qbit/xin
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

hello world!

Browse Source
This commit is contained in:
Aaron Bieber 2022-08-25 12:21:35 -06:00
parent 80238fa754
commit ed9e687dbe
No known key found for this signature in database
81 changed files with 8611 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.allowed_signers Normal file
View File

@ -0,0 +1,3 @@
aaron@bolddaemon.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI=
aaron@bolddaemon.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu

1
.envrc Normal file
View File

@ -0,0 +1 @@
use flake

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
.gcroots/
.direnv
result
.DS_Store

15
LICENSE Normal file
View File

@ -0,0 +1,15 @@
/*
* Copyright (c) 2021 Aaron Bieber <aaron@bolddaemon.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

82
README.md
View File

@ -0,0 +1,82 @@
nix-conf
========
```
.
├── bins
│   ├── default.nix
│   ├── ix.nix
│   ├── rage.nix
│   └── sfetch.nix
├── boot
├── configs
│   ├── colemak.nix
│   ├── develop.nix
│   ├── dns.nix
│   ├── doas.nix
│   ├── emacs.nix
│   ├── gitmux.nix
│   ├── git.nix
│   ├── neovim.lua
│   ├── neovim.nix
│   ├── tmux.nix
│   ├── ts.nix
│   └── zsh.nix
├── dbuild
│   ├── build-consumer.nix
│   ├── build-server.nix
│   └── default.nix
├── default.nix
├── deploy
├── flake.lock
├── flake.nix
├── fmt
├── gui
│   ├── default.nix
│   ├── gnome.nix
│   ├── kde.nix
│   └── xfce.nix
├── hosts
│   ├── box
│   │   ├── default.nix
│   │   ├── hardware-configuration.nix
│   │   └── secrets
│   │   └── services.yaml
│   ├── europa
│   │   ├── default.nix
│   │   └── hardware-configuration.nix
│   ├── faf
│   │   ├── default.nix
│   │   └── hardware-configuration.nix
│   ├── hass
│   ├── litr
│   │   ├── default.nix
│   │   └── hardware-configuration.nix
│   ├── nerm
│   │   ├── default.nix
│   │   └── hardware-configuration.nix
│   └── weather
│   ├── default.nix
│   └── hardware-configuration.nix
├── installer.nix
├── LICENSE
├── pkgs
│   ├── cinny-desktop.nix
│   ├── default.nix
│   ├── gitmux.nix
│   └── mudita-center.nix
├── README.md
├── services
│   ├── config-manager.nix
│   ├── default.nix
│   └── ssh-fido-agent.nix
├── shell.nix
├── system
│   ├── nix-config.nix
│   ├── nix-lockdown.nix
│   └── update.nix
└── users
└── default.nix
17 directories, 57 files
```

22
bins/check-restart.nix Normal file
View File

@ -0,0 +1,22 @@
{ perl }:
''
#!${perl}/bin/perl
use strict;
use warnings;
sub say { print @_, "\n"; }
my @booted = split("/", `readlink -f /run/booted-system/kernel`);
my @current = split("/", `readlink -f /run/current-system/kernel`);
if ($booted[3] ne $current[3]) {
say "Restart required!";
say "old: $booted[3]";
say "new: $current[3]";
exit 1;
} else {
say "system is clean..";
}
''

12
bins/default.nix Normal file
View File

@ -0,0 +1,12 @@
{ pkgs, lib, isUnstable, ... }:
let
oathPkg = pkgs.oath-toolkit or pkgs.oathToolkit;
ix = pkgs.writeScriptBin "ix" (import ./ix.nix { inherit (pkgs) perl; });
rage = pkgs.writeScriptBin "rage" (import ./rage.nix { inherit pkgs; });
sfetch = pkgs.writeScriptBin "sfetch"
(import ./sfetch.nix { inherit (pkgs) minisign curl; });
checkRestart = pkgs.writeScriptBin "check-restart"
(import ./check-restart.nix { inherit (pkgs) perl; });
in {
environment.systemPackages = with pkgs; [ rage ix sfetch xclip checkRestart ];
}

38
bins/ix.nix Normal file
View File

@ -0,0 +1,38 @@
{ perl }:
''
#!${perl}/bin/perl
use strict;
use warnings;
use HTTP::Tiny;
if ($^O eq "openbsd") {
require OpenBSD::Pledge;
require OpenBSD::Unveil;
OpenBSD::Unveil::unveil("/", "") or die;
OpenBSD::Pledge::pledge(qw( stdio dns inet rpath )) or die;
}
my $http = HTTP::Tiny->new();
sub slurp {
my ($fh) = @_;
local $/;
<$fh>;
}
sub sprunge {
my ($input) = @_;
my $url = "http://sprunge.us";
my $form = [ sprunge => $input ];
my $resp = $http->post_form($url, $form)
or die "could not POST: $!";
$resp->{content};
}
my $input = slurp('STDIN');
my $url = sprunge($input);
print $url;
''

87
bins/rage.nix Normal file
View File

@ -0,0 +1,87 @@
{ pkgs }:
let oathPkg = pkgs.oath-toolkit or pkgs.oathToolkit;
in ''
#!/usr/bin/env sh
set -e
rage_dir=~/.rage
. ''${rage_dir}/config
cmd=$1
list() {
find $rage_dir -type f -name \*.age
}
if [ -z $cmd ]; then
list
exit
fi
case $cmd in
ls)
list
;;
re)
F=""
if [ -f $2 ]; then
F=$2
else
F=$(list | grep $2)
fi
echo "Re-encrypting: '$F'"
pass="$(${pkgs.age}/bin/age -i $identity -d "$F")"
echo "$pass" | ${pkgs.age}/bin/age -a -R "$recipients" > "$F"
;;
en)
printf 'Password: '
stty -echo
read pass
stty echo
echo ""
printf 'Location: '
read loc
echo ""
mkdir -p "$(dirname ~/.rage/$loc)"
echo "$pass" | ${pkgs.age}/bin/age -a -R "$recipients" > ~/.rage/''${loc}.age
;;
de)
if [ -f $2 ]; then
${pkgs.age}/bin/age -i $identity -d $2
else
F=$(list | grep $2)
${pkgs.age}/bin/age -i $identity -d "$F"
fi
;;
cp)
if [ -f $2 ]; then
${pkgs.age}/bin/age -i $identity -d $2 | ${pkgs.xclip}/bin/xclip
else
F=$(list | grep $2)
${pkgs.age}/bin/age -i $identity -d "$F" | ${pkgs.xclip}/bin/xclip
fi
;;
otp)
if [ -f $2 ]; then
${pkgs.age}/bin/age -i $identity -d $2 | ${oathPkg}/bin/oathtool -b --totp -
else
F=$(list | grep $2)
${pkgs.age}/bin/age -i $identity -d "$F" | ${oathPkg}/bin/oathtool -b --totp -
fi
;;
push)
cd $rage_dir
git push
;;
sync)
cd $rage_dir
git sync
;;
default)
list
esac
''

23
bins/sfetch.nix Normal file
View File

@ -0,0 +1,23 @@
{ minisign, curl }:
''
#!/usr/bin/env sh
set -e
SERVER=cdn.openbsd.org
ITEM=$1
MACHINE=amd64
VER=snapshots
V=7.1
[[ ! -z $2 ]] && MACHINE=$2
if [[ ! -z $3 ]]; then
VER=$3
V=$(echo $VER | sed 's/\.//')
fi
${curl}/bin/curl -o "$PWD/$ITEM" "https://$SERVER/pub/OpenBSD/$VER/$MACHINE/$ITEM" && \
${curl}/bin/curl -o "$PWD/SHA256.sig" "https://$SERVER/pub/OpenBSD/$VER/$MACHINE/SHA256.sig"
${minisign}/bin/minisign -C -p "/etc/signify/openbsd-$V-base.pub" -x SHA256.sig "$ITEM"
''

13
boot Executable file
View File

@ -0,0 +1,13 @@
#!/usr/bin/env sh
case $1 in
weather)
nix build .#nixosConfigurations.weatherInstall.config.system.build.sdImage
;;
haas)
nix build .#nixosConfigurations.hassInstall.config.system.build.isoImage
;;
*)
echo "Usage: boot [weather|hass]"
esac

38
check-restart Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/env sh
. ./common.sh
while getopts "r" arg; do
case $arg in
r)
REBOOT=1
;;
esac
done
start
trap finish EXIT INT HUP
for i in $(ls hosts); do
host=$(resolveAlias $i)
echo -n "===> $i: "
if tsAlive $host; then
if ${SSH} root@$host 'check-restart' >/dev/null 2>&1; then
echo -e "\tOK"
else
if [ ! -z $REBOOT ]; then
if isRunHost $i; then
echo -e "\tskipping runhost..."
else
echo -e "\trebooting..."
${SSH} root@$host 'reboot' >/dev/null 2>&1
fi
else
echo -e "\tREBOOT"
fi
fi
else
echo -e "\tDOWN"
fi
done

56
common.sh Normal file
View File

@ -0,0 +1,56 @@
NIX_SSHOPTS="-i /run/secrets/manager_pubkey -oIdentitiesOnly=yes -oControlPath=/tmp/manager-ssh-%r@%h:%p"
SSH="ssh ${NIX_SSHOPTS}"
CurrentVersion="$(git rev-parse HEAD)"
AgentKeys="$(ssh-add -L | awk '{print $2}')"
RunHost="$(uname -n)"
msg() {
echo "===> $@"
}
resolveAlias() {
host="${1}"
if [ -f hosts/${host}/alias ]; then
cat "hosts/${host}/alias"
return
fi
echo "$host"
}
agentHasKey() {
checkKey="$(echo $1 | awk '{print $NF}')"
for i in $AgentKeys; do
if [[ "$i" == $checkKey ]]; then
return 0
fi
done
return 1
}
isRunHost() {
if [ "$1" = "$RunHost" ]; then
return 0
fi
return 1
}
tsAlive() {
ping -c 1 -w 2 $1 >/dev/null 2>&1 && return 0
tailscale ping --timeout 2s --c 1 --until-direct=false $1 >/dev/null 2>&1 && return 0
return 1
}
error() {
msg "Something went wrong!"
exit 1
}
start() {
agentHasKey "$(cat /run/secrets/manager_pubkey | awk '{print $2}')" || \
ssh-add /run/secrets/manager_key
}
finish() {
ssh-add -d /run/secrets/manager_key
exit 0
}

22
configs/colemak.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, lib, ... }:
with lib; {
options = {
colemak = {
enable = mkOption {
description = "Enable colemak keyboard layout";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkIf config.colemak.enable {
console = { keyMap = "colemak"; };
services.xserver = {
layout = "us";
xkbVariant = "colemak";
xkbOptions = "ctrl:swapcaps";
};
};
}

15
configs/develop.nix Normal file
View File

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
with lib; {
options = {
jetbrains = { enable = mkEnableOption "Install JetBrains editors"; };
};
config = mkMerge [
(mkIf config.jetbrains.enable {
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [ "idea-ultimate" ];
environment.systemPackages = with pkgs; [ jetbrains.idea-ultimate sshfs ];
})
];
}

32
configs/dns.nix Normal file
View File

@ -0,0 +1,32 @@
{ config, lib, ... }:
with lib; {
options = {
preDNS = {
enable = mkOption {
description = "Enable DNSSEC";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkIf config.preDNS.enable {
services = {
openntpd.enable = true;
resolved = {
enable = true;
dnssec = "allow-downgrade";
# TODO: Enable a toggle for ipv6
extraConfig = ''
[Resolve]
DNS=45.90.28.0#8436c6.dns1.nextdns.io
DNS=2a07:a8c0::#8436c6.dns1.nextdns.io
DNS=45.90.30.0#8436c6.dns2.nextdns.io
DNS=2a07:a8c1::#8436c6.dns2.nextdns.io
DNSOverTLS=yes
'';
};
};
}; # tailscale and what not have no preDNS
}

23
configs/doas.nix Normal file
View File

@ -0,0 +1,23 @@
{ config, lib, ... }:
with lib; {
options = {
doas = { enable = mkEnableOption "Enable doas for priv-escie"; };
};
config = mkIf config.doas.enable {
nixpkgs.config.packageOverrides = pkgs: {
doas = pkgs.doas.override { withPAM = false; };
};
security = {
doas = {
enable = true;
extraRules = [{
groups = [ "wheel" ];
persist = true;
}];
};
sudo.enable = false;
};
};
}

60
configs/emacs.nix Normal file
View File

@ -0,0 +1,60 @@
{ runCommand, emacsWithPackagesFromUsePackage, pkgs, lib, makeWrapper, mu
, writeTextDir, emacs, emacsPkg ? pkgs.emacsPgtkNativeComp, ... }:
let
muDir = "${mu}/share/emacs/site-lisp/mu4e";
# Generate a .el file from our emacs.org.
emacsConfig = runCommand "emacsConfig" { } ''
mkdir -p $out
cp -v ${./emacs.org} $out/emacs.org
cd $out
${emacs}/bin/emacs --batch -Q -q \
--debug-init \
-l org emacs.org \
-f org-babel-tangle
if [ $? != 0 ]; then
echo "Generating failed!"
exit 1;
else
echo "Generated org config!"
fi
'';
# init.el to load my config and other dependencies.
emacsInit = writeTextDir "share/emacs/site-lisp/init.el" ''
(message "Loading my 'mu4e' from: ${muDir}")
(add-to-list 'load-path "${muDir}")
(load "${muDir}/mu4e.el")
(message "Loading my 'emacs.org' config from: ${emacsConfig}")
(load "${emacsConfig}/emacs.el")
'';
emacsInitDir = "${emacsInit}/share/emacs/site-lisp";
# Binaries that are needed in emacs
emacsDepList = with pkgs; [
go-font
graphviz
ispell
isync
mu
texlive.combined.scheme-full
];
in emacsWithPackagesFromUsePackage {
config = ./emacs.org;
alwaysEnsure = true;
alwaysTangle = true;
package = emacsPkg.overrideAttrs (oa: {
nativeBuildInputs = oa.nativeBuildInputs ++ [ makeWrapper emacsConfig ];
postInstall = ''
${oa.postInstall}
wrapProgram $out/bin/emacs \
--prefix PATH : ${pkgs.lib.makeBinPath emacsDepList} \
--add-flags '--init-directory ${emacsInitDir}'
'';
});
}

1488
configs/emacs.org Normal file
View File

File diff suppressed because it is too large Load Diff

65
configs/git.nix Normal file
View File

@ -0,0 +1,65 @@
{ config, pkgs, isUnstable, ... }:
{
programs.git = {
enable = true;
lfs.enable = true;
config = {
init = { defaultBranch = "main"; };
user = {
name = "Aaron Bieber";
email = "aaron@bolddaemon.com";
signingKey = if isUnstable then
"key::sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
else
"35863350BFEAC101DB1A4AF01F81112D62A9ADCE";
};
branch = { sort = "-committerdate"; };
alias = {
log = "log --color=never";
diff = "diff --color=always";
pr = ''"!f() { git fetch-pr upstream $1; git checkout pr/$1; }; f"'';
fetch-pr =
''"!f() { git fetch $1 refs/pull/$2/head:refs/remotes/pr/$2; }; f"'';
};
push = { default = "current"; };
gpg = if isUnstable then { format = "ssh"; } else { };
commit = if isUnstable then { gpgsign = true; } else { };
color = {
branch = false;
interactive = false;
log = false;
status = false;
ui = false;
};
safe = { directory = "/home/qbit/src/nix-conf"; };
transfer = { fsckobjects = true; };
fetch = { fsckobjects = true; };
github = { user = "qbit"; };
url = {
"ssh://git@github.com/" = { insteadOf = "https://github.com/"; };
};
sendmail = {
smtpserver = "mail.messagingengine.com";
smtpuser = "qbit@fastmail.com";
smtpauth = "PLAIN";
smtpencryption = "tls";
smtpserverport = 587;
cc = "aaron@bolddaemon.com";
confirm = "auto";
};
pull = { rebase = false; };
include = { path = "~/work/git/gitconfig"; };
};
};
}

35
configs/gitmux.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }: {
#environment.systemPackages = with pkgs; [ gitmux ];
environment.etc."gitmux.conf" = {
text = ''
tmux:
symbols:
branch: ' '
hashprefix: ':'
ahead: ·
behind: ·
staged: ' '
conflict: ' '
modified: ' '
untracked: ' '
stashed: ' '
clean:
styles:
clear: '#[fg=default]'
state: '#[fg=default]'
branch: '#[fg=default]'
remote: '#[fg=default]'
staged: '#[fg=default]'
conflict: '#[fg=default]'
modified: '#[fg=default]'
untracked: '#[fg=default]'
stashed: '#[fg=default]'
clean: '#[fg=default]'
divergence: '#[fg=default]'
layout: [branch, .., remote-branch, divergence, ' - ', flags]
options:
branch_max_len: 0
branch_trim: right
'';
};
}

