colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: colin:staging/lightdm-mobile-upstream
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag
..
compare: colin:wip/arm-flutter
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag

1 Commits
staging/li ... wip/arm-fl

Author SHA1 Message Date
colin
a17ad5fbf2 moby: build/deploy kaiteki 2022-10-09 04:17:04 -07:00
97 changed files with 2299 additions and 2146 deletions
Expand all files Collapse all files

14
.sops.yaml
View File

@@ -23,7 +23,6 @@ creation_rules:
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_servo_colin
- *host_servo
- path_regex: secrets/desko.yaml$
@@ -32,16 +31,3 @@ creation_rules:
- *user_desko_colin
- *user_lappy_colin
- *host_desko
- path_regex: secrets/lappy.yaml$
key_groups:
- age:
- *user_lappy_colin
- *user_desko_colin
- *host_lappy
- path_regex: secrets/moby.yaml$
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_moby_colin
- *host_moby

16
TODO.md Normal file
View File

@@ -0,0 +1,16 @@
# features/tweaks
- emoji picker application
- find a Masto/Pleroma app which works on mobile
- remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
# speed up cross compiling
- <https://nixos.wiki/wiki/Cross_Compiling>
- <https://nixos.wiki/wiki/NixOS_on_ARM>
```nix
overlays = [{ ... }: {
nixpkgs.crossSystem.system = "aarch64-linux";
}];
```
- <https://github.com/nix-community/aarch64-build-box>
- apply for access to the community arm build box

95
flake.lock generated
View File

@@ -1,20 +1,5 @@
{
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -22,11 +7,11 @@
]
},
"locked": {
"lastModified": 1667299227,
"narHash": "sha256-vAJPFSDYUq3DdCL8OzTg4xObRNW+yA1Pt+NzbhGu1f8=",
"lastModified": 1656169755,
"narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f0ecd4b1db5e15103e955b18cb94bea4296e5c45",
"rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
"type": "github"
},
"original": {
@@ -54,11 +39,11 @@
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1667160126,
"narHash": "sha256-YRgxMHdvMuLsuXCaKs5YNMD6NKgvcATSjfi9YkUOOLk=",
"lastModified": 1664852186,
"narHash": "sha256-t0FhmTf3qRs8ScR8H9Rq7FAxptNELLSpxZG2ALL1HnE=",
"owner": "nixos",
"repo": "mobile-nixos",
"rev": "da56c338a2b00c868697b75bdbd388f60d50c820",
"rev": "ca872f1a617674c4045e880aab8a45037e73700b",
"type": "github"
},
"original": {
@@ -69,11 +54,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1667231093,
"narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
"lastModified": 1665081174,
"narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
"rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
"type": "github"
},
"original": {
@@ -84,11 +69,11 @@
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1667091951,
"narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
"lastModified": 1665279158,
"narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6440d13df2327d2db13d3b17e419784020b71d22",
"rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
"type": "github"
},
"original": {
@@ -100,11 +85,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1667254466,
"narHash": "sha256-YrMQzDVOo+uz5gg1REj2q/uVhJE3WcpkqGiMzh3Da3o=",
"lastModified": 1665132027,
"narHash": "sha256-zoHPqSQSENt96zTk6Mt1AP+dMNqQDshXKQ4I6MfjP80=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
"rev": "9ecc270f02b09b2f6a76b98488554dd842797357",
"type": "github"
},
"original": {
@@ -113,6 +98,22 @@
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1665197809,
"narHash": "sha256-dRUzv/zNYV2EYtnxFG31pPBk0nErT+MBTu6ZJHm1o2A=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7b06206fa24198912cea58de690aa4943f238fbf",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
@@ -120,23 +121,20 @@
"mobile-nixos": "mobile-nixos",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable",
"sops-nix": "sops-nix",
"uninsane": "uninsane"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1667102919,
"narHash": "sha256-DP5j4TwXe96eZf0PLgYSj1Hdyt7SPUoQ003iNBQSKpQ=",
"lastModified": 1665289655,
"narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "448ec3e7eb7c7e4563cc2471db748a71baaf9698",
"rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
"type": "github"
},
"original": {
@@ -144,27 +142,6 @@
"repo": "sops-nix",
"type": "github"
}
},
"uninsane": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1666870107,
"narHash": "sha256-b9eXZxSwhzdJI5uQgfrMhu4SY2POrPkinUg7F5gQVYo=",
"ref": "refs/heads/master",
"rev": "80c6ec95bd430e29d231cf745f19279bb76fb382",
"revCount": 164,
"type": "git",
"url": "https://git.uninsane.org/colin/uninsane"
},
"original": {
"type": "git",
"url": "https://git.uninsane.org/colin/uninsane"
}
}
},
"root": "root",

43
flake.nix
View File

@@ -14,27 +14,13 @@
url = "github:nix-community/home-manager/release-22.05";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
# TODO: set these up to follow our nixpkgs?
sops-nix.url = "github:Mic92/sops-nix";
impermanence.url = "github:nix-community/impermanence";
uninsane = {
url = "git+https://git.uninsane.org/colin/uninsane";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
self,
nixpkgs,
nixpkgs-stable,
mobile-nixos,
home-manager,
sops-nix,
impermanence,
uninsane
}: let
outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence }:
let
patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched-uninsane";
src = nixpkgs;
@@ -54,14 +40,15 @@
specialArgs = { inherit mobile-nixos home-manager impermanence; };
modules = [
./modules
(import ./machines/instantiate.nix name)
./machines/${name}
(import ./helpers/set-hostname.nix name)
home-manager.nixosModule
impermanence.nixosModule
sops-nix.nixosModules.sops
{
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [
(import "${mobile-nixos}/overlay/overlay.nix")
uninsane.overlay
(import ./pkgs/overlay.nix)
(next: prev: rec {
# non-emulated packages build *from* local *for* target.
@@ -70,10 +57,7 @@
cross = (nixpkgsFor local target) // (customPackagesFor local target);
stable = import nixpkgs-stable { system = target; };
# pinned packages:
electrum = stable.electrum; # 2022-10-10: build break
sequoia = stable.sequoia; # 2022-10-13: build break
# cross-compatible packages
gocryptfs = cross.gocryptfs;
electrum = stable.electrum;
})
];
}
@@ -110,15 +94,8 @@
in {
nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
imgs = builtins.mapAttrs (name: value: value.img) machines;
packages = let
allPkgsFor = sys: (customPackagesFor sys sys) // {
nixpkgs = nixpkgsFor sys sys;
uninsane = uninsane.packages."${sys}";
};
in {
x86_64-linux = allPkgsFor "x86_64-linux";
aarch64-linux = allPkgsFor "aarch64-linux";
};
packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
};
}

4
helpers/set-hostname.nix Normal file
View File

@@ -0,0 +1,4 @@
hostName: { ... }:
{
networking.hostName = hostName;
}

7
machines/desko/default.nix
View File

@@ -4,8 +4,6 @@
./fs.nix
];
# sane.home-packages.enableDevPkgs = true;
sane.gui.sway.enable = true;
sane.services.duplicity.enable = true;
sane.services.nixserve.enable = true;
@@ -20,11 +18,6 @@
users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/desko.yaml;
neededForUsers = true;
};
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots

11
machines/instantiate.nix
View File

@@ -1,11 +0,0 @@
# trampoline from flake.nix into the specific machine definition, while doing a tiny bit of common setup
hostName: { ... }: {
imports = [
./${hostName}
];
networking.hostName = hostName;
nixpkgs.config.allowUnfree = true;
}

7
machines/lappy/default.nix
View File

@@ -4,8 +4,6 @@
./fs.nix
];
# sane.home-packages.enableDevPkgs = true;
# sane.users.guest.enable = true;
sane.gui.sway.enable = true;
sane.impermanence.enable = true;
@@ -13,11 +11,6 @@
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/lappy.yaml;
neededForUsers = true;
};
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots

12
machines/moby/default.nix
View File

@@ -13,19 +13,13 @@
# TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
documentation.nixos.enable = false;
# XXX colin: phosh doesn't work well with passwordless login,
# so set this more reliable default password should anything go wrong
# XXX colin: phosh doesn't work well with passwordless login
users.users.colin.initialPassword = "147147";
services.getty.autologinUser = "root"; # allows for emergency maintenance?
sops.secrets.colin-passwd = {
sopsFile = ../../secrets/moby.yaml;
neededForUsers = true;
};
# usability compromises
sane.impermanence.home-dirs = [
config.sane.web-browser.dotDir
".librewolf"
];
# sane.home-packages.enableGuiPkgs = false; # XXX faster builds/imaging for debugging
@@ -81,5 +75,7 @@
environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
hardware.opengl.driSupport = true;
}

5
machines/servo/default.nix
View File

@@ -9,11 +9,10 @@
./services
];
sane.home-manager.enable = true;
sane.home-manager.extraPackages = [
# for administering services
# for administering matrix
pkgs.matrix-synapse
pkgs.freshrss
pkgs.goaccess
];
sane.impermanence.enable = true;
sane.services.duplicity.enable = true;

2
machines/servo/services/default.nix
View File

@@ -2,9 +2,7 @@
{
imports = [
./ddns-he.nix
./freshrss.nix
./gitea.nix
./goaccess.nix
./ipfs.nix
./jackett.nix
./jellyfin.nix

48
machines/servo/services/freshrss.nix
View File

@@ -1,48 +0,0 @@
# import feeds with e.g.
# ```console
# $ nix build '.#nixpkgs.freshrss'
# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
# ```
#
# export feeds with
# ```console
# $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
# ```
{ config, lib, pkgs, ... }:
{
sops.secrets.freshrss_passwd = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.freshrss.name;
mode = "400";
};
sane.impermanence.service-dirs = [
{ user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
];
users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
services.freshrss.enable = true;
services.freshrss.baseUrl = "https://rss.uninsane.org";
services.freshrss.virtualHost = "rss.uninsane.org";
services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
systemd.services.freshrss-import-feeds =
let
fresh = config.systemd.services.freshrss-config;
feeds = import ../../../modules/universal/home-manager/feeds.nix { inherit lib; };
opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
in {
inherit (fresh) wantedBy environment;
serviceConfig = {
inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
# hardening options
CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
};
description = "import sane RSS feed list";
after = [ "freshrss-config.service" ];
script = ''
${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
'';
};
}

44
machines/servo/services/goaccess.nix
View File

@@ -1,44 +0,0 @@
{ pkgs, ... }:
{
# based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
# log-format setting can be derived with this tool if custom:
# - <https://github.com/stockrt/nginx2goaccess>
# config options:
# - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
systemd.services.goaccess = {
description = "GoAccess server monitoring";
serviceConfig = {
ExecStart = ''
${pkgs.goaccess}/bin/goaccess \
-f /var/log/nginx/public.log \
--log-format=VCOMBINED \
--real-time-html \
--no-query-string \
--anonymize-ip \
--ignore-panel=HOSTS \
--ws-url=wss://sink.uninsane.org:443/ws \
--port=7890 \
-o /var/lib/uninsane/sink/index.html
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Type = "simple";
Restart = "on-failure";
# hardening
WorkingDirectory = "/tmp";
NoNewPrivileges = true;
PrivateTmp = true;
ProtectHome = "read-only";
ProtectSystem = "strict";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
ReadOnlyPaths = "/";
ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
PrivateDevices = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
}

1
machines/servo/services/matrix/default.nix
View File

@@ -4,6 +4,7 @@
{
imports = [
# ./discord-appservice.nix
./discord-puppet.nix
# ./irc.nix
];

69
machines/servo/services/matrix/discord-appservice.nix Normal file
View File

@@ -0,0 +1,69 @@
{ config, lib, ... }:
{
sane.impermanence.service-dirs = [
{ user = "matrix-appservice-discord"; group = "matrix-appservice-discord"; directory = "/var/lib/matrix-appservice-discord"; }
];
sops.secrets.matrix_appservice_discord_env = {
sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
owner = config.users.users.matrix-appservice-discord.name;
format = "binary";
};
services.matrix-synapse.settings.app_service_config_files = [
# auto-created by discord appservice
"/var/lib/matrix-appservice-discord/discord-registration.yaml"
];
# Discord bridging
# docs: https://github.com/matrix-org/matrix-appservice-discord
services.matrix-appservice-discord.enable = true;
services.matrix-appservice-discord.settings = {
bridge = {
homeserverUrl = "http://127.0.0.1:8008";
domain = "uninsane.org";
adminMxid = "admin.matrix@uninsane.org";
# self-service bridging is when a Matrix user bridges by DMing @_discord_bot:<HS>
# i don't know what the alternative is :?
enableSelfServiceBridging = true;
presenceInterval = 30000; # milliseconds
# allows matrix users to search for Discord channels (somehow?)
disablePortalBridging = false;
# disableReadReceipts = true;
# these are Matrix -> Discord
disableJoinLeaveNotifications = true;
disableInviteNotifications = true;
disableRoomTopicNotifications = true;
};
# these are marked as required in the yaml schema
auth = {
# apparently not needed if you provide them as env vars (below).
# clientId = "FILLME";
# botToken = "FILLME";
usePrivilegedIntents = false;
};
logging = {
# silly, verbose, info, http, warn, error, silent
console = "verbose";
};
};
# contains what's ordinarily put into auth.clientId, auth.botToken
# i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
systemd.services.matrix-appservice-discord.serviceConfig = {
# fix up to not use /var/lib/private, but just /var/lib
DynamicUser = lib.mkForce false;
User = "matrix-appservice-discord";
Group = "matrix-appservice-discord";
};
users.groups.matrix-appservice-discord = {};
users.users.matrix-appservice-discord = {
description = "User for the Matrix-Discord bridge";
group = "matrix-appservice-discord";
isSystemUser = true;
};
users.users.matrix-appservice-discord.uid = 2134; # TODO: move to allocations
users.groups.matrix-appservice-discord.gid = 2134; # TODO
}

59
machines/servo/services/nginx.nix
View File

@@ -1,40 +1,18 @@
# docs: https://nixos.wiki/wiki/Nginx
{ config, pkgs, ... }:
let
# make the logs for this host "public" so that they show up in e.g. metrics
publog = vhost: vhost // {
extraConfig = (vhost.extraConfig or "") + ''
access_log /var/log/nginx/public.log vcombined;
'';
};
in
{
services.nginx.enable = true;
# this is the standard `combined` log format, with the addition of $host
# so that we have the virtualHost in the log.
# KEEP IN SYNC WITH GOACCESS
# goaccess calls this VCOMBINED:
# - <https://gist.github.com/jyap808/10570005>
services.nginx.commonHttpConfig = ''
log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
access_log /var/log/nginx/private.log vcombined;
'';
# web blog/personal site
services.nginx.virtualHosts."uninsane.org" = publog {
root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
services.nginx.virtualHosts."uninsane.org" = {
root = "/var/lib/uninsane/root";
# a lot of places hardcode https://uninsane.org,
# and then when we mix http + non-https, we get CORS violations
# and things don't look right. so force SSL.
forceSSL = true;
enableACME = true;
# uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
# yes, nginx does not strip the prefix when evaluating against the root.
locations."/share".root = "/var/lib/uninsane/root";
# allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
locations."= /.well-known/matrix/server".extraConfig =
let
@@ -75,28 +53,8 @@ in
# };
};
# server statistics
services.nginx.virtualHosts."sink.uninsane.org" = {
addSSL = true;
enableACME = true;
root = "/var/lib/uninsane/sink";
locations."/ws" = {
proxyPass = "http://127.0.0.1:7890";
# XXX not sure how much of this is necessary
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_read_timeout 7d;
'';
};
};
# Pleroma server and web interface
services.nginx.virtualHosts."fed.uninsane.org" = publog {
services.nginx.virtualHosts."fed.uninsane.org" = {
addSSL = true;
enableACME = true;
locations."/" = {
@@ -157,7 +115,7 @@ in
};
# matrix chat server
services.nginx.virtualHosts."matrix.uninsane.org" = publog {
services.nginx.virtualHosts."matrix.uninsane.org" = {
addSSL = true;
enableACME = true;
@@ -198,7 +156,7 @@ in
};
# hosted git (web view and for `git <cmd>` use
services.nginx.virtualHosts."git.uninsane.org" = publog {
services.nginx.virtualHosts."git.uninsane.org" = {
addSSL = true;
enableACME = true;
@@ -261,12 +219,6 @@ in
locations."/".proxyPass = "http://127.0.0.1:4533";
};
services.nginx.virtualHosts."rss.uninsane.org" = {
addSSL = true;
enableACME = true;
# the routing is handled by freshrss.nix
};
services.nginx.virtualHosts."ipfs.uninsane.org" = {
# don't default to ssl upgrades, since this may be dnslink'd from a different domain.
# ideally we'd disable ssl entirely, but some places assume it?
@@ -314,7 +266,6 @@ in
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
# TODO: this is overly broad; only need media and share directories to be persisted
{ user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
];
}

7
machines/servo/services/pleroma.nix
View File

@@ -74,10 +74,9 @@
config :pleroma, configurable_from_database: false
# strip metadata from uploaded images
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
# TODO: GET /api/pleroma/captcha is broken
# there was a nixpkgs PR to fix this around 2022/10 though.
config :pleroma, Pleroma.Captcha,
enabled: false,
method: Pleroma.Captcha.Native
@@ -93,8 +92,8 @@
backends: [{ExSyslogger, :ex_syslogger}]
config :logger, :ex_syslogger,
level: :warn
# level: :debug
level: :debug
# level: :warn
# XXX colin: not sure if this actually _does_ anything
config :pleroma, :emoji,

6
machines/servo/services/postfix.nix
View File

@@ -18,12 +18,8 @@ in
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
{ user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
{ user = "root"; group = "root"; directory = "/var/lib/postfix"; }
{ user = "root"; group = "root"; directory = "/var/spool/mail"; }
# *probably* don't need these dirs:
# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
# "/var/lib/dovecot"
];
services.postfix.enable = true;
services.postfix.hostname = "mx.uninsane.org";

2
machines/servo/services/postgres.nix
View File

@@ -3,7 +3,7 @@
{
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
{ user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
];
services.postgresql.enable = true;
# services.postgresql.dataDir = "/opt/postgresql/13";

2
machines/servo/services/transmission.nix
View File

@@ -3,7 +3,7 @@
{
sane.impermanence.service-dirs = [
# TODO: mode? we need this specifically for the stats tracking in .config/
{ user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
{ user = "70"; group = "70"; directory = "/var/lib/transmission"; }
];
services.transmission.enable = true;
services.transmission.settings = {

3
modules/default.nix
View File

@@ -7,7 +7,8 @@
./image.nix
./impermanence.nix
./nixcache.nix
./services
./services/duplicity.nix
./services/nixserve.nix
./universal
];
}

1
modules/gui/default.nix
View File

@@ -22,6 +22,7 @@ in
config = lib.mkIf cfg.enable {
sane.home-packages.enableGuiPkgs = lib.mkDefault true;
sane.home-manager.enable = lib.mkDefault true;
# all GUIs use network manager?
users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
};

10
modules/gui/gnome.nix
View File

@@ -14,16 +14,6 @@ in
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
# start gnome/gdm on boot
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;

125
modules/gui/phosh.nix
View File

@@ -10,97 +10,60 @@ in
default = false;
type = types.bool;
};
sane.gui.phosh.useGreeter = mkOption {
description = ''
launch phosh via a greeter (like lightdm-mobile-greeter).
phosh is usable without a greeter, but skipping the greeter means no PAM session.
'';
default = true;
type = types.bool;
};
};
config = mkIf cfg.enable (mkMerge [
{
sane.gui.enable = true;
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
# xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
# xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
};
};
# XXX: phosh enables networkmanager by default; can probably disable these lines
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
# XXX: phosh enables networkmanager by default; can probably disable these lines
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
# XXX: not clear if these are actually needed?
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# XXX: not clear if these are actually needed?
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.opengl.enable = true;
hardware.opengl.driSupport = true;
hardware.opengl.enable = true;
hardware.opengl.driSupport = true;
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
# electron apps (e.g. Element) should use the wayland backend
# toggle this to have electron apps (e.g. Element) use the wayland backend.
# phocConfig.xwayland should be disabled if you do this
NIXOS_OZONE_WL = "1";
};
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
# electron apps (e.g. Element) should use the wayland backend
# toggle this to have electron apps (e.g. Element) use the wayland backend.
# phocConfig.xwayland should be disabled if you do this
NIXOS_OZONE_WL = "1";
};
sane.home-manager.extraPackages = with pkgs; [
phosh-mobile-settings
sane.home-manager.extraPackages = with pkgs; [
phosh-mobile-settings
# TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
gnome.gnome-bluetooth
];
}
(mkIf cfg.useGreeter {
services.xserver.enable = true;
# NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
# know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
# lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
# this requires the user we want to login as to be cached.
services.xserver.displayManager.job.preStart = ''
${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
'';
# services.xserver.displayManager.defaultSession = "sm.puri.Phosh"; # XXX: not sure why this doesn't propagate correctly.
services.xserver.displayManager.lightdm.extraSeatDefaults = ''
user-session = phosh
'';
# services.xserver.displayManager.lightdm.greeters.gtk.enable = false; # gtk greeter overrides our own?
# services.xserver.displayManager.lightdm.greeter = {
# enable = true;
# package = pkgs.lightdm-mobile-greeter.xgreeters;
# name = "lightdm-mobile-greeter";
# };
# # services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
systemd.services.phosh.wantedBy = lib.mkForce []; # disable auto-start
})
]);
# TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
gnome.gnome-bluetooth
];
};
}

