binary files a/secrets/gorgon-backup-passphrase.age and b/secrets/gorgon-backup-passphrase.age differ 
diff --git a/secrets/gorgon-backup-ssh-key.age b/secrets/gorgon-backup-ssh-key.age index 64ae675..0a00855 100644 Binary files a/secrets/gorgon-backup-ssh-key.age and b/secrets/gorgon-backup-ssh-key.age differ diff --git a/secrets/hydra-github-authorization.age b/secrets/hydra-github-authorization.age index a78cf11..ef32814 100644 Binary files a/secrets/hydra-github-authorization.age and b/secrets/hydra-github-authorization.age differ diff --git a/secrets/ifrit-backup-passphrase.age b/secrets/ifrit-backup-passphrase.age index 640ac05..b4e55eb 100644 --- a/secrets/ifrit-backup-passphrase.age +++ b/secrets/ifrit-backup-passphrase.age @@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 yMjj5g FtHlFiQa2xr57K9GiS2VX+NYI/2kP73wWXVBsr61cD8 -Gokj4dzQP6AB9YWRBvmXL8/Sts7NO6g6wP1hIYkKdp4 --> ssh-ed25519 Otklkw UB1L2gKr0wnsGktaVlnbr+nSUZQ34g7JO4uuHYhuuyM -X4AT5taAJBtFia62IUTDa1cdbZtwaxYRQFCDez8aK8k --> r;DMOG-grease h"Tb e?z^VJ icNa -/0ZIHqI0whHoBw2Qs15bxY7o1sudscitKuUB3ysyFwUVsIG4nzTOS2GFuXTQ1WuD -5pH2CQfp33hvqrqV ---- vji5ZWP7+BLgpmyX2Sxgdv7Ht37NvQ8DuY1/t3cvvuI -]eޛ,% qnAM{DJWLG@/gGo.V4 \ No newline at end of file +-> ssh-ed25519 yMjj5g pE3otZ4+5k1GxhoU7FocCMvcHZ9PFzTRqRYiVXXq/H4 +aKCBiwVwbfetSTRaTJ31iTRsvNnbm2JYFQnqTOgCyOA +-> ssh-ed25519 Otklkw jn4ZUyWFIeAt+XpxmlqckovK4/jit6SR+Xaouv7gfTU +8yJLyWHk1m9KInOWozqRWXi3kiirgQ7c/ONOwgHk/Z8 +--- 8TS+ZFZfHvgcgOYBE3nzSxbCCmCOtqPWyldlegSu6QU +:{ 4~NtXRl =>$8DQ @G1FAOtΫ \ No newline at end of file diff --git a/secrets/ifrit-backup-ssh-key.age b/secrets/ifrit-backup-ssh-key.age index 6611b7a..9d2879c 100644 Binary files a/secrets/ifrit-backup-ssh-key.age and b/secrets/ifrit-backup-ssh-key.age differ diff --git a/secrets/initrd-surgat-ssh_host_ed25519_key.age b/secrets/initrd-surgat-ssh_host_ed25519_key.age index 32dbcbf..36c4b0c 100644 Binary files a/secrets/initrd-surgat-ssh_host_ed25519_key.age and b/secrets/initrd-surgat-ssh_host_ed25519_key.age differ 
diff --git a/secrets/miniflux-admin-credentials.age b/secrets/miniflux-admin-credentials.age index 06ff0e0..9745c07 100644 --- a/secrets/miniflux-admin-credentials.age +++ b/secrets/miniflux-admin-credentials.age @@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jUOjpw Tuaz2+fgz5f2ZacAYc3TdREIurh+XG5RjjKpaEFgtGo -gB1iaKV+xAv0PGdjZwmBCxMbxgCqZrM2JBDiEWCl//8 --> ssh-ed25519 Otklkw ocyFHtGzclF+7S9I7uSqsfn5weqxj5Wq32y4c6VDiSA -hDX5Viym/WdFZE5rXzToFhqtGvj+Ft3Hh7oiuzCuG/Q --> b&-grease 2u ~R j4C 3|h`M}/ -fdhnmlw+wqO8nb86f8jdDNW2P2SxzdwuljpRrlG/ZxXcC4QxtnO6RwK9NAS9UBQr -OAxJ6v3P+cMYJcsPNLAr90rEzXfTV2VONZgoNwOKN2l5n/JX8aGCt5i/vVI ---- sYjj24oaGUMZPD4TV8JKfjSPHeYOKh+OpueLZT/TxCQ -TO&DdC2ƔW^˻Z &b ssh-ed25519 jUOjpw 6ThewcuTvg2mn/jC1eqR0KFDXdN8G3JIUBLLiBabkFI +lstfGPvJgaUOp0jriP2nsi4IvgwRjs8dnRye7+ihD/Q +-> ssh-ed25519 Otklkw N0ozjfxbOBq7EIvxP4TRa2XyMQ8fINCiHjK0MFq2X0w +tEeua88G2aN6REaUN6xTlkRLy0GFgNfj7v0VXhqddc4 +--- N9V7UfSDvrOAeOr3MRXiCwIu8JJt3NSL3FrGyPapLrM +E"K?>VÄbXdg!ѹ) B f\=[2LxwXH*l9w \ No newline at end of file diff --git a/secrets/ninurta-backup-passphrase.age b/secrets/ninurta-backup-passphrase.age index be260fe..6b89f13 100644 Binary files a/secrets/ninurta-backup-passphrase.age and b/secrets/ninurta-backup-passphrase.age differ diff --git a/secrets/ninurta-backup-ssh-key.age b/secrets/ninurta-backup-ssh-key.age index 30a2b2e..0eb3e9c 100644 Binary files a/secrets/ninurta-backup-ssh-key.age and b/secrets/ninurta-backup-ssh-key.age differ diff --git a/secrets/ninurta-initrd-ssh-key.age b/secrets/ninurta-initrd-ssh-key.age index 7d1aae3..bdb981f 100644 Binary files a/secrets/ninurta-initrd-ssh-key.age and b/secrets/ninurta-initrd-ssh-key.age differ diff --git a/secrets/paperless.age b/secrets/paperless.age index d2c2d86..318a9f9 100644 --- a/secrets/paperless.age +++ b/secrets/paperless.age 
@@ -1,9 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 0aOabg 6QT8adxrQxGCx9w6JZPkbCsCM/Vos+D41JoEQ19h0AY -UaXt2lE7VnhaQ4McdCIGo8kdaYrPyg3ne8MIBCt7NXE --> ssh-ed25519 Otklkw GJQj739xwoeP9xTLpLrCxANx3/Ebipnr345xKSFLf3w -xtQBgTYrLzkaWBkx8pi0R+GKa6inKFzFD5tompll3wo --> )gWM0O-grease i%" tB -culBBLA5Bt/POa9w ---- Vtxd8HsFnjBl6eXE4UYNoR1Ca/JA9UlK/WE+FNkmPtk -bV v:ah&4fNJ2]{!%1Ia\}Xex1~_"r,j:O?5 \ No newline at end of file +-> ssh-ed25519 WJCMDA NDB+Z1hpwH3PWjViCbrRdrt0WCFnsYDBVd1rADCQy2I +p/QYmC6ZwwlyCNrVhUw1vUNfnNGiw8B/rsqP9EMGJ5E +-> ssh-ed25519 Otklkw yLMSfitfbXO8qRqaJwKxx68R0AJHsTre0XlN2huudWY +JYogGtU0LLPcJpN9oWmAQE0Kyk2yhNmxrVgh0JMFphE +--- pGx08jh8YJCDeEvi7iZa6pXrlwg8otUTkxv0T5gwLcM +˲'t2͟E/ؿ6@ +DfiVGO_a\{}_~:>GN@K| \ No newline at end of file diff --git a/secrets/pruflas-backup-passphrase.age b/secrets/pruflas-backup-passphrase.age index 7750b1c..7315527 100644 Binary files a/secrets/pruflas-backup-passphrase.age and b/secrets/pruflas-backup-passphrase.age differ diff --git a/secrets/pruflas-backup-ssh-key.age b/secrets/pruflas-backup-ssh-key.age index dd41e28..57e57c8 100644 Binary files a/secrets/pruflas-backup-ssh-key.age and b/secrets/pruflas-backup-ssh-key.age differ diff --git a/secrets/pruflas-wg-hydra-key.age b/secrets/pruflas-wg-hydra-key.age index be57748..7c1333d 100644 Binary files a/secrets/pruflas-wg-hydra-key.age and b/secrets/pruflas-wg-hydra-key.age differ diff --git a/secrets/pruflas-wg0-key.age b/secrets/pruflas-wg0-key.age index 122adcd..1312de7 100644 --- a/secrets/pruflas-wg0-key.age +++ b/secrets/pruflas-wg0-key.age 
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw R+xnmMAoVmaJi9UMYBSX5CKk21LhI9iIionc6Nh8ZWg -eR+OpFfB6BIOzOUeeY5IzmXerCCiqOYS9ZAGIb0UAS0 --> ssh-ed25519 Otklkw HYpIGulRkcfpKhSdb1mF/hbBHiXCUzYR6/b0KspgHTU -1HAtdynQZ10AVgGqh4cw3qDqSh6Suum3zYo6/G7qKw4 --> +YMQ-grease -wyHx9k+fMnxTm1LMDhmmMye/ ---- g1F7i8Y0foxjDp6qbBtjhY3A/vyxM2R/zIQJZTG2F5o -.]n"wjkYd<2{N N0`XUsPxV)nfOg \ No newline at end of file +-> ssh-ed25519 J6ROvw jC7rwmoizfZqenUwlrMlLRyN9yQnog2X3KIJ2GgRZB8 +yGoiZTNfrPm6+fb1BcZGH6Lzm8Pj4aeyjWtLNYbGSFg +-> ssh-ed25519 Otklkw a2/N7JOiOY/orGyCogBIj48EjTltThv7AAHuMHK7Xzo +PTP9vaEpFf7PXoRobHJgAkNVBh+u3+7rUMKiMj+fadQ +--- KR51LRGHd6jWP4rUWvQqXskwEGfxb0tSCNKtnFT255A +Gw)HkG F&e[{RGh"L{\{H~{.uWMaZ \ No newline at end of file diff --git a/secrets/pruflas-wg0-preshared-key.age b/secrets/pruflas-wg0-preshared-key.age index 7528977..94f9a88 100644 Binary files a/secrets/pruflas-wg0-preshared-key.age and b/secrets/pruflas-wg0-preshared-key.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1da186e..f449646 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,6 +7,7 @@ let ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; + stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObI38cB8gTDXmDb5GcK4pLm5xM+nnvGeSfEpB4lVEwE root@stolas"; }; backupSecrets = hostName: { "${hostName}-backup-passphrase.age".publicKeys = [ @@ -45,7 +46,8 @@ in dadada ]; "paperless.age".publicKeys = [ - systems.gorgon + #systems.gorgon + systems.stolas dadada ]; "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [ @@ -88,3 +90,4 @@ in // backupSecrets "pruflas" // backupSecrets "surgat" // backupSecrets "agares" +// backupSecrets "stolas" 
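Review bot: The new `stolas = "ssh-ed25519 … root@stolas";` entry is appended after `surgat`, while the neighbouring entries visible in the hunk (`ninurta`, `pruflas`, `surgat`) are in alphabetical order; moving the new line above `surgat` keeps the `systems` set sorted, which is what a reader will expect when looking a host up. The `systems` attribute set starts before this hunk, so I cannot see whether the earlier entries follow the same order.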
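Review bot: `#systems.gorgon` is left in the `paperless.age` recipient list as a commented-out line with no explanation, so a later reader cannot tell whether gorgon is retired or only temporarily removed; either delete the line or state the intent, e.g. `# gorgon no longer runs paperless; stolas took over`. The `paperless.age` hunk earlier on this page changes the first recipient stanza, which looks like a re-key to the new recipient set; whether the secret inside was also rotated is not visible here. If gorgon is being decommissioned or its key is no longer trusted, rotating the paperless credential itself is what removes its access, since removing a recipient from the encryption set does not take back plaintext that host already held. The enclosing attribute set continues outside the hunk.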
diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age new file mode 100644 index 0000000..4b4a687 Binary files /dev/null and b/secrets/stolas-backup-passphrase.age differ diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age new file mode 100644 index 0000000..0a06547 Binary files /dev/null and b/secrets/stolas-backup-ssh-key.age differ diff --git a/secrets/surgat-backup-passphrase.age b/secrets/surgat-backup-passphrase.age index 2c9bd49..b3a0a80 100644 --- a/secrets/surgat-backup-passphrase.age +++ b/secrets/surgat-backup-passphrase.age @@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jUOjpw zb9yidyhlOj2LnVSCjNwq0MBj8Ik7zdT+6vs5k2vdTY -lxFHzj+mUpW8ogGkfpZZWZRPfMp38Sb2GYojBUrxGB0 --> ssh-ed25519 Otklkw G3tj2S2BM+jmGg5ajD2hTIKAWJMAhuHAT4jpFpu2YmQ -XDLRUWirSzXQ55HnWdICzICPQDL8pyJC9SnS9ODwhdM --> v#M-grease -rEp5i85i+0HA+Rx31HR27NU ---- 2Q+j2Vh/Tbv6NYYg614YL1+yP8hff++2zAuWV7dHDe8 -HY\ \;m~qoz85Z̯e9Ia䔝Y \ No newline at end of file +-> ssh-ed25519 jUOjpw FXHC9VzSKIkbJ9JVge5vsGHiGtxBnxB7Nvqqi4OsRHA +1zhd0kCd37fXmWtq9kRx1vQvjTT4i5HsQ9DibyGmNUI +-> ssh-ed25519 Otklkw ZKy9Vbf1W1UpejNy8nh+eGss19XLqJuHL6qJuG1KP20 +t5C0Jw//1vK5iiG3+tJK6bu/SBR7StHRDog9ivlfVAI +--- 08Q8bBFnJF2TFV62trgPig/VL3RwKN0dyw4PBgg5LDU +F` 4tۭ ٧o9~}ق)7#a/W\;l2Рl \ No newline at end of file diff --git a/secrets/surgat-backup-ssh-key.age b/secrets/surgat-backup-ssh-key.age index 7523e7a..2abfeac 100644 Binary files a/secrets/surgat-backup-ssh-key.age and b/secrets/surgat-backup-ssh-key.age differ diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age index c664303..7400a57 100644 Binary files a/secrets/surgat-ssh_host_ed25519_key.age and b/secrets/surgat-ssh_host_ed25519_key.age differ 
diff --git a/secrets/wg-privkey-vpn-dadada-li.age b/secrets/wg-privkey-vpn-dadada-li.age
index b956b5e..4bd9044 100644
Binary files a/secrets/wg-privkey-vpn-dadada-li.age and b/secrets/wg-privkey-vpn-dadada-li.age differ
diff --git a/treefmt.nix b/treefmt.nix
new file mode 100644
index 0000000..75acdfa
--- /dev/null
+++ b/treefmt.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ projectRootFile = "flake.nix";
+ programs.nixfmt.enable = true;
+ programs.shellcheck.enable = pkgs.hostPlatform.system != "riscv64-linux";
+ programs.shfmt.enable = pkgs.hostPlatform.system != "riscv64-linux";
+ programs.yamlfmt.enable = true;
+}
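Review bot: The `pkgs.hostPlatform.system != "riscv64-linux"` test is written twice, once for `shellcheck` and once for `shfmt`, and nothing in the file says why that platform is excluded; hoisting it into one `let` binding with a comment gives the exclusion a single place to be updated and justified. Presumably the two tools do not build on riscv64-linux, but that should be recorded in the file rather than inferred by the next reader. The sketch below keeps the exported attribute set unchanged.
```nix
{ pkgs, ... }:
let
  # shellcheck and shfmt are skipped on riscv64-linux — TODO: record why (unbuildable there?)
  shellToolsSupported = pkgs.hostPlatform.system != "riscv64-linux";
in
{
  # … unchanged: projectRootFile, nixfmt, yamlfmt …
  programs.shellcheck.enable = shellToolsSupported;
  programs.shfmt.enable = shellToolsSupported;
}
```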