24
configs/manager.nix Normal file
View File

@ -0,0 +1,24 @@
{ config, lib, ... }:
with lib; {
options = {
nixManager = {
enable = mkEnableOption "Configure host as nix-conf manager.";
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the private key.
'';
};
};
};
config = mkIf config.nixManager.enable {
#sops.defaultSopsFile = ../manager.yaml;
sops.defaultSopsFile = config.xin-secrets.manager;
sops.secrets = {
manager_key = { owner = config.nixManager.user; };
manager_pubkey = { owner = config.nixManager.user; };
};
};
}

145
configs/neomutt.nix Normal file
View File

@ -0,0 +1,145 @@
{ config, lib, pkgs, ... }: {
environment.systemPackages = with pkgs; [ neomutt urlview ];
environment.etc."neomuttrc" = {
text = ''
ignore *
unignore from: subject to cc date x-mailer x-url user-agent
set from = "aaron@bolddaemon.com"
set realname = "Aaron Bieber"
set imap_user = "qbit@fastmail.com"
set imap_pass = `cat /run/secrets/fastmail`
set smtp_url = "smtps://$imap_user@mail.messagingengine.com"
set smtp_pass = $imap_pass
set folder = "imaps://mail.messagingengine.com:993"
set spoolfile = "+INBOX"
set header_cache = ~/.mutt/cache/fm/headers
set message_cachedir = ~/.mutt/cache/fm/bodies
folder-hook . set from="aaron@bolddaemon.com"
unmailboxes *
named-mailboxes Inbox "=INBOX"
named-mailboxes git "=INBOX.git"
named-mailboxes OpenBSD/ "=INBOX.OpenBSD"
named-mailboxes OpenBSD/Hackers "=INBOX.OpenBSD.Hackers"
named-mailboxes OpenBSD/Tech "=INBOX.OpenBSD.Tech"
named-mailboxes OpenBSD/Ports "=INBOX.OpenBSD.Ports"
named-mailboxes OpenBSD/GOT "=INBOX.OpenBSD.GOT"
named-mailboxes OpenBSD/Bugs "=INBOX.OpenBSD.Bugs"
named-mailboxes OpenBSD/Misc "=INBOX.OpenBSD.Misc"
named-mailboxes OpenBSD/ARM "=INBOX.OpenBSD.Arm"
named-mailboxes OpenBSD/PPC "=INBOX.OpenBSD.ppc"
named-mailboxes OpenBSD/src-ch "=INBOX.OpenBSD.src-changes"
named-mailboxes OpenBSD/ports-ch "=INBOX.OpenBSD.ports-changes"
named-mailboxes 9front "=INBOX.9front"
named-mailboxes OSS-Sec "=INBOX.OSS-Sec"
named-mailboxes Archive "=INBOX.Archive"
named-mailboxes Sent "=INBOX.Sent Items"
named-mailboxes Drafts "=INBOX.Drafts"
named-mailboxes Trash "=INBOX.Trash"
named-mailboxes JunkCan "=INBOX.JunkCan
set editor = "nvim"
set certificate_file = ~/.mutt/certificates
set mail_check = 120
set mail_check_stats = yes
set timeout = 300
set imap_keepalive = 300
set imap_passive
set imap_check_subscribed = yes
set ispell = "aspell --mode=email --add-email-quote=%,#,:,} --check"
set message_cache_clean = yes
set user_agent = no
set smart_wrap = yes
set attach_format="%u%D%I %t%2n %T%.20d %> [%.7m/%.10M, %.6e%?C?, %C?, %s] "
set date_format="!%a, %d %b %Y at %H:%M:%S %Z"
set forward_format="fwd: %s"
set index_format="%[%m-%d] [%Z] %-54.54s %F"
set pager_format=" %f: %s"
set sidebar_format="%B%* %?N?(%N)?"
set status_format=" %h: %f (msgs:%?M?%M/?%m %l%?n? new:%n?%?o? old:%o?%?d? del:%d?%?F? flag:%F?%?t? tag:%t?%?p? post:%p?%?b? inc:%b?%?l??) %> %_v "
set move = no
set askcc
set sort = 'threads'
set sort_aux = 'last-date-received'
set mailcap_path="~/.mailcap"
set sidebar_visible = yes
set sidebar_width = 30
set sidebar_format = "%B%?F? [%F]?%* %?N?%N/?%S"
bind index,pager \Ck sidebar-prev
bind index,pager \Cj sidebar-next
bind index,pager \Co sidebar-open
set pager_index_lines=10
set spoolfile = "="
set record="=INBOX.Sent Items"
set postponed="=INBOX.Drafts"
set trash = "=INBOX.Trash"
mono attachment bold
mono body underline "(https?|t?ftp|mailto|gopher|ssh|telnet|finger)://[^ ]+"
mono body underline "[-a-z_0-9.]+@[-a-z_0-9.]+[a-z]" # email addresses
mono body bold "-----Original Message-----"
mono body bold "[;:]-[)/(|]"
mono header none .
mono header bold "^From: "
mono header bold "^Resent-From: "
mono header bold "^To: "
mono header bold "^Subject: "
mono header bold "^Organi[zs]ation: "
mono header bold "^Priority: Urgent"
mono header bold "^Importance: high"
mono index bold '~U'
mono index bold '~F'
mono signature bold
mono tilde bold
mono tree bold
mono quoted bold
color normal default default
color attachment brightdefault default
color body brightdefault default "(http|https|ftp|mailto|gopher|telnet|finger)://[^ ]+"
color body brightdefault default "[-a-z_0-9.]+@[-a-z_0-9.]+[a-z]"
color body brightdefault default "-----Original Message-----"
color body brightdefault default "[;:]-[)/(|]"
color header default default .
color header brightdefault default "^From: "
color header brightdefault default "^Resent-From: "
color header brightdefault default "^To: "
color header brightdefault default "^Subject: "
color header brightdefault default "^Organi[zs]ation: "
color header brightdefault default "^Priority: Urgent"
color header brightdefault default "^Importance: high"
color header brightdefault default '~U'
color header brightdefault default '~F'
color signature brightdefault default
color tilde brightblack default
color quoted brightblack default
color index red default '~F'
color index brightblack default '~D'
color index default default '~U'
color index red default '~z 500000-'
# make diffs pop
color body brightblack default '^(Index: |\+\+\+ |--- |diff ).*$'
color body red default '^-.*$'
color body green default '^\+.*$'
'';
};
}

38
configs/neovim.lua Normal file
View File

@ -0,0 +1,38 @@
local map = vim.api.nvim_set_keymap
local o = vim.o
local cmd = vim.cmd
cmd("syntax off");
cmd("set nolist");
cmd("set ruler");
cmd("set mouse-=a");
require("compe").setup {
enabled = true;
autocomplete = true;
source = {
path = true;
buffer = true;
calc = true;
nvim_lsp = true;
nvim_lua = true;
vsnip = true;
ultisnips = true;
luasnip = true;
};
}
local lspc = require("lspconfig")
lspc.gopls.setup {};
o.hlsearch = true;
map('n', '<C-n>', ':NvimTreeToggle<CR>', {noremap = true})
map('n', '<leader>r', ':NvimTreeRefresh<CR>', {noremap = true})
map('n', '<leader>n', ':NvimTreeFindFile<CR>', {noremap = true})
map('n', '<leader>s', ':%s/\\s\\+$//e', {noremap = true})
map('n', '<learder>1', ':GitGutterToggle<CR>', {noremap = true})
map('n', '<learder>2', ':set list!<CR>', {noremap = true})
map('n', '<learder>3', ':set nu!<CR>', {noremap = true})
map('n', '<learder>4', ':set paste!<CR>', {noremap = true})

35
configs/neovim.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
baseVimPackages = with vimPlugins; [
fugitive
nvim-compe
nvim-lspconfig
vim-gitgutter
vim-nix
zig-vim
vimagit
rust-vim
];
myVimPackages = if pkgs.system == "aarch64-linux" then
baseVimPackages
else
baseVimPackages ++ [ vimPlugins.vim-go ];
in {
programs.neovim = {
enable = true;
defaultEditor = true;
configure = {
packages.myVimPackage = { start = myVimPackages; };
customRC = ''
" Restore cursor position
autocmd BufReadPost *
\ if line("'\"") > 1 && line("'\"") <= line("$") |
\ exe "normal! g`\"" |
\ endif
luafile ${./neovim.lua}
'';
};
};
}

38
configs/net-overlay.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
with lib; {
options = {
zerotier = {
enable = mkOption {
description = "Enable ZeroTier";
default = false;
example = true;
type = lib.types.bool;
};
};
tailscale = {
enable = mkOption {
description = "Enable TailScale";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkMerge [
(mkIf config.tailscale.enable {
services = { tailscale = { enable = true; }; };
networking.firewall.checkReversePath = "loose";
})
(mkIf config.zerotier.enable {
environment.systemPackages = with pkgs; [ zerotierone ];
services = {
zerotierone = {
enable = true;
joinNetworks = [ "db64858fedd3b256" ];
};
};
networking.firewall.checkReversePath = "loose";
})
];
}

60
configs/tmux.nix Normal file
View File

@ -0,0 +1,60 @@
{ config, lib, ... }:
with lib; {
programs.tmux = {
enable = true;
extraConfig = ''
unbind C-b
set-option -g prefix C-o
set-window-option -g mode-keys emacs
set-window-option -g automatic-rename off
set-window-option -g base-index 1
bind-key \\ split-window -h -c '#{pane_current_path}' # vertical pane
bind-key - split-window -v -c '#{pane_current_path}' # horizontal pane
bind-key C-r source-file /etc/tmux.conf \; \
display-message "source-file done"
bind-key m set mouse \; \
display-message "toggle mouse"
bind-key C-s set synchronize-panes \; \
display-message "toggle synchronize-panes"
# stolen from jca
bind o send-prefix
bind C-o last-window
bind-key h select-pane -L
bind-key j select-pane -D
bind-key k select-pane -U
bind-key l select-pane -R
set -g bell-action any
set -g default-terminal "tmux-256color"
set -g set-titles on
set -g automatic-rename
set-option -g status-bg colour253
set-window-option -g clock-mode-colour colour246
set -g clock-mode-style 12
set-window-option -g window-status-bell-style fg=white,bg=red
# Change the default escape-time to 0 (from 500) so emacs will work right
set -g escape-time 0
set -g window-status-current-format '#[bg=colour250]#I:#W•'
set -g status-left '#[fg=green][#[fg=red]#S:#(~/bin/beat)#[fg=black,dim]#[fg=green]] '
set -g status-right-length 50
set -g status-right '#[fg=green][#[fg=black]#(basename "#{pane_current_path}")#[fg=green]][#[fg=black]%Y-%m-%d #[fg=black]%I:%M %p#[default]#[fg=green]]'
set -g window-style 'bg=#DEDEFF'
set -g window-active-style 'bg=terminal'
'';
};
}

57
configs/zsh.nix Normal file
View File

@ -0,0 +1,57 @@
{ config, lib, ... }: {
config = {
programs.zsh.interactiveShellInit = ''
export NO_COLOR=1
# That sweet sweet ^W
WORDCHARS='*?_-.[]~=&;!#$%^(){}<>'
autoload -Uz compinit && compinit
set -o emacs
'';
programs.zsh.promptInit = ''
autoload -U promptinit && promptinit
autoload -Uz vcs_info
autoload -Uz colors && colors
setopt prompt_subst
#setopt prompt_sp
zstyle ':vcs_info:*' enable git hg cvs
zstyle ':vcs_info:*' get-revision true
zstyle ':vcs_info:git:*' check-for-changes true
zstyle ':vcs_info:git:*' formats '(%b)'
precmd_vcs_info() { vcs_info }
precmd_functions+=( precmd_vcs_info )
prompt_char() {
if [ -z "$IN_NIX_SHELL" ]; then
echo -n "%#"
else
echo -n ";"
fi
}
PROMPT='%n@%m[%(?.%{$fg[default]%}.%{$fg[red]%})%?%{$reset_color%}]:%~$vcs_info_msg_0_$(prompt_char) '
k() {
''${K_DEBUG}
if [ -z $1 ]; then
echo $PWD >> ~/.k
else
K=~/.k
case $1 in
clean) sort -u $K -o ''${K};;
rm) sed -i -E "\#^''${2:-''${PWD}}\$#d" ''${K};;
ls) cat ''${K};;
*) cd "$(grep -e "$1" ''${K} | head -n 1)";;
esac
fi
}
eval "$(direnv hook zsh)"
'';
};
}

36
dbuild/build-consumer.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, lib, ... }:
with lib; {
options = {
buildConsumer = { enable = mkEnableOption "Use remote build machines"; };
};
config = mkIf config.buildConsumer.enable {
programs.ssh.knownHosts = {
pcake = {
hostNames = [ "pcake" "pcake.tapenet.org" "10.6.0.202" ];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgqVw3QWNG6Ty5o2HwW+25Eh59W3lZ30+wMqTEkUZVH";
};
};
programs.ssh.extraConfig = ''
Host pcake
HostName 10.6.0.202
IdentitiesOnly yes
IdentityFile /root/.ssh/nix_remote
'';
nix.buildMachines = [{
hostName = "pcake";
systems = [ "x86_64-linux" "aarch64-linux" ];
maxJobs = 2;
speedFactor = 4;
supportedFeatures = [ "kvm" "big-parallel" "nixos-test" "benchmark" ];
mandatoryFeatures = [ ];
}];
nix.distributedBuilds = true;
nix.extraOptions = ''
builders-use-substitutes = true
'';
};
}

18
dbuild/build-server.nix Normal file
View File

@ -0,0 +1,18 @@
{ config, lib, ... }:
with lib; {
options = {
buildServer = {
enable = mkEnableOption "Server will be used as part of the build infra";
};
};
config = mkIf config.buildServer.enable {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEtoU6ObMP7wmglT7rXMg0HEnh7cGBo6COL7BpmRC/o"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyOQdqfm7mG+5rOGIqPHSaZQdG/4L03dVJnuE1lO1fo"
];
};
}

4
dbuild/default.nix Normal file
View File

@ -0,0 +1,4 @@
{ config, lib, ... }:
with lib; {
imports = [ ./build-consumer.nix ./build-server.nix ];
}

142
default.nix Normal file
View File

@ -0,0 +1,142 @@
{ config, lib, options, pkgs, isUnstable, ... }:
let
managementKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";
in {
imports = [
./configs/colemak.nix
./configs/develop.nix
./configs/dns.nix
./configs/doas.nix
./configs/gitmux.nix
./configs/git.nix
./configs/neovim.nix
./configs/manager.nix
./configs/tmux.nix
./configs/net-overlay.nix
./configs/zsh.nix
./dbuild
./gui
#./overlays
./services
./system/nix-config.nix
./system/nix-lockdown.nix
#./system/update.nix
./users
./bins
];
options.myconf = {
hwPubKeys = lib.mkOption rec {
type = lib.types.listOf lib.types.str;
default = [
managementKey
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
];
example = default;
description = "List of hardwar public keys to use";
};
};
config = {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
security.pki.certificates = [''
-----BEGIN CERTIFICATE-----
MIIBrjCCAVOgAwIBAgIIKUKZ6zcNut8wCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM
Qm9sZDo6RGFlbW9uMCAXDTIyMDEyOTAxMDMxOVoYDzIxMjIwMTI5MDEwMzE5WjAX
MRUwEwYDVQQDEwxCb2xkOjpEYWVtb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AARYgIn1RWf059Hb964JEaiU3G248k2ZpBHtrACMmLRRO9reKr/prEJ2ltKrjCaX
+98ButRNIn78U8pL+H+aeE0Zo4GGMIGDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HQ4EFgQUiUdCcaNy3E2bFzO9I76TPlMJ4w4wHwYDVR0jBBgwFoAUiUdCcaNy3E2b
FzO9I76TPlMJ4w4wCgYIKoZIzj0EAwIDSQAwRgIhAOd6ejqevrYAH5JtDdy2Mh9M
OTIx9nDZd+AOAg0wzlzfAiEAvG5taCm14H+qdWbEZVn+vqj6ChtxjH7fqOHv3Xla
HWw=
-----END CERTIFICATE-----
''];
# from https://github.com/dylanaraps/neofetch
users.motd = ''
::::. '::::: ::::'
'::::: ':::::. ::::'
::::: '::::.:::::
.......:::::..... ::::::::
::::::::::::::::::. :::::: ::::.
::::::::::::::::::::: :::::. ::::'
..... ::::' :::::'
::::: '::' :::::'
........::::: ' :::::::::::.
::::::::::::: :::::::::::::
::::::::::: .. :::::
.::::: .::: :::::
.::::: .....
::::: :::::. ......:::::::::::::'
::: ::::::. ':::::::::::::::::'
.:::::::: '::::::::::
.::::'''::::. '::::.
.::::' ::::. '::::.
.:::: :::: '::::.
'';
boot.cleanTmpDir = true;
environment.systemPackages = with pkgs; [
(callPackage ./pkgs/got.nix { inherit isUnstable; })
age
apg
bind
btop
direnv
git-sync
jq
lz4
minisign
mosh
nix-diff
nix-top
nixfmt
nix-index
pass
rbw
tmux
];
environment.interactiveShellInit = ''
alias vi=nvim
'';
time.timeZone = "US/Mountain";
documentation.enable = true;
documentation.man.enable = true;
networking.timeServers = options.networking.timeServers.default;
programs = {
zsh.enable = true;
gnupg.agent.enable = true;
ssh = {
knownHosts."[namish.humpback-trout.ts.net]:2222".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
startAgent = true;
extraConfig = "";
};
};
services = {
openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
};
};
};
}