57
modules/gui/sway.nix
View File

@@ -11,14 +11,6 @@ in
default = false;
type = types.bool;
};
sane.gui.sway.useGreeter = mkOption {
description = ''
launch sway via a greeter (like greetd's gtkgreet).
sway is usable without a greeter, but skipping the greeter means no PAM session.
'';
default = true;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
@@ -29,33 +21,15 @@ in
enable = true;
};
# alternatively, could use SDDM
services.greetd = let
swayConfig-greeter = pkgs.writeText "greetd-sway-config" ''
# `-l` activates layer-shell mode.
exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
'';
default_session = {
"01" = {
# greeter session config
command = "${pkgs.sway}/bin/sway --config ${swayConfig-greeter}";
# alternatives:
# - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
# - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
# - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
};
"0" = {
# no greeter
# TODO: should be able to use SDDM to get interactive login
services.greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.sway}/bin/sway";
user = "colin";
};
};
in {
# greetd source/docs:
# - <https://git.sr.ht/~kennylevinsen/greetd>
enable = true;
settings = {
default_session = default_session."0${builtins.toString cfg.useGreeter}";
default_session = initial_session;
};
};
@@ -114,22 +88,21 @@ in
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
# "${modifier}+${left}" = "focus left";
# "${modifier}+${down}" = "focus down";
# "${modifier}+${up}" = "focus up";
# "${modifier}+${right}" = "focus right";
"${modifier}+${left}" = "focus left";
"${modifier}+${down}" = "focus down";
"${modifier}+${up}" = "focus up";
"${modifier}+${right}" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
# "${modifier}+Shift+${left}" = "move left";
# "${modifier}+Shift+${down}" = "move down";
# "${modifier}+Shift+${up}" = "move up";
# "${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+${left}" = "move left";
"${modifier}+Shift+${down}" = "move down";
"${modifier}+Shift+${up}" = "move up";
"${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
@@ -599,7 +572,7 @@ in
};
sane.home-manager.extraPackages = with pkgs; [
swaylock
swayidle # (unused)
swayidle
wl-clipboard
mako # notification daemon
xdg-utils # for xdg-open

75
modules/impermanence.nix
View File

@@ -7,8 +7,6 @@
with lib;
let
cfg = config.sane.impermanence;
# taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
in
{
options = {
@@ -16,6 +14,10 @@ in
default = false;
type = types.bool;
};
sane.impermanence.home-files = mkOption {
default = [];
type = types.listOf types.str;
};
sane.impermanence.home-dirs = mkOption {
default = [];
type = types.listOf (types.either types.str (types.attrsOf types.str));
@@ -36,17 +38,38 @@ in
map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
map-home-files = files: builtins.map (f: {
parentDirectory = {
user = "colin";
group = "users";
mode = "0755";
};
file = "/home/colin/${f}";
}) files;
in mkIf cfg.enable {
sane.image.extraDirectories = [ "/nix/persist/var/log" ];
environment.persistence."/nix/persist" = {
directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
# NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
directories = (map-home-dirs ([
# cache is probably too big to fit on the tmpfs
# TODO: we could bind-mount it to something which gets cleared per boot, though.
".cache"
".cargo"
".rustup"
".ssh"
".local/share/keyrings"
# intentionally omitted:
# ".config" # managed by home-manager
# ".local" # nothing useful in here
] ++ cfg.home-dirs)) ++ (map-sys-dirs [
# TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
# { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
# "/etc/nixos"
# "/etc/ssh" # persist only the specific files we want, instead
"/var/log"
"/var/backup" # for e.g. postgres dumps
]) ++ (map-service-dirs ([
# "/var/lib/AccountsService" # not sure what this is, but it's empty
"/var/lib/alsa" # preserve output levels, default devices
# "/var/lib/blueman" # files aren't human readable
@@ -70,25 +93,37 @@ in
# "/var/lib/upower" # historic charge data. unnecessary, but maybe used somewhere?
#
# servo additions:
] ++ cfg.service-dirs);
# /etc/machine-id is a globally unique identifier used for:
# - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
# - systemd-journald: to filter logs by host
# - chromium (potentially to track re-installations)
# - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
# of these, systemd-networkd is the only legitimate case to persist the machine-id.
# depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
# nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
# files = [ "/etc/machine-id" ];
# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
# "/var/lib/dovecot"
# "/var/lib/duplicity"
] ++ cfg.service-dirs));
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/home/colin/.zsh_history"
# # XXX these only need persistence because i have mutableUsers = true, i think
# "/etc/group"
# "/etc/passwd"
# "/etc/shadow"
] ++ map-home-files cfg.home-files;
};
# secret decoding depends on /etc/ssh keys, which may be persisted
system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
deps = [ "persist-ssh-host-keys" ];
systemd.services.sane-sops = {
# TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
# /run/current-system/activate contains the precise ordering logic.
# it's largely unaware of systemd.
# maybe we could insert some activation script which simply waits for /etc/ssh to appear?
description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
script = ''
${config.system.activationScripts.setupSecrets.text}
${config.system.activationScripts.linkIwdKeys.text}
'';
after = [ "fs-local.target" ];
wantedBy = [ "multi-user.target" ];
};
# populated by ssh.nix, which persists /etc/ssh/host_keys
system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
};
}

10
modules/nixcache.nix
View File

@@ -1,13 +1,3 @@
# speed up builds from e.g. moby or lappy by having them query desko and servo first.
# if one of these hosts is offline, instead manually specify just cachix:
# - `nixos-rebuild --option substituters https://cache.nixos.org/`
#
# future improvements:
# - apply for community arm build box:
# - <https://github.com/nix-community/aarch64-build-box>
# - don't require all substituters to be online:
# - <https://github.com/NixOS/nix/pull/7188>
{ lib, config, ... }:
with lib;

7
modules/services/default.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./duplicity.nix
./nixserve.nix
];
}

3
modules/universal/allocations.nix
View File

@@ -23,9 +23,6 @@ in
sane.allocations.greeter-uid = mkId 999;
sane.allocations.greeter-gid = mkId 999;
sane.allocations.freshrss-uid = mkId 2401;
sane.allocations.freshrss-gid = mkId 2401;
sane.allocations.colin-uid = mkId 1000;
sane.allocations.guest-uid = mkId 1100;

41
modules/universal/default.nix
View File

@@ -3,26 +3,16 @@
{
imports = [
./allocations.nix
./env
./fs.nix
./home-manager
./home-packages.nix
./net.nix
./machine-id.nix
./secrets.nix
./ssh.nix
./system-packages.nix
./users.nix
./vpn.nix
];
time.timeZone = "America/Los_Angeles";
# allow `nix flake ...` command
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# TODO: move this into home-manager?
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
@@ -35,30 +25,9 @@
};
};
# programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
GIT_EDITOR = "vim";
# TODO: these should be moved to `home.sessionVariables` (home-manager)
# Electron apps should use native wayland backend:
# https://nixos.wiki/wiki/Slack#Wayland
# Discord under sway crashes with this.
# NIXOS_OZONE_WL = "1";
# LIBGL_ALWAYS_SOFTWARE = "1";
};
# enable zsh completions
environment.pathsToLink = [ "/share/zsh" ];
environment.systemPackages = with pkgs; [
# required for pam_mount
gocryptfs
];
security.pam.mount.enable = true;
# security.pam.mount.debugLevel = 1;
# security.pam.enableSSHAgentAuth = true; # ??
# needed for `allow_other` in e.g. gocryptfs mounts
# or i guess going through mount.fuse sets suid so that's not necessary?
# programs.fuse.userAllowOther = true;
# allow `nix flake ...` command
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
}

24
modules/universal/env/default.nix vendored Normal file
View File

@@ -0,0 +1,24 @@
{ ... }:
{
imports = [
./feeds.nix
./home-manager.nix
./home-packages.nix
./system-packages.nix
];
# programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
GIT_EDITOR = "vim";
# TODO: these should be moved to `home.sessionVariables` (home-manager)
# Electron apps should use native wayland backend:
# https://nixos.wiki/wiki/Slack#Wayland
# Discord under sway crashes with this.
# NIXOS_OZONE_WL = "1";
# LIBGL_ALWAYS_SOFTWARE = "1";
};
}

41
modules/universal/env/feeds.nix vendored Normal file
View File

@@ -0,0 +1,41 @@
{ lib, ... }:
with lib;
{
options = {
sane.feeds.podcastUrls = mkOption {
type = types.listOf types.str;
default = [
"https://lexfridman.com/feed/podcast/"
## Astral Codex Ten
"http://feeds.libsyn.com/108018/rss"
## Econ Talk
"https://feeds.simplecast.com/wgl4xEgL"
## Cory Doctorow
"https://feeds.feedburner.com/doctorow_podcast"
"https://congressionaldish.libsyn.com/rss"
## Civboot
"https://anchor.fm/s/34c7232c/podcast/rss"
"https://feeds.feedburner.com/80000HoursPodcast"
"https://allinchamathjason.libsyn.com/rss"
"https://acquired.libsyn.com/rss"
"https://rss.acast.com/deconstructed"
## The Daily
"https://feeds.simplecast.com/54nAGcIl"
"https://rss.acast.com/intercepted-with-jeremy-scahill"
"https://podcast.posttv.com/itunes/post-reports.xml"
## Eric Weinstein
"https://rss.art19.com/the-portal"
"https://feeds.megaphone.fm/darknetdiaries"
"http://feeds.wnyc.org/radiolab"
"https://wakingup.libsyn.com/rss"
## 99% Invisible
"https://feeds.simplecast.com/BqbsxVfO"
"https://rss.acast.com/ft-tech-tonic"
"https://feeds.feedburner.com/dancarlin/history?format=xml"
## 60 minutes (NB: this features more than *just* audio?)
"https://www.cbsnews.com/latest/rss/60-minutes"
];
};
};
}

578
modules/universal/env/home-manager.nix vendored Normal file
View File

@@ -0,0 +1,578 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.home-manager;
vim-swap-dir = ".cache/vim-swap";
# extract package from `extraPackages`
pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
# extract `dir` from `extraPackages`
dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
# extract `persist-files` from `extraPackages`
persistfileslist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "persist-files" then e.persist-files else []) pkgspec);
# TODO: dirlist and persistfileslist should be folded
in
{
options = {
sane.home-manager.enable = mkOption {
default = false;
type = types.bool;
};
# packages to deploy to the user's home
sane.home-manager.extraPackages = mkOption {
default = [ ];
# each entry can be either a package, or attrs:
# { pkg = package; dir = optional string;
type = types.listOf (types.either types.package types.attrs);
};
# attributes to copy directly to home-manager's `wayland.windowManager` option
sane.home-manager.windowManager = mkOption {
default = {};
type = types.attrs;
};
# extra attributes to include in home-manager's `programs` option
sane.home-manager.programs = mkOption {
default = {};
type = types.attrs;
};
};
config = lib.mkIf cfg.enable {
sops.secrets."aerc_accounts" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/aerc_accounts.conf;
format = "binary";
};
sops.secrets."sublime_music_config" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
format = "binary";
};
sane.impermanence.home-dirs = [
"archive"
"dev"
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
vim-swap-dir
] ++ (dirlist cfg.extraPackages);
sane.impermanence.home-files = persistfileslist cfg.extraPackages;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
# see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# run `home-manager-help` to access manpages
# or `man home-configuration.nix`
manual.html.enable = true;
home.packages = pkglist cfg.extraPackages;
wayland.windowManager = cfg.windowManager;
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
home.activation = {
initKeyring = {
after = ["writeBoundary"];
before = [];
data = "${../../../scripts/init-keyring}";
};
};
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/dev";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
# the xdg mime type for a file can be found with:
# - `xdg-mime query filetype path/to/thing.ext`
xdg.mimeApps.enable = true;
xdg.mimeApps.defaultApplications = {
# HTML
"text/html" = [ "librewolf.desktop" ];
"x-scheme-handler/http" = [ "librewolf.desktop" ];
"x-scheme-handler/https" = [ "librewolf.desktop" ];
"x-scheme-handler/about" = [ "librewolf.desktop" ];
"x-scheme-handler/unknown" = [ "librewolf.desktop" ];
# RICH-TEXT DOCUMENTS
"application/pdf" = [ "org.gnome.Evince.desktop" ];
"text/markdown" = [ "obsidian.desktop" ];
# IMAGES
"image/heif" = [ "org.gnome.gThumb.desktop" ]; # apple codec
"image/png" = [ "org.gnome.gThumb.desktop" ];
"image/jpeg" = [ "org.gnome.gThumb.desktop" ];
# VIDEO
"video/mp4" = [ "vlc.desktop" ];
"video/quicktime" = [ "vlc.desktop" ];
"video/x-matroska" = [ "vlc.desktop" ];
# AUDIO
"audio/flag" = [ "vlc.desktop" ];
"audio/mpeg" = [ "vlc.desktop" ];
"audio/x-vorbis+ogg" = [ "vlc.desktop" ];
};
# convenience
home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
home.file."Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
home.file."Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
home.file."Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
# nb markdown/personal knowledge manager
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file.".nb/.current".text = "knowledge";
home.file.".nbrc".text = ''
# manage with `nb settings`
export NB_AUTO_SYNC=0
'';
# uBlock filter list configuration.
# specifically, enable the GDPR cookie prompt blocker.
# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
# this configuration method is documented here:
# - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
# the specific attribute path is found via scraping ublock code here:
# - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
# - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
{
"name": "uBlock0@raymondhill.net",
"description": "ignored",
"type": "storage",
"data": {
"toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
}
}
'';
home.file.".librewolf/librewolf.overrides.cfg".text = ''
// if we can't query the revocation status of a SSL cert because the issuer is offline,
// treat it as unrevoked.
// see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
defaultPref("security.OCSP.require", false);
'';
# aerc TUI mail client
xdg.configFile."aerc/accounts.conf".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
# make Discord usable even when client is "outdated"
xdg.configFile."discord/settings.json".text = ''
{
"SKIP_HOST_UPDATE": true
}
'';
# sublime music player
xdg.configFile."sublime-music/config.json".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
xdg.configFile."vlc/vlcrc".text =
let
podcastUrls = lib.strings.concatStringsSep "|" sysconfig.sane.feeds.podcastUrls;
in ''
[podcast]
podcast-urls=${podcastUrls}
[core]
metadata-network-access=0
[qt]
qt-privacy-ask=0
'';
xdg.configFile."gpodderFeeds.opml".text =
let
entries = builtins.toString (builtins.map
(url: ''\n <outline xmlUrl="${url}" type="rss"/>'')
sysconfig.sane.feeds.podcastUrls
);
in ''
<?xml version="1.0" encoding="utf-8"?>
<opml version="2.0">
<body>${entries}
</body>
</opml>
'';
# gnome feeds RSS viewer
xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
feeds = {
# AGGREGATORS (> 1 post/day)
"https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
"http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
# AGGREGATORS (< 1 post/day)
"https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
"https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
"https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
"https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
"https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
## No Moods, Ads or Cutesy Fucking Icons
"https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
# DEVELOPERS
"https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
## Ken Shirriff
"https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
## Vitalik Buterin
"https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
## ian (Sanctuary)
"https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
## Bunnie Juang
"https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
"https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
"https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
"https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
"https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
# (TECH; POL) COMMENTATORS
"http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
## Ben Thompson
"https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
## Balaji
"https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
"https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
"https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
"https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
"https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
"https://doomberg.substack.com/feed" = { tags = [ "weekly" "tech" ]; };
## David Rosenthal
"https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
## Matt Levine
"https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
# RATIONALITY/PHILOSOPHY/ETC
"https://samkriss.substack.com/feed" = { tags = [ "infrequent" "uncat" ]; }; # ... satire? phil?
"https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
"https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
"https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
"https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
"https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
## Jason Crawford
"https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
## Robin Hanson
"https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
## Scott Alexander
"https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
## Paul Christiano
"https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
## Sean Carroll
"https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
# COMICS
"https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
"https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
"http://dilbert.com/feed" = { tags = ["daily" "visual" ]; };
# ART
"https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
# CODE
"https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" = { tags = [ "infrequent" "tech" ]; };
};
dark_reader = false;
new_first = true;
# windowsize = {
# width = 350;
# height = 650;
# };
max_article_age_days = 90;
enable_js = false;
max_refresh_threads = 3;
# saved_items = {};
# read_items = [];
show_read_items = true;
full_article_title = true;
# views: "webview", "reader", "rsscont"
default_view = "rsscont";
open_links_externally = true;
full_feed_name = false;
refresh_on_startup = true;
tags = [
# hourly => aggregator
# daily => prolifiq writer
# weekly => i can keep up with most -- but maybe not all -- of their content
# infrequent => i can read everything in this category
"hourly" "daily" "weekly" "infrequent"
# rat[ionality] gets used interchangably with philosophy, here.
# pol[itical] gets used for social commentary and economics as well.
# visual gets used for comics/art
"uncat" "rat" "tech" "pol" "visual"
];
open_youtube_externally = false;
media_player = "vlc"; # default: mpv
};
programs = {
home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
dotDir = ".config/zsh";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
initExtra = ''
# zmv is a way to do rich moves/renames, with pattern matching/substitution.
# see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
autoload -Uz zmv
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt = {
theme = "powerlevel10k";
};
};
};
kitty = {
enable = true;
# docs: https://sw.kovidgoyal.net/kitty/conf/
settings = {
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell = false;
};
keybindings = {
"ctrl+n" = "new_os_window_with_cwd";
};
# docs: https://github.com/kovidgoyal/kitty-themes
# theme = "1984 Light"; # dislike: awful, harsh blues/teals
# theme = "Adventure Time"; # dislike: harsh (dark)
# theme = "Atom One Light"; # GOOD: light theme. all color combos readable. not a huge fan of the blue.
# theme = "Belafonte Day"; # dislike: too low contrast for text colors
# theme = "Belafonte Night"; # better: dark theme that's easy on the eyes. all combos readable. low contrast.
# theme = "Catppuccin"; # dislike: a bit pale/low-contrast (dark)
# theme = "Desert"; # mediocre: colors are harsh
# theme = "Earthsong"; # BEST: dark theme. readable, good contrast. unique, but decent colors.
# theme = "Espresso Libre"; # better: dark theme. readable, but meh colors
# theme = "Forest Night"; # decent: very pastel. it's workable, but unconventional and muted/flat.
# theme = "Gruvbox Material Light Hard"; # mediocre light theme.
# theme = "kanagawabones"; # better: dark theme. colors are too background-y
# theme = "Kaolin Dark"; # dislike: too dark
# theme = "Kaolin Breeze"; # mediocre: not-too-harsh light theme, but some parts are poor contrast
# theme = "Later This Evening"; # mediocre: not-too-harsh dark theme, but cursor is poor contrast
# theme = "Material"; # decent: light theme, few colors.
# theme = "Mayukai"; # decent: not-too-harsh dark theme. the teal is a bit straining
# theme = "Nord"; # mediocre: pale background, low contrast
# theme = "One Half Light"; # better: not-too-harsh light theme. contrast could be better
theme = "PaperColor Dark"; # BEST: dark theme, very readable still the colors are background-y
# theme = "Parasio Dark"; # dislike: too low contrast
# theme = "Pencil Light"; # better: not-too-harsh light theme. decent contrast.
# theme = "Pnevma"; # dislike: too low contrast
# theme = "Piatto Light"; # better: readable light theme. pleasing colors. powerline prompt is hard to read.
# theme = "Rosé Pine Dawn"; # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
# theme = "Rosé Pine Moon"; # GOOD: dark theme. tasteful colors. but background is a bit intense
# theme = "Sea Shells"; # mediocre. not all color combos are readable
# theme = "Solarized Light"; # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
# theme = "Solarized Dark Higher Contrast"; # better: dark theme, decent colors
# theme = "Sourcerer"; # mediocre: ugly colors
# theme = "Space Gray"; # mediocre: too muted
# theme = "Space Gray Eighties"; # better: all readable, decent colors
# theme = "Spacemacs"; # mediocre: too muted
# theme = "Spring"; # mediocre: readable light theme, but the teal is ugly.
# theme = "Srcery"; # better: highly readable. colors are ehhh
# theme = "Substrata"; # decent: nice colors, but a bit flat.
# theme = "Sundried"; # mediocre: the solar text makes me squint
# theme = "Symfonic"; # mediocre: the dark purple has low contrast to the black bg.
# theme = "Tango Light"; # dislike: teal is too grating
# theme = "Tokyo Night Day"; # medicore: too muted
# theme = "Tokyo Night"; # better: tasteful. a bit flat
# theme = "Tomorrow"; # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
# theme = "Treehouse"; # dislike: the orange is harsh on my eyes.
# theme = "Urple"; # dislike: weird palette
# theme = "Warm Neon"; # decent: not-too-harsh dark theme. the green is a bit unattractive
# theme = "Wild Cherry"; # GOOD: dark theme: nice colors. a bit flat
# theme = "Xcodedark"; # dislike: bad palette
# theme = "citylights"; # decent: dark theme. some parts have just a bit low contrast
# theme = "neobones_light"; # better light theme. the background is maybe too muted
# theme = "vimbones";
# theme = "zenbones_dark"; # mediocre: readable, but meh colors
# theme = "zenbones_light"; # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
# theme = "zenwritten_dark"; # mediocre: looks same as zenbones_dark
# extraConfig = "";
};
git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
};
neovim = {
# neovim: https://github.com/neovim/neovim
enable = true;
viAlias = true;
vimAlias = true;
plugins = with pkgs.vimPlugins; [
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
vim-surround
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
fzf-vim
# docs: https://github.com/KeitaNakamura/tex-conceal.vim/
({
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
})
({
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
})
# nabla renders inline math in any document, but it's buggy.
# https://github.com/jbyuki/nabla.nvim
# ({
# plugin = pkgs.nabla;
# type = "lua";
# config = ''
# require'nabla'.enable_virt()
# '';
# })
# treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
# docs: https://github.com/nvim-treesitter/nvim-treesitter
# config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
# this is required for tree-sitter to even highlight
({
plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
type = "lua";
config = ''
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
-- disable treesitter on Rust so that we can use SyntaxRange
-- and leverage TeX rendering in rust projects
disable = { "rust", "tex", "latex" },
-- disable = { "tex", "latex" },
-- true to also use builtin vim syntax highlighting when treesitter fails
additional_vim_regex_highlighting = false
},
incremental_selection = {
enable = true,
keymaps = {
init_selection = "gnn",
node_incremental = "grn",
mcope_incremental = "grc",
node_decremental = "grm"
}
},
indent = {
enable = true,
disable = {}
}
}
vim.o.foldmethod = 'expr'
vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
'';
})
];
extraConfig = ''
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
set mouse=
" copy/paste to system clipboard
set clipboard=unnamedplus
" screw tabs; always expand them into spaces
set expandtab
" at least don't open files with sections folded by default
set nofoldenable
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" horizontal rule under the active line
" set cursorline
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
'';
};
# XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
firefox = lib.mkIf (sysconfig.sane.gui.enable) {
enable = true;
package = import ./web-browser.nix pkgs;
};
# "command not found" will cause the command to be searched in nixpkgs
nix-index.enable = true;
} // cfg.programs;
home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
};
};
}