112
deploy Executable file
View File

@ -0,0 +1,112 @@
#!/usr/bin/env sh
. ./common.sh
trap error INT TERM
rebuild() {
host="$(resolveAlias $1)"
skip_check=$2
msg "Rebuilding: ${host}"
#if [ "$host" = "$(uname -n)" ]; then
# # Don't use ssh for the machine we are running on. Assume it's a manager machine and needs to
# # be bootstrapped.
# if [ "$(nixos-version --json | jq -r .configurationRevision)" = "$CurrentVersion" ] && [ $skip_check = false ]; then
# msg "Up-to-date: ${host}"
# return 0
# else
# sudo nixos-rebuild --flake .#${1} switch
# fi
# return 0
#fi
if ! tsAlive $host; then
msg "can't reach ${host}.. skipping.."
return
fi
hostVersion=$(${SSH} root@${host} 'nixos-version --json | jq -r .configurationRevision')
if [ $? != 0 ]; then
return $?
fi
if [ "$hostVersion" = "$CurrentVersion" ] && [ $skip_check = false ]; then
msg "Up-to-date: ${host}"
return 0
fi
nixos-rebuild --flake .#${1} --build-host root@${host} --target-host root@${host} switch
return $?
}
if [ "$1" = "install" ]; then
host="$(resolveAlias $2)"
start
if [ ! -d hosts/${host} ]; then
msg "No config found for $host"
exit 1
fi
set -eu
mkdir -p .gcroots
out=$(nix build -o .gcroots/${host} --json .#nixosConfigurations.${host}.config.system.build.toplevel | jq -r '.[0].outputs.out')
nix copy -s --to "ssh://root@${host}" "$out"
nix copy -s --derivation --to "ssh://root@${host}" "$out"
${SSH} "root@${host}" nix build --profile /nix/var/nix/profiles/system "$out"
${SSH} "root@${host}" nix shell -vv "$out" -c switch-to-configuration "$@"
exit 0
fi
if [ "$1" = "update" ]; then
can_sign=0
for i in $(ssh-add -L | awk '{print $NF}'); do
grep -q $i .allowed_signers && can_sign=1
done
if [ $can_sign = 1 ]; then
nix flake update --commit-lock-file
exit
else
echo "Can't find signing key."
exit 1
fi
fi
if [ "$1" = "installer" ]; then
nix build .#nixosConfigurations.isoInstall.config.system.build.isoImage
exit $?
fi
start
if [ "$1" = "diff" ]; then
set -x
host="$(resolveAlias $2)"
mkdir -p .gcroots
out=$(nix build -o .gcroots/${host} --json .#nixosConfigurations.${2}.config.system.build.toplevel | jq -r '.[0].outputs.out')
nix copy -s --to "ssh://root@$host" "$out"
nix copy -s --derivation --to "ssh://root@$host" "$out"
${SSH} "root@$host" "nix-store -qd /run/current-system $out | xargs nix-diff --color=always" | less
exit $?
fi
ret=0
if [ ${#@} = 1 ]; then
rebuild $1 true || ret=1
else
for host in $(ls hosts); do
rebuild $host false || ret=1
done
fi
if [ $ret = 0 ]; then
finish
else
msg "WARNING: Management key retained!"
fi

262
flake.lock generated Normal file
View File

@ -0,0 +1,262 @@
{
"nodes": {
"darwin": {
"inputs": {
"nixpkgs": [
"stable"
]
},
"locked": {
"lastModified": 1661329936,
"narHash": "sha256-dafFjAcJPo0SdegK3E+SnTI8CNMgV/bBm/6CeDf82f8=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "ef0e7f41cdf8fae1d2390c4df246c90a364ed8d9",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"emacs-overlay": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"stable"
]
},
"locked": {
"lastModified": 1661431289,
"narHash": "sha256-LnUTdQeJ/eaGhxYBwDXVAfroHnGqt+TXjxHG2EDvDPE=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "f9ae61e7793b2dd0a2beef59270fc4b4e9f54a46",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gqrss": {
"flake": false,
"locked": {
"lastModified": 1643674728,
"narHash": "sha256-1ZGjifDgqA9yk9l0YB4rLpcvwaq9lWxDgItJ7lCVj2I=",
"owner": "qbit",
"repo": "gqrss",
"rev": "107278bcd497501475435d9a36f0aa91d1f2e1f9",
"type": "github"
},
"original": {
"owner": "qbit",
"repo": "gqrss",
"type": "github"
}
},
"mcchunkie": {
"flake": false,
"locked": {
"lastModified": 1660353113,
"narHash": "sha256-UNPv9QXFJeNx+3RleseNVSKBZGNc3eiMsEKnfIVyoeA=",
"owner": "qbit",
"repo": "mcchunkie",
"rev": "aaa3bc6958a2a99fbc061afadb968e1fa8160cba",
"type": "github"
},
"original": {
"owner": "qbit",
"repo": "mcchunkie",
"type": "github"
}
},
"microca": {
"flake": false,
"locked": {
"lastModified": 1647132345,
"narHash": "sha256-3lkT/b9vIf4nMGKnS14sWr5GhcgUFK/xsCgooM60SiU=",
"owner": "qbit",
"repo": "microca",
"rev": "8e175431c2027751704e74347f0842a5af372f53",
"type": "github"
},
"original": {
"owner": "qbit",
"repo": "microca",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1660407119,
"narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1661009065,
"narHash": "sha256-i+Q2ttGp4uOL3j0wEYP3MXLcu/4L/WbChxGQogiNSZo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9a91318fffec81ad009b73fd3b640d2541d87909",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"darwin": "darwin",
"emacs-overlay": "emacs-overlay",
"gqrss": "gqrss",
"mcchunkie": "mcchunkie",
"microca": "microca",
"nixos-hardware": "nixos-hardware",
"sshKnownHosts": "sshKnownHosts",
"stable": "stable",
"unstable": "unstable",
"xin-secrets": "xin-secrets"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"xin-secrets",
"stable"
],
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1661054796,
"narHash": "sha256-SWiWmENiim8liUNOZ1oxjc5yKb/fNpcyfSRo41bsEy0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "6068774a8e85fea4b0177efcc90afb3c3b74430b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sshKnownHosts": {
"flake": false,
"locked": {
"lastModified": 1656701928,
"narHash": "sha256-wxSl4azf1nQNcUZVNOn6zDzk31sQ1NNoiFDEVUqdGmk=",
"owner": "qbit",
"repo": "ssh_known_hosts",
"rev": "3b18047443bfe259497de7584cf389c72c5afec2",
"type": "github"
},
"original": {
"owner": "qbit",
"repo": "ssh_known_hosts",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1661405040,
"narHash": "sha256-bubG0NFaLT9sj7dCCFGrp9CQcTkXyWRxGRLwZNF5oro=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5f17353d51c38d56df382517b038f37b8fc02f93",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"stable_2": {
"locked": {
"lastModified": 1661405040,
"narHash": "sha256-bubG0NFaLT9sj7dCCFGrp9CQcTkXyWRxGRLwZNF5oro=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5f17353d51c38d56df382517b038f37b8fc02f93",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1661328374,
"narHash": "sha256-GGMupfk/lGzPBQ/dRrcQEhiFZ0F5KPg0j5Q4Fb5coxc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f034b5693a26625f56068af983ed7727a60b5f8b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"xin-secrets": {
"inputs": {
"sops-nix": "sops-nix",
"stable": "stable_2"
},
"locked": {
"lastModified": 1661447779,
"narHash": "sha256-J3+gFXbSzRiyROS01+jycpwmJQ2ElJKRE/SoQk335qk=",
"ref": "main",
"rev": "b1377c8cd7e0eedaec8002f8a12c82205e532a1f",
"revCount": 23,
"type": "git",
"url": "ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git"
}
}
},
"root": "root",
"version": 7
}

155
flake.nix Normal file
View File

@ -0,0 +1,155 @@
{
description = "bold.daemon";
inputs = {
xin-secrets = {
url =
"git+ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git?ref=main";
};
unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
stable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
inputs.nixpkgs.follows = "unstable";
inputs.nixpkgs-22_05.follows = "stable";
};
emacs-overlay = {
url = "github:nix-community/emacs-overlay";
inputs.nixpkgs.follows = "stable";
};
darwin = {
url = "github:lnl7/nix-darwin";
inputs.nixpkgs.follows = "stable";
};
sshKnownHosts = {
url = "github:qbit/ssh_known_hosts";
flake = false;
};
microca = {
url = "github:qbit/microca";
flake = false;
};
mcchunkie = {
url = "github:qbit/mcchunkie";
flake = false;
};
gqrss = {
url = "github:qbit/gqrss";
flake = false;
};
};
outputs = { self, unstable, stable, nixos-hardware, sshKnownHosts, microca
, mcchunkie, gqrss, darwin, xin-secrets, ... }@flakes:
let
hostBase = {
overlays = [ flakes.emacs-overlay.overlay ];
modules = [
# Common config stuffs
(import (./default.nix))
(import "${sshKnownHosts}")
xin-secrets.nixosModules.sops
xin-secrets.nixosModules.xin-secrets
];
};
overlays = [ flakes.emacs-overlay.overlay ];
buildVer = { system.configurationRevision = self.rev or "DIRTY"; };
buildShell = pkgs:
pkgs.mkShell {
shellHook = ''
PS1='\u@\h:\w; '
'';
nativeBuildInputs = with pkgs; [
tree
go
jq
statix
sops
nix-diff
nixfmt
git
ssh-to-age
ssh-to-pgp
];
};
buildSys = sys: sysBase: extraMods: name:
sysBase.lib.nixosSystem {
system = sys;
modules = hostBase.modules ++ extraMods ++ [{
nix = {
registry.nixpkgs.flake = sysBase;
nixPath = [ "nixpkgs=${sysBase}" ];
};
}] ++ [ buildVer (./. + "/hosts/${name}") ]
++ [{ nixpkgs.overlays = overlays; }];
};
pkgs = unstable.legacyPackages.x86_64-linux;
darwinPkgs = unstable.legacyPackages.aarch64-darwin;
in {
darwinConfigurations = {
plq = darwin.lib.darwinSystem {
system = "aarch64-darwin";
modules = [
xin-secrets.nixosModules.sops
(import "${sshKnownHosts}")
./overlays
./hosts/plq
];
};
};
devShells.x86_64-linux.default = buildShell pkgs;
devShells.aarch64-darwin.default = buildShell darwinPkgs;
nixosConfigurations = {
europa = buildSys "x86_64-linux" unstable [
"${nixos-hardware}/common/cpu/intel"
"${nixos-hardware}/common/pc/laptop"
"${nixos-hardware}/common/pc/laptop/ssd"
] "europa";
box = buildSys "x86_64-linux" stable [ ] "box";
h = buildSys "x86_64-linux" stable [ ] "h";
faf = buildSys "x86_64-linux" stable [ ] "faf";
litr = buildSys "x86_64-linux" unstable [ ] "litr";
#nerm = buildSys "x86_64-linux" unstable [ ] "nerm";
hass = buildSys "x86_64-linux" stable [ ] "hass";
weather = buildSys "aarch64-linux" stable
[ nixos-hardware.nixosModules.raspberry-pi-4 ] "weather";
weatherInstall = stable.lib.nixosSystem {
system = "aarch64-linux";
modules = [
(import (./installer.nix))
xin-secrets.nixosModules.sops
(import "${sshKnownHosts}")
"${stable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
];
};
isoInstall = stable.lib.nixosSystem {
system = "x86_64-linux";
modules = [
buildVer
(import (./installer.nix))
xin-secrets.nixosModules.sops
(import "${sshKnownHosts}")
"${stable}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
];
};
};
};
}

6
fmt Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
for i in $(find . -name \*.nix ); do
nixfmt $i
done
statix check .

11
gui/arcan.nix Normal file
View File

@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
let myArcan = pkgs.arcanPackages or pkgs.arcan;
in with lib; {
options = {
arcan = { enable = mkEnableOption "Enable Arcan/Durden desktop."; };
};
config = mkIf config.arcan.enable {
environment.systemPackages = with pkgs; [ myArcan.all-wrapped ];
};
}

72
gui/default.nix Normal file
View File

@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
with lib; {
imports = [ ./gnome.nix ./kde.nix ./xfce.nix ./arcan.nix ];
options = {
pulse = {
enable = mkOption {
description = "Enable PulseAudio";
default = false;
example = true;
type = types.bool;
};
};
pipewire = {
enable = mkOption {
description = "Enable PipeWire";
default = true;
example = true;
type = types.bool;
};
};
};
config = mkMerge [
(mkIf config.arcan.enable {
sound.enable = true;
services = { xserver.enable = false; };
environment.systemPackages = with pkgs; [ brave go-font vlc pcsctools ];
})
(mkIf (config.kde.enable || config.gnome.enable || config.xfce.enable) {
services = {
xserver.enable = true;
pcscd.enable = true;
};
# TODO: TEMP FIX
systemd.services.NetworkManager-wait-online.serviceConfig.ExecStart =
lib.mkForce [ "" "${pkgs.networkmanager}/bin/nm-online -q" ];
sound.enable = true;
security.rtkit.enable = true;
environment.systemPackages = with pkgs; [ brave go-font vlc pcsctools ];
programs = {
firejail = {
enable = true;
wrappedBinaries = {
firefox = {
executable = "${lib.getBin pkgs.firefox}/bin/firefox";
profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
};
#brave = {
# executable = "${lib.getBin pkgs.brave}/bin/brave";
# profile = "${pkgs.firejail}/etc/firejail/brave.profile";
#};
};
};
};
})
(mkIf config.pulse.enable { hardware.pulseaudio = { enable = true; }; })
(mkIf config.pipewire.enable {
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
alsa.enable = true;
};
})
];
}

9
gui/gnome.nix Normal file
View File

@ -0,0 +1,9 @@
{ config, lib, ... }:
with lib; {
options = { gnome = { enable = mkEnableOption "Enable GNOME desktop."; }; };
config = mkIf config.gnome.enable {
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
};
}

29
gui/kde.nix Normal file
View File

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
with lib; {
options = { kde = { enable = mkEnableOption "Enable KDE desktop."; }; };
config = mkIf config.kde.enable {
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Listen for KDE Connect connections on the tailnet
networking.firewall.interfaces = {
"tailscale0" = {
allowedTCPPorts = range 1714 1764;
allowedUDPPorts = range 1714 1764;
};
};
environment.systemPackages = with pkgs; [
akonadi
plasma5Packages.akonadiconsole
plasma5Packages.akonadi-contacts
plasma5Packages.akonadi-search
plasma5Packages.akonadi-mime
libsForQt5.bismuth
kdeconnect
kmail
plasma-pass
];
};
}

9
gui/xfce.nix Normal file
View File

@ -0,0 +1,9 @@
{ config, lib, ... }:
with lib; {
options = { xfce = { enable = mkEnableOption "Enable XFCE desktop."; }; };
config = mkIf config.xfce.enable {
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.xfce = { enable = true; };
};
}

35
hosts/.hass/default.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, pkgs, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbj3DNho0T/SLcuKPzxT2/r8QNdEQ/ms6tRiX6YraJk root@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMaAm4rDxyU975Z54YiNw3itC2fGc3SaE2VaS1fai8 root@box"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = false;
imports = [ ./hardware-configuration.nix ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
#boot.supportedFilesystems = [ "zfs" ];
#boot.zfs.devNodes = "/dev/";
networking.hostName = "hass";
networking.hostId = "cd47baaf";
networking.useDHCP = false;
#networking.interfaces.enp1s0.useDHCP = true;
#networking.interfaces.enp2s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [ 22 ];
users.users.root = userBase;
users.users.qbit = userBase;
dnsOverTLS.enable = true;
system.stateVersion = "22.05"; # Did you read the comment?
}

47
hosts/.hass/hardware-configuration.nix Normal file
View File

@ -0,0 +1,47 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"megaraid_sas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/38318896-9ce1-4ede-a599-9a7d2feb31a1";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/57D7-FFCF";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/b3d27f92-fbf2-4560-a113-2165201fa8b8"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.enp65s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp65s0f1.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}

61
hosts/.nerm/default.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, options, pkgs, fetchFromGitHub, kernel, kmod, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZExBj4QByLZSyKJ5+fPQnqDNrbsFz1IQWbFqCDcq9g qbit@ren.bold.daemon"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = true;
imports = [ ./hardware-configuration.nix ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/vda";
buildConsumer.enable = true;
boot.kernelModules = [ "vmm_clock" "virtio_vmmci" ];
boot.extraModulePackages =
[ pkgs.linuxPackages.vmm_clock pkgs.linuxPackages.virtio_vmmci ];
boot.kernelParams = [ "console=ttyS0,115200n8" ];
networking.hostName = "nerm";
# No IPv6
networking.enableIPv6 = false;
networking.useDHCP = false;
networking.interfaces.enp0s2.useDHCP = false;
networking.defaultGateway = "10.10.10.1";
networking.interfaces.enp0s3.ipv4.addresses = [{
address = "10.10.10.21";
prefixLength = 24;
}];
nixpkgs.overlays = [
(self: super:
{
#bitwarden_rs = unstable.bitwarden_rs;
})
];
environment.systemPackages = with pkgs; [
ssb-patchwork
signal-desktop
neochat
];
services = { openssh.forwardX11 = true; };
networking.firewall.allowedTCPPorts = [ 22 ];
users.users.root = userBase;
users.users.qbit = userBase;
system.stateVersion = "20.03";
}

23
hosts/.nerm/hardware-configuration.nix Normal file
View File

@ -0,0 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/be72669d-5454-4602-86cd-3a939d1f4c0f";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/b2cd835b-0544-40a8-9c7f-5d9d789a05fc"; }];
nix.maxJobs = lib.mkDefault 1;
}

740
hosts/box/default.nix Normal file
View File

@ -0,0 +1,740 @@
{ lib, config, pkgs, isUnstable, ... }:
let
photoPrismTag = "220302-buster";
httpCacheTime = "720m";
httpAllow = ''
allow 10.6.0.0/24;
allow 100.64.0.0/10;
allow 10.20.30.1/32;
'';
openbsdPub = {
extraConfig = ''
proxy_cache my_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 1;
proxy_cache_use_stale error timeout updating http_500 http_502
http_503 http_504;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_ignore_headers Cache-Control;
proxy_cache_valid any ${httpCacheTime};
# from jeremy
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_pass http://ftp.usa.openbsd.org;
'';
};
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbj3DNho0T/SLcuKPzxT2/r8QNdEQ/ms6tRiX6YraJk root@tal.tapenet.org"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
mkNginxSecret = {
sopsFile = config.xin-secrets.box.certs;
owner = config.users.users.nginx.name;
mode = "400";
};
in {
disabledModules = [
#"services/security/step-ca.nix"
#"services/matrix/mjolnir.nix"
];
_module.args.isUnstable = false;
imports = [
./hardware-configuration.nix
#(import "${
# toString unstableSrc.path
# }/nixos/modules/services/security/step-ca.nix")
#(import
# "${toString unstableSrc.path}/nixos/modules/services/matrix/mjolnir.nix")
];
sops.secrets = {
photoprism_admin_password = { sopsFile = config.xin-secrets.box.services; };
gitea_db_pass = {
owner = config.users.users.gitea.name;
sopsFile = config.xin-secrets.box.services;
};
};
sops.secrets.jelly_cert = mkNginxSecret;
sops.secrets.jelly_key = mkNginxSecret;
sops.secrets.reddit_cert = mkNginxSecret;
sops.secrets.reddit_key = mkNginxSecret;
sops.secrets.sonarr_cert = mkNginxSecret;
sops.secrets.sonarr_key = mkNginxSecret;
sops.secrets.radarr_cert = mkNginxSecret;
sops.secrets.radarr_key = mkNginxSecret;
sops.secrets.prowlarr_cert = mkNginxSecret;
sops.secrets.prowlarr_key = mkNginxSecret;
sops.secrets.nzb_cert = mkNginxSecret;
sops.secrets.nzb_key = mkNginxSecret;
sops.secrets.lidarr_cert = mkNginxSecret;
sops.secrets.lidarr_key = mkNginxSecret;
#nixpkgs.config = {
# packageOverrides = super:
# let self = super.pkgs;
# in {
# step-ca = unstableSrc.step-ca;
# mjolnir = unstableSrc.mjolnir;
# };
#};
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.copyKernels = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages;
doas.enable = true;
networking.hostName = "box";
networking.hostId = "9a2d2563";
networking.useDHCP = false;
networking.enableIPv6 = false;
networking = {
defaultGateway = "10.20.30.1";
nameservers = [ "10.20.30.1" ];
interfaces.enp7s0 = {
ipv4 = {
routes = [{
address = "10.6.0.0";
prefixLength = 24;
via = "10.6.0.1";
}];
addresses = [{
address = "10.6.0.15";
prefixLength = 24;
}];
};
};
interfaces.enp8s0 = {
ipv4.addresses = [{
address = "10.20.30.15";
prefixLength = 24;
}];
};
};
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
nixfmt
tmux
mosh
apg
git
signify
glowing-bear
(callPackage ../../pkgs/athens.nix { inherit isUnstable; })
];
security.acme = {
acceptTerms = true;
defaults.email = "aaron@bolddaemon.com";
};
# for photoprism
users.groups.photoprism = {
name = "photoprism";
gid = 986;
};
users.users.photoprism = {
uid = 991;
name = "photoprism";
isSystemUser = true;
hashedPassword = null;
group = "photoprism";
shell = "/bin/sh";
openssh.authorizedKeys.keys = pubKeys;
};
virtualisation.podman = {
enable = true;
#dockerCompat = true;
};
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
kativa = {
autoStart = true;
ports = [ "127.0.0.1:5000:5000" ];
image = "kizaing/kavita:0.5.2";
volumes = [ "/media/books:/books" "/media/books/config:/kativa/config" ];
};
photoprism = {
#user = "${toString config.users.users.photoprism.name}:${toString config.users.groups.photoprism.name}";
autoStart = true;
ports = [ "127.0.0.1:2343:2343" ];
image = "photoprism/photoprism:${photoPrismTag}";
workdir = "/photoprism";
volumes = [
"/media/pictures/photoprism/storage:/photoprism/storage"
"/media/pictures/photoprism/originals:/photoprism/originals"
"/media/pictures/photoprism/import:/photoprism/import"
];
environment = {
PHOTOPRISM_HTTP_PORT = "2343";
PHOTOPRISM_UPLOAD_NSFW = "true";
PHOTOPRISM_DETECT_NSFW = "false";
PHOTOPRISM_UID = "${toString config.users.users.photoprism.uid}";
PHOTOPRISM_GID = "${toString config.users.groups.photoprism.gid}";
#PHOTOPRISM_SITE_URL = "https://photos.tapenet.org/";
PHOTOPRISM_SITE_URL = "https://box.humpback-trout.ts.net/photos";
PHOTOPRISM_SETTINGS_HIDDEN = "false";
PHOTOPRISM_DATABASE_DRIVER = "sqlite";
};
};
};
users.groups.media = {
name = "media";
members =
[ "qbit" "sonarr" "radarr" "lidarr" "nzbget" "jellyfin" "headphones" ];
};
services = {
cron = {
enable = true;
systemCronJobs = let
tsCertsScript = pkgs.writeScriptBin "ts-certs.sh" ''
#!/usr/bin/env sh
. /etc/profile;
(
mkdir -p /etc/nixos/secrets;
chown root /etc/nixos/secrets/box.humpback-trout.ts.net.*;
tailscale cert \
--cert-file /etc/nixos/secrets/box.humpback-trout.ts.net.crt \
--key-file=/etc/nixos/secrets/box.humpback-trout.ts.net.key \
box.humpback-trout.ts.net;
chown nginx /etc/nixos/secrets/box.humpback-trout.ts.net.*
) >/dev/null 2>&1
'';
in [ "@daily root ${tsCertsScript}/bin/ts-certs.sh" ];
};
openssh.forwardX11 = true;
tor.enable = true;
#step-ca = {
# enable = true;
# intermediatePasswordFile = "/var/data/step-ca/secrets/password";
# settings = {
# dnsNames = [ "box.bold.daemon" ];
# root = "/var/lib/step-ca/certs/root_ca.crt";
# crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
# key = "/var/lib/step-ca/secrets/intermediate_ca_key";
# db = {
# type = "badger";
# dataSource = "/var/lib/step-ca/db";
# };
# authority = {
# provisioners = [{
# type = "ACME";
# name = "acme";
# }];
# };
# };
# address = "127.0.0.1";
# port = 8435;
#};
sonarr.enable = true;
radarr.enable = true;
lidarr.enable = true;
jackett.enable = true;
prowlarr.enable = true;
headphones.enable = false;
nzbget = {
enable = true;
group = "media";
settings = { MainDir = "/media/downloads"; };
};
fwupd.enable = true;
zfs = {
autoSnapshot.enable = true;
autoReplication = {
enable = true;
host = "10.6.0.245";
identityFilePath = "/etc/ssh/ssh_host_ed25519_key";
localFilesystem = "rpool";
recursive = true;
remoteFilesystem = "tank/backups/box";
username = "root";
};
};
jellyfin = {
enable = true;
openFirewall = true;
};
grafana = {
enable = true;
domain = "graph.tapenet.org";
port = 2342;
addr = "127.0.0.1";
};
prometheus = {
enable = true;
port = 9001;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
nginx = { enable = true; };
};
scrapeConfigs = [
{
job_name = "box";
static_configs = [{
targets = [
"127.0.0.1:${
toString config.services.prometheus.exporters.node.port
}"
];
}];
}
{
job_name = "greenhouse";
static_configs = [{ targets = [ "10.6.0.20:80" ]; }];
}
{
job_name = "house";
static_configs = [{ targets = [ "10.6.0.21:80" ]; }];
}
{
job_name = "outside";
static_configs = [{ targets = [ "10.6.0.22:8811" ]; }];
}
{
job_name = "tal";
static_configs = [{ targets = [ "10.6.0.110:9100" ]; }];
}
{
job_name = "namish";
static_configs = [{ targets = [ "10.6.0.2:9100" ]; }];
}
{
job_name = "nginx";
static_configs = [{
targets = [
"127.0.0.1:${
toString config.services.prometheus.exporters.nginx.port
}"
];
}];
}
];
};
vaultwarden = {
enable = true;
backupDir = "/backups/bitwarden_rs";
config = {
domain = "https://bw.tapenet.org";
signupsAllowed = false;
rocketPort = 8222;
rocketLog = "critical";
environmentFile = "/root/bitwarden_rs.env";
};
};
gitea = {
enable = true;
domain = "git.tapenet.org";
rootUrl = "https://git.tapenet.org";
stateDir = "/media/git";
appName = "Tape:neT";
lfs.enable = true;
ssh.enable = true;
ssh.clonePort = 2222;
settings = {
server = {
START_SSH_SERVER = true;
SSH_SERVER_HOST_KEYS = "ssh/gitea-ed25519";
};
};
disableRegistration = true;
cookieSecure = true;
database = {
type = "postgres";
passwordFile = "${config.sops.secrets.gitea_db_pass.path}";
socket = "/run/postgresql";
};
};
#nextcloud = {
# enable = true;
# hostName = "box.tapenet.org";
# package = pkgs.nextcloud22;
# home = "/media/nextcloud";
# https = true;
# autoUpdateApps = { enable = true; };
# config = {
# overwriteProtocol = "https";
# dbtype = "pgsql";
# dbuser = "nextcloud";
# dbhost = "/run/postgresql";
# dbname = "nextcloud";
# dbpassFile = "${config.sops.secrets.nextcloud_db_pass.path}";
# adminpassFile = "${config.sops.secrets.nextcloud_admin_pass.path}";
# adminuser = "admin";
# };
#};
rsnapshot = {
enable = false;
enableManualRsnapshot = true;
extraConfig = ''
snapshot_root /backups/snapshots/
retain daily 7
retain manual 3
backup_exec date "+ backup of suah.dev started at %c"
backup root@suah.dev:/home/ suah.dev/
backup root@suah.dev:/etc/ suah.dev/
backup root@suah.dev:/var/synapse/ suah.dev/
backup root@suah.dev:/var/dendrite/ suah.dev/
backup root@suah.dev:/var/hammer/ suah.dev/
backup root@suah.dev:/var/go-ipfs/ suah.dev/
backup root@suah.dev:/var/gopher/ suah.dev/
backup root@suah.dev:/var/honk/ suah.dev/
backup root@suah.dev:/var/mcchunkie/ suah.dev/
backup root@suah.dev:/var/www/ suah.dev/
backup_exec date "+ backup of suah.dev ended at %c"
'';
cronIntervals = { daily = "50 21 * * *"; };
};
libreddit = {
enable = true;
port = 8482;
redirect = true;
};
nginx = {
enable = true;
package = pkgs.openresty;
statusPage = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "512M";
commonHttpConfig = ''
proxy_cache_path /backups/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g
inactive=${httpCacheTime} use_temp_path=off;
'';
virtualHosts = {
"box.humpback-trout.ts.net" = {
forceSSL = true;
sslCertificateKey =
"/etc/nixos/secrets/box.humpback-trout.ts.net.key";
sslCertificate = "/etc/nixos/secrets/box.humpback-trout.ts.net.crt";
locations."/photos" = {
proxyPass = "http://localhost:2343";
proxyWebsockets = true;
};
locations."/pub" = openbsdPub;
};
"photos.tapenet.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:2343";
proxyWebsockets = true;
};
};
"bw.tapenet.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${
toString config.services.vaultwarden.config.rocketPort
}";
proxyWebsockets = true;
};
# For push notifications. Unfortunately the ports are not set in a config
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"bear.tapenet.org" = {
forceSSL = true;
enableACME = true;
locations."/" = { root = "${pkgs.glowing-bear}"; };
};
"jelly.bold.daemon" = {
forceSSL = true;
sslCertificateKey = "${config.sops.secrets.jelly_key.path}";
sslCertificate = "${config.sops.secrets.jelly_cert.path}";
locations."/" = {
# TODO: jellyfin.nix doesn't expose the port being used.
proxyPass = "http://localhost:8096";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"reddit.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.reddit_key.path}";
sslCertificate = "${config.sops.secrets.reddit_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass =
"http://localhost:${toString config.services.libreddit.port}";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"sonarr.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.sonarr_key.path}";
sslCertificate = "${config.sops.secrets.sonarr_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8989";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"radarr.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.radarr_key.path}";
sslCertificate = "${config.sops.secrets.radarr_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:7878";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"prowlarr.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.prowlarr_key.path}";
sslCertificate = "${config.sops.secrets.prowlarr_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9696";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"nzb.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.nzb_key.path}";
sslCertificate = "${config.sops.secrets.nzb_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:6789";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"headphones.bold.daemon" = {
locations."/" = {
proxyPass = "http://localhost:8181";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
"lidarr.bold.daemon" = {
sslCertificateKey = "${config.sops.secrets.lidarr_key.path}";
sslCertificate = "${config.sops.secrets.lidarr_cert.path}";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8686";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
${config.services.grafana.domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
extraConfig = ''
${httpAllow}
deny all;
'';
};
locations."/_pub" = {
extraConfig = ''
default_type 'application/json';
content_by_lua_block {
function lsplit (str, sep)
sep = "\n"
local t={}
for str in string.gmatch(str, "([^"..sep.."]+)") do
table.insert(t, str)
end
return t
end
local sock = ngx.socket.tcp()
local ok, err = sock:connect("127.0.0.1", ${
toString config.services.prometheus.port
})
if not ok then
ngx.say("failed to connect to backend: ", err)
return
end
local bytes = sock:send("GET /api/v1/query?query=wstation_temp_c HTTP/1.1\nHost: 127.0.0.1:${
toString config.services.prometheus.port
}\n\n")
sock:settimeouts(1000, 1000, 1000)
local data, err = sock:receiveany(10 * 1024)
if not data then
ngx.say("failed to read weather data: ", err)
return
end
local b = lsplit(data)
ngx.say(b[#b])
sock:close()
}
'';
};
};
"git.tapenet.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://localhost:${toString config.services.gitea.httpPort}";
proxyWebsockets = true;
priority = 1000;
};
};
};
};
postgresqlBackup = {
enable = true;
location = "/backups/postgresql";
};
postgresql = {
enable = true;
dataDir = "/db/postgres";
ensureDatabases = [ "nextcloud" "gitea" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
{
name = "gitea";
ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES";
}
];
};
};
systemd.services.nginx.serviceConfig = {
ReadWritePaths = [ "/backups/nginx_cache" ];
ReadOnlyPaths = [ "/etc/nixos/secrets" ];
};
#systemd.services."nextcloud-setup" = {
# requires = [ "postgresql.service" ];
# after = [ "postgresql.service" ];
#};
networking.firewall.allowedTCPPorts = config.services.openssh.ports
++ [ 80 443 config.services.gitea.ssh.clonePort ];
networking.firewall.allowedUDPPortRanges = [{
from = 60000;
to = 61000;
}];
users.users.qbit = userBase;
users.users.root = userBase;
programs.zsh.enable = true;
system.stateVersion = "20.03";
}