63
modules/universal/home-packages.nix → modules/universal/env/home-packages.nix vendored
View File

@@ -6,12 +6,8 @@ let
cfg = config.sane.home-packages;
universalPkgs = [
backblaze-b2
cdrtools
duplicity
gnupg
gocryptfs
gopass
gopass-jsonapi
ifuse
ipfs
libimobiledevice
@@ -19,6 +15,7 @@ let
lm_sensors # for sensors-detect
lshw
ffmpeg
nb
networkmanager
nixpkgs-review
# nixos-generators
@@ -29,6 +26,7 @@ let
pulsemixer
python3
# python3Packages.eyeD3 # music tagging
rmlint
sane-scripts
sequoia
snapper
@@ -50,13 +48,12 @@ let
# GUI only
aerc # email client
audacity
celluloid # mpv frontend
chromium
clinfo
electrum
# creds/session keys, etc
{ pkg = element-desktop; private = ".config/Element"; }
{ pkg = element-desktop; dir = ".config/Element"; }
emote # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
evince # works on phosh
@@ -69,7 +66,7 @@ let
# XXX by default fractal stores its state in ~/.local/share/<UUID>.
# after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
# then reboot (so that libsecret daemon re-loads the keyring...?)
{ pkg = fractal-next; private = ".local/share/fractal"; }
{ pkg = fractal-next; dir = ".local/share/fractal"; }
gimp # broken on phosh
gnome.cheese
@@ -79,7 +76,7 @@ let
gnome.gnome-disk-utility
gnome.gnome-maps # works on phosh
gnome.nautilus
# gnome-podcasts
gnome-podcasts
gnome.gnome-system-monitor
gnome.gnome-terminal # works on phosh
gnome.gnome-weather
@@ -87,22 +84,18 @@ let
{ pkg = gpodder-configured; dir = "gPodder/Downloads"; }
gthumb
handbrake
inkscape
kaiteki # Pleroma client
gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
kid3 # audio tagging
krita
libreoffice-fresh # XXX colin: maybe don't want this on mobile
lollypop
mesa-demos
{ pkg = mpv; dir = ".config/mpv/watch_later"; }
networkmanagerapplet
# not strictly necessary, but allows caching articles; offline use, etc.
{ pkg = newsflash; dir = ".local/share/news-flash"; }
# settings (electron app). TODO: can i manage these settings with home-manager?
{ pkg = obsidian; dir = ".config/obsidian"; }
@@ -118,7 +111,7 @@ let
tdesktop # broken on phosh
# vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
{ pkg = vlc; dir = ".config/vlc"; }
{ pkg = vlc; persist-files = [ ".config/vlc/vlc-qt-interface.conf" ]; }
whalebird # pleroma client. input is broken on phosh
xdg-utils # for xdg-open
@@ -135,9 +128,6 @@ let
nss = pkgs.nss_latest;
}); in { pkg = discord; dir = ".config/discord"; })
# kaiteki # Pleroma client
# gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
logseq
losslesscut-bin
makemkv
@@ -159,20 +149,16 @@ let
] else []);
# useful devtools:
devPkgs = [
bison
dtc
flex
gcc
gdb
# gcc-arm-embedded
# gcc_multi
gnumake
mercurial
mix2nix
rustup
swig
];
# bison
# dtc
# flex
# gcc
# gcc-arm-embedded
# gcc_multi
# gnumake
# mix2nix
# rustup
# swig
in
{
options = {
@@ -180,18 +166,9 @@ in
default = false;
type = types.bool;
};
sane.home-packages.enableDevPkgs = mkOption {
description = ''
enable packages that are useful for building other software by hand.
you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
'';
default = false;
type = types.bool;
};
};
config = {
sane.home-manager.extraPackages = universalPkgs
++ (if cfg.enableGuiPkgs then guiPkgs else [])
++ (if cfg.enableDevPkgs then devPkgs else []);
++ (if cfg.enableGuiPkgs then guiPkgs else []);
};
}

0
modules/universal/system-packages.nix → modules/universal/env/system-packages.nix vendored
View File

55
modules/universal/env/web-browser.nix vendored Normal file
View File

@@ -0,0 +1,55 @@
pkgs:
# common settings to toggle (at runtime, in about:config):
# > security.ssl.require_safe_negotiation
# librewolf is a forked firefox which patches firefox to allow more things
# (like default search engines) to be configurable at runtime.
# many of the settings below won't have effect without those patches.
# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
pkgs.wrapFirefox pkgs.librewolf-unwrapped {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
libName = "librewolf";
extraPolicies = {
NoDefaultBookmarks = true;
SearchEngines = {
Default = "DuckDuckGo";
};
AppUpdateURL = "https://localhost";
DisableAppUpdate = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DisableSystemAddonUpdate = true;
DisableFirefoxStudies = true;
DisableTelemetry = true;
DisableFeedbackCommands = true;
DisablePocket = true;
DisableSetDesktopBackground = false;
Extensions = {
Install = [
"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
];
# remove many default search providers
Uninstall = [
"google@search.mozilla.org"
"bing@search.mozilla.org"
"amazondotcom@search.mozilla.org"
"ebay@search.mozilla.org"
"twitter@search.mozilla.org"
];
};
# XXX doesn't seem to have any effect...
# docs: https://github.com/mozilla/policy-templates#homepage
# Homepage = {
# HomepageURL = "https://uninsane.org/";
# StartPage = "homepage";
# };
# NewTabPage = true;
};
}

14
modules/universal/home-manager/aerc.nix
View File

@@ -1,14 +0,0 @@
# Terminal UI mail client
{ config, ... }:
{
sops.secrets."aerc_accounts" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/aerc_accounts.conf;
format = "binary";
};
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# aerc TUI mail client
xdg.configFile."aerc/accounts.conf".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
};
}

218
modules/universal/home-manager/default.nix
View File

@@ -1,218 +0,0 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.home-manager;
# extract package from `extraPackages`
pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
# extract `dir` from `extraPackages`
dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
feeds = import ./feeds.nix { inherit lib; };
in
{
imports = [
./aerc.nix
./discord.nix
./firefox.nix
./git.nix
./kitty.nix
./mpv.nix
./nb.nix
./neovim.nix
./ssh.nix
./sublime-music.nix
./vlc.nix
./zsh.nix
];
options = {
# packages to deploy to the user's home
sane.home-manager.extraPackages = mkOption {
default = [ ];
# each entry can be either a package, or attrs:
# { pkg = package; dir = optional string;
type = types.listOf (types.either types.package types.attrs);
};
# attributes to copy directly to home-manager's `wayland.windowManager` option
sane.home-manager.windowManager = mkOption {
default = {};
type = types.attrs;
};
# extra attributes to include in home-manager's `programs` option
sane.home-manager.programs = mkOption {
default = {};
type = types.attrs;
};
};
config = {
sane.impermanence.home-dirs = [
"archive"
"dev"
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
] ++ (dir-list cfg.extraPackages);
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
# see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# run `home-manager-help` to access manpages
# or `man home-configuration.nix`
manual.html.enable = false; # TODO: set to true later (build failure)
manual.manpages.enable = false; # TODO: enable after https://github.com/nix-community/home-manager/issues/3344
home.packages = pkg-list cfg.extraPackages;
wayland.windowManager = cfg.windowManager;
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
home.activation = {
initKeyring = {
after = ["writeBoundary"];
before = [];
data = "${../../../scripts/init-keyring}";
};
};
home.file = let
privates = builtins.listToAttrs (
builtins.map (path: {
name = path;
value = { source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/${path}"; };
})
(private-list cfg.extraPackages)
);
in {
# convenience
"knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
"nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
"Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
"Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
"Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
# used by password managers, e.g. unix `pass`
".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
} // privates;
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/dev";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
# the xdg mime type for a file can be found with:
# - `xdg-mime query filetype path/to/thing.ext`
xdg.mimeApps.enable = true;
xdg.mimeApps.defaultApplications = let
www = sysconfig.sane.web-browser.desktop;
pdf = "org.gnome.Evince.desktop";
md = "obsidian.desktop";
thumb = "org.gnome.gThumb.desktop";
video = "vlc.desktop";
# audio = "mpv.desktop";
audio = "vlc.desktop";
in {
# HTML
"text/html" = [ www ];
"x-scheme-handler/http" = [ www ];
"x-scheme-handler/https" = [ www ];
"x-scheme-handler/about" = [ www ];
"x-scheme-handler/unknown" = [ www ];
# RICH-TEXT DOCUMENTS
"application/pdf" = [ pdf ];
"text/markdown" = [ md ];
# IMAGES
"image/heif" = [ thumb ]; # apple codec
"image/png" = [ thumb ];
"image/jpeg" = [ thumb ];
# VIDEO
"video/mp4" = [ video ];
"video/quicktime" = [ video ];
"video/x-matroska" = [ video ];
# AUDIO
"audio/flac" = [ audio ];
"audio/mpeg" = [ audio ];
"audio/x-vorbis+ogg" = [ audio ];
};
xdg.configFile."gpodderFeeds.opml".text = with feeds;
feedsToOpml feeds.podcasts;
# news-flash RSS viewer
xdg.configFile."newsflashFeeds.opml".text = with feeds;
feedsToOpml (feeds.texts ++ feeds.images);
# gnome feeds RSS viewer
xdg.configFile."org.gabmus.gfeeds.json".text =
let
myFeeds = feeds.texts ++ feeds.images;
in builtins.toJSON {
# feed format is a map from URL to a dict,
# with dict["tags"] a list of string tags.
feeds = builtins.foldl' (acc: feed: acc // {
"${feed.url}".tags = [ feed.cat feed.freq ];
}) {} myFeeds;
dark_reader = false;
new_first = true;
# windowsize = {
# width = 350;
# height = 650;
# };
max_article_age_days = 90;
enable_js = false;
max_refresh_threads = 3;
# saved_items = {};
# read_items = [];
show_read_items = true;
full_article_title = true;
# views: "webview", "reader", "rsscont"
default_view = "rsscont";
open_links_externally = true;
full_feed_name = false;
refresh_on_startup = true;
tags = lib.lists.unique (
(builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
);
open_youtube_externally = false;
media_player = "vlc"; # default: mpv
};
programs = {
home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
# "command not found" will cause the command to be searched in nixpkgs
nix-index.enable = true;
} // cfg.programs;
};
};
}

10
modules/universal/home-manager/discord.nix
View File

@@ -1,10 +0,0 @@
{ ... }:
{
# TODO: this should only be enabled on gui devices
# make Discord usable even when client is "outdated"
home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
{
"SKIP_HOST_UPDATE": true
}
'';
}

182
modules/universal/home-manager/feeds.nix
View File

@@ -1,182 +0,0 @@
{ lib }:
let
hourly = { freq = "hourly"; };
daily = { freq = "daily"; };
weekly = { freq = "weekly"; };
infrequent = { freq = "infrequent"; };
art = { cat = "art"; };
humor = { cat = "humor"; };
pol = { cat = "pol"; }; # or maybe just "social"
rat = { cat = "rat"; };
tech = { cat = "tech"; };
uncat = { cat = "uncat"; };
text = { format = "text"; };
image = { format = "image"; };
podcast = { format = "podcast"; };
mkRss = format: url: { inherit url format; } // uncat // infrequent;
# format-specific helpers
mkText = mkRss text;
mkImg = mkRss image;
mkPod = mkRss podcast;
# host-specific helpers
mkSubstack = subdomain: mkText "https://${subdomain}.substack.com/feed";
# merge the attrs `new` into each value of the attrs `addTo`
addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
# for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
in rec {
podcasts = [
(mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
## Astral Codex Ten
(mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
## Econ Talk
(mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
## Cory Doctorow
(mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
(mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
## Civboot
(mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
(mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
(mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
(mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
(mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
## The Daily
(mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
(mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
(mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
## Eric Weinstein
(mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
(mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
(mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
(mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
## 99% Invisible
(mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
(mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
(mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
## 60 minutes (NB: this features more than *just* audio?)
(mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
];
texts = [
# AGGREGATORS (> 1 post/day)
(mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
(mkText "http://www.econlib.org/index.xml" // pol // hourly)
# AGGREGATORS (< 1 post/day)
(mkText "https://palladiummag.com/feed" // uncat // weekly)
(mkText "https://profectusmag.com/feed" // uncat // weekly)
(mkText "https://semiaccurate.com/feed" // tech // weekly)
(mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
(mkText "https://spectrum.ieee.org/rss" // tech // weekly)
## No Moods, Ads or Cutesy Fucking Icons
(mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
# DEVELOPERS
(mkText "https://uninsane.org/atom.xml" // infrequent // tech)
(mkText "https://mg.lol/blog/rss/" // infrequent // tech)
## Ken Shirriff
(mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
## Vitalik Buterin
(mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
## ian (Sanctuary)
(mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
## Bunnie Juang
(mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
(mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
(mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
(mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
(mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
(mkText "https://anish.lakhwara.com/home.html" // tech // weekly)
# (TECH; POL) COMMENTATORS
(mkSubstack "edwardsnowden" // pol // infrequent)
(mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
## Ben Thompson
(mkText "https://www.stratechery.com/rss" // pol // weekly)
## Balaji
(mkText "https://balajis.com/rss" // pol // weekly)
(mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
(mkText "https://www.lynalden.com/feed" // pol // infrequent)
(mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
(mkSubstack "oversharing" // pol // daily)
(mkSubstack "doomberg" // tech // weekly)
## David Rosenthal
(mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
## Matt Levine
(mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
# RATIONALITY/PHILOSOPHY/ETC
(mkSubstack "samkriss" // humor // infrequent)
(mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
(mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
(mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
(mkText "https://www.richardcarrier.info/feed" // rat // weekly)
(mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
## Jason Crawford
(mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
## Robin Hanson
(mkText "https://www.overcomingbias.com/feed" // rat // daily)
## Scott Alexander
(mkSubstack "astralcodexten" // rat // daily)
## Paul Christiano
(mkText "https://sideways-view.com/feed" // rat // infrequent)
## Sean Carroll
(mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
# CODE
(mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
];
images = [
(mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
(mkImg "https://xkcd.com/atom.xml" // humor // daily)
(mkImg "http://dilbert.com/feed" // humor // daily)
# ART
(mkImg "https://miniature-calendar.com/feed" // art // daily)
];
all = texts ++ images ++ podcasts;
# return only the feed items which match this category (e.g. "tech")
filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
# return only the feed items which match this format (e.g. "podcast")
filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
# transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
# represents a single RSS feed.
opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
# a list of RSS feeds.
opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
# one node which packages some flat grouping of terminals.
opmlGroup = title: feeds: ''
<outline text="${title}" title="${title}">
${opmlTerminals feeds}
</outline>
'';
# a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
);
# top-level OPML file which could be consumed by something else.
opmlTopLevel = body: ''
<?xml version="1.0" encoding="utf-8"?>
<opml version="2.0">
<body>
${body}
</body>
</opml>
'';
# **primary API**: generate a OPML file from the provided feeds
feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
}

139
modules/universal/home-manager/firefox.nix
View File

@@ -1,139 +0,0 @@
# common settings to toggle (at runtime, in about:config):
# > security.ssl.require_safe_negotiation
# librewolf is a forked firefox which patches firefox to allow more things
# (like default search engines) to be configurable at runtime.
# many of the settings below won't have effect without those patches.
# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
{ config, lib, pkgs, ...}:
with lib;
let
cfg = config.sane.web-browser;
# allow easy switching between firefox and librewolf with `defaultSettings`, below
librewolfSettings = {
browser = pkgs.librewolf-unwrapped;
# browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
# # this allows side-loading unsigned addons
# MOZ_REQUIRE_SIGNING = false;
# });
libName = "librewolf";
dotDir = ".librewolf";
desktop = "librewolf.desktop";
};
firefoxSettings = {
browser = pkgs.firefox-esr-unwrapped;
libName = "firefox";
dotDir = ".mozilla/firefox";
desktop = "firefox.desktop";
};
defaultSettings = firefoxSettings;
# defaultSettings = librewolfSettings;
package = pkgs.wrapFirefox cfg.browser {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
inherit (cfg) libName;
extraNativeMessagingHosts = [ pkgs.browserpass ];
# extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
nixExtensions = let
addon = name: extid: hash: pkgs.fetchFirefoxAddon {
inherit name hash;
url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
fixedExtid = extid;
};
localAddon = pkg: pkgs.fetchFirefoxAddon {
inherit (pkg) name;
src = "${pkg}/share/mozilla/extensions/\\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\\}/${pkg.extid}.xpi";
fixedExtid = pkg.extid;
};
in [
(addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-C+VQyaJ8BA0ErXGVTdnppJZ6J9SP+izf6RFxdS4VJoU=")
(addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-au5GGn22n4i6VrdOKqNMOrWdMoVCcpLdjO2wwRvyx7E=")
(addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-m14onUlnpLDPHezA/soKygcc76tF1fLG52tM/LkbAXQ=")
(addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
(addon "ether-metamask" "webextension@metamask.io" "sha256-dnpwKpNF0KgHMAlz5btkkZySjMsnrXECS35ClkD2XHc=")
# (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
(localAddon pkgs.browserpass-extension)
];
extraPolicies = {
NoDefaultBookmarks = true;
SearchEngines = {
Default = "DuckDuckGo";
};
AppUpdateURL = "https://localhost";
DisableAppUpdate = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DisableSystemAddonUpdate = true;
DisableFirefoxStudies = true;
DisableTelemetry = true;
DisableFeedbackCommands = true;
DisablePocket = true;
DisableSetDesktopBackground = false;
# remove many default search providers
# XXX this seems to prevent the `nixExtensions` from taking effect
# Extensions.Uninstall = [
# "google@search.mozilla.org"
# "bing@search.mozilla.org"
# "amazondotcom@search.mozilla.org"
# "ebay@search.mozilla.org"
# "twitter@search.mozilla.org"
# ];
# XXX doesn't seem to have any effect...
# docs: https://github.com/mozilla/policy-templates#homepage
# Homepage = {
# HomepageURL = "https://uninsane.org/";
# StartPage = "homepage";
# };
# NewTabPage = true;
};
};
in
{
options = {
sane.web-browser = mkOption {
default = defaultSettings;
type = types.attrs;
};
};
config = {
# XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
home-manager.users.colin = lib.mkIf (config.sane.gui.enable) {
programs.firefox = {
enable = true;
inherit package;
};
# uBlock filter list configuration.
# specifically, enable the GDPR cookie prompt blocker.
# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
# this configuration method is documented here:
# - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
# the specific attribute path is found via scraping ublock code here:
# - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
# - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
home.file."${cfg.dotDir}/managed-storage/uBlock0@raymondhill.net.json".text = ''
{
"name": "uBlock0@raymondhill.net",
"description": "ignored",
"type": "storage",
"data": {
"toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
}
}
'';
home.file."${cfg.dotDir}/${cfg.libName}.overrides.cfg".text = ''
// if we can't query the revocation status of a SSL cert because the issuer is offline,
// treat it as unrevoked.
// see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
defaultPref("security.OCSP.require", false);
'';
};
};
}