76
hosts/box/hardware-configuration.nix Normal file
View File

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/disk/by-uuid/248dfcf7-999b-4dba-bfbf-0b10dbb376b1";
fsType = "ext4";
};
fileSystems."/home" = {
device = "rpool/home";
fsType = "zfs";
};
fileSystems."/backups" = {
device = "rpool/backups";
fsType = "zfs";
};
fileSystems."/media/music" = {
device = "rpool/media/music";
fsType = "zfs";
};
fileSystems."/media/movies" = {
device = "rpool/media/movies";
fsType = "zfs";
};
fileSystems."/media/pictures" = {
device = "rpool/pictures";
fsType = "zfs";
};
fileSystems."/media/tv" = {
device = "rpool/media/tv";
fsType = "zfs";
};
fileSystems."/media/nextcloud" = {
device = "rpool/nextcloud";
fsType = "zfs";
};
fileSystems."/media/git" = {
device = "rpool/git";
fsType = "zfs";
};
fileSystems."/media/downloads" = {
device = "rpool/downloads";
fsType = "zfs";
};
fileSystems."/db/postgres" = {
device = "rpool/db/postgres";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2AC3-DB6C";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/97d6ef56-ea18-493b-aac0-e58e773ced30"; }];
nix.maxJobs = lib.mkDefault 8;
}

202
hosts/europa/default.nix Normal file
View File

@ -0,0 +1,202 @@
{ config, pkgs, lib, modulesPath, ... }:
let
myEmacs = pkgs.callPackage ../../configs/emacs.nix { };
in {
_module.args.isUnstable = true;
imports = [
./hardware-configuration.nix
../../pkgs
../../configs/neomutt.nix
../../overlays/default.nix
];
sops.secrets = {
fastmail = {
sopsFile = config.xin-secrets.europa.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
fastmail_user = {
sopsFile = config.xin-secrets.europa.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
nix_review = {
sopsFile = config.xin-secrets.europa.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nixpkgs.config.allowUnsupportedSystem = true;
boot = {
initrd.availableKernelModules =
[ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
initrd.kernelModules = [ ];
extraModulePackages = [ ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelPackages = pkgs.linuxPackages;
kernelParams = [ "boot.shell_on_fail" "nvme.noacpi=1" ];
kernelModules = [ "kvm-intel" ];
extraModprobeConfig = ''
options snd-hda-intel model=dell-headset-multi
'';
};
programs.zsh.shellAliases = {
"nix-review" = "GITHUB_TOKEN=$(cat /run/secrets/nix_review) nix-review";
"neomutt" = "neomutt -F /etc/neomuttrc";
"mutt" = "neomutt -F /etc/neomuttrc";
};
sshFidoAgent.enable = true;
configManager = {
enable = true;
router = {
enable = true;
hostName = "10.6.0.1";
pfAllowUnifi = false;
interfaces = {
em0 = {
text = ''
inet autoconf
inet6 autoconf
'';
};
em1 = {
text = ''
inet 10.99.99.1 255.255.255.0 10.99.99.255
description "Trunk"
up
'';
};
vlan2 = {
text = ''
inet 10.3.0.1 255.255.255.0 10.3.0.255 vnetid 2 parent em1 description "Lab" up'';
};
vlan10 = {
text = ''
inet 10.10.0.1 255.255.255.0 10.10.0.255 vnetid 10 parent em1 description "Untrusted WiFi" up'';
};
vlan11 = {
text = ''
inet 10.12.0.1 255.255.255.0 10.12.0.255 vnetid 11 parent em1 description "Trusted WiFi" up'';
};
};
};
};
nixManager = {
enable = true;
user = "qbit";
};
kde.enable = true;
jetbrains.enable = true;
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
networking.hosts."100.120.151.126" = [ "graph.tapenet.org" ];
networking = {
hostName = "europa";
hostId = "87703c3e";
wireless.userControlled.enable = true;
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 22 ];
checkReversePath = "loose";
};
};
programs.steam.enable = true;
services = {
emacs = {
enable = false;
package = myEmacs;
install = true;
};
tor = {
enable = true;
client.enable = true;
};
#blueman.enable = true;
cron = {
enable = true;
systemCronJobs = [
"*/2 * * * * qbit . /etc/profile; (cd ~/Notes && git sync) >/dev/null 2>&1"
"*/5 * * * * qbit . /etc/profile; (cd ~/org && git sync) >/dev/null 2>&1"
];
};
fprintd.enable = true;
#logind = {
# lidSwitch = "suspend-then-hibernate";
# lidSwitchExternalPower = "lock";
#};
tlp = {
enable = false;
settings = {
CPU_BOOST_ON_BAT = 0;
CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
START_CHARGE_THRESH_BAT0 = 90;
STOP_CHARGE_THRESH_BAT0 = 97;
RUNTIME_PM_ON_BAT = "auto";
};
};
fwupd = {
enable = true;
enableTestRemote = true;
};
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", GROUP="users", TAG+="uaccess"
SUBSYSTEM=="pci", ATTR{vendor}=="0x8086", ATTR{device}=="0xa0e0", ATTR{power/control}="on"
'';
};
users.users.qbit.extraGroups = [ "libvirtd" ];
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
arcanPackages.all-wrapped
barrier
cider
drawterm
element-desktop
exercism
isync
klavaro
libfprint-2-tod1-goodix
linphone
logseq
mu
nheko
nix-index
nix-review
nix-top
rofi
signal-desktop
thunderbird
tidal-hifi
tigervnc
virt-manager
yt-dlp
];
system.stateVersion = "21.11";
}

71
hosts/europa/hardware-configuration.nix Normal file
View File

@ -0,0 +1,71 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "rpool/nixos";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "rpool/nixos/nix";
fsType = "zfs";
};
fileSystems."/etc" = {
device = "rpool/nixos/etc";
fsType = "zfs";
};
fileSystems."/var" = {
device = "rpool/nixos/var";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "rpool/nixos/var/lib";
fsType = "zfs";
};
fileSystems."/var/log" = {
device = "rpool/nixos/var/log";
fsType = "zfs";
};
fileSystems."/var/spool" = {
device = "rpool/nixos/var/spool";
fsType = "zfs";
};
fileSystems."/home" = {
device = "rpool/nixos/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5250-11DE";
fsType = "vfat";
};
swapDevices = [ ];
#swapDevices =
# [{ device = "/dev/disk/by-uuid/6e56876e-bd04-4fbb-9ff7-5202cbf5eaa4"; }];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware = {
cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
acpilight.enable = true;
video.hidpi.enable = true;
bluetooth.enable = true;
};
}

112
hosts/faf/default.nix Normal file
View File

@ -0,0 +1,112 @@
{ config, pkgs, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbj3DNho0T/SLcuKPzxT2/r8QNdEQ/ms6tRiX6YraJk root@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMaAm4rDxyU975Z54YiNw3itC2fGc3SaE2VaS1fai8 root@box"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = false;
imports = [ ./hardware-configuration.nix ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/";
networking.hostName = "faf";
networking.hostId = "12963a2a";
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [ 22 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
users.users.root = userBase;
users.users.qbit = userBase;
services = {
adguardhome = {
enable = false;
port = 3000;
openFirewall = true;
settings = {
user_rules = [
"# Stuff from kyle"
"# some google stuff that wasn't being blocked"
"||googleadservices.com^"
"||imasdk.googleapis.com^"
"# some advertising stuff I saw on my network"
"||adjust.com^"
"||appsflyer.com^"
"||doubleclick.net^"
"||googleadservices.com^"
"||raygun.io^"
"||pizzaseo.com^"
"||scorecardresearch.com^"
"# annoying website 'features'"
"||drift.com^"
"||driftcdn.com^"
"||driftt.com^"
"||driftt.imgix.net^"
"||intercomcdn.com^"
"||intercom.io^"
"||salesforceliveagent.com^"
"||viafoura.co^"
"||viafoura.com^"
];
filters = [
{
name = "AdGuard DNS filter";
url =
"https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
enabled = true;
}
{
name = "AdaAway Default Blocklist";
url = "https://adaway.org/hosts.txt";
enabled = true;
}
{
name = "OISD";
url = "https://abp.oisd.nl";
enabled = true;
}
];
dns = {
statistics_interval = 90;
bind_host = "10.6.0.245";
bootstrap_dns = "10.6.0.1";
};
};
};
unbound = {
enable = true;
settings = {
server = {
interface = [ "100.64.130.122" ];
access-control = [ "100.64.0.0/10 allow" ];
};
local-zone = ''"bold.daemon." static'';
local-data = [
''"reddit.bold.daemon. IN A 100.120.151.126"''
''"jelly.bold.daemon. IN A 100.120.151.126"''
''"sonarr.bold.daemon. IN A 100.120.151.126"''
''"radarr.bold.daemon. IN A 100.120.151.126"''
''"prowlarr.bold.daemon. IN A 100.120.151.126"''
''"headphones.bold.daemon. IN A 100.120.151.126"''
''"lidarr.bold.daemon. IN A 100.120.151.126"''
''"nzb.bold.daemon. IN A 100.120.151.126"''
];
};
};
};
system.stateVersion = "21.11"; # Did you read the comment?
}

72
hosts/faf/hardware-configuration.nix Normal file
View File

@ -0,0 +1,72 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"sata_sil24"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "tank/nixos";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "tank/nixos/nix";
fsType = "zfs";
};
fileSystems."/etc" = {
device = "tank/nixos/etc";
fsType = "zfs";
};
fileSystems."/var" = {
device = "tank/nixos/var";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "tank/nixos/var/lib";
fsType = "zfs";
};
fileSystems."/var/log" = {
device = "tank/nixos/var/log";
fsType = "zfs";
};
fileSystems."/var/spool" = {
device = "tank/nixos/var/spool";
fsType = "zfs";
};
fileSystems."/home" = {
device = "tank/userdata/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5851-DEF2";
fsType = "vfat";
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
hosts/h/alias Normal file
View File

@ -0,0 +1 @@
h.suah.dev

435
hosts/h/default.nix Normal file
View File

@ -0,0 +1,435 @@
{ config, pkgs, lib, isUnstable, ... }:
with pkgs;
let
gqrss = callPackage ../../pkgs/gqrss.nix { inherit isUnstable; };
icbirc = callPackage ../../pkgs/icbirc.nix { inherit isUnstable; };
mcchunkie = callPackage ../../pkgs/mcchunkie.nix { inherit isUnstable; };
pgBackupDir = "/var/backups/postgresql";
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = false;
imports = [ ./hardware-configuration.nix ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.kernelParams = [ "net.ifnames=0" ];
tailscale.enable = false;
sops.secrets = {
synapse_signing_key = {
owner = config.users.users.matrix-synapse.name;
mode = "600";
sopsFile = config.xin-secrets.h.services;
};
hammer_access_token = {
owner = config.users.users.mjolnir.name;
mode = "600";
sopsFile = config.xin-secrets.h.services;
};
gqrss_token = {
owner = config.users.users.qbit.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
};
restic_env_file = {
owner = config.users.users.root.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
};
restic_password_file = {
owner = config.users.users.root.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
};
};
networking = {
hostName = "h";
enableIPv6 = true;
useDHCP = false;
defaultGateway = "23.29.118.1";
defaultGateway6 = "2602:ff16:3::1";
nameservers = [ "9.9.9.9" ];
interfaces.eth0 = {
ipv4.addresses = [{
address = "23.29.118.127";
prefixLength = 24;
}];
ipv6 = {
addresses = [{
address = "2602:ff16:3:0:1:3a0:0:1";
prefixLength = 64;
}];
};
};
firewall = {
allowedTCPPorts = [ 22 80 443 53 ];
allowedUDPPorts = [ 53 ];
allowedUDPPortRanges = [{
from = 60000;
to = 61000;
}];
};
};
environment.systemPackages = with pkgs; [
inetutils
# irc
weechat
weechatScripts.highmon
aspell
icbirc
# matrix things
matrix-synapse-tools.synadm
matrix-synapse-tools.rust-synapse-compress-state
mcchunkie
restic
];
security.acme = {
acceptTerms = true;
defaults.email = "aaron@bolddaemon.com";
};
users.groups.mcchunkie = { };
users.users.mcchunkie = {
createHome = true;
isSystemUser = true;
home = "/var/lib/mcchunkie";
group = "mcchunkie";
};
systemd.services.mcchunkie = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "mcchunkie";
Group = "mcchunkie";
Restart = "always";
WorkingDirectory = "/var/lib/mcchunkie";
RuntimeDirectory = "/var/lib/mcchunkie";
ExecStart = "${mcchunkie}/bin/mcchunkie";
};
};
services = {
cron = {
enable = true;
systemCronJobs = [
''
@hourly qbit (export GH_AUTH_TOKEN=$(cat /run/secrets/gqrss_token); cd /var/www/suah.dev/rss; ${gqrss}/bin/gqrss ; ${gqrss}/bin/gqrss -search "LibreSSL" -prefix libressl_ ) >/dev/null 2>&1''
];
};
restic = {
backups = {
b2 = {
initialize = true;
repository = "b2:cyaspanJicyeemJedMarlEjcasOmos";
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
paths = [ pgBackupDir "/var/lib/synapse/media_store" "/var/www" ];
timerConfig = { OnCalendar = "00:05"; };
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
};
};
};
nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "50M";
commonHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"deftly.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/deftly.net";
extraConfig = ''
location ~ ^/pub|^/patches|^/dist|^/pbp|^/screenshots|^/pharo|^/fw {
autoindex on;
index index.php index.html index.htm;
}
'';
};
"bolddaemon.com" = {
forceSSL = true;
enableACME = true;
root = "/var/www/bolddaemon.com";
};
"relay.bolddaemon.com" = {
forceSSL = true;
enableACME = true;
root = "/var/www/bolddaemon.com";
locations."/weechat" = {
proxyWebsockets = true;
proxyPass = "http://localhost:9009/weechat";
};
};
"suah.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/suah.dev";
extraConfig = ''
location ~ ^/_got {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://127.0.0.1:8043;
}
location ~ ^/_sms {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://127.0.0.1:8044;
}
location ~ ^/p/ {
autoindex on;
}
location ~ ^/recipes/ {
autoindex on;
}
location ~* .(xml)$ {
autoindex on;
root /var/www/suah.dev/rss;
}
location ~ "([^/\s]+)(/.*)?" {
set $not_serving 1;
if ($request_filename = 'index.html') {
set $not_serving 0;
}
if (-f $request_filename) {
set $not_serving 0;
}
if ($args = "go-get=1") {
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Type text/html;
return 200 '<html><head>
<meta name="go-import" content="$host/$1 git https://git.sr.ht/~qbit/$1">
<meta name="go-source" content="$host/$1 _ https://git.sr.ht/~qbit/$1/tree/master{/dir} https://git.sr.ht/~qbit/$1/tree/master{/dir}/{file}#L{line}">
<meta http-equiv="refresh" content="0; url=https://pkg.go.dev/mod/suah.dev/$1">
</head>
<body>
Redirecting to docs at <a href="https://pkg.go.dev/mod/suah.dev/$1">pkg.go.dev/mod/suah.dev/$1</a>...
</body>
</html>';
}
if ($not_serving) {
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Type text/html;
return 200 '<html><head>
<meta name="go-import" content="$host/$1 git https://git.sr.ht/~qbit/$1">
<meta name="go-source" content="$host/$1 _ https://git.sr.ht/~qbit/$1/tree/master{/dir} https://git.sr.ht/~qbit/$1/tree/master{/dir}/{file}#L{line}">
<meta http-equiv="refresh" content="0; url=https://pkg.go.dev/mod/suah.dev/$1">
</head>
<body>
Redirecting to docs at <a href="https://pkg.go.dev/mod/suah.dev/$1">pkg.go.dev/mod/suah.dev/$1</a>...
</body>
</html>';
}
}
'';
};
"qbit.io" = {
forceSSL = true;
enableACME = true;
root = "/var/www/qbit.io";
};
"mammothcircus.com" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mammothcircus.com";
};
"akb.io" = {
forceSSL = true;
enableACME = true;
root = "/var/www/akb.io";
};
"tapenet.org" = {
forceSSL = true;
enableACME = true;
root = "/var/www/tapenet.org";
locations."/_matrix" = {
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:8009";
};
locations."/_synapse/client" = {
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:8009";
};
};
};
};
postgresqlBackup = {
enable = true;
location = pgBackupDir;
};
postgresql = {
enable = true;
package = pkgs.postgresql_14;
settings = { };
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 14 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "synapse-user" LOGIN;
CREATE DATABASE "synapse" WITH OWNER "synapse-user"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
ensureDatabases = [ "synapse" ];
ensureUsers = [{
name = "synapse_user";
ensurePermissions."DATABASE synapse" = "ALL PRIVILEGES";
}];
};
mjolnir = {
enable = true;
pantalaimon.enable = false;
pantalaimon.username = "hammer";
accessTokenFile = "${config.sops.secrets.hammer_access_token.path}";
homeserverUrl = "https://tapenet.org";
protectedRooms = [
"https://matrix.to/#/#openbsd:matrix.org"
"https://matrix.to/#/#go-lang:matrix.org"
"https://matrix.to/#/#plan9:matrix.org"
"https://matrix.to/#/#nix-openbsd:tapenet.org"
];
settings = {
verboseLogging = false;
protections = {
wordlist = {
words = [
"^https://libera.chat <-- visit!$"
"^@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*"
];
};
};
managementRoom = "#moderation:tapenet.org";
automaticallyRedactForReasons = [ "spam" "racism" "advertising" ];
automaticallyReactForReasons =
[ "spam" "advertising" "trolling" "racism" ];
aditionalPrefixes = [ "hammer" ];
confirmWildcardBan = false;
};
};
matrix-synapse = {
enable = true;
dataDir = "/var/lib/synapse";
settings = {
enable_registration = false;
media_store_path = "/var/lib/synapse/media_store";
presence.enabled = false;
public_baseurl = "https://tapenet.org";
server_name = "tapenet.org";
signing_key_path = "${config.sops.secrets.synapse_signing_key.path}";
url_preview_enabled = false;
plugins = with config.services.matrix-synapse.package.plugins;
[ matrix-synapse-mjolnir-antispam ];
database = {
name = "psycopg2";
args = {
database = "synapse";
user = "synapse_user";
};
};
listeners = [{
bind_addresses = [ "127.0.0.1" ];
port = 8009;
resources = [
{
compress = true;
names = [ "client" ];
}
{
compress = false;
names = [ "federation" ];
}
];
tls = false;
type = "http";
x_forwarded = true;
}];
};
};
};
users.users.qbit = userBase;
system.stateVersion = "22.11";
}