18
modules/universal/home-manager/git.nix
View File

@@ -1,18 +0,0 @@
{ pkgs, ... }:
{
home-manager.users.colin.programs.git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
aliases = { co = "checkout"; };
extraConfig = {
# difftastic docs:
# - <https://difftastic.wilfred.me.uk/git.html>
diff.tool = "difftastic";
difftool.prompt = false;
"difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
# now run `git difftool` to use difftastic git
};
};
}

69
modules/universal/home-manager/kitty.nix
View File

@@ -1,69 +0,0 @@
{ ... }:
{
home-manager.users.colin.programs.kitty = {
enable = true;
# docs: https://sw.kovidgoyal.net/kitty/conf/
settings = {
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell = false;
};
keybindings = {
"ctrl+n" = "new_os_window_with_cwd";
};
# docs: https://github.com/kovidgoyal/kitty-themes
# theme = "1984 Light"; # dislike: awful, harsh blues/teals
# theme = "Adventure Time"; # dislike: harsh (dark)
# theme = "Atom One Light"; # GOOD: light theme. all color combos readable. not a huge fan of the blue.
# theme = "Belafonte Day"; # dislike: too low contrast for text colors
# theme = "Belafonte Night"; # better: dark theme that's easy on the eyes. all combos readable. low contrast.
# theme = "Catppuccin"; # dislike: a bit pale/low-contrast (dark)
# theme = "Desert"; # mediocre: colors are harsh
# theme = "Earthsong"; # BEST: dark theme. readable, good contrast. unique, but decent colors.
# theme = "Espresso Libre"; # better: dark theme. readable, but meh colors
# theme = "Forest Night"; # decent: very pastel. it's workable, but unconventional and muted/flat.
# theme = "Gruvbox Material Light Hard"; # mediocre light theme.
# theme = "kanagawabones"; # better: dark theme. colors are too background-y
# theme = "Kaolin Dark"; # dislike: too dark
# theme = "Kaolin Breeze"; # mediocre: not-too-harsh light theme, but some parts are poor contrast
# theme = "Later This Evening"; # mediocre: not-too-harsh dark theme, but cursor is poor contrast
# theme = "Material"; # decent: light theme, few colors.
# theme = "Mayukai"; # decent: not-too-harsh dark theme. the teal is a bit straining
# theme = "Nord"; # mediocre: pale background, low contrast
# theme = "One Half Light"; # better: not-too-harsh light theme. contrast could be better
theme = "PaperColor Dark"; # BEST: dark theme, very readable still the colors are background-y
# theme = "Parasio Dark"; # dislike: too low contrast
# theme = "Pencil Light"; # better: not-too-harsh light theme. decent contrast.
# theme = "Pnevma"; # dislike: too low contrast
# theme = "Piatto Light"; # better: readable light theme. pleasing colors. powerline prompt is hard to read.
# theme = "Rosé Pine Dawn"; # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
# theme = "Rosé Pine Moon"; # GOOD: dark theme. tasteful colors. but background is a bit intense
# theme = "Sea Shells"; # mediocre. not all color combos are readable
# theme = "Solarized Light"; # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
# theme = "Solarized Dark Higher Contrast"; # better: dark theme, decent colors
# theme = "Sourcerer"; # mediocre: ugly colors
# theme = "Space Gray"; # mediocre: too muted
# theme = "Space Gray Eighties"; # better: all readable, decent colors
# theme = "Spacemacs"; # mediocre: too muted
# theme = "Spring"; # mediocre: readable light theme, but the teal is ugly.
# theme = "Srcery"; # better: highly readable. colors are ehhh
# theme = "Substrata"; # decent: nice colors, but a bit flat.
# theme = "Sundried"; # mediocre: the solar text makes me squint
# theme = "Symfonic"; # mediocre: the dark purple has low contrast to the black bg.
# theme = "Tango Light"; # dislike: teal is too grating
# theme = "Tokyo Night Day"; # medicore: too muted
# theme = "Tokyo Night"; # better: tasteful. a bit flat
# theme = "Tomorrow"; # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
# theme = "Treehouse"; # dislike: the orange is harsh on my eyes.
# theme = "Urple"; # dislike: weird palette
# theme = "Warm Neon"; # decent: not-too-harsh dark theme. the green is a bit unattractive
# theme = "Wild Cherry"; # GOOD: dark theme: nice colors. a bit flat
# theme = "Xcodedark"; # dislike: bad palette
# theme = "citylights"; # decent: dark theme. some parts have just a bit low contrast
# theme = "neobones_light"; # better light theme. the background is maybe too muted
# theme = "vimbones";
# theme = "zenbones_dark"; # mediocre: readable, but meh colors
# theme = "zenbones_light"; # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
# theme = "zenwritten_dark"; # mediocre: looks same as zenbones_dark
# extraConfig = "";
};
}

11
modules/universal/home-manager/mpv.nix
View File

@@ -1,11 +0,0 @@
{ ... }:
{
home-manager.users.colin.programs.mpv = {
enable = true;
config = {
save-position-on-quit = true;
keep-open = "yes";
};
};
}

24
modules/universal/home-manager/nb.nix
View File

@@ -1,24 +0,0 @@
# nb is a CLI-drive Personal Knowledge Manager
# - <https://xwmx.github.io/nb/>
#
# it's pretty opinionated:
# - autocommits (to git) excessively (disable-able)
# - inserts its own index files to give deterministic names to files
#
# it offers a primitive web-server
# and it offers some CLI query tools
{ lib, pkgs, ... }: lib.mkIf false # XXX disabled!
{
sane.home-manager.extraPackages = [ pkgs.nb ];
home-manager.users.colin = { config, ... }: {
# nb markdown/personal knowledge manager
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file.".nb/.current".text = "knowledge";
home.file.".nbrc".text = ''
# manage with `nb settings`
export NB_AUTO_SYNC=0
'';
};
}

115
modules/universal/home-manager/neovim.nix
View File

@@ -1,115 +0,0 @@
{ pkgs, ... }:
{
sane.impermanence.home-dirs = [ ".cache/vim-swap" ];
home-manager.users.colin.programs.neovim = {
# neovim: https://github.com/neovim/neovim
enable = true;
viAlias = true;
vimAlias = true;
plugins = with pkgs.vimPlugins; [
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
vim-surround
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
fzf-vim
# docs: https://github.com/KeitaNakamura/tex-conceal.vim/
({
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
})
({
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
})
# nabla renders inline math in any document, but it's buggy.
# https://github.com/jbyuki/nabla.nvim
# ({
# plugin = pkgs.nabla;
# type = "lua";
# config = ''
# require'nabla'.enable_virt()
# '';
# })
# treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
# docs: https://github.com/nvim-treesitter/nvim-treesitter
# config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
# this is required for tree-sitter to even highlight
({
plugin = nvim-treesitter.withAllGrammars;
type = "lua";
config = ''
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
-- disable treesitter on Rust so that we can use SyntaxRange
-- and leverage TeX rendering in rust projects
disable = { "rust", "tex", "latex" },
-- disable = { "tex", "latex" },
-- true to also use builtin vim syntax highlighting when treesitter fails
additional_vim_regex_highlighting = false
},
incremental_selection = {
enable = true,
keymaps = {
init_selection = "gnn",
node_incremental = "grn",
mcope_incremental = "grc",
node_decremental = "grm"
}
},
indent = {
enable = true,
disable = {}
}
}
vim.o.foldmethod = 'expr'
vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
'';
})
];
extraConfig = ''
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
set mouse=
" copy/paste to system clipboard
set clipboard=unnamedplus
" screw tabs; always expand them into spaces
set expandtab
" at least don't open files with sections folded by default
set nofoldenable
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" horizontal rule under the active line
" set cursorline
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
'';
};
}

18
modules/universal/home-manager/ssh.nix
View File

@@ -1,18 +0,0 @@
{ config, pkgs, ... }:
{
home-manager.users.colin = let
host = config.networking.hostName;
user_pubkey = (import ../pubkeys.nix).users."${host}";
known_hosts_text = builtins.concatStringsSep
"\n"
(builtins.attrValues (import ../pubkeys.nix).hosts);
in { config, ...}: {
# ssh key is stored in private storage
home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
home.file.".ssh/id_ed25519.pub".text = user_pubkey;
programs.ssh.enable = true;
# this optionally accepts multiple known_hosts paths, separated by space.
programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
};
}

14
modules/universal/home-manager/sublime-music.nix
View File

@@ -1,14 +0,0 @@
{ config, ... }:
{
# TODO: this should only be shipped on gui platforms
sops.secrets."sublime_music_config" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
format = "binary";
};
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
# sublime music player
xdg.configFile."sublime-music/config.json".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
};
}

17
modules/universal/home-manager/vlc.nix
View File

@@ -1,17 +0,0 @@
{ lib, ... }:
{
home-manager.users.colin.xdg.configFile."vlc/vlcrc".text =
let
feeds = import ./feeds.nix { inherit lib; };
podcastUrls = lib.strings.concatStringsSep "|" (
builtins.map (feed: feed.url) feeds.podcasts
);
in ''
[podcast]
podcast-urls=${podcastUrls}
[core]
metadata-network-access=0
[qt]
qt-privacy-ask=0
'';
}

61
modules/universal/home-manager/zsh.nix
View File

@@ -1,61 +0,0 @@
{ ... }:
{
# we don't need to full zsh dir -- just the history file --
# but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
sane.impermanence.home-dirs = [ ".local/share/zsh" ];
home-manager.users.colin.programs.zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
history.ignorePatterns = [ "rm *" ];
dotDir = ".config/zsh";
history.path = "/home/colin/.local/share/zsh/history";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
initExtra = ''
# zmv is a way to do rich moves/renames, with pattern matching/substitution.
# see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
autoload -Uz zmv
# disable `rm *` confirmations
setopt rmstarsilent
function nd() {
mkdir -p "$1";
pushd "$1";
}
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt.theme = "powerlevel10k";
utility.safeOps = false; # disable `mv` confirmation (and supposedly `rm`, too)
};
};
home-manager.users.colin.home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
}

11
modules/universal/machine-id.nix
View File

@@ -1,11 +0,0 @@
{ ... }:
{
# we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
# logs from previous boots.
# maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
# but for now generate it from ssh keys.
system.activationScripts.machine-id = {
deps = [ "persist-ssh-host-keys" ];
text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
};
}

14
modules/universal/net.nix
View File

@@ -18,20 +18,10 @@
# docs:
# - <https://nixos.wiki/wiki/Iwd>
# - <https://iwd.wiki.kernel.org/networkmanager>
# - `man iwd.config` for global config
# - `man iwd.network` for per-SSID config
# use `iwctl` to control
networking.networkmanager.wifi.backend = "iwd";
networking.wireless.iwd.enable = true;
networking.wireless.iwd.settings = {
# auto-connect to a stronger network if signal drops below this value
# bedroom -> bedroom connection is -35 to -40 dBm
# bedroom -> living room connection is -60 dBm
General.RoamThreshold = "-52"; # default -70
General.RoamThreshold5G = "-52"; # default -76
};
networking.networkmanager.wifi.backend = "iwd";
# TODO: don't need to depend on binsh if we were to use a nix-style shebang
system.activationScripts.linkIwdKeys = let
unwrapped = ../../scripts/install-iwd;
install-iwd = pkgs.writeShellApplication {
@@ -40,7 +30,7 @@
text = ''${unwrapped} "$@"'';
};
in (lib.stringAfter
[ "setupSecrets" "binsh" ]
[ "setupSecrets" ]
''
mkdir -p /var/lib/iwd
${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd

34
modules/universal/pubkeys.nix
View File

@@ -1,34 +0,0 @@
# create ssh key by running:
# - `ssh-keygen -t ed25519`
let
withHost = host: key: "${host} ${key}";
withUser = user: key: "${key} ${user}";
keys = rec {
lappy = {
host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
};
desko = {
host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
};
servo = {
host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
};
moby = {
host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
users.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
};
"uninsane.org" = servo;
"git.uninsane.org" = servo;
};
in {
# map hostname -> something suitable for known_keys
hosts = builtins.mapAttrs (machine: keys: withHost machine keys.host) keys;
# map hostname -> something suitable for authorized_keys to allow access to colin@<hostname>
users = builtins.mapAttrs (machine: keys: withUser "colin@${machine}" keys.users.colin) keys;
}

4
modules/universal/secrets.nix
View File

@@ -35,9 +35,9 @@
sops.defaultSopsFile = ./../../secrets/universal.yaml;
# This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [
"/etc/ssh/host_keys/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key"
# "/home/colin/.ssh/id_ed25519_dec"
];
sops.gnupg.sshKeyPaths = []; # disable RSA key import
# This is using an age key that is expected to already be in the filesystem
# sops.age.keyFile = "/home/colin/.ssh/age.pub";
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";

21
modules/universal/ssh.nix
View File

@@ -1,21 +0,0 @@
{ ... }:
{
# we place the host keys (which we want to be persisted) into their own directory so that we can
# bind mount that whole directory instead of doing it per-file.
# otherwise, this is identical to nixos defaults
sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
# we can't naively `mount /etc/ssh/host_keys` directly,
# as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
# we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
# since that also depends on `users`.
system.activationScripts.persist-ssh-host-keys.text = ''
mkdir -p /etc/ssh/host_keys
mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
'';
services.openssh.hostKeys = [
{ type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
];
}

36
modules/universal/users.nix
View File

@@ -43,36 +43,20 @@ in
"feedbackd"
"dialout" # required for modem access
];
# initial password is empty, in case anything goes wrong.
# if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
initialPassword = lib.mkDefault "";
passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = builtins.attrValues (import ./pubkeys.nix).users;
pamMount = {
# mount encrypted stuff at login
# requires that login password == fs encryption password
# fstype = "fuse";
# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
fstype = "fuse.gocryptfs";
path = "/nix/persist/home/colin/private";
mountpoint = "/home/colin/private";
options="nodev,nosuid,quiet,allow_other";
};
# shell = pkgs.bashInteractive;
# XXX colin: create ssh key for THIS user by logging in and running:
# ssh-keygen -t ed25519
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
# moby doesn't need to login to any other devices yet
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
];
};
sane.impermanence.home-dirs = [
# cache is probably too big to fit on the tmpfs
# TODO: we could bind-mount it to something which gets cleared per boot, though.
".cache"
".cargo"
".rustup"
".local/share/keyrings"
];
sane.impermanence.service-dirs = mkIf cfg.guest.enable [
{ user = "guest"; group = "users"; directory = "/home/guest"; }
];

302
nixpatches/04-dart-2.7.0.patch Normal file
View File

@@ -0,0 +1,302 @@
diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
index 9eba6773448..f51aeb8b624 100644
--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
@@ -4,20 +4,20 @@ let
getPatches = dir:
let files = builtins.attrNames (builtins.readDir dir);
in map (f: dir + ("/" + f)) files;
- version = "2.10.1";
+ version = "3.0.0";
channel = "stable";
filename = "flutter_linux_${version}-${channel}.tar.xz";
# Decouples flutter derivation from dart derivation,
# use specific dart version to not need to bump dart derivation when bumping flutter.
- dartVersion = "2.16.1";
+ dartVersion = "2.17.0";
dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
dartForFlutter = dart.override {
version = dartVersion;
sources = {
"${dartVersion}-x86_64-linux" = fetchurl {
url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
- sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
+ sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
};
};
};
@@ -29,7 +29,7 @@ in {
pname = "flutter";
src = fetchurl {
url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
- sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
+ sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
};
patches = getPatches ./patches;
};
diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
index 43538ede339..ece25c14b55 100644
--- a/pkgs/development/compilers/flutter/flutter.nix
+++ b/pkgs/development/compilers/flutter/flutter.nix
@@ -56,12 +56,15 @@ let
export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
export DART_SDK_PATH="${dart}"
+ export DART="${dart}/bin/dart"
HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
# path is relative otherwise it's replaced by /build/flutter
+ # mkdir -p "$HOME/.cache"
+ # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
pushd "$FLUTTER_TOOLS_DIR"
- ${dart}/bin/pub get --offline
+ ${dart}/bin/dart pub get --offline
popd
local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
new file mode 100644
index 00000000000..0c736f945ea
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
@@ -0,0 +1,102 @@
+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
+index 468a91a954..5def6897ce 100644
+--- a/dev/bots/prepare_package.dart
++++ b/dev/bots/prepare_package.dart
+@@ -525,7 +525,7 @@ class ArchiveCreator {
+
+ Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
+ return _processRunner.runProcess(
+- <String>['git', ...args],
++ <String>['git', '--git-dir', '.git', ...args],
+ workingDirectory: workingDirectory ?? flutterRoot,
+ );
+ }
+diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
+index bb0eb428a9..4a2a48bb5e 100644
+--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
+@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
+ // Detect unknown versions.
+ final ProcessUtils processUtils = _processUtils!;
+ final RunResult parseResult = await processUtils.run(<String>[
+- 'git', 'describe', '--tags', lastFlutterVersion,
++ 'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
+ ], workingDirectory: workingDirectory);
+ if (parseResult.exitCode != 0) {
+ throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
+@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
+ continue;
+ }
+ final RunResult parseResult = await _processUtils!.run(<String>[
+- 'git', 'describe', '--tags', sha,
++ 'git', '--git-dir', '.git', 'describe', '--tags', sha,
+ ], workingDirectory: workingDirectory);
+ if (parseResult.exitCode == 0) {
+ buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
+index f2068a6ca2..99b161689e 100644
+--- a/packages/flutter_tools/lib/src/version.dart
++++ b/packages/flutter_tools/lib/src/version.dart
+@@ -106,7 +106,7 @@ class FlutterVersion {
+ String? channel = _channel;
+ if (channel == null) {
+ final String gitChannel = _runGit(
+- 'git rev-parse --abbrev-ref --symbolic @{u}',
++ 'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -114,7 +114,7 @@ class FlutterVersion {
+ if (slash != -1) {
+ final String remote = gitChannel.substring(0, slash);
+ _repositoryUrl = _runGit(
+- 'git ls-remote --get-url $remote',
++ 'git --git-dir .git ls-remote --get-url $remote',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -326,7 +326,7 @@ class FlutterVersion {
+ /// the branch name will be returned as `'[user-branch]'`.
+ String getBranchName({ bool redactUnknownBranches = false }) {
+ _branch ??= () {
+- final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
++ final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
+ return branch == 'HEAD' ? channel : branch;
+ }();
+ if (redactUnknownBranches || _branch!.isEmpty) {
+@@ -359,7 +359,7 @@ class FlutterVersion {
+ /// wrapper that does that.
+ @visibleForTesting
+ static List<String> gitLog(List<String> args) {
+- return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
++ return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
+ }
+
+ /// Gets the release date of the latest available Flutter version.
+@@ -730,7 +730,7 @@ class GitTagVersion {
+
+ static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+ if (fetchTags) {
+- final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
++ final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+ if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
+ globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
+ } else {
+@@ -739,7 +739,7 @@ class GitTagVersion {
+ }
+ // find all tags attached to the given [gitRef]
+ final List<String> tags = _runGit(
+- 'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
++ 'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
+
+ // Check first for a stable tag
+ final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
+@@ -760,7 +760,7 @@ class GitTagVersion {
+ // recent tag and number of commits past.
+ return parse(
+ _runGit(
+- 'git describe --match *.*.* --long --tags $gitRef',
++ 'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
+ processUtils,
+ workingDirectory,
+ )
diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
new file mode 100644
index 00000000000..f68029eb7a1
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
@@ -0,0 +1,130 @@
+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
+index 2aac9686e8..32c4b98b88 100644
+--- a/packages/flutter_tools/lib/src/artifacts.dart
++++ b/packages/flutter_tools/lib/src/artifacts.dart
+@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
+ ) {
+ switch (artifact) {
+ case HostArtifact.engineDartSdkPath:
+- final String path = _dartSdkPath(_cache);
++ final String path = _dartSdkPath(_fileSystem);
+ return _fileSystem.directory(path);
+ case HostArtifact.engineDartBinary:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.flutterWebSdk:
+ final String path = _getFlutterWebSdkPath();
+@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
+ case HostArtifact.dart2jsSnapshot:
+ case HostArtifact.dartdevcSnapshot:
+ case HostArtifact.kernelWorkerSnapshot:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.iosDeploy:
+ final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
+@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
+ String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ switch (artifact) {
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
++ assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
++ return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
+ case Artifact.genSnapshot:
+ assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
+ final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
+ return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.constFinder:
+ case Artifact.flutterFramework:
+ case Artifact.flutterMacOSFramework:
+@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
+ switch (artifact) {
+ case Artifact.genSnapshot:
+ case Artifact.flutterXcframework:
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
+ final String artifactFileName = _artifactToFileName(artifact)!;
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ return _fileSystem.path.join(engineDir, artifactFileName);
+ case Artifact.flutterFramework:
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.constFinder:
+ case Artifact.flutterMacOSFramework:
+ case Artifact.flutterMacOSPodspec:
+@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
+ // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
+ // android_arm in profile mode because it is available on all supported host platforms.
+ return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+- return _fileSystem.path.join(
+- _dartSdkPath(_cache), 'bin', 'snapshots',
+- _artifactToFileName(artifact),
+- );
+ case Artifact.flutterTester:
+ case Artifact.vmSnapshotData:
+ case Artifact.isolateSnapshotData:
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.icuData:
+ final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
+ final String platformDirName = _enginePlatformDirectoryName(platform);
+@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.dartdevcSnapshot:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.kernelWorkerSnapshot:
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ case Artifact.windowsUwpCppClientWrapper:
+ return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+ case Artifact.frontendServerSnapshotForEngineDartSdk:
+- return _fileSystem.path.join(
+- _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
+- );
++ return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
+ case Artifact.uwptool:
+ return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+ }
+@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
+ }
+
+ /// Locate the Dart SDK.
+-String _dartSdkPath(Cache cache) {
+- return cache.getRoot().childDirectory('dart-sdk').path;
++String _dartSdkPath(FileSystem fileSystem) {
++ return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
+ }
+
+ class _TestArtifacts implements Artifacts {
+diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+index d906511a15..adfdd4bb42 100644
+--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+@@ -153,10 +153,6 @@ void main() {
+ artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
+ fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
+ );
+- expect(
+- artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
+- fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
+- );
+ });
+
+ testWithoutContext('precompiled web artifact paths are correct', () {
+@@ -322,11 +318,6 @@ void main() {
+ artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
+ fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
+ );
+- expect(
+- artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
+- fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
+- 'snapshots', 'frontend_server.dart.snapshot')
+- );
+ });
+
+ testWithoutContext('getEngineType', () {

646
nixpatches/11-flutter-3.3.3-189338.patch Normal file
View File

@@ -0,0 +1,646 @@
diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
index d50e7118cc1..22bbeb212f0 100644
--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
@@ -1,16 +1,16 @@
{ lib
, fetchFromGitLab
-, flutter
+, flutter2
, olm
, imagemagick
, makeDesktopItem
}:
-flutter.mkFlutterApp rec {
+flutter2.mkFlutterApp rec {
pname = "fluffychat";
version = "1.2.0";
- vendorHash = "sha256-co+bnsVIyg42JpM9FimfGEjrd6A99GlBeow1Dgv7NBI=";
+ vendorHash = "sha256-1PDX023WXRmRe/b1L+6Du91BvGwYNp3YATqYSQdPrRY=";
src = fetchFromGitLab {
owner = "famedly";
diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
index 4529d2adc1a..02188335129 100644
--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
@@ -4,34 +4,40 @@ let
getPatches = dir:
let files = builtins.attrNames (builtins.readDir dir);
in map (f: dir + ("/" + f)) files;
- version = "3.0.4";
- channel = "stable";
- filename = "flutter_linux_${version}-${channel}.tar.xz";
-
- # Decouples flutter derivation from dart derivation,
- # use specific dart version to not need to bump dart derivation when bumping flutter.
- dartVersion = "2.17.5";
- dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
- dartForFlutter = dart.override {
- version = dartVersion;
- sources = {
- "${dartVersion}-x86_64-linux" = fetchurl {
- url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
- sha256 = "sha256-AFJGeiPsjUZSO+DykmOIFETg2jIohg62tp3ghZrKJFk=";
+ flutterDrv = { version, pname, dartVersion, hash, dartHash, patches }: mkFlutter {
+ inherit version pname patches;
+ dart = dart.override {
+ version = dartVersion;
+ sources = {
+ "${dartVersion}-x86_64-linux" = fetchurl {
+ url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
+ sha256 = dartHash;
+ };
};
};
+ src = fetchurl {
+ url = "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${version}-stable.tar.xz";
+ sha256 = hash;
+ };
};
in
{
inherit mkFlutter;
- stable = mkFlutter rec {
- inherit version;
- dart = dartForFlutter;
+ stable = flutterDrv {
pname = "flutter";
- src = fetchurl {
- url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
- sha256 = "sha256-vh3QjLGFBN321DUET9XhYqSkILjEj+ZqAALu/mxY+go=";
- };
- patches = getPatches ./patches;
+ version = "3.3.3";
+ dartVersion = "2.18.2";
+ hash = "sha256-MTZeWQUp4/TcPzYIT6eqIKSPUPvn2Mp/thOQzNgpTXg=";
+ dartHash = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+ patches = getPatches ./patches/flutter3;
+ };
+
+ v2 = flutterDrv {
+ pname = "flutter";
+ version = "2.10.5";
+ dartVersion = "2.16.2";
+ hash = "sha256-DTZwxlMUYk8NS1SaWUJolXjD+JnRW73Ps5CdRHDGnt0=";
+ dartHash = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+ patches = getPatches ./patches/flutter2;
};
}
diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
index 28a78c3e306..f2c861356ab 100644
--- a/pkgs/development/compilers/flutter/flutter.nix
+++ b/pkgs/development/compilers/flutter/flutter.nix
@@ -65,7 +65,7 @@ let
popd
local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
- ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.packages" "$SCRIPT_PATH"
+ ${dart}/bin/dart --snapshot="$SNAPSHOT_PATH" --packages="$FLUTTER_TOOLS_DIR/.dart_tool/package_config.json" "$SCRIPT_PATH"
echo "$revision" > "$STAMP_PATH"
echo -n "${version}" > version
diff --git a/pkgs/development/compilers/flutter/patches/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
similarity index 100%
rename from pkgs/development/compilers/flutter/patches/disable-auto-update.patch
rename to pkgs/development/compilers/flutter/patches/flutter2/disable-auto-update.patch
diff --git a/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
new file mode 100644
index 00000000000..0136ef93106
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter2/git-dir.patch
@@ -0,0 +1,80 @@
+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
+index 468a91a954..5def6897ce 100644
+--- a/dev/bots/prepare_package.dart
++++ b/dev/bots/prepare_package.dart
+@@ -525,7 +525,7 @@ class ArchiveCreator {
+
+ Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
+ return _processRunner.runProcess(
+- <String>['git', ...args],
++ <String>['git', '--git-dir', '.git', ...args],
+ workingDirectory: workingDirectory ?? flutterRoot,
+ );
+ }
+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
+index f2068a6ca2..99b161689e 100644
+--- a/packages/flutter_tools/lib/src/version.dart
++++ b/packages/flutter_tools/lib/src/version.dart
+@@ -106,7 +106,7 @@ class FlutterVersion {
+ String? channel = _channel;
+ if (channel == null) {
+ final String gitChannel = _runGit(
+- 'git rev-parse --abbrev-ref --symbolic @{u}',
++ 'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -114,7 +114,7 @@ class FlutterVersion {
+ if (slash != -1) {
+ final String remote = gitChannel.substring(0, slash);
+ _repositoryUrl = _runGit(
+- 'git ls-remote --get-url $remote',
++ 'git --git-dir .git ls-remote --get-url $remote',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -326,7 +326,7 @@ class FlutterVersion {
+ /// the branch name will be returned as `'[user-branch]'`.
+ String getBranchName({ bool redactUnknownBranches = false }) {
+ _branch ??= () {
+- final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
++ final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
+ return branch == 'HEAD' ? channel : branch;
+ }();
+ if (redactUnknownBranches || _branch!.isEmpty) {
+@@ -359,7 +359,7 @@ class FlutterVersion {
+ /// wrapper that does that.
+ @visibleForTesting
+ static List<String> gitLog(List<String> args) {
+- return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
++ return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
+ }
+
+ /// Gets the release date of the latest available Flutter version.
+@@ -730,7 +730,7 @@ class GitTagVersion {
+
+ static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+ if (fetchTags) {
+- final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
++ final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+ if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
+ globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
+ } else {
+@@ -739,7 +739,7 @@ class GitTagVersion {
+ }
+ // find all tags attached to the given [gitRef]
+ final List<String> tags = _runGit(
+- 'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
++ 'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
+
+ // Check first for a stable tag
+ final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
+@@ -760,7 +760,7 @@ class GitTagVersion {
+ // recent tag and number of commits past.
+ return parse(
+ _runGit(
+- 'git describe --match *.*.* --long --tags $gitRef',
++ 'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
+ processUtils,
+ workingDirectory,
+ )
diff --git a/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
new file mode 100644
index 00000000000..a81d2def242
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter2/move-cache.patch
@@ -0,0 +1,72 @@
+diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
+index ed42baea29..12941f733a 100644
+--- a/packages/flutter_tools/lib/src/asset.dart
++++ b/packages/flutter_tools/lib/src/asset.dart
+@@ -11,11 +11,11 @@ import 'base/file_system.dart';
+ import 'base/logger.dart';
+ import 'base/platform.dart';
+ import 'build_info.dart';
+-import 'cache.dart';
+ import 'convert.dart';
+ import 'dart/package_map.dart';
+ import 'devfs.dart';
+ import 'flutter_manifest.dart';
++import 'globals.dart' as globals;
+ import 'license_collector.dart';
+ import 'project.dart';
+
+@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
+ }
+ final Uri entryUri = _fileSystem.path.toUri(asset);
+ result.add(_Asset(
+- baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
++ baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
+ relativeUri: Uri(path: entryUri.pathSegments.last),
+ entryUri: entryUri,
+ package: null,
+diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
+index defc86cc20..7fdf14d112 100644
+--- a/packages/flutter_tools/lib/src/cache.dart
++++ b/packages/flutter_tools/lib/src/cache.dart
+@@ -22,6 +22,7 @@ import 'base/user_messages.dart';
+ import 'build_info.dart';
+ import 'convert.dart';
+ import 'features.dart';
++import 'globals.dart' as globals;
+
+ const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
+ const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
+@@ -322,8 +323,13 @@ class Cache {
+ return;
+ }
+ assert(_lock == null);
++ final Directory dir = _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
++ if (!dir.existsSync()) {
++ dir.createSync(recursive: true);
++ globals.os.chmod(dir, '755');
++ }
+ final File lockFile =
+- _fileSystem.file(_fileSystem.path.join(flutterRoot!, 'bin', 'cache', 'lockfile'));
++ _fileSystem.file(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'lockfile'));
+ try {
+ _lock = lockFile.openSync(mode: FileMode.write);
+ } on FileSystemException catch (e) {
+@@ -382,8 +388,7 @@ class Cache {
+
+ String get devToolsVersion {
+ if (_devToolsVersion == null) {
+- const String devToolsDirPath = 'dart-sdk/bin/resources/devtools';
+- final Directory devToolsDir = getCacheDir(devToolsDirPath, shouldCreate: false);
++ final Directory devToolsDir = _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin/cache/dart-sdk/bin/resources/devtools'));
+ if (!devToolsDir.existsSync()) {
+ throw Exception('Could not find directory at ${devToolsDir.path}');
+ }
+@@ -536,7 +541,7 @@ class Cache {
+ if (_rootOverride != null) {
+ return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
+ } else {
+- return _fileSystem.directory(_fileSystem.path.join(flutterRoot!, 'bin', 'cache'));
++ return _fileSystem.directory(_fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter'));
+ }
+ }
+
diff --git a/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
new file mode 100644
index 00000000000..21b676a2af3
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter3/disable-auto-update.patch
@@ -0,0 +1,36 @@
+diff --git a/bin/internal/shared.sh b/bin/internal/shared.sh
+index ab746724e9..1087983c87 100644
+--- a/bin/internal/shared.sh
++++ b/bin/internal/shared.sh
+@@ -215,8 +215,6 @@ function shared::execute() {
+ exit 1
+ fi
+
+- upgrade_flutter 7< "$PROG_NAME"
+-
+ BIN_NAME="$(basename "$PROG_NAME")"
+ case "$BIN_NAME" in
+ flutter*)
+diff --git a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
+index 738fef987d..03a152e64f 100644
+--- a/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
++++ b/packages/flutter_tools/lib/src/runner/flutter_command_runner.dart
+@@ -241,7 +241,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
+ globals.flutterUsage.suppressAnalytics = true;
+ }
+
+- globals.flutterVersion.ensureVersionFile();
+ final bool machineFlag = topLevelResults['machine'] as bool? ?? false;
+ final bool ci = await globals.botDetector.isRunningOnBot;
+ final bool redirectedCompletion = !globals.stdio.hasTerminal &&
+@@ -250,10 +249,6 @@ class FlutterCommandRunner extends CommandRunner<void> {
+ final bool versionCheckFlag = topLevelResults['version-check'] as bool? ?? false;
+ final bool explicitVersionCheckPassed = topLevelResults.wasParsed('version-check') && versionCheckFlag;
+
+- if (topLevelResults.command?.name != 'upgrade' &&
+- (explicitVersionCheckPassed || (versionCheckFlag && !isMachine))) {
+- await globals.flutterVersion.checkFlutterVersionFreshness();
+- }
+
+ // See if the user specified a specific device.
+ globals.deviceManager?.specifiedDeviceId = topLevelResults['device-id'] as String?;
diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
similarity index 86%
rename from pkgs/development/compilers/flutter/patches/git-dir.patch
rename to pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
index 0c736f945ea..42ad756f8ea 100644
--- a/pkgs/development/compilers/flutter/patches/git-dir.patch
+++ b/pkgs/development/compilers/flutter/patches/flutter3/git-dir.patch
@@ -1,8 +1,8 @@
diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
-index 468a91a954..5def6897ce 100644
+index 8e4cb81340..2c20940423 100644
--- a/dev/bots/prepare_package.dart
+++ b/dev/bots/prepare_package.dart
-@@ -525,7 +525,7 @@ class ArchiveCreator {
+@@ -526,7 +526,7 @@ class ArchiveCreator {
Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
return _processRunner.runProcess(
@@ -12,7 +12,7 @@ index 468a91a954..5def6897ce 100644
);
}
diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
-index bb0eb428a9..4a2a48bb5e 100644
+index 666c190067..b6c3761f6f 100644
--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
+++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
@@ -34,19 +34,19 @@ index bb0eb428a9..4a2a48bb5e 100644
if (parseResult.exitCode == 0) {
buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
-index f2068a6ca2..99b161689e 100644
+index dc47f17057..8068e2d1f5 100644
--- a/packages/flutter_tools/lib/src/version.dart
+++ b/packages/flutter_tools/lib/src/version.dart
-@@ -106,7 +106,7 @@ class FlutterVersion {
+@@ -111,7 +111,7 @@ class FlutterVersion {
String? channel = _channel;
if (channel == null) {
final String gitChannel = _runGit(
-- 'git rev-parse --abbrev-ref --symbolic @{u}',
-+ 'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+- 'git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
++ 'git --git-dir .git rev-parse --abbrev-ref --symbolic $kGitTrackingUpstream',
globals.processUtils,
_workingDirectory,
);
-@@ -114,7 +114,7 @@ class FlutterVersion {
+@@ -119,7 +119,7 @@ class FlutterVersion {
if (slash != -1) {
final String remote = gitChannel.substring(0, slash);
_repositoryUrl = _runGit(
@@ -55,7 +55,7 @@ index f2068a6ca2..99b161689e 100644
globals.processUtils,
_workingDirectory,
);
-@@ -326,7 +326,7 @@ class FlutterVersion {
+@@ -298,7 +298,7 @@ class FlutterVersion {
/// the branch name will be returned as `'[user-branch]'`.
String getBranchName({ bool redactUnknownBranches = false }) {
_branch ??= () {
@@ -64,7 +64,7 @@ index f2068a6ca2..99b161689e 100644
return branch == 'HEAD' ? channel : branch;
}();
if (redactUnknownBranches || _branch!.isEmpty) {
-@@ -359,7 +359,7 @@ class FlutterVersion {
+@@ -331,7 +331,7 @@ class FlutterVersion {
/// wrapper that does that.
@visibleForTesting
static List<String> gitLog(List<String> args) {
@@ -73,16 +73,16 @@ index f2068a6ca2..99b161689e 100644
}
/// Gets the release date of the latest available Flutter version.
-@@ -730,7 +730,7 @@ class GitTagVersion {
-
- static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+@@ -708,7 +708,7 @@ class GitTagVersion {
+ String gitRef = 'HEAD'
+ }) {
if (fetchTags) {
- final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+ final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
} else {
-@@ -739,7 +739,7 @@ class GitTagVersion {
+@@ -718,7 +718,7 @@ class GitTagVersion {
}
// find all tags attached to the given [gitRef]
final List<String> tags = _runGit(
@@ -91,7 +91,7 @@ index f2068a6ca2..99b161689e 100644
// Check first for a stable tag
final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
-@@ -760,7 +760,7 @@ class GitTagVersion {
+@@ -739,7 +739,7 @@ class GitTagVersion {
// recent tag and number of commits past.
return parse(
_runGit(
diff --git a/pkgs/development/compilers/flutter/patches/move-cache.patch b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
similarity index 83%
rename from pkgs/development/compilers/flutter/patches/move-cache.patch
rename to pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
index 5cb7c71e9bd..008c5959e5b 100644
--- a/pkgs/development/compilers/flutter/patches/move-cache.patch
+++ b/pkgs/development/compilers/flutter/patches/flutter3/move-cache.patch
@@ -1,13 +1,9 @@
+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
diff --git a/packages/flutter_tools/lib/src/asset.dart b/packages/flutter_tools/lib/src/asset.dart
-index ed42baea29..12941f733a 100644
+index 9dd7272fbe..642c8e48e4 100644
--- a/packages/flutter_tools/lib/src/asset.dart
+++ b/packages/flutter_tools/lib/src/asset.dart
-@@ -11,11 +11,11 @@ import 'base/file_system.dart';
- import 'base/logger.dart';
- import 'base/platform.dart';
- import 'build_info.dart';
--import 'cache.dart';
- import 'convert.dart';
+@@ -16,6 +16,7 @@ import 'convert.dart';
import 'dart/package_map.dart';
import 'devfs.dart';
import 'flutter_manifest.dart';
@@ -15,17 +11,18 @@ index ed42baea29..12941f733a 100644
import 'license_collector.dart';
import 'project.dart';
-@@ -504,7 +504,7 @@ class ManifestAssetBundle implements AssetBundle {
- }
+@@ -530,8 +531,7 @@ class ManifestAssetBundle implements AssetBundle {
final Uri entryUri = _fileSystem.path.toUri(asset);
result.add(_Asset(
-- baseDir: _fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'artifacts', 'material_fonts'),
-+ baseDir: _fileSystem.path.join(globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts'),
+ baseDir: _fileSystem.path.join(
+- Cache.flutterRoot!,
+- 'bin', 'cache', 'artifacts', 'material_fonts',
++ globals.fsUtils.homeDirPath!, '.cache', 'flutter', 'artifacts', 'material_fonts',
+ ),
relativeUri: Uri(path: entryUri.pathSegments.last),
entryUri: entryUri,
- package: null,
diff --git a/packages/flutter_tools/lib/src/cache.dart b/packages/flutter_tools/lib/src/cache.dart
-index defc86cc20..7fdf14d112 100644
+index dd80b1e46e..8e54517765 100644
--- a/packages/flutter_tools/lib/src/cache.dart
+++ b/packages/flutter_tools/lib/src/cache.dart
@@ -22,6 +22,7 @@ import 'base/user_messages.dart';
@@ -36,7 +33,7 @@ index defc86cc20..7fdf14d112 100644
const String kFlutterRootEnvironmentVariableName = 'FLUTTER_ROOT'; // should point to //flutter/ (root of flutter/flutter repo)
const String kFlutterEngineEnvironmentVariableName = 'FLUTTER_ENGINE'; // should point to //engine/src/ (root of flutter/engine repo)
-@@ -322,8 +323,13 @@ class Cache {
+@@ -318,8 +319,13 @@ class Cache {
return;
}
assert(_lock == null);
@@ -51,7 +48,7 @@ index defc86cc20..7fdf14d112 100644
try {
_lock = lockFile.openSync(mode: FileMode.write);
} on FileSystemException catch (e) {
-@@ -382,8 +388,7 @@ class Cache {
+@@ -378,8 +384,7 @@ class Cache {
String get devToolsVersion {
if (_devToolsVersion == null) {
@@ -61,7 +58,7 @@ index defc86cc20..7fdf14d112 100644
if (!devToolsDir.existsSync()) {
throw Exception('Could not find directory at ${devToolsDir.path}');
}
-@@ -536,7 +541,7 @@ class Cache {
+@@ -532,7 +537,7 @@ class Cache {
if (_rootOverride != null) {
return _fileSystem.directory(_fileSystem.path.join(_rootOverride!.path, 'bin', 'cache'));
} else {
@@ -70,8 +67,7 @@ index defc86cc20..7fdf14d112 100644
}
}
-diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
-index 2aac9686e8..32c4b98b88 100644
+index c539d67156..4e0a64f7a9 100644
--- a/packages/flutter_tools/lib/src/artifacts.dart
+++ b/packages/flutter_tools/lib/src/artifacts.dart
@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
@@ -82,8 +78,8 @@ index 2aac9686e8..32c4b98b88 100644
+ final String path = _dartSdkPath(_fileSystem);
return _fileSystem.directory(path);
case HostArtifact.engineDartBinary:
-- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
-+ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform));
return _fileSystem.file(path);
case HostArtifact.flutterWebSdk:
final String path = _getFlutterWebSdkPath();
@@ -91,12 +87,12 @@ index 2aac9686e8..32c4b98b88 100644
case HostArtifact.dart2jsSnapshot:
case HostArtifact.dartdevcSnapshot:
case HostArtifact.kernelWorkerSnapshot:
-- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
return _fileSystem.file(path);
case HostArtifact.iosDeploy:
- final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
-@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
+ final String artifactFileName = _hostArtifactToFileName(artifact, _platform);
+@@ -465,11 +465,13 @@ class CachedArtifacts implements Artifacts {
String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
final String engineDir = _getEngineArtifactsPath(platform, mode)!;
switch (artifact) {
@@ -125,8 +121,8 @@ index 2aac9686e8..32c4b98b88 100644
- case Artifact.frontendServerSnapshotForEngineDartSdk:
case Artifact.constFinder:
case Artifact.flutterMacOSFramework:
- case Artifact.flutterMacOSPodspec:
-@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
+ case Artifact.flutterPatchedSdkPath:
+@@ -586,14 +588,10 @@ class CachedArtifacts implements Artifacts {
// For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
// android_arm in profile mode because it is available on all supported host platforms.
return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
@@ -142,27 +138,27 @@ index 2aac9686e8..32c4b98b88 100644
case Artifact.icuData:
final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
final String platformDirName = _enginePlatformDirectoryName(platform);
-@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
- final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+@@ -776,7 +774,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
return _fileSystem.file(path);
case HostArtifact.dartdevcSnapshot:
-- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-+ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
return _fileSystem.file(path);
case HostArtifact.kernelWorkerSnapshot:
- final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
-@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
- case Artifact.windowsUwpCppClientWrapper:
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform));
+@@ -901,9 +899,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ case Artifact.windowsCppClientWrapper:
return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
case Artifact.frontendServerSnapshotForEngineDartSdk:
- return _fileSystem.path.join(
- _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
- );
+ return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
- case Artifact.uwptool:
- return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
}
-@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
+ }
+
+@@ -1011,8 +1007,8 @@ class OverrideArtifacts implements Artifacts {
}
/// Locate the Dart SDK.
@@ -174,12 +170,12 @@ index 2aac9686e8..32c4b98b88 100644
class _TestArtifacts implements Artifacts {
diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-index d906511a15..adfdd4bb42 100644
+index aed3eb9285..81b8362648 100644
--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
+++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
-@@ -153,10 +153,6 @@ void main() {
- artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
- fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
+@@ -141,10 +141,6 @@ void main() {
+ artifacts.getArtifactPath(Artifact.flutterTester, platform: TargetPlatform.linux_arm64),
+ fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'linux-arm64', 'flutter_tester'),
);
- expect(
- artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
@@ -188,7 +184,7 @@ index d906511a15..adfdd4bb42 100644
});
testWithoutContext('precompiled web artifact paths are correct', () {
-@@ -322,11 +318,6 @@ void main() {
+@@ -310,11 +306,6 @@ void main() {
artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
);
@@ -197,6 +193,6 @@ index d906511a15..adfdd4bb42 100644
- fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
- 'snapshots', 'frontend_server.dart.snapshot')
- );
- });
-
- testWithoutContext('getEngineType', () {
+ expect(
+ artifacts.getHostArtifact(HostArtifact.impellerc).path,
+ fileSystem.path.join('/out', 'host_debug_unopt', 'impellerc'),
diff --git a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
index fb9d3a9a36c..cc906b763e8 100644
--- a/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
@@ -1,13 +1,13 @@
{ lib
-, flutter
+, flutter2
, fetchFromGitHub
}:
-flutter.mkFlutterApp {
+flutter2.mkFlutterApp {
pname = "firmware-updater";
version = "unstable";
- vendorHash = "sha256-3wVA9BLCnMijC0gOmskz+Hv7NQIGu/jhBDbWjmoq1Tc=";
+ vendorHash = "sha256-7uOiebGBcX61oUyNCi1h9KldTRTrCfYaHUQSH4J5OoQ=";
src = fetchFromGitHub {
owner = "canonical";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4f25d9b20d8..c282471c464 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13448,6 +13448,7 @@ with pkgs;
flutterPackages =
recurseIntoAttrs (callPackage ../development/compilers/flutter { });
flutter = flutterPackages.stable;
+ flutter2 = flutterPackages.v2;
fnm = callPackage ../development/tools/fnm {
inherit (darwin.apple_sdk.frameworks) DiskArbitration Foundation Security;