25
hosts/h/hardware-configuration.nix Normal file
View File

@ -0,0 +1,25 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules =
[ "ahci" "xhci_pci" "virtio_pci" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/b3caa6ff-5610-4ae2-999d-f8f0b1599c4f";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/610a3dbc-59d5-4e5b-b5de-b31402135d44"; }];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}

128
hosts/litr/default.nix Normal file
View File

@ -0,0 +1,128 @@
{ config, pkgs, lib, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA7khawMK6P0fXjhXXPEUTA2rF2tYB2VhzseZA/EQ/OtAAAAC3NzaDpncmVhdGVy qbit@litr.bold.daemon"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI= qbit@litr.bold.daemon"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = true;
imports = [ ./hardware-configuration.nix ../../overlays/default.nix ];
doas.enable = true;
kde.enable = true;
jetbrains.enable = true;
sshFidoAgent.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "litr";
networking.hosts."172.16.30.253" = [ "proxmox-02.vm.calyptix.local" ];
networking.hosts."127.0.0.1" = [ "borg.calyptix.dev" "localhost" ];
networking.hosts."192.168.122.133" = [ "arst.arst" "vm" ];
networking.networkmanager.enable = true;
preDNS.enable = false;
sops.secrets = {
tskey = {
sopsFile = config.xin-secrets.litr.secrets;
owner = "root";
mode = "400";
};
};
systemd.services = {
"tailscale-init" = {
wantedBy = [ "tailscaled.service" ];
after = [ "tailscaled.service" ];
serviceConfig = {
ExecStart =
"${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.tskey.path}";
};
};
};
environment.systemPackages = with pkgs; [
arcanPackages.all-wrapped
aircrack-ng
apg
barrier
barrier
firefox
fzf
gnome.gnome-keyring
ispell
jitsi-meet-electron
keychain
kismet
matterhorn
mercurial
mosh
mupdf
nfs-utils
nmap
nodejs
notejot
oathToolkit
obs-studio
openvpn
rbw
rust-analyzer
silver-searcher
sshfs
tcpdump
teams
tor
uucp
vlc
vscode
wireshark
virt-manager
google-chrome-dev
];
nixpkgs.config.allowUnfree = true;
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
services = {
fwupd.enable = true;
unifi.enable = true;
openntpd.enable = true;
resolved = {
enable = true;
dnssec = "allow-downgrade";
};
};
networking.firewall = {
allowedTCPPorts = [ 22 ];
checkReversePath = "loose";
};
users.users.root = userBase;
users.users.abieber = userBase // {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [ "wheel" "networkmanager" "libvirtd" ];
};
programs.zsh.enable = true;
system.stateVersion = "20.03"; # Did you read the comment?
}

37
hosts/litr/hardware-configuration.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [
"nvme"
"ehci_pci"
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
hardware = {
enableRedistributableFirmware = true;
bluetooth.enable = true;
#rtl-sdr.enable = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/90420d7b-15a7-404b-b3cf-ac9a1bc418de";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4378-1665";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/5d0c92f0-c812-432f-a199-acce01673ffe"; }];
nix.settings.max-jobs = lib.mkDefault 8;
}

63
hosts/plq/default.nix Normal file
View File

@ -0,0 +1,63 @@
{ config, pkgs, emacs, isUnstable, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbj3DNho0T/SLcuKPzxT2/r8QNdEQ/ms6tRiX6YraJk root@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMaAm4rDxyU975Z54YiNw3itC2fGc3SaE2VaS1fai8 root@box"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITjFpmWZVWixv2i9902R+g5B8umVhaqmjYEKs2nF3Lu qbit@tal.tapenet.org"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
secretAgent =
"Contents/Library/LoginItems/SecretAgent.app/Contents/MacOS/SecretAgent";
in {
_module.args.isUnstable = false;
imports = [ ../../configs/tmux.nix ../../configs/zsh.nix ../../bins ];
networking.hostName = "plq";
programs.zsh.enable = true;
services.nix-daemon.enable = true;
nix.package = pkgs.nix;
services.emacs.package = pkgs.emacsUnstable;
system = {
keyboard = {
enableKeyMapping = true;
remapCapsLockToControl = true;
};
defaults = {
dock.orientation = "left";
SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true;
};
};
launchd.user.agents."SecretAgent" = {
command =
''"/Users/qbit/Applications/Nix Apps/Secretive.app/${secretAgent}"'';
serviceConfig = rec {
KeepAlive = true;
StandardErrorPath = StandardOutPath;
StandardOutPath = "/Users/qbit/Library/Logs/SecretAgent.log";
};
};
environment.variables = {
SSH_AUTH_SOCK =
"$HOME/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh";
};
environment.systemPackages = with pkgs; [
(callPackage ../../pkgs/nheko.nix { inherit isUnstable; })
(callPackage ../../pkgs/secretive.nix { inherit isUnstable; })
direnv
go
mosh
neovim
nixfmt
nmap
statix
];
}

197
hosts/weather/default.nix Normal file
View File

@ -0,0 +1,197 @@
{ config, pkgs, lib, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA7khawMK6P0fXjhXXPEUTA2rF2tYB2VhzseZA/EQ/OtAAAAC3NzaDpncmVhdGVy qbit@litr.bold.daemon"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI= qbit@litr.bold.daemon"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in {
_module.args.isUnstable = false;
imports = [ ./hardware-configuration.nix ];
defaultUsers.enable = false;
boot = {
initrd.availableKernelModules =
[ "usbhid" "usb_storage" "vc4" "rtc-ds3232" "rtc-ds1307" ];
kernelPackages = pkgs.linuxPackages_rpi4;
kernelModules = [ "raspberrypi_ts" "rtc-ds3232" "rtc-ds1307" ];
#kernelPatches = [{
# name = "touchscreen";
# patch = null;
# extraConfig = ''
# CONFIG_TOUCHSCREEN_RASPBERRYPI_FW m
# CONFIG_RTC_DRV_DS1307 m
# CONFIG_RTC_DRV_DS3232 m
# '';
#}];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
};
networking = {
hostName = "weather";
networkmanager = { enable = true; };
wireless.userControlled.enable = true;
hosts."100.120.151.126" = [ "graph.tapenet.org" ];
};
users.users.weather = {
shell = pkgs.zsh;
isNormalUser = true;
description = "Weather";
extraGroups = [ "wheel" ];
};
preDNS.enable = false;
services.xserver = {
enable = true;
libinput.enable = true;
windowManager.xmonad = {
enable = true;
extraPackages = haskellPackages: [ haskellPackages.xmonad-contrib ];
config = ''
{-# LANGUAGE QuasiQuotes #-}
import qualified Data.Map as M
import Data.Monoid
import XMonad
import XMonad.Actions.CycleWS
import XMonad.Hooks.EwmhDesktops
import XMonad.Hooks.ManageDocks
import XMonad.Hooks.UrgencyHook
import XMonad.Layout.Decoration
import XMonad.Layout.LayoutModifier
import XMonad.Layout.Simplest (Simplest(..))
import XMonad.Layout.Spacing
import XMonad.Layout.SubLayouts
import XMonad.Layout.Tabbed
import XMonad.Layout.WindowNavigation
import qualified XMonad.StackSet as W
import XMonad.Util.EZConfig
import XMonad.Util.NamedWindows
import XMonad.Util.Run
import XMonad.Util.SpawnOnce
data LibNotifyUrgencyHook =
LibNotifyUrgencyHook
deriving (Read, Show)
instance UrgencyHook LibNotifyUrgencyHook where
urgencyHook LibNotifyUrgencyHook w = do
name <- getName w
Just idx <- fmap (W.findTag w) $ gets windowset
safeSpawn "notify-send" [show name, "workspace " ++ idx]
main :: IO ()
main = do
xmonad $
ewmh $
withUrgencyHook LibNotifyUrgencyHook $
def
{ normalBorderColor = "#666666"
, focusedBorderColor = "darkgrey"
, focusFollowsMouse = False
, terminal = "xterm"
, workspaces = myWorkspaces
, startupHook = myStartupHook
, layoutHook = myLayoutHook
, keys = \c -> myKeys c `M.union` XMonad.keys def c
, manageHook = manageDocks <+> myManageHook <+> manageHook def
} `removeKeysP`
["M-p"] -- don't clober emacs.
myKeys :: XConfig t -> M.Map (KeyMask, KeySym) (X ())
myKeys (XConfig {XMonad.modMask = modm}) =
M.fromList
[ ((modm .|. shiftMask, xK_Right), shiftToNext)
, ((modm .|. shiftMask, xK_Left), shiftToPrev)
, ((modm, xK_r), spawn "rofi -show run")
, ((modm .|. controlMask, xK_h), sendMessage $ pullGroup L)
, ((modm .|. controlMask, xK_l), sendMessage $ pullGroup R)
, ((modm .|. controlMask, xK_k), sendMessage $ pullGroup U)
, ((modm .|. controlMask, xK_j), sendMessage $ pullGroup D)
, ((modm .|. controlMask, xK_m), withFocused (sendMessage . MergeAll))
, ((modm .|. controlMask, xK_u), withFocused (sendMessage . UnMerge))
, ((modm .|. controlMask, xK_period), onGroup W.focusUp')
, ((modm .|. controlMask, xK_comma), onGroup W.focusDown')
]
myWorkspaces :: [String]
myWorkspaces =
clickable $ ["main", "2", "3", "4", "5", "6", "7", "8", "console"]
where
clickable l =
[ "%{A1:xdotool key alt+" ++ show (n) ++ "&:}" ++ ws ++ "%{A}"
| (i, ws) <- zip [1 :: Int .. 9 :: Int] l
, let n = i
]
myTabTheme :: Theme
myTabTheme =
def
{ activeTextColor = "#000"
, activeColor = "#ffffea"
, inactiveColor = "#dedeff"
, urgentBorderColor = "red"
}
myLayoutHook ::
XMonad.Layout.LayoutModifier.ModifiedLayout WindowNavigation (XMonad.Layout.LayoutModifier.ModifiedLayout (XMonad.Layout.Decoration.Decoration XMonad.Layout.Tabbed.TabbedDecoration XMonad.Layout.Decoration.DefaultShrinker) (XMonad.Layout.LayoutModifier.ModifiedLayout (Sublayout Simplest) (XMonad.Layout.LayoutModifier.ModifiedLayout Spacing (Choose (XMonad.Layout.LayoutModifier.ModifiedLayout (XMonad.Layout.Decoration.Decoration XMonad.Layout.Tabbed.TabbedDecoration XMonad.Layout.Decoration.DefaultShrinker) (XMonad.Layout.LayoutModifier.ModifiedLayout (Sublayout Simplest) Tall)) (Choose (Mirror (XMonad.Layout.LayoutModifier.ModifiedLayout (XMonad.Layout.Decoration.Decoration XMonad.Layout.Tabbed.TabbedDecoration XMonad.Layout.Decoration.DefaultShrinker) (XMonad.Layout.LayoutModifier.ModifiedLayout (Sublayout Simplest) Tall))) Full))))) Window
myLayoutHook =
windowNavigation $
subTabbed $
spacingRaw True (Border 20 5 5 5) True (Border 10 10 10 10) True $
(tiled ||| Mirror tiled ||| Full)
where
tiled =
addTabs shrinkText myTabTheme . subLayout [] Simplest $
Tall nmaster delta ratio
nmaster = 1
ratio = 0.5
delta = 0.03
myManageHook :: Query (Data.Monoid.Endo WindowSet)
myManageHook =
composeAll
[ className =? "mpv" --> doFloat
, className =? "VLC" --> doFloat
, className =? "Pinentry-gtk-2" --> doFloat
, className =? "Pinentry-gnome3" --> doFloat
, className =? "XConsole" --> doF (W.shift (myWorkspaces !! 8))
]
myStartupHook :: X ()
myStartupHook = do
spawn "pkill polybar; polybar"
spawnOnce "firefox --kiosk https://graph.tapenet.org"
'';
};
#desktopManager.xfce.enable = true;
displayManager.autoLogin = {
enable = true;
user = "weather";
};
};
users.users.root = userBase;
environment.systemPackages = with pkgs; [
qutebrowser
firefox
dtc
rofi
polybar
nix-top
];
system.stateVersion = "21.11";
}

24
hosts/weather/hardware-configuration.nix Normal file
View File

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
{
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
"/tmp" = {
device = "/dev/disk/by-label/nix-extra";
fsType = "ext4";
};
};
hardware.enableRedistributableFirmware = true;
hardware.deviceTree = {
overlays = [
"${pkgs.raspberrypifw}/share/raspberrypi/boot/overlays/rpi-ft5406.dtbo"
];
};
hardware.raspberry-pi."4".fkms-3d.enable = true;
}