66
nixpatches/12-flutter-arm64-2.patch Normal file
View File

@@ -0,0 +1,66 @@
diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
index 22bbeb212f0..c07bd8e9fd4 100644
--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
@@ -4,13 +4,19 @@
, olm
, imagemagick
, makeDesktopItem
+, stdenv
}:
+let vendorHashes = {
+ x86_64-linux = "sha256-Gi0mfxaMtPI/TxrxnvzQvH9M8CtLADKJfYO2JnzAz+Y=";
+ aarch64-linux = "sha256-iq8bMSJoYbDNtR82QunrpQdPUv0nceUKXRqAwDvxCpE=";
+};
+in
flutter2.mkFlutterApp rec {
pname = "fluffychat";
version = "1.2.0";
- vendorHash = "sha256-1PDX023WXRmRe/b1L+6Du91BvGwYNp3YATqYSQdPrRY=";
+ vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
src = fetchFromGitLab {
owner = "famedly";
diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
index 02188335129..c264565e50a 100644
--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
@@ -11,7 +11,11 @@ let
sources = {
"${dartVersion}-x86_64-linux" = fetchurl {
url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
- sha256 = dartHash;
+ sha256 = dartHash.x86_64-linux;
+ };
+ "${dartVersion}-aarch64-linux" = fetchurl {
+ url = "https://storage.googleapis.com/dart-archive/channels/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
+ sha256 = dartHash.aarch64-linux;
};
};
};
@@ -28,7 +32,10 @@ in
version = "3.3.3";
dartVersion = "2.18.2";
hash = "sha256-MTZeWQUp4/TcPzYIT6eqIKSPUPvn2Mp/thOQzNgpTXg=";
- dartHash = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+ dartHash = {
+ x86_64-linux = "sha256-C3+YjecXLvSmJrLwi9H7TgD9Np0AArRWx3EdBrfQpTU";
+ aarch64-linux = "sha256-zyIK1i5/9P2C+sjzdArhFwpVO4P+It+/X50l+n9gekI=";
+ };
patches = getPatches ./patches/flutter3;
};
@@ -37,7 +44,10 @@ in
version = "2.10.5";
dartVersion = "2.16.2";
hash = "sha256-DTZwxlMUYk8NS1SaWUJolXjD+JnRW73Ps5CdRHDGnt0=";
- dartHash = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+ dartHash = {
+ x86_64-linux = "sha256-egrYd7B4XhkBiHPIFE2zopxKtQ58GqlogAKA/UeiXnI=";
+ aarch64-linux = "sha256-vmerjXkUAUnI8FjK+62qLqgETmA+BLPEZXFxwYpI+KY=";
+ };
patches = getPatches ./patches/flutter2;
};
}

46
nixpatches/list.nix
View File

@@ -1,39 +1,31 @@
fetchpatch: [
# Flutter: 3.0.4 -> 3.3.3, flutter.dart: 2.17.5 -> 2.18.2
# merged 2022/10/07
# (fetchpatch {
# url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
# sha256 = "sha256-HRkOIBcOnSXyTKkYxnMgZou8MHU/5eNhxxARdUq9UWg=";
# # url = "https://git.uninsane.org/colin/nixpkgs/commit/889c3a8cbc91c0d10b34ab7825fa1f6d1d31668a.diff";
# # sha256 = "sha256-qVWLpNoW3HVSWRtXS1BcSusKOq0CAMfY0BVU9MxPm98=";
# })
#
# XXX this is a cherry-pick of all the commits in PR 189338 (as appears in tree).
# the diff yielded by Github is apparently not the same somehow (maybe because the branches being merged had diverged too much?)
./11-flutter-3.3.3-189338.patch
# phosh-mobile-settings: init at 0.21.1
(fetchpatch {
url = "https://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
# url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
})
# librewolf: build with `MOZ_REQUIRE_SIGNING=false`
# kaiteki: init at 2022-09-03
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
# url = "https://git.uninsane.org/colin/nixpkgs/commit/99b82e07fee4d194520d6e8d51bc45c80a4d3c7e.diff";
sha256 = "sha256-FOAZYaMpSPMYwU26xYD+V/f+df0JjlbuVtqjlcBFW5Q=";
url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
# url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
})
# lightdm-mobile-greeter: init at 2022-10-30
(fetchpatch {
url = "https://git.uninsane.org/colin/nixpkgs/commit/0a9018c8879d8fe871ee03bc386f8d148e4f88b8.diff";
sha256 = "sha256-h1+K8UO4+G6yvl6JFd8xBGitPgOCIY7BunW49eGkXQQ=";
})
# lightdm: add `greeters.mobile` config option
(fetchpatch {
url = "https://git.uninsane.org/colin/nixpkgs/commit/1144d6cfe976e7bcfb9611b1d0a66071e17cd569.diff";
sha256 = "sha256-ZEvLPqrkpr79yXrsBxgxELR2Awtqk3675jkYZqx2AfY=";
})
# # kaiteki: init at 2022-09-03
# vendorHash changes too frequently (might not be reproducible).
# using local package defn until stabilized
# (fetchpatch {
# url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
# # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
# sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
# })
# Fix mk flutter app
# closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
# (fetchpatch {
@@ -47,9 +39,9 @@ fetchpatch: [
./02-rpi4-uboot.patch
# TODO: upstream
# maybe convert this patch to add a `targetUrlExpr` instead of doing the `escapeShellArgs` hack
./07-duplicity-rich-url.patch
# enable aarch64 support for flutter's dart package
# ./10-flutter-arm64.patch
./12-flutter-arm64-2.patch
]

57
pkgs/browserpass-extension/default.nix
View File

@@ -1,57 +0,0 @@
{ stdenv
, fetchFromGitHub
, gnused
, jq
, mkYarnModules
, zip
}:
let
pname = "browserpass-extension";
version = "3.7.2";
src = fetchFromGitHub {
owner = "browserpass";
repo = "browserpass-extension";
rev = version;
sha256 = "sha256-uDJ0ID8mD+5WLQK40+OfzRNIOOhZWsLYIi6QgcdIDvc=";
};
browserpass-extension-yarn-modules = mkYarnModules {
inherit pname version;
packageJSON = "${src}/src/package.json";
yarnLock = "${src}/src/yarn.lock";
};
extid = "browserpass@maximbaz.com";
in stdenv.mkDerivation {
inherit pname version src;
patchPhase = ''
# dependencies are built separately: skip the yarn install
${gnused}/bin/sed -i /yarn\ install/d src/Makefile
'';
preBuild = ''
ln -s ${browserpass-extension-yarn-modules}/node_modules src/node_modules
'';
installPhase = ''
BASE=$out/share/mozilla/extensions/\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
mkdir -p $BASE
pushd firefox
# firefox requires addons to have an id field when sideloading:
# - <https://extensionworkshop.com/documentation/publish/distribute-sideloading/>
cat manifest.json \
| ${jq}/bin/jq '. + { applications: {gecko: {id: "${extid}" }}, browser_specific_settings: {gecko: {id: "${extid}"}} }' \
> manifest.patched.json
mv manifest{.patched,}.json
${zip}/bin/zip -r $BASE/browserpass@maximbaz.com.xpi ./*
popd
'';
passthru = {
inherit extid;
};
}

47
pkgs/browserpass/default.nix
View File

@@ -1,47 +0,0 @@
{ pkgs
, bash
, fetchFromGitea
, gnused
, lib
, sane-scripts
, sops
, stdenv
, substituteAll
}:
let
sane-browserpass-gpg = stdenv.mkDerivation {
pname = "sane-browserpass-gpg";
version = "0.1.0";
src = ./.;
inherit bash gnused sops;
sane_scripts = sane-scripts;
installPhase = ''
mkdir -p $out/bin
substituteAll ${./sops-gpg-adapter} $out/bin/gpg
chmod +x $out/bin/gpg
ln -s $out/bin/gpg $out/bin/gpg2
'';
};
in
(pkgs.browserpass.overrideAttrs (upstream: {
src = fetchFromGitea {
domain = "git.uninsane.org";
owner = "colin";
repo = "browserpass-native";
rev = "8de7959fa5772aca406bf29bb17707119c64b81e";
hash = "sha256-ewB1YdWqfZpt8d4p9LGisiGUsHzRW8RiSO/+NZRiQpk=";
};
installPhase = ''
make install
wrapProgram $out/bin/browserpass \
--prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
# This path is used by our firefox wrapper for finding native messaging hosts
mkdir -p $out/lib/mozilla/native-messaging-hosts
ln -s $out/lib/browserpass/hosts/firefox/*.json $out/lib/mozilla/native-messaging-hosts
'';
}))

19
pkgs/browserpass/sops-gpg-adapter
View File

@@ -1,19 +0,0 @@
#! @bash@/bin/sh
# browserpass "validates" the gpg binary by invoking it with --version
if [ "$1" = "--version" ]
then
echo "sane-browserpass-gpg @version@";
exit 0
fi
# ensure the secret store is unlocked
@sane_scripts@/bin/sane-secrets-unlock
# using exec here forwards our stdin
# browserpass parses the response in
# <browserpass-extension/src/background.js#parseFields>
# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/

15
pkgs/gocryptfs/default.nix
View File

@@ -1,15 +0,0 @@
{ pkgs, lib, ... }:
(pkgs.gocryptfs.overrideAttrs (upstream: {
# XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
# unless `logger` (util-linux) is accessible from gocryptfs.
# this is surprising: the code LOOKS like it's meant to handle logging failures.
# propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
#
# TODO: see about upstreaming this
postInstall = ''
wrapProgram $out/bin/gocryptfs \
--suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
'';
}))

10
pkgs/gopass-native-messaging-host/com.justwatch.gopass.json
View File

@@ -1,10 +0,0 @@
{
"name": "com.justwatch.gopass",
"description": "Gopass wrapper to search and return passwords",
"path": "@out@/bin/gopass-wrapper",
"type": "stdio",
"allowed_extensions": [
"{eec37db0-22ad-4bf1-9068-5ae08df8c7e9}"
]
}

22
pkgs/gopass-native-messaging-host/default.nix
View File

@@ -1,22 +0,0 @@
{ stdenv
, bash
, gopass-jsonapi
, substituteAll
}:
stdenv.mkDerivation {
pname = "gopass-native-messaging-host";
version = "1.0";
src = ./.;
inherit bash;
# substituteAll doesn't work with hyphenated vars ??
gopassJsonapi = gopass-jsonapi;
installPhase = ''
mkdir -p $out/bin $out/lib/mozilla/native-messaging-hosts
substituteAll ${./gopass-wrapper.sh} $out/bin/gopass-wrapper
chmod +x $out/bin/gopass-wrapper
substituteAll ${./com.justwatch.gopass.json} $out/lib/mozilla/native-messaging-hosts/com.justwatch.gopass.json
'';
}

2
pkgs/gopass-native-messaging-host/gopass-wrapper.sh
View File

@@ -1,2 +0,0 @@
#! @bash@/bin/sh
exec @gopassJsonapi@/bin/gopass-jsonapi listen

2
pkgs/kaiteki/default.nix
View File

@@ -10,7 +10,7 @@ flutter.mkFlutterApp rec {
pname = "kaiteki";
version = "unstable-2022-09-03";
vendorHash = "sha256-CXEaQeXEY5PYpcoqmPcRfcyaFsEDZ8bq1pgApmjyp0c=";
vendorHash = "sha256-Y0BXQ7xt9w+J896ar6o+FiVGcDJw7dPHo7tgij+p6R0=";
src = fetchFromGitHub {
owner = "Kaiteki-Fedi";

53
pkgs/lightdm-mobile-greeter/default.nix
View File

@@ -1,53 +0,0 @@
{ lib
, fetchFromGitea
, gtk3
, libhandy_0
, lightdm
, pkgs
, linkFarm
, pkg-config
, rustPlatform
}:
rustPlatform.buildRustPackage rec {
pname = "lightdm-mobile-greeter";
version = "2022-10-30";
src = fetchFromGitea {
domain = "git.raatty.club";
owner = "raatty";
repo = "lightdm-mobile-greeter";
rev = "8c8d6dfce62799307320c8c5a1f0dd5c8c18e4d3";
hash = "sha256-SrAR2+An3BN/doFl/s8PcYZMUHLfVPXKZOo6ndO60nY=";
};
cargoHash = "sha256-NZ0jOkEBNa5oOydfyKm0XQB/vkAvBv9wHBbnM9egQFQ=";
buildInputs = [
gtk3
libhandy_0
lightdm
];
nativeBuildInputs = [
pkg-config
];
postInstall = ''
mkdir -p $out/share/applications
substitute lightdm-mobile-greeter.desktop \
$out/share/applications/lightdm-mobile-greeter.desktop \
--replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
'';
passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
name = "lightdm-mobile-greeter.desktop";
}];
meta = with lib; {
description = "A simple log in screen for use on touch screens.";
homepage = "https://git.raatty.club/raatty/lightdm-mobile-greeter";
maintainers = with maintainers; [ colinsane ];
platforms = platforms.linux;
license = licenses.mit;
};
}

6
pkgs/linux-megous/default.nix
View File

@@ -3,7 +3,7 @@
with lib;
buildLinux (args // rec {
version = "6.0.2";
version = "6.0.0";
# modDirVersion needs to be x.y.z, will automatically add .0 if needed
modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -15,7 +15,7 @@ buildLinux (args // rec {
owner = "megous";
repo = "linux";
# branch: orange-pi-6.0
rev = "2683672a2052ffda995bb987fa62a1abe8424ef4";
hash = "sha256-hL/SbLgaTk/CqFLFrAK/OV9/OS20O42zJvSScsvWBQk=";
rev = "b16232c6156de17e1dfdb63fdaea8e317baa07a7";
sha256 = "sha256-Tb05IQKFdX/T7elGNnXTLVmgGLvXoeBFBq/8Q7jQhX0=";
};
} // (args.argsOverride or { }))

13
pkgs/matrix-appservice-discord/01-puppet.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/src/clientfactory.ts b/src/clientfactory.ts
index b7fea47..587acfd 100644
--- a/src/clientfactory.ts
+++ b/src/clientfactory.ts
@@ -53,7 +53,7 @@ export class DiscordClientFactory {
});
try {
- await this.botClient.login(this.config.botToken, true);
+ await this.botClient.login(this.config.botToken, false);
log.info("Waiting for shardReady signal");
await waitPromise;
log.info("Got shardReady signal");

16
pkgs/matrix-appservice-discord/02-auto-approve.patch Normal file
View File

@@ -0,0 +1,16 @@
diff --git a/src/provisioner.ts b/src/provisioner.ts
index c1568af..28a44c5 100644
--- a/src/provisioner.ts
+++ b/src/provisioner.ts
@@ -99,8 +99,9 @@
this.pendingRequests.set(channelId, approveFn);
setTimeout(() => approveFn(false, true), timeout);
- await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
- " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
+ // await channel.send(`${requestor} on matrix would like to bridge this channel. Someone with permission` +
+ // " to manage webhooks please reply with `!matrix approve` or `!matrix deny` in the next 5 minutes");
+ approveFn(true);
return await deferP;
}