133
installer.nix Normal file
View File

@ -0,0 +1,133 @@
{ config, lib, options, pkgs, ... }:
let
managementKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";
in {
imports = [ ./configs/colemak.nix ./configs/tmux.nix ./configs/neovim.nix ];
options.myconf = {
hwPubKeys = lib.mkOption rec {
type = lib.types.listOf lib.types.str;
default = [
managementKey
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
];
example = default;
description = "List of hardwar public keys to use";
};
zshPrompt = lib.mkOption rec {
type = lib.types.lines;
example = default;
description = "Base zsh prompt";
default = ''
autoload -U promptinit && promptinit
autoload -Uz vcs_info
autoload -Uz colors && colors
setopt prompt_subst
#setopt prompt_sp
zstyle ':vcs_info:*' enable git hg cvs
zstyle ':vcs_info:*' get-revision true
zstyle ':vcs_info:git:*' check-for-changes true
zstyle ':vcs_info:git:*' formats '(%b)'
precmd_vcs_info() { vcs_info }
precmd_functions+=( precmd_vcs_info )
prompt_char() {
if [ -z "$IN_NIX_SHELL" ]; then
echo -n "%#"
else
echo -n ";"
fi
}
PROMPT='%n@%m[%(?.%{$fg[default]%}.%{$fg[red]%})%?%{$reset_color%}]:%~$vcs_info_msg_0_$(prompt_char) '
eval "$(direnv hook zsh)"
'';
};
zshConf = lib.mkOption rec {
type = lib.types.lines;
example = default;
description = "Base zsh config";
default = ''
export NO_COLOR=1
# That sweet sweet ^W
WORDCHARS='*?_-.[]~=&;!#$%^(){}<>'
autoload -Uz compinit && compinit
set -o emacs
'';
};
};
config = {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# from https://github.com/dylanaraps/neofetch
users.motd = ''
::::. '::::: ::::'
'::::: ':::::. ::::'
::::: '::::.:::::
.......:::::..... ::::::::
::::::::::::::::::. :::::: ::::.
::::::::::::::::::::: :::::. ::::'
..... ::::' :::::'
::::: '::' :::::'
........::::: ' :::::::::::.
::::::::::::: :::::::::::::
::::::::::: .. :::::
.::::: .::: :::::
.::::: .....
::::: :::::. ......:::::::::::::'
::: ::::::. ':::::::::::::::::'
.:::::::: '::::::::::
.::::'''::::. '::::.
.::::' ::::. '::::.
.:::: :::: '::::.
'';
boot.cleanTmpDir = true;
environment.systemPackages = with pkgs; [ apg inetutils nixfmt ];
environment.interactiveShellInit = ''
alias vi=nvim
'';
time.timeZone = "US/Mountain";
programs = {
zsh.enable = true;
ssh = {
startAgent = true;
extraConfig = "";
};
};
users.users.root = {
openssh.authorizedKeys.keys = config.myconf.hwPubKeys;
};
services = {
openntpd.enable = true;
pcscd.enable = true;
openssh = {
enable = true;
# This is set in modules/profiles/installation-device.nix, but it is set to 'yes' :(
#permitRootLogin = "prohibit-password";
passwordAuthentication = false;
};
};
};
}

43
overlays/default.nix Normal file
View File

@ -0,0 +1,43 @@
{ self, config, pkgs, lib, isUnstable, ... }:
{
nixpkgs.overlays = if isUnstable then [
# https://github.com/NixOS/nixpkgs/pull/186130
(self: super: {
tidal-hifi = super.tidal-hifi.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ pkgs.imagemagick ];
postFixup = ''
makeWrapper $out/opt/tidal-hifi/tidal-hifi $out/bin/tidal-hifi \
--prefix LD_LIBRARY_PATH : "${
lib.makeLibraryPath super.tidal-hifi.buildInputs
}" \
"''${gappsWrapperArgs[@]}"
substituteInPlace $out/share/applications/tidal-hifi.desktop --replace \
"/opt/tidal-hifi/tidal-hifi" "tidal-hifi"
for size in 48 64 128 256 512; do
mkdir -p $out/share/icons/hicolor/''${size}x''${size}/apps/
convert $out/share/icons/hicolor/0x0/apps/tidal-hifi.png \
-resize ''${size}x''${size} \
$out/share/icons/hicolor/''${size}x''${size}/apps/tidal-hifi.png
done
'';
});
})
(self: super: {
wireplumber = super.wireplumber.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(super.fetchpatch {
url =
"https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/398.patch";
sha256 = "sha256-rEp/3fjBRbkFuw4rBW6h8O5hcy/oBP3DW7bPu5rVfNY=";
})
];
});
})
] else
[ ];
}

45
pkgs/athens.nix Normal file
View File

@ -0,0 +1,45 @@
{ stdenv, lib, buildGoModule, fetchFromGitHub, isUnstable, makeWrapper, go, git
, ... }:
let
vendorHash = if isUnstable then
""
else
"sha256-7CnkKMZ1so1lflmp4D9EAESR6/u9ys5CTuVOsYetp0I=";
in with lib;
buildGoModule rec {
pname = "athens";
version = "0.11.0";
src = fetchFromGitHub {
owner = "gomods";
repo = pname;
rev = "v${version}";
sha256 = "sha256-hkewZ21ElkoDsbPPiCZNmWu4MBlKTlnrK72/xCX06Sk=";
};
doCheck = false;
ldflags = [ "-X github.com/gomods/athens/pkg/build.version=${version}" ];
nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper go ];
proxyVendor = true;
subPackages = [ "cmd/proxy" ];
vendorSha256 = vendorHash;
postInstall = lib.optionalString stdenv.isLinux ''
mv $out/bin/proxy $out/bin/athens
wrapProgram $out/bin/athens --prefix PATH : ${lib.makeBinPath [ git ]}
'';
meta = {
description = "A Go module datastore and proxy";
homepage = "https://github.com/gomods/athens";
license = licenses.mit;
maintainers = with maintainers; [ qbit ];
};
}

58
pkgs/cinny-desktop.nix Normal file
View File

@ -0,0 +1,58 @@
{ lib, fetchurl, appimageTools, makeDesktopItem, isUnstable, desktop-file-utils
, ... }:
let
name = "cinny-desktop";
version = "2.0.4";
src = fetchurl {
name = "cinny_${version}_amd64.AppImage";
url =
"https://github.com/cinnyapp/cinny-desktop/releases/download/v${version}/cinny_${version}_amd64.AppImage";
sha256 = "sha256-9ZQyVcTsHja67DhuIyniTK/xr0C6qN7fiCmjt8enUd8=";
};
appimageContents = appimageTools.extract { inherit name src; };
in appimageTools.wrapType2 rec {
inherit name src;
extraInstallCommands = ''
cp -r ${appimageContents}/* $out
cd $out
chmod -R +w $out
${desktop-file-utils}/bin/desktop-file-install --dir $out/share/applications \
--set-key Exec --set-value ${name} "cinny.desktop"
mv usr/bin/cinny $out/${name}
#mv usr/share share
rm -rf usr/lib/* AppRun* *.desktop
'';
extraPkgs = pkgs:
with pkgs; [
atk
avahi
brotli
cairo
fontconfig
freetype
fribidi
glew-egl
gobject-introspection
gst_all_1.gstreamer
harfbuzz
icu
libdrm
libGLU
libgpg-error
librsvg
libthai
pango
xorg.libX11
xorg.libxcb
zlib
];
}

8
pkgs/default.nix Normal file
View File

@ -0,0 +1,8 @@
{ config, lib, pkgs, isUnstable, ... }:
with pkgs; {
environment.systemPackages = with pkgs; [
(callPackage ./cinny-desktop.nix { inherit isUnstable; })
(callPackage ./mudita-center.nix { inherit isUnstable; })
];
}

35
pkgs/gitmux.nix Normal file
View File

@ -0,0 +1,35 @@
{ lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:
let
vendorHash = if isUnstable then
"sha256-lUVngyYnLwCmNXFBMEDO7ecFZNkSi9GGDNTIG4Mk1Zw="
else
"sha256-oBZaMS7O6MvvznVn9kQ7h0srWvD3VvxerXgghj0CIzM=";
in with lib;
buildGoModule rec {
pname = "gitmux";
version = "0.7.9";
src = fetchFromGitHub {
owner = "arl";
repo = pname;
rev = "v${version}";
sha256 = "sha256-tB/HPOJQEgs3/rHFn7ezi6R9C3HceASLU3WjjKDii9o=";
};
vendorSha256 = vendorHash;
ldflags = [ "-X main.version=${version}" ];
proxyVendor = true;
doCheck = false;
meta = {
description = "Gitmux shows git status in your tmux status bar";
homepage = "https://github.com/arl/gitmux";
license = licenses.mit;
maintainers = with maintainers; [ qbit ];
};
}

1751
pkgs/got-sigs.diff Normal file
View File

File diff suppressed because it is too large Load Diff

56
pkgs/got.nix Normal file
View File

@ -0,0 +1,56 @@
{ lib, stdenv, fetchpatch, fetchgit, bison, pkg-config, libressl, libbsd
, libuuid, libmd, zlib, ncurses, isUnstable, openssh, autoreconfHook
, sshKeyGenPath ? "/run/current-system/sw/bin/ssh-keygen" }:
stdenv.mkDerivation rec {
pname = "got";
rev = "a8fa2ba8469e013475c403304989843b7fc17ae8";
version = "0.74";
src = fetchgit {
inherit rev;
url = "git://git.gameoftrees.org/got-portable.git";
sha256 = "sha256-oQofGknpCyRFyNuUZYpLcZ57JCl04wuaxM1RpIXp1LE=";
};
patches = [
(fetchpatch {
url = "http://sprunge.us/sEDCV2";
sha256 = "sha256-oondY/IMU6YMnx5+lIGpN43/tQ/tkCarmveMykQc24c=";
})
];
nativeBuildInputs = [ pkg-config libressl libbsd libmd zlib autoreconfHook ];
buildInputs = [ bison libressl libbsd libuuid libmd zlib ncurses ];
CFLAGS = ''-DGOT_TAG_PATH_SSH_KEYGEN=\"${sshKeyGenPath}\"'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
test "$($out/bin/got --version)" = '${pname} ${version}'
runHook postInstallCheck
'';
meta = with lib; {
description =
"A version control system which prioritizes ease of use and simplicity over flexibility";
longDescription = ''
Game of Trees (Got) is a version control system which prioritizes
ease of use and simplicity over flexibility.
Got uses Git repositories to store versioned data. Git can be used
for any functionality which has not yet been implemented in
Got. It will always remain possible to work with both Got and Git
on the same repository.
'';
homepage = "https://gameoftrees.org";
license = licenses.isc;
platforms = platforms.linux;
maintainers = with maintainers; [ qbit ];
};
}

33
pkgs/gqrss.nix Normal file
View File

@ -0,0 +1,33 @@
{ lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:
let
vendorHash = if isUnstable then
""
else
"sha256-NIAJKq7TiMessqaohkdHy+j/vBKvMsiPgmnaiNAsGeE=";
in with lib;
buildGoModule rec {
pname = "gqrss";
version = "1.0.0";
src = fetchFromGitHub {
owner = "qbit";
repo = pname;
rev = "v${version}";
sha256 = "sha256-1ZGjifDgqA9yk9l0YB4rLpcvwaq9lWxDgItJ7lCVj2I=";
};
vendorSha256 = vendorHash;
proxyVendor = true;
doCheck = false;
meta = {
description = "Simple github query tool";
homepage = "https://github.com/qbit/gqrss";
license = licenses.isc;
maintainers = with maintainers; [ qbit ];
};
}

212
pkgs/icbirc.diff Normal file
View File

@ -0,0 +1,212 @@
diff --git a/Makefile b/Makefile
index 60b96d5..d894cc9 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ PROG= icbirc
SRCS= icbirc.c icb.c irc.c
MAN= icbirc.8
-CFLAGS+= -Wall -Werror -Wstrict-prototypes -ansi
+CFLAGS+= -Wall -Wstrict-prototypes -std=gnu99
+LDFLAGS+= -lbsd
.include <bsd.prog.mk>
diff --git a/irc.c b/irc.c
index 239b7eb..2cb47c7 100644
--- a/irc.c
+++ b/irc.c
@@ -42,7 +42,7 @@ extern void scan(const char **, char *, size_t, const char *,
const char *);
extern int sync_write(int, const char *, int);
-static void irc_cmd(const char *, int, int);
+static void irc_cmd(char *, int, int);
static void irc_send_pong(int, const char *);
@@ -93,44 +93,55 @@ irc_recv(const char *buf, unsigned len, int client_fd, int server_fd)
}
static void
-irc_cmd(const char *cmd, int client_fd, int server_fd)
+irc_cmd(char *cmd, int client_fd, int server_fd)
{
- if (!strncasecmp(cmd, "PASS ", 5)) {
- cmd += 5;
- scan(&cmd, irc_pass, sizeof(irc_pass), " ", " ");
- } else if (!strncasecmp(cmd, "USER ", 5)) {
- cmd += 5;
- scan(&cmd, irc_ident, sizeof(irc_ident), " ", " ");
+ if (!strncasecmp(cmd, "RAWICB ", 7)) {
+ icb_send_raw(server_fd, cmd + 7);
+ return;
+ }
+
+ char *argv[10], *p;
+ int argc = 1;
+
+ for (p = cmd, argv[0] = p; argc < 10 && (p = strchr(p, ' ')) != NULL;
+ argc++) {
+ *p = 0;
+ p++;
+ while (*p == ' ')
+ p++;
+ if (*p == ':') {
+ argv[argc] = p + 1;
+ argc++;
+ break;
+ }
+ argv[argc] = p;
+ }
+
+ if (!strcasecmp(argv[0], "PASS")) {
+ strlcpy(irc_pass, argv[1], sizeof(irc_pass));
+ } else if (!strcasecmp(argv[0], "USER")) {
+ strlcpy(irc_ident, argv[1], sizeof(irc_ident));
if (!icb_logged_in && irc_nick[0] && irc_ident[0])
icb_send_login(server_fd, irc_nick,
irc_ident, irc_pass);
- } else if (!strncasecmp(cmd, "NICK ", 5)) {
- cmd += 5;
- scan(&cmd, irc_nick, sizeof(irc_nick), " ", " ");
+ } else if (!strcasecmp(argv[0], "NICK")) {
+ strlcpy(irc_nick, argv[1], sizeof(irc_nick));
if (icb_logged_in)
icb_send_name(server_fd, irc_nick);
else if (irc_nick[0] && irc_ident[0])
icb_send_login(server_fd, irc_nick,
irc_ident, irc_pass);
- } else if (!strncasecmp(cmd, "JOIN ", 5)) {
- char group[128];
-
- cmd += 5;
- if (*cmd == '#')
- cmd++;
- scan(&cmd, group, sizeof(group), " ", " ");
- icb_send_group(server_fd, group);
- } else if (!strncasecmp(cmd, "PART ", 5)) {
+ } else if (!strcasecmp(argv[0], "JOIN")) {
+ icb_send_group(server_fd,
+ argv[1] + (argv[1][0] == '#' ? 1 : 0));
+ } else if (!strcasecmp(argv[0], "PART")) {
in_irc_channel = 0;
- } else if (!strncasecmp(cmd, "PRIVMSG ", 8) ||
- !strncasecmp(cmd, "NOTICE ", 7)) {
- char dst[128];
+ } else if (!strcasecmp(argv[0], "PRIVMSG") ||
+ !strcasecmp(argv[0], "NOTICE")) {
char msg[8192];
unsigned i, j;
- cmd += strncasecmp(cmd, "NOTICE ", 7) ? 8 : 7;
- scan(&cmd, dst, sizeof(dst), " ", " ");
- scan(&cmd, msg, sizeof(msg), " ", "");
+ strlcpy(msg, argv[2], sizeof(msg));
/* strip \001 found in CTCP messages */
i = 0;
while (msg[i]) {
@@ -141,73 +152,52 @@ irc_cmd(const char *cmd, int client_fd, int server_fd)
} else
i++;
}
- if (!strcmp(dst, irc_channel))
- icb_send_openmsg(server_fd,
- msg + (msg[0] == ':' ? 1 : 0));
+ if (!strcmp(argv[1], irc_channel))
+ icb_send_openmsg(server_fd, msg);
else
- icb_send_privmsg(server_fd, dst,
- msg + (msg[0] == ':' ? 1 : 0));
- } else if (!strncasecmp(cmd, "MODE ", 5)) {
- cmd += 5;
- if (!strcmp(cmd, irc_channel))
+ icb_send_privmsg(server_fd, argv[1], msg);
+ } else if (!strcasecmp(argv[0], "MODE")) {
+ if (strcmp(argv[1], irc_channel))
+ return;
+ if (argc == 2)
icb_send_names(server_fd, irc_channel);
- else if (!strncmp(cmd, irc_channel, strlen(irc_channel))) {
- cmd += strlen(irc_channel);
- if (strncmp(cmd, " +o ", 4)) {
+ else {
+ if (strcmp(argv[2], "+o")) {
printf("irc_cmd: invalid MODE args '%s'\n",
- cmd);
+ argv[2]);
return;
}
- cmd += 4;
- icb_send_pass(server_fd, cmd);
+ icb_send_pass(server_fd, argv[3]);
}
- } else if (!strncasecmp(cmd, "TOPIC ", 6)) {
- cmd += 6;
- if (strncmp(cmd, irc_channel, strlen(irc_channel))) {
- printf("irc_cmd: invalid TOPIC args '%s'\n", cmd);
+ } else if (!strcasecmp(argv[0], "TOPIC")) {
+ if (strcmp(argv[1], irc_channel)) {
+ printf("irc_cmd: invalid TOPIC channel '%s'\n",
+ argv[1]);
return;
}
- cmd += strlen(irc_channel);
- if (strncmp(cmd, " :", 2)) {
- printf("irc_cmd: invalid TOPIC args '%s'\n", cmd);
- return;
- }
- cmd += 2;
- icb_send_topic(server_fd, cmd);
- } else if (!strcasecmp(cmd, "LIST")) {
+ icb_send_topic(server_fd, argv[2]);
+ } else if (!strcasecmp(argv[0], "LIST")) {
icb_send_list(server_fd);
- } else if (!strncasecmp(cmd, "NAMES ", 6)) {
- cmd += 6;
- icb_send_names(server_fd, cmd);
- } else if (!strncasecmp(cmd, "WHOIS ", 6)) {
- cmd += 6;
- icb_send_whois(server_fd, cmd);
- } else if (!strncasecmp(cmd, "WHO ", 4)) {
- cmd += 4;
- icb_send_who(server_fd, cmd);
- } else if (!strncasecmp(cmd, "KICK ", 5)) {
- char channel[128], nick[128];
-
- cmd += 5;
- scan(&cmd, channel, sizeof(channel), " ", " ");
- scan(&cmd, nick, sizeof(nick), " ", " ");
- if (strcmp(channel, irc_channel)) {
- printf("irc_cmd: invalid KICK args '%s'\n", cmd);
+ } else if (!strcasecmp(argv[0], "NAMES")) {
+ icb_send_names(server_fd, argv[1]);
+ } else if (!strcasecmp(argv[0], "WHOIS")) {
+ icb_send_whois(server_fd, argv[1]);
+ } else if (!strcasecmp(argv[0], "WHO")) {
+ icb_send_who(server_fd, argv[1]);
+ } else if (!strcasecmp(argv[0], "KICK")) {
+ if (strcmp(argv[1], irc_channel)) {
+ printf("irc_cmd: invalid KICK args '%s'\n", argv[1]);
return;
}
- icb_send_boot(server_fd, nick);
- } else if (!strncasecmp(cmd, "PING ", 5)) {
+ icb_send_boot(server_fd, argv[2]);
+ } else if (!strcasecmp(argv[0], "PING")) {
icb_send_noop(server_fd);
- cmd += 5;
- irc_send_pong(client_fd, cmd);
- } else if (!strncasecmp(cmd, "RAWICB ", 7)) {
- cmd += 7;
- icb_send_raw(server_fd, cmd);
- } else if (!strncasecmp(cmd, "QUIT ", 5)) {
+ irc_send_pong(client_fd, argv[1]);
+ } else if (!strcasecmp(argv[0], "QUIT")) {
printf("client QUIT\n");
terminate_client = 1;
} else
- printf("irc_cmd: unknown cmd '%s'\n", cmd);
+ printf("irc_cmd: unknown command '%s'\n", argv[0]);
}
void