14
pkgs/matrix-appservice-discord/03-no-edits.patch Normal file
View File

@@ -0,0 +1,14 @@
diff --git a/src/bot.ts b/src/bot.ts
index 8bc73d4..1e6ea67 100644
--- a/src/bot.ts
+++ b/src/bot.ts
@@ -568,7 +568,8 @@ export class DiscordBot {
}
const link = `https://discord.com/channels/${chan.guild.id}/${chan.id}/${editEventId}`;
embedSet.messageEmbed.description = `[Edit](${link}): ${embedSet.messageEmbed.description}`;
- await this.send(embedSet, opts, roomLookup, event);
+ log.warn("not editing sent Matrix -> Discord message");
+ // await this.send(embedSet, opts, roomLookup, event);
} catch (err) {
// throw wrapError(err, Unstable.ForeignNetworkError, "Couldn't edit message");
log.warn(`Failed to edit message ${event.event_id}`);

88
pkgs/matrix-appservice-discord/04-no-kickbans.patch Normal file
View File

@@ -0,0 +1,88 @@
diff --git a/src/bot.ts b/src/bot.ts
index 8bc73d4..1e6ea67 100644
--- a/src/bot.ts
+++ b/src/bot.ts
@@ -795,82 +796,7 @@ export class DiscordBot {
roomId: string, kickeeUserId: string, kicker: string, kickban: "leave"|"ban",
previousState: string, reason?: string,
) {
- const restore = kickban === "leave" && previousState === "ban";
- const client = await this.clientFactory.getClient(kicker);
- let channel: Discord.Channel;
- try {
- channel = await this.GetChannelFromRoomId(roomId, client);
- } catch (ex) {
- log.error("Failed to get channel for ", roomId, ex);
- return;
- }
- if (channel.type !== "text") {
- log.warn("Channel was not a text channel");
- return;
- }
- const tchan = (channel as Discord.TextChannel);
- const kickeeUser = await this.GetDiscordUserOrMember(
- kickeeUserId.substring("@_discord_".length, kickeeUserId.indexOf(":") - 1),
- tchan.guild.id,
- );
- if (!kickeeUser) {
- log.error("Could not find discord user for", kickeeUserId);
- return;
- }
- const kickee = kickeeUser as Discord.GuildMember;
- let res: Discord.Message;
- const botChannel = await this.GetChannelFromRoomId(roomId) as Discord.TextChannel;
- if (restore) {
- await tchan.overwritePermissions([
- {
- allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
- id: kickee.id,
- }],
- `Unbanned.`,
- );
- this.channelLock.set(botChannel.id);
- res = await botChannel.send(
- `${kickee} was unbanned from this channel by ${kicker}.`,
- ) as Discord.Message;
- this.sentMessages.push(res.id);
- this.channelLock.release(botChannel.id);
- return;
- }
- const existingPerms = tchan.permissionsFor(kickee);
- if (existingPerms && existingPerms.has(Discord.Permissions.FLAGS.VIEW_CHANNEL as number) === false ) {
- log.warn("User isn't allowed to read anyway.");
- return;
- }
- const word = `${kickban === "ban" ? "banned" : "kicked"}`;
- this.channelLock.set(botChannel.id);
- res = await botChannel.send(
- `${kickee} was ${word} from this channel by ${kicker}.`
- + (reason ? ` Reason: ${reason}` : ""),
- ) as Discord.Message;
- this.sentMessages.push(res.id);
- this.channelLock.release(botChannel.id);
- log.info(`${word} ${kickee}`);
-
- await tchan.overwritePermissions([
- {
- deny: ["SEND_MESSAGES", "VIEW_CHANNEL"],
- id: kickee.id,
- }],
- `Matrix user was ${word} by ${kicker}.`,
- );
- if (kickban === "leave") {
- // Kicks will let the user back in after ~30 seconds.
- setTimeout(async () => {
- log.info(`Kick was lifted for ${kickee.displayName}`);
- await tchan.overwritePermissions([
- {
- allow: ["SEND_MESSAGES", "VIEW_CHANNEL"],
- id: kickee.id,
- }],
- `Lifting kick since duration expired.`,
- );
- }, this.config.room.kickFor);
- }
+ return; // this is about letting Discord users know when Matrix users are kicked/banned
}
public async GetEmojiByMxc(mxc: string): Promise<DbEmoji> {

13
pkgs/matrix-appservice-discord/05-no-meta.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/src/matrixeventprocessor.ts b/src/matrixeventprocessor.ts
index f1f4611..7b57ff3 100644
--- a/src/matrixeventprocessor.ts
+++ b/src/matrixeventprocessor.ts
@@ -278,6 +278,8 @@ export class MatrixEventProcessor {
return;
}
+ return; // disable all meta notifications
+
msg += " on Matrix.";
const channel = await this.discord.GetChannelFromRoomId(event.room_id) as Discord.TextChannel;
await this.discord.sendAsBot(msg, channel, event);

19
pkgs/matrix-appservice-discord/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{ pkgs }:
(pkgs.matrix-appservice-discord.overrideAttrs (upstream: {
# 2022-10-05: the service can't login as an ordinary user unless i change the source
doCheck = false;
patches = (upstream.patches or []) ++ [
# don't register with better-discord as a bot
./01-puppet.patch
# don't ask Discord admin for approval before bridging
./02-auto-approve.patch
# disable Matrix -> Discord edits because they do not fit Discord semantics
./03-no-edits.patch
# we don't want to notify Discord users that a Matrix user was kicked/banned
./04-no-kickbans.patch
# don't notify Discord users when the Matrix room changes (name, topic, membership)
./05-no-meta.patch
];
}))

9
pkgs/overlay.nix
View File

@@ -27,6 +27,8 @@
pleroma = prev.callPackage ./pleroma { };
# jackett doesn't allow customization of the bind address: this will probably always be here.
jackett = prev.callPackage ./jackett { pkgs = prev; };
# TODO: delete matrix-appservice-discord
matrix-appservice-discord = prev.callPackage ./matrix-appservice-discord { pkgs = prev; };
# mozilla keeps nerfing itself and removing configuration options
firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
@@ -35,15 +37,8 @@
# patch rpi uboot with something that fixes USB HDD boot
ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
kaiteki = prev.callPackage ./kaiteki { };
# lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
browserpass-extension = prev.callPackage ./browserpass-extension { };
gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
# kaiteki = prev.kaiteki;
# TODO: upstream, or delete nabla
nabla = prev.callPackage ./nabla { };

50
pkgs/pleroma/default.nix
View File

@@ -1,7 +1,6 @@
{ lib, beamPackages
, fetchFromGitHub, fetchFromGitLab
, file, cmake, bash
, libxcrypt
, nixosTests, writeText
, cookieFile ? "/var/lib/pleroma/.cookie"
, ...
@@ -15,10 +14,11 @@ beamPackages.mixRelease rec {
domain = "git.pleroma.social";
owner = "pleroma";
repo = "pleroma";
rev = "7a519b6a6607bc1dd22e6a3450aebf0f1ff11fb8";
rev = "4605efe272016a5ba8ba6e96a9bec9a6e40c1591";
# to update: uncomment the null hash, run nixos-rebuild and
# compute the new hash with `nix to-sri sha256:<output from failed nix build>`
sha256 = "sha256-6NglBcEGEvRlYMnVNB8kr4i/fccrzO6mnyp3X+O0m74=";
# sha256 = "sha256-0000000000000000000000000000000000000000000=";
sha256 = "sha256-Dp1kTUDfNC7EDoK9WToXkUvsj7v66eKuD15le5IZgiY=";
};
preFixup = if (cookieFile != null) then ''
@@ -72,49 +72,29 @@ beamPackages.mixRelease rec {
name = "crypt";
version = "0.4.3";
# src = fetchFromGitHub {
# owner = "msantos";
# repo = "crypt";
# rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
# sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
# };
# this is the old crypt, from before 2021/09/21.
# nixpkgs still uses this as of 2022-10-24 and it works.
src = fetchFromGitLab {
domain = "git.pleroma.social";
group = "pleroma";
owner = "elixir-libraries";
src = fetchFromGitHub {
owner = "msantos";
repo = "crypt";
rev = "cf2aa3f11632e8b0634810a15b3e612c7526f6a3";
sha256 = "sha256-48QIsgyEaDzvnihdsFy7pYURLFcb9G8DXIrf5Luk3zo=";
rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
};
postInstall = "mv $out/lib/erlang/lib/crypt-${version}/priv/{source,crypt}.so";
beamDeps = with final; [ elixir_make ];
buildInputs = [ libxcrypt ];
};
prometheus_ex = beamPackages.buildMix rec {
name = "prometheus_ex";
version = "3.0.5";
src = fetchFromGitHub {
owner = "lanodan";
src = fetchFromGitLab {
domain = "git.pleroma.social";
group = "pleroma";
owner = "elixir-libraries";
repo = "prometheus.ex";
# branch = "fix/elixir-1.14";
rev = "31f7fbe4b71b79ba27efc2a5085746c4011ceb8f";
sha256 = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
};
# src = fetchFromGitLab {
# domain = "git.pleroma.social";
# group = "pleroma";
# owner = "elixir-libraries";
# repo = "prometheus.ex";
# rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
# sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
# };
beamDeps = with final; [ prometheus ];
};
prometheus_phx = beamPackages.buildMix rec {
@@ -129,8 +109,8 @@ beamPackages.mixRelease rec {
group = "pleroma";
owner = "elixir-libraries";
repo = "prometheus-phx";
rev = "0c950ac2d145b1ee3fc8ee5c3290ccb9ef2331e9";
sha256 = "sha256-HjN0ku1q5aNtrhHopch0wpp4Z+dMCGj5GxHroiz5u/w=";
rev = "9cd8f248c9381ffedc799905050abce194a97514";
sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
};
beamDeps = with final; [ prometheus_ex ];
};

19
pkgs/pleroma/mix.nix
View File

@@ -34,6 +34,7 @@ let
beamDeps = [ custom_base ];
};
# base64url = buildMix rec {
base64url = buildRebar3 rec {
name = "base64url";
version = "0.0.1";
@@ -361,12 +362,12 @@ let
eblurhash = buildRebar3 rec {
name = "eblurhash";
version = "1.2.2";
version = "1.1.0";
src = fetchHex {
pkg = "${name}";
version = "${version}";
sha256 = "0k040pj8hlm8mwy0ra459hk35v9gfsvvgp596nl27q2dj00cl84c";
sha256 = "07dmkbyafpxffh8ar6af4riqfxiqc547rias7i73gpgx16fqhsrf";
};
beamDeps = [];
@@ -1645,19 +1646,5 @@ let
beamDeps = [ httpoison jose ];
};
websockex = buildMix rec {
name = "websockex";
version = "0.4.3";
src = fetchHex {
pkg = "${name}";
version = "${version}";
sha256 = "1r2kmi2pcmdzvgbd08ci9avy0g5p2lhx80jn736a98w55c3ygwlm";
};
beamDeps = [];
};
};
in self

20
pkgs/pleroma/updating.txt
View File

@@ -1,16 +1,10 @@
in pleroma checkout:
- grab version: `rg 'version: ' mix.exs`
in default.nix:
- update `rev` and recompute sha256.
update `rev` and recompute sha256.
use nix to-sri sha256:<expected>
in pleroma checkout:
- `mix2nix > mix.nix`
run mix2nix inside the pleroma git root and pipe the output into mix.nix
inside default.nix, update all git mix deps
inside mix.nix, change base64url to use buildRebar3 instead of buildMix
in nix repo:
- cp the new mix.nix here.
- move majic from mix.nix -> default.nix and add:
- buildInputs = [ file ];
- update `mixNixDeps` in default.nix:
- grab the version from pleroma/mix.exs or mix.lock
- redundant?: inside mix.nix, change base64url to use buildRebar3 instead of buildMix
move majic from mix.nix -> default.nix and add:
buildInputs = [ file ];

21
pkgs/sane-scripts/default.nix
View File

@@ -23,7 +23,6 @@ resholve.mkDerivation {
file
findutils
gnugrep
gocryptfs
ifuse
inotify-tools
ncurses
@@ -49,22 +48,20 @@ resholve.mkDerivation {
"umount"
"sudo"
# these are used internally; probably a better fix
# this is actually internal; probably a better fix
"sane-mount-servo"
"sane-private-unlock"
];
};
# list of programs which *can* or *cannot* exec their arguments
execer = with pkgs; [
"cannot:${gocryptfs}/bin/gocryptfs"
"cannot:${ifuse}/bin/ifuse"
"cannot:${oath-toolkit}/bin/oathtool"
"cannot:${openssh}/bin/ssh-keygen"
"cannot:${rmlint}/bin/rmlint"
"cannot:${rsync}/bin/rsync"
"cannot:${sops}/bin/sops"
"cannot:${ssh-to-age}/bin/ssh-to-age"
execer = [
"cannot:${pkgs.ifuse}/bin/ifuse"
"cannot:${pkgs.oath-toolkit}/bin/oathtool"
"cannot:${pkgs.openssh}/bin/ssh-keygen"
"cannot:${pkgs.rmlint}/bin/rmlint"
"cannot:${pkgs.rsync}/bin/rsync"
"cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
"cannot:${pkgs.sops}/bin/sops"
];
};
};

32
pkgs/sane-scripts/src/sane-private-change-passwd
View File

@@ -1,32 +0,0 @@
#!/usr/bin/env bash
set -ex
new_plain=/home/colin/private-new
new_cipher="/nix/persist${new_plain}"
dest_plain=/home/colin/private
dest_cipher="/nix/persist${dest_plain}"
# initialize the new store
sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
mkdir -p "${new_plain}"
gocryptfs -init "${new_cipher}"
# mount the new and old store
gocryptfs "${new_cipher}" "${new_plain}"
sane-private-unlock
# transfer to the new store
rsync -arv /home/colin/private/ "${new_plain}"/
# unmount both stores
sudo umount "${new_plain}"
sudo umount /home/colin/private
# swap the stores
sudo mv "${dest_cipher}" "${dest_cipher}-old"
sudo mv "${new_cipher}" "${dest_cipher}"
sane-private-unlock
echo "if things look well, rm ${dest_cipher}-old"

10
pkgs/sane-scripts/src/sane-private-init
View File

@@ -1,10 +0,0 @@
#!/usr/bin/env bash
set -ex
# configure persistent, encrypted storage that is auto-mounted on login.
# this is a one-time setup and user should log out/back in after running it.
p=/nix/persist/home/colin/private
mkdir -p $p
gocryptfs -init $p

3
pkgs/sane-scripts/src/sane-private-lock
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env bash
sudo umount /home/colin/private

14
pkgs/sane-scripts/src/sane-private-unlock
View File

@@ -1,14 +0,0 @@
#!/usr/bin/env bash
set -ex
# configure persistent, encrypted storage that is auto-mounted on login.
# this is a one-time setup and user should log out/back in after running it.
mount=/home/colin/private
cipher="/nix/persist$mount"
mkdir -p "$mount"
if [ ! -f "$mount/init" ]
then
gocryptfs "$cipher" "$mount"
fi

3
pkgs/sane-scripts/src/sane-rcp
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env sh
# copy some remote file(s) to the working directory, with sane defaults
rsync -arv --progress "$@" .

16
pkgs/sane-scripts/src/sane-sudo-redirect
View File

@@ -1,16 +0,0 @@
#!/usr/bin/env bash
# redirects to $1, when writing to $1 requires sudo permissions.
# i.e. convert a failing command:
#
# ```
# $ sudo do_thing > /into/file
# ```
#
# to
#
# ```
# $ sudo do_thing | sane-sudo-redirect /into/file
# ```
exec sudo tee $@ > /dev/null

9
pkgs/sane-scripts/src/sane-sync-from-iphone
View File

@@ -5,13 +5,8 @@ set -ex
# make sure the mountpoint exists
if ! (test -e /mnt/iphone)
then
sudo umount /mnt/iphone || true # maybe the mount hung
if ! (test -e /mnt/iphone)
then
sudo mkdir /mnt/iphone
sudo chown colin:users /mnt/iphone
fi
sudo mkdir /mnt/iphone
sudo chown colin:users /mnt/iphone
fi
# make sure the device is mounted

16
readme.md
View File

@@ -1,11 +1,9 @@
to deploy:
```sh
nixos-rebuild --flake "./#servo" {build,switch}
```
more options (like building packages defined in this repo):
```sh
nix flake show
```
@@ -30,18 +28,6 @@ refer to flake.nix for more details.
to build one of the custom sane packages, just name it:
```sh
```
nix build ./#fluffychat-moby
```
to build a nixpkg:
```sh
nix build ./#nixpkgs.curl
```
to build a package for another platform:
```sh
nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
```

8
scripts/ensure-perms
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env bash
# ensures perms on a newly-built distribution are good.
# usage: sudo ensure-perms /path/to/nix
nix_path=$1
chown root:root -R $nix_path
chown root:nixbld $nix_path/store

5
secrets/desko.yaml
View File

@@ -1,7 +1,6 @@
duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
#ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
colin-passwd: ENC[AES256_GCM,data:/b+l5zTlOhdoiFaMVG5HB98AOGfGZtwkH+IS/mhDgHNZ4J+t3OiEBAFPl/KPctg6ZM55QiAjNnnJ8zAsKL85om6amvrWF/Qz17qC9+pZF+6Ef8xvTQr3VPlFEYq4rGb74jQ7uyvtCjn0Ow==,iv:Z0qUimlPQMu6rsjn5b/Xfw99NzbXGS8B/hNWE+f+GoM=,tag:uGB1DZzHiLCkOtlAA58mmg==,type:str]
sops:
kms: []
gcp_kms: []
@@ -35,8 +34,8 @@ sops:
Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-24T08:49:49Z"
mac: ENC[AES256_GCM,data:dvxYlU/btzzH9Qor8z02kdv3S4gFUGHnEjV/XBM99+IFuAD6vuE8zFL4peGW1GiXqM2QQY0Qc9wZ+nC5/ak9ROMC8uZPXF417gs6U9yyT92FRlMSdC0AMsUhNGWjJlM733hI4YATnR+1XuwHewzzW1R3TvrouBZqSv+2rBsiZCw=,iv:A+D7IG4U+EQ6nP4xKOK1ExeZLeERpiSPzj/g87R1SdM=,tag:jSVGDO9kNxXdDSSixDrkDQ==,type:str]
lastmodified: "2022-09-14T21:34:55Z"
mac: ENC[AES256_GCM,data:Zex69KG2a2Rxyodyci40azr9qGbA5XwH4Qhip0BDbrJymHjZzqCeRDKjdHjAWXPdPyglvUY0kADfm7xxlE1zU84oOahI9FldADtQrGUWS0elU+a3F93LVNGlhlKc+g8JGzUyBvPr6Toi52L2hI18K5bmWFPesczWedL07r85s9M=,iv:W+SMAX0HY5GbAqqgXWbSxm4wbzXZt5PEsLhwWcxkRWY=,tag:VPnw2X+6i0EyiFB3rkon8Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

42
secrets/lappy.yaml
View File

@@ -1,42 +0,0 @@
#ENC[AES256_GCM,data:s512crIo2ylwy1pWPDs6324+NpP3dHvW0QmuZzvOOyrepTQvmB4NW07NFXYzY/UUPn7E4HrB7mzhvQYxVYDBlZKAMr9llT80Nnpt0AqrxnLiqnnY79EvP+aXvNmi0yWsTGqh6k36BWNTUyPSzgjGtvjQgTLSvr9uRzfy9e4C6NVWBm5sTEbYg9y3ZslToVSsEyGHYMVT6fSKM7ewH8wV,iv:sbBWcHYP5Ak4h7gWbdu8JyL2SEeUgrvkjji11Sp2GoA=,tag:yQTWlrrcBxotdKBbB54x5g==,type:comment]
#ENC[AES256_GCM,data:XcQaEDhsAG2kY0Rdw2AKOwaHQIm3/zrWMjpQlU8pWlifNY9eoPqndzIbCNDKhbEJqrzeAuxGYFRBgohRcHQz2O/cbgr8GwTZ3Uo+NHsX6qcoUhzUKd1xlUnIKLjNcV7vlxofrmXikQ==,iv:OKSw1bw2TiPweUJeqCqwr8V+A+ovIT+meygH9l9m4cI=,tag:aTROLuGpTgoxF1JV/w2Cpw==,type:comment]
#ENC[AES256_GCM,data:GFdHTjsr2DJtg/BIyOSeM6EQw92Q/8JFdqXLwpg/FWn9olTws2KDchSWRDlkrEbgoXSMP3Atd33YgckUebDYMIK8ctJai2SUxLJK5fW8LX1JbKUAC5PHUygAIkWYsHlNse7Qbgrw1rtBuR43L6NbMw==,iv:5beGhtM2wja2GgrLCzizsqamfakDIBlZ74ZJhNr33lg=,tag:Ej1za572vRpPcvcHXliQDA==,type:comment]
colin-passwd: ENC[AES256_GCM,data:+vPsqF9XiY9USDQuTt6n7K9f4/+/Sdgp6J8LnWvhYdlTTltz8a4/RYdg0JHC4o/pNae3k7KwYGMJI+vY25mgvLGj+kL23Fc9j1EYJgJk5uTz8MlmKOlKxKcSfmI3v+zOUOlQm/warktksQ==,iv:cZEFjTvHCXogXEh+xQG++aJCUFp/NtT6t7qjPIjUtAU=,tag:fnzz6uYwU9j4RZXj9MV6jg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bzFLUFloMU1uUWRmdkZu
TllhSGxvNzBJQTZRaE9EbTA3R3JLNGpVT25nCmd0SG1BWEJWL1JlKzhmSFdFS3Fk
SnRGbUFqdzVFTy95eVhiZGN6a3VMOGcKLS0tIHFJQUtEYVhGWWlTRlQrbEpoQ2h1
VXJ5SXNlS1ZNNjhuVDFrMnlrVHp2NlUKwD3ZznQVcz1ZLb/weULpXET9uZb4aj/U
FnY9ktEEtKeSl10jzU3/sUla6Ap6K6b9KLmmqd5Rnp0ZhbxVOR8rkg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOa1dpZHVoY2tTWVJ2bG1J
Z0xjVGplMGZqajFlcWtPL0YwUXcxWThNOWcwCmQvZllaZ1JSK3N1WmIvV2F6YjZv
U1ZtMVVSSU1LZ3M4SWExSm9yRzRTR3MKLS0tIFU1dERKdko1SVZLcmVXQXMydExm
OWVEdDJsbENOYkJNSzc5MzlEanVSL0EKbKVgN0/LUiC92N9/MvoXJouiIRHE5aWO
R7xPtxYG91vC+HVj8ThHbu0fcUIqD7LTX82XCrWoYMwkplbTC/F2cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SGk4YzhEaldpcTBRSG1T
Nkpla0s3d2ZRU2RsK2ZDRlhEdVY0NkRYUVU0CjYrTjhxZDVyYUlmbnRQQXBQZVhD
OTcrbmV0YjdyeEhEaHVRUm03Z2hTNTQKLS0tIGVrTjhCL3RlZ2dIOFduVVdSbnJ3
L2JhVWhmQk9qZzdnYkYrQTBCZnI3eE0KHju7x28mP5jLt4u6T6CnQ3ThiEYFhG5P
D7c0h2YhqeqdewuwQWjqJMbUc308N5f0Hz/BsUgYZNanl9qqQRXkrA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-24T07:43:11Z"
mac: ENC[AES256_GCM,data:1n1iOEJPnVbvvlVp9Cw9wY+HB6KYLwZDcr5UkbXbQUZMm+LQS8Pib/0R8AeQLnNrfyJMnsvoNpmYWLQ6i4BZFJp4rsdjpHb4/FqIAEOwTb5SP5FC8rFpn9UeduUs9tq+fyvezywqaoLPBsXXqb092XZvHv6w1osgyfbLepiyJ2s=,iv:qM2d9smvsRwhuJ/MyD8bqVfD4IJM7T6Hu4wy/2/COiM=,tag:TlcJX1USn3TgPSMWy5hZPg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

51
secrets/moby.yaml
View File

@@ -1,51 +0,0 @@
#ENC[AES256_GCM,data:akcgE1j3wiKoyB9Uara51P/DPVcKyzt5lZ0kTuxqotjBvVtsGdPVHaeMPMi5blNyPIuiWxo9Jn0MJGyknCs9AL+g96G/yDvvD7or44sK1v8ED+2glfdMi0cjDm80anh7SMchyA6tmtgJhMW1EtkhZ/b/xpysNBzsn5e+zb9jXS4a7LF23jJr7d6tbJo9jks7vVJ7/p33cONglhO573TD,iv:M+S7WCO3V6pQg0UuzWF2y9IgH7p/P4at+qm2Y38To1o=,tag:DPlXsDSYySaHNgSzywiJRQ==,type:comment]
#ENC[AES256_GCM,data:De/BSe24Uf4Ch+JBzJMOEc7W+E72vYrqQWG4LeEk8vVHa/3eGHyKylHIgkMTr5CvwhX7/uCkjm8fgz1QHuRb8jLru8n2u/AxoY9kLUTZ/7VyYes3t9tawZ7tTFzbcqMxjV0Xy5eTzw==,iv:q3bDj1iYv3JBPzSoRU2ANCpfwWtLyCzyn81r5kl2tcw=,tag:f+d6+cWQEb83qK8I/oOCkw==,type:comment]
#ENC[AES256_GCM,data:tYLNlC3Ov2RRnaEH0QAALmMYRc4fyDDM5A7J2sfJbMvoDmkgKoP0HYWy3diJMEcLsw3ZoDGibcU03QduisxjP0eWfEHkzE4R2+tWY+yWYy7TFx7Qg3BfSTtnMt5V9vSWcVLMAgoYaRUMqykIRMRaCQ==,iv:81HzxZyAJvXa5fQDOIIqRTL3dhKA4S2TftE3yfw6VIk=,tag:9+3stfyHrrmkfZpLGpmMOA==,type:comment]
colin-passwd: ENC[AES256_GCM,data:+2uEyJX6FUbOSoJpJpjF+TmwWu3eJlrN5S9J1kRtTbS84c23E4AKTHojk5zEcPZZ9RG3vYjH6C37dRj4/SK/Z1/G31B31RgzwkLnmf11JXK+HSQZHZATgSvH07ANEYIg5VR78IQUz6qbGg==,iv:jyF/QzLyrQU+ebRfBrWRcu5/dmwY9LB4D1FxHVo8+TQ=,tag:3u7HO1VYzenIqvq0iZwuRw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpck5EWDVkWjdIU2YzQ2Mx
VUpJbW96dXIvM0pPK2Vnd3ZZU3lmSlVheEdRCmVXNFZWV0FjT2p6b3FZOW1vaFNO
MCtubi9QL1Jtd2FQL05vZmd5SjQxelEKLS0tICtaa3VRQ2JJZXpnd3pRd1lndUQ3
d1JCZ3JtZENsSGR4SkVrNHIvTEhndTQK6pQqmcq7xmhZ9E099rBy9MtCdZghBTmU
UCVWxq8zWanK11GLyh6cvs8hHSLIyvpbODnBYA1WM0AeIJoxtRRWEw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OWl2dlcyU0VoRW90Q3ZR
eURXS1hPSG0reFFhUmxyTGRFNVdIZVJHYVJ3Cm0rcFpjQjQzVGVEcjhNR2RldkVL
WnA4U3N1ZUFUTTBkSEdCbHZCeGxNNFkKLS0tIHY3RFdxUC9SaFhVTFBLemVEQytZ
R01wWFBYR1dYNWlNUkw5M2VNK04yWE0KBPcJduySzwhAnx4BshPX/7QVdeN+L3fH
4sZqC4gYFj3KXZhIOkUcCtwS/dObBoy02EhPsUtSKRheacFVs46w8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZVBzNG5pOGlXZzI0c3J4
YnFsTDdsQjFwZ3czenlUVkJYcWxJbDAxNkFjCjYyK3VDOS8xRkhBSVRFYTRFSTZ5
Y0htSE13Q1NFNDg3czVuZ3dPOUFlekUKLS0tIDJpRHBWdU9hMnpUSWV0cSsvNjF5
cHVGRXdla0NGZ2lOMVQ3Ym43dDMvaVUKmx7p/TMj5uu/RJjRe4yCKt87brs7E7s0
F88swQCwY41lCdFwISM0jRbY/MymTtbtP+2gcSYlq/S619ytQqf7SQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbWlCZW1VR2FXNHZ3VjZP
R3UrbGgvZEdYdWhBcFJnV0FZZkJWZ3pxcVJNCjR5bzE3M3dHQWZSbWhqS0MrTURp
NnBPQS9xeE1nZFV1VFd5MW9NaFFlM1kKLS0tICsrUkpOaEFFMVExUHhJNSs4eHdB
SlMyTGQ5SWVCU3NLeVcvWmhUc3VSVGsKHJSSl1QFrHq6iefNEL7kpM+XYQ5abz8H
aL6KiK6wvPOWB2RAT5DDicPYSEPXWGpHYTzNT+/hVFk5fXk/zqzOhQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-24T15:24:12Z"
mac: ENC[AES256_GCM,data:cYWayG+pAQv1wTsx4ozbx33cl5QwuR+a480zQVl2RVJF028NlVR3yuYdndvwIT9QY79UVcix0pYtK3pm/zTpPLMz59oLIv1TNUdE4/10o3RGw+6fllKdxNftNBcos/1n6ENZRw6K7lviuG4ZKEZMDO3tvPC+XPoPofROyu9WMQE=,iv:Kddn/71vylvLkK7gT4p5juW2nI/qWB3Q+oCQ5hN4Zqk=,tag:AOrjSII1zWXPB0VPpol6Zw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

44
secrets/servo.yaml
View File

@@ -7,7 +7,6 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H
#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
freshrss_passwd: ENC[AES256_GCM,data:MilteAOk+MZjta+E7Zhxq80y,iv:VigZk0nNHvQNlm36jVN5YXY7bhxmx2CFBizbVFCA8O0=,tag:DKsxGsv53SsJsp3J7UIsgg==,type:str]
#ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment]
nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str]
#ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment]
@@ -23,41 +22,32 @@ sops:
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TUlOMTlaemdpa2RxWDVL
MFVPM254czF1VWh2MTljZTcwekpiVzZCTlNFCkJGeTVCRE1zMERJclRwU3JzbW5m
WEdOSGxtUzJSS3JhS3NPK2Q4MXc3bG8KLS0tIGdBWEdYVXJNYitzTFVlUzkzekpJ
enFjWnhIVGR3WWVMMFRGSldhRWZPKzgKHp6QWSNQBy8a6odEiELsr+FV05kGiby7
4Wc+AyGTvuvIpoN4SQlYlUslHCHGd+Yk0hVutNVozLCY1//IpH8Dmw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZmU5OUVQNkRSL0ZRKzNU
R3RIMERDV1NRdi81TkV0OVdGQlFIRG0vekFvCjg3dHI3WWJic3h5cTQrdjFINDdr
bndHSEc4dWk5WGM4K29FRXh2WCs5ZDgKLS0tIFY5UlNrQ0dtNW5IYXlUNnltelJX
Y0xFNFFtek5hZFZMWXhWQy9GWlBneEEKZqsFgGGCIMH58kaZJoO8yn8KlrJooDvp
iGO4qMjjgM5WvJjZbfk7trO1dNAhpKzjiJyirw9+lToqWPNnRw2Zwg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTWJwNXplSnJQTzUxVjBt
TzZ2aUZ4RUkyejVUQnpOdnpKajcxa0l3WWlrCmkwZVJuenhpN0R2OUxFV1pXUkVa
dk8ydnlnU1JvOElvNVovVlBjKzZVYlkKLS0tIHlVbkRRYllJR2J5UWhKeGg5SWJj
VExDaHc3amdTcWdUU3ZRUDNGREtxelEKXHuDfNM3uc3UBiPCAveG/u5b7C8zPzTi
GGCx0R+6swS9yVSAJ//nUvu1zFuFfGgm3mKaSqfqWKfDSMFvAp0Pyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNEl5K3dGQWVFRFI4SVlt
NFpvSFZaMGs0ZzYrWW4vbldaOWVpa3ZWV0c0CmxqOFR3RkdKNWUvQWtnSWZSUVlL
SUlHbWIvWGpsN1Vsclk4VWo1dUR2OGsKLS0tIFhRVU9NUzlnQkhDelEzalVFOHFM
UW9YZG9DUSt2OU03Sll5d1RZYlcySzAK9LneAD2s+me3ZkRGC098nhUlcVgRwMt9
yVgTCleC9groGaUq0J4rwhVQ4CuUHV2GL188QtmqVTBGLEftfHIDmQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY3NCbCtjY2ZHNkE2dWxN
Vk5nQ0Z2M1pQOXUzMVYyS3MxT252T1lhKzFJCm5NZ25DSlpZbnhTV0JMbVBvbm9j
SEtzdDJWS3gxby8rVlpzZ20yY3hRK2MKLS0tIGVqNUFZeGYxRnVSd3E1eitNUGFW
dEszSTFicTZRUzZxbFF5YWF1RmtwSkkKPle5Xw5gyd5YCPIAABaABNdgbpialJTV
hUOVdYCsmqd+spCA0Q9f0D3S5ud59iFq8moBh97BZQuLcc2qUeyJ2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMlNZZGpVU1h3NkUyNkND
RnVpSWxrRmNxMjJ6dUJ5RkdaTWx0SHZMQlRNCjQzUFI5ejhuZ0RDcHNYQnZ5eFN4
Z3djZ2g3ajRxQXNEcUMzQWl0QzYyV0UKLS0tIFlDYXlhNFB5ekVKblJudmM3TEU0
cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGdCMjRpRUFMdXJRQVgx
aklIY1dkOXRXNmliVjIyNHlUN1B1ZmZZbTB3CnFxQjZLbWkwWHRTN2lycEx4K3RL
UGdFVktETXJCSXhKSWFsbnNyU25tRzgKLS0tIDVsdmdxRDFnQU9XeHpibm00bm1C
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-14T00:37:52Z"
mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
lastmodified: "2022-06-10T08:38:03Z"
mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

28
secrets/servo/matrix_appservice_discord_env.bin Normal file
View File

@@ -0,0 +1,28 @@
{
"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-10-06T05:07:20Z",
"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

6
secrets/universal/net/home-shared-24G.psk.bin
View File

@@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:eB7lM7gzQVRrs31/vb4D19N0xvmau5mp77scLaj6h9HHI/6sJ9LTu+gfSGQIOID7xJA4m1T77aYLC6wC9tXBOAVwcdFcXrFsoYuVU2COtRPWTjeMWiK3t5eQ6TLrgru6OUcC0bpeCtZhQbXYkBTBViMNOfXdah0t9NxGPrSn0pNwMs22Ndcc1zRJFPqvjcaVWCxRsfWWBZfDx+AK0PWwxCbHaDMx9Vw5vJltmF1NVc37dTqIVRY/n4xNbqA1pEs4Ese8rjojU9VZFObpJb0k,iv:JAJIuOzPM3/jw/3APWPCCwuhXaFlKABFqch8GUDFX9E=,tag:S7Tk3T+/8H7pIWMKkrfGSg==,type:str]",
"data": "ENC[AES256_GCM,data:ZYCyNfJdnYij3ZPNftCq+shfLs1Du/WjRyXMnphEltKr1MRr+f5RY++na3VVtREHYq/NMFNHMjlkcsBREt8KrPOlk5CUh4oNfwrFLsvDN9mJmW7mw0h0Nl0kxwPMI+SRHh1cKsmSjDYWBQ7pLKXbDfv46wyrFKT1v2mI5OiFjWNtL/Gtq8xeA9XQPN9plkqKc1oaazT4TsBgV0kqBlsH7cWuI2l8A7dLpKGqf+fhQ0xvdCo76WcvYuphgE2Wru8xWALPx+OttRTLc2nLHX0=,iv:A7+QdWvSRVRIWf+yW9QgVXQjVY47F2Jj2FqcYbqkz+I=,tag:cU+6Kc2LC/30c2hNv2GVgw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
@@ -39,8 +39,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVTQyV0o3eWtQTEsxTXNZ\ndGJjcjQwWjA2QXFubmJSdGwyRHliRmtQSW1VCmh1K2l0NnVmNUlMUjdmd09IeG5a\nTVgvOWh1RWZZZnB1RkNHMjVSMG1pVG8KLS0tIElNbk53dnJxRE90WHZSbFVYRVAr\nNjcraVhhWVdpTDZJOG9uaUVmWFF2T00KGyNISTg/g7v1+VFlCg0MjDTjbcahdSQk\nQpxdjvqQ3qtcfOS/+OO5CZYEJIVp6YybXyHJ4SSbaED22YtTJGmRNw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-10-10T06:28:09Z",
"mac": "ENC[AES256_GCM,data:GnYn/2ZxpiaNiS/nXITkyETliL8HLnhP7iIlagna7xEnng5ttWTRvrzvF2P2ehUcCb7t7c0M7DPhA4rqLZlqvNNP+qi9UKkZ+Skn9e7d67hPmIrp6bOPpY+UGFmIA71xWjGUehtT7AfbHqYo26VjaYzP/OPrVT3uuAMkw8xsRo8=,iv:ISQUmG3speflSfQoU9eefYmfPw3Sq0cJPzIirk7W9rA=,tag:LkSnOJfBca/8KQggXmvYdA==,type:str]",
"lastmodified": "2022-10-08T03:30:39Z",
"mac": "ENC[AES256_GCM,data:0qrOFciOrb0Q0ZaaYbjKMOJwaZxsOiodPJomWVliVt7OFmxIdBorE/SGgtgQGQz6twJqeSCJi9NiEFWTfnitO0NH//jaMFiAZVGBbk3r8YrZ4UyzhQsEYCED036y0cIU31qxX2DbwNBA2R69mJqzCcTgpZORVsKOoyANp+HDhzc=,iv:B7Uopjj6jS4rIYZ0uHU6nfBMBvHUJkg6CCBZIQZNaYU=,tag:Qdi1bHKpp80XhniokLHLJw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"

6
secrets/universal/net/iphone.psk.bin
View File

@@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:fFb8QudY/dQNjrEtPMs7fnJxywLrSN1A4mgpZRw0Bicz5kFlr70qSSAd3jOg1YJm/x7nRLWLcEAv9Nn99bLywkLiiWaVhWmVGp6jTI3Mj0SX5lET7Xt0slcrJm6qUt6rTkH2dGueOm37m0rU7iR44bs/rWStNBbmuQRurRGo3zaxRSC0djyQ1wwbALJ1zhHQhf4=,iv:58ZLkQra5PJ6u4Xc1aztZ1ywlAmbudRSrk23MEbNv64=,tag:Nr4SNsqUytUMlM3i/nf0LA==,type:str]",
"data": "ENC[AES256_GCM,data:XGhxqtkmLOKQqcdmJvQ9rKdUW0qassF2glLvUpAs6uyO6WHVKvXKhAIJIsZZbd1RRlJ5PuwBvu7lKIrcVIswKvwF/MhXTCqfoB0fpmysaCpKdkLYojiSvsHQAXB9gIAnL0dVIEvZ+s7MRG5wp8s2+y18JsgS8jBM0vMFoLxVF41isocMcxO0a1wnCjAWy2s0845OOjhVSNCuVSjI5Oc1dTO9vycDHV4Y6MulFoBSlwfJdUf2nVR/FNuCxyxFX//wgRuN3cg1zkmoBblnvkccMGIzkmuByUAlqdaaug/Q,iv:9HIUqe5dTjVrHM5a9IrpYLtsDpg3Ts3mX9H8M8M572o=,tag:2EK0Zj6DTM/QmbVL+lG8wg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
@@ -39,8 +39,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYlJWZ2t6WDlRdUJqU2pG\nYkE3T005bUhCcUJ0TEw0MEdDY1JFUzJjcVMwCkhCckRzcldLWTJPSEVjbHk3VE1p\nY21rRWR3cUVscmNiL29NL3M1QjZsYlUKLS0tIDJ4M3JtdGFRbUhFR2FtSGVuZk9n\nL1VjS1hnbzZwT1lQalJBbFU0SjFOWkUKUkGyPmpilSZdupNlR+cD4+HUOwyNm8WF\nu3vS7Ec4FJcjnx2t185yXEStZSVGptw/wKTxJiJ5P9by75XkAJZFmg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-10-10T11:53:54Z",
"mac": "ENC[AES256_GCM,data:CnF1ePN5hPJU37H0Qx7R1K9qvLDJuTv0hppv+sIjYyetVUjxVduS6e8szGPmZz4uBgglmtSIEOSc+j2MCrQ2AIkJmS9LoGH2FX1lzId4h8KdBs+aJZmngNPiO6apcVsNDKBmcQnw1gweJefpTKgJnhVbo9cw/bwRqs9hJMrQDDU=,iv:G5Hwonp9AB12xOxPFFVK1+xo5JSYOGacSbAZ2RFy5wo=,tag:p5zHaSzjZcVaIgTsBb0Ohw==,type:str]",
"lastmodified": "2022-10-09T02:24:20Z",
"mac": "ENC[AES256_GCM,data:AIRI5vLpVvWuxjvPerwzsBnwsSPrtazgCMPjP2be5aUcglT9e+98Dlg+jX60XjiO/1DvEepoCLd5Xnr6GHOkgRRR90YPsZT9eRttwhBavXaOF2Da7zwP5ZOg3cO0JGQsegTxJYFMmROCZppybL6EOsT2n18pc2M2HdEBt5oKP2k=,iv:ive5dqvbBQ3Ef5ycZP+l1Vuc38ylFTJhGh5+ksMCyAc=,tag:OP9EgZN2q2OKPRpOv2x7Tg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"