27
pkgs/icbirc.nix Normal file
View File

@ -0,0 +1,27 @@
{ lib, stdenv, fetchpatch, fetchurl, pkgs, ... }:
stdenv.mkDerivation rec {
pname = "icbirc";
version = "2.1";
src = fetchurl {
url = "http://www.benzedrine.ch/icbirc-2.1.tar.gz";
sha256 = "sha256-aDk0TZPABNqX7Gu12AWh234Kee/DhwRFeIBDYnFiu7E=";
};
patches = [ ./icbirc.diff ];
buildInputs = with pkgs; [ libbsd bsdbuild bmake ];
meta = with lib; {
description = "proxy IRC client with ICB server";
longDescription = ''
icbirc is a proxy that allows to connect an IRC client to an ICB server.
'';
homepage = "http://www.benzedrine.ch/icbirc.html";
license = licenses.bsd2;
platforms = platforms.linux;
maintainers = with maintainers; [ qbit ];
};
}

35
pkgs/mcchunkie.nix Normal file
View File

@ -0,0 +1,35 @@
{ lib, buildGo118Module, fetchFromGitHub, isUnstable, ... }:
let
vendorHash = if isUnstable then
""
else
"sha256-d8YeLD/BQAB6IC4jvBke9EIKAe+7/MnPgVYztqjU5c4=";
in with lib;
buildGo118Module rec {
pname = "mcchunkie";
version = "1.0.8";
src = fetchFromGitHub {
owner = "qbit";
repo = pname;
rev = "v${version}";
sha256 = "sha256-UNPv9QXFJeNx+3RleseNVSKBZGNc3eiMsEKnfIVyoeA=";
};
vendorSha256 = vendorHash;
ldflags = [ "-X suah.dev/mcchunkie/plugins.version=${version}" ];
proxyVendor = true;
doCheck = false;
meta = {
description = "Matrix Bot";
homepage = "https://github.com/qbit/mcchunkie";
license = licenses.mit;
maintainers = with maintainers; [ qbit ];
};
}

37
pkgs/mudita-center.nix Normal file
View File

@ -0,0 +1,37 @@
{ lib, fetchurl, appimageTools, makeDesktopItem, isUnstable, desktop-file-utils
, ... }:
let
name = "mudita-center";
version = "1.3.0";
src = fetchurl {
name = "mudita-center.AppImage";
url =
"https://github.com/mudita/mudita-center/releases/download/${version}/Mudita-Center.AppImage";
sha256 = "1cqrrs5ycl5lrla8mprx443dpiz99a63f4i3da43vxh1xxl0ki4n";
};
appimageContents = appimageTools.extract { inherit name src; };
in appimageTools.wrapType1 rec {
inherit name src;
extraInstallCommands = ''
cp -r ${appimageContents}/* $out
cd $out
chmod -R +w $out
mv "Mudita Center" $out/${name}
# TODO:
#${desktop-file-utils}/bin/desktop-file-install --dir $out/share/applications \
# --set-key Exec --set-value ${name} "Mudita Center.desktop"
mv usr/share/icons share
rm usr/lib/* AppRun *.desktop
'';
#extraPkgs = pkgs: with pkgs; [ ];
}

28
pkgs/nheko.nix Normal file
View File

@ -0,0 +1,28 @@
{ lib, fetchurl, stdenv, undmg, isUnstable }:
stdenv.mkDerivation rec {
pname = "nheko";
version = "0.10.0";
src = fetchurl {
url =
"https://github.com/Nheko-Reborn/nheko/releases/download/v${version}/nheko-v${version}.dmg";
hash = "sha256-t7evlvb+ueJZhtmt4KrOeXv2BZV8/fY4vj4GAmoCR2w=";
};
nativeBuildInputs = [ undmg ];
sourceRoot = ".";
installPhase = ''
mkdir -p $out/Applications
cp -a Nheko.app $out/Applications/
'';
meta = {
description = "Desktop client for Matrix using Qt and C++17";
homepage = "https://github.com/Nheko-Reborn/nheko";
license = lib.licenses.gpl3;
platforms = lib.platforms.darwin;
};
}

28
pkgs/secretive.nix Normal file
View File

@ -0,0 +1,28 @@
{ lib, fetchurl, stdenv, unzip, isUnstable }:
stdenv.mkDerivation rec {
pname = "secretive";
version = "2.2.0";
src = fetchurl {
name = "Secretive-${version}.zip";
url =
"https://github.com/maxgoedjen/secretive/releases/download/v${version}/Secretive.zip";
hash = "sha256-gjB8bevzbgYZ1GtAVMK+IBp9eP+Y79s8RhK/sdg7AI8=";
};
buildInputs = [ unzip ];
installPhase = ''
mkdir -p $out/Applications
cp -R ../*.app $out/Applications
'';
meta = {
description =
"Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app.";
homepage = "https://github.com/maxgoedjen/secretive";
license = lib.licenses.mit;
platforms = lib.platforms.darwin;
};
}

147
services/config-manager.nix Normal file
View File

@ -0,0 +1,147 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfgMgr = config.configManager;
cfgRouter = config.configManager.router;
pfConf = pkgs.writeTextFile {
name = "pf.conf";
text = ''
# Auto generated pf.conf for ${cfgRouter.hostName}
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
# Tables defined in `extraTables`;
${cfgRouter.extraTables}
set block-policy drop
set loginterface egress
set skip on lo
set optimization aggressive
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block out on vlan10 from !vlan10:network
block out on vlan6 from !vlan6:network
antispoof quick for { egress, em, vlan, wg }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
#pass in on { em1, vlan2, vlan5, vlan6, vlan10, vlan11, wg0 } inet
pass in on { vlan20, vlan2, vlan5, vlan6, vlan10, vlan11, wg0 } inet
${optionalString cfgRouter.pfAllowUnifi ''
# cfgRouter.pfAllowUnifi.enabled = true;
pass in on { em1 } inet
pass proto tcp from em1:network to vlan5:network
''}
pass in on egress proto udp from any to port 7121
pass proto tcp from vlan20:network to vlan5:network
pass proto tcp from wg0:network to vlan5:network
pass in on egress inet proto tcp from any to (egress) port { 80, 443, 2222 } rdr-to 10.20.30.15
pass in log proto tcp from vlan5:network to (egress) port 2222 divert-to 127.0.0.1 port 2222
pass in log proto tcp from vlan5:network to (egress) port 443 divert-to 127.0.0.1 port 443
pass in log proto tcp from vlan5:network to (egress) port 80 divert-to 127.0.0.1 port 80
anchor "relayd/*"
'';
};
interfaceOptions = mkOptionType { name = "interface text"; };
interfaceFiles = mapAttrs' (name: value:
nameValuePair "configManager/router/hostname.${name}" {
text = value.text + "\n";
}) cfgRouter.interfaces;
in {
options = {
configManager = {
enable = lib.mkEnableOption "Manage configurations for non-nix machines.";
router = {
enable = lib.mkEnableOption "Manage an OpenBSD router.";
hostName = mkOption {
type = types.str;
description = ''
Host to sync router configs with.
'';
};
extraTables = mkOption {
type = types.lines;
default = "";
description = ''
Extra pf.conf tables to add to the generated pf.conf.
'';
};
services = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "dhcpd" "unbound" ];
description = ''
Services to run on the router (rcctl enable XXX, rcctl start XXX).
'';
};
keepClean = mkOption {
type = types.bool;
default = true;
description = ''
Keep host configuration clean. This means any non-managed hostname.if files will be
removed, non-managed services will be stopped and disabled, non-managed packages will
be removed.. etc.
'';
};
interfaces = mkOption {
default = { };
type = types.attrsOf interfaceOptions;
description = ''
Interfaces to create hostname.if files for.
'';
example = literalExpression ''
{
em0 = {
text = "inet autoconf inet6 autoconf";
};
vlan1 {
text = "inet 10.12.0.1 255.255.255.0 10.12.0.255 vnetid 1 parent em1 up";
};
}
'';
};
pfAllowUnifi = mkOption {
type = types.bool;
description = ''
Whether to allow the Ubiquiti Unifi stuff to have access to the greater internet.
'';
};
};
};
};
config = lib.mkIf cfgMgr.enable {
environment.etc = {
"configManager/router/pf.conf".text = builtins.readFile pfConf;
"configManager/router/managed_interfaces".text =
(concatMapStringsSep "\n") (h: "hostname.${h}")
(builtins.attrNames config.configManager.router.interfaces) + "\n";
} // interfaceFiles;
};
}

4
services/default.nix Normal file
View File

@ -0,0 +1,4 @@
{ config, lib, pkgs, ... }:
with lib; {
imports = [ ./ssh-fido-agent.nix ./config-manager.nix ];
}

68
services/ssh-fido-agent.nix Normal file
View File

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
perl = "${pkgs.perl}/bin/perl";
sshAdd = "${pkgs.openssh}/bin/ssh-add";
pKill = "${pkgs.procps}/bin/pkill";
awk = "${pkgs.gawk}/bin/awk";
# fido-add-device is started by a systemd unit. It runs continuously waiting for a USR1 signal
# that is triggered by inserting a Yubikey. Once it receives the signal, it executes 'ssh-add -K'
# which when run without a terminal will use SSH_ASKPASS to prompt the user for the unlock
# phrase for their YK FIDO setup.
fidoAddDevice = pkgs.writeScriptBin "fido-add-device" ''
#!${perl}
use strict;
use warnings;
$ENV{'SSH_AUTH_SOCK'} = "$ENV{'XDG_RUNTIME_DIR'}/ssh-agent";
$ENV{'DISPLAY'} = `systemctl --user show-environment | ${awk} -F= '/^DISPLAY/ {print \$NF}'`;
$SIG{USR1} = sub { system("${sshAdd}", "-K") };
while (1) {
sleep;
}
'';
# fido-send-sig is called by a udev rule when a YK is attached. It sends SIGUSR1 to fido-add-device.
fidoSendSig = pkgs.writeScriptBin "fido-send-sig" ''
#! ${pkgs.runtimeShell} -e
${pKill} -USR1 -xf "${perl} ${fidoAddDevice}/bin/fido-add-device"
'';
# my-ssh-askpass-wrapper wraps programs.ssh.askPassword in order to supply user-specific environment
# variables.
# TODO: replace this with makeWrapper
askPassWrapper = pkgs.writeScript "my-ssh-askpass-wrapper" ''
#! ${pkgs.runtimeShell} -e
export DISPLAY="$(systemctl --user show-environment | ${awk} -F= '/^DISPLAY/ {print $NF}')"
export SSH_AUTH_SOCK="$(echo $XDG_RUNTIME_DIR/ssh-agent)";
exec ${config.programs.ssh.askPassword} "$@"
'';
in {
options = {
sshFidoAgent = {
enable = lib.mkEnableOption "Add FIDO keys to ssh-agent when attached.";
};
};
config = lib.mkIf config.sshFidoAgent.enable {
environment.systemPackages = with pkgs; [ fidoAddDevice ];
systemd.user.services.sshfidoagent = {
script = ''
${fidoAddDevice}/bin/fido-add-device
'';
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
environment.DISPLAY = "fake";
environment.SSH_ASKPASS = askPassWrapper;
#serviceConfig = { Restart = "on-failure"; };
};
services.udev.extraRules = ''
SUBSYSTEM=="hidraw", ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407|0402", RUN+="${fidoSendSig}/bin/fido-send-sig"
'';
};
}

22
system/nix-config.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, pkgs, lib, isUnstable, ... }:
let
nixOptions = {
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 10d";
};
# Enable flakes
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
in {
nix = if isUnstable then
{ settings.auto-optimise-store = true; } // nixOptions
else
{ autoOptimiseStore = true; } // nixOptions;
}

25
system/nix-lockdown.nix Normal file
View File

@ -0,0 +1,25 @@
{ config, lib, isUnstable, ... }:
with lib; {
options = {
nixLockdown = {
enable = mkOption {
description = "Lockdown Nix";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkIf config.nixLockdown.enable {
nix = if isUnstable then {
settings.sandbox = true;
settings.trusted-users = [ "@wheel" ];
settings.allowed-users = [ "root" "qbit" ];
} else {
allowedUsers = [ "@wheel" ];
trustedUsers = [ "root" "qbit" ];
useSandbox = true;
};
};
}

20
system/update.nix Normal file
View File

@ -0,0 +1,20 @@
{ config, lib, ... }:
with lib; {
options = {
autoUpdate = {
enable = mkOption {
description = "Enable Auto Update";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkIf config.autoUpdate.enable {
system.autoUpgrade = {
enable = true;
allowReboot = false;
};
};
}

51
users/default.nix Normal file
View File

@ -0,0 +1,51 @@
{ config, lib, pkgs, isUnstable, ... }:
with lib;
let
userBase = {
shell = pkgs.zsh;
openssh.authorizedKeys.keys = config.myconf.hwPubKeys;
};
goVersion = pkgs.go_1_18;
in {
options = {
defaultUsers = {
enable = mkOption {
description = "Enable regular set of users";
default = true;
example = true;
type = lib.types.bool;
};
};
};
config = mkIf config.defaultUsers.enable {
users.users.root = userBase;
users.users.qbit = userBase // {
isNormalUser = true;
description = "Aaron Bieber";
home = "/home/qbit";
extraGroups = [ "wheel" ];
};
environment.systemPackages =
if isUnstable then [ goVersion pkgs.yash ] else [ goVersion ];
programs.ssh = {
startAgent = true;
agentTimeout = "100m";
extraConfig = ''
VerifyHostKeyDNS yes
AddKeysToAgent confirm 90m
CanonicalizeHostname always
Host *
controlmaster auto
controlpath /tmp/ssh-%r@%h:%p
Include /home/qbit/.ssh/host_config
'';
};
};
}