colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: colin:staging/moby-6.1.0-rc7
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag
...
pull from: colin:staging/nixpkgs-2022-12-22
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag

153 Commits
staging/mo ... staging/ni

Author SHA1 Message Date
colin
a7d9e5cc54 flake update: nixpkgs 2022-12-18 -> 2022-12-22 
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/04f574a1c0fde90b51bf68198e2297ca4e7cccf4' (2022-12-18)
  → 'github:NixOS/nixpkgs/652e92b8064949a11bc193b90b74cb727f2a1405' (2022-12-22)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/cbe419ed4c8f98bd82d169c321d339ea30904f1f' (2022-12-20)
  → 'github:NixOS/nixpkgs/dac57a4eccf1442e8bf4030df6fcbb55883cb682' (2022-12-24)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/32840f16ffa0856cdf9503a8658f2dd42bf70342' (2022-12-19)
  → 'github:Mic92/sops-nix/855b8d51fc3991bd817978f0f093aa6ae0fae738' (2022-12-25)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/87b58217c9a05edcf7630b9be32570f889217aef' (2022-12-19)
  → 'github:NixOS/nixpkgs/939c05a176b8485971463c18c44f48e56a7801c9' (2022-12-24)
```
 2022-12-26 05:19:58 +00:00
colin
13f3b322b0 alias to cd ~/Videos 2022-12-26 04:40:21 +00:00
colin
5c25330891 packages: add nheko matrix client 2022-12-26 03:52:04 +00:00
colin
dc6dc2e475 discord: remove the SKIP_HOST_UPDATE hack. it's been upstreamed 2022-12-26 03:30:25 +00:00
colin
c4352fa9bb packages: move Signal, Discord, Tokodon to private storage 2022-12-26 03:26:50 +00:00
colin
2c6629a658 packages: allow specifying multiple dir and private paths 2022-12-26 03:02:19 +00:00
colin
c0496b25b5 init-keyring: try to make atomic 2022-12-25 12:02:33 +00:00
colin
9e0346c329 snippets: update jackett to be a search query 2022-12-25 08:43:29 +00:00
colin
364a598324 pkgs: clean up the imports to not explicitly pass pkgs 2022-12-25 07:33:24 +00:00
colin
c6850aff23 ship fractal-latest (git tip) instead of fractal-next 2022-12-25 07:23:09 +00:00
colin
730ef272d1 feeds: add put a num on it; remove Kaiteki code feed 2022-12-25 03:39:44 +00:00
colin
16fa1e0eda sane-date-math: convert to LR parser 2022-12-24 05:08:17 +00:00
colin
51a96525d9 sane-date-math: use Productions as objects 2022-12-24 01:17:19 +00:00
colin
7b01822ee7 some kind of sane-date-math date/time util thing. idk, parsers are fun ig 2022-12-23 15:57:56 +00:00
colin
f9aa36a620 flake update: nixos-stable 2022-12-17 -> 2022-12-20 
```

• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/0938d73bb143f4ae037143572f11f4338c7b2d1c' (2022-12-17)
  → 'github:NixOS/nixpkgs/cbe419ed4c8f98bd82d169c321d339ea30904f1f' (2022-12-20)
```
 2022-12-22 22:45:27 +00:00
colin
9b75d8705b ejabberd: enable push notifications (verified working on iOS/Modal IM) 2022-12-22 14:12:15 +00:00
colin
217ecec250 ejabberd: enable xmpps-{client,server} SRV records 2022-12-22 13:13:09 +00:00
colin
6c7ca7630a zsh: add tmp alias for ~/tmp 2022-12-22 11:35:35 +00:00
colin
1f99d44288 /home/colin: fix perms to 0700 2022-12-22 11:33:13 +00:00
colin
f1aa685a03 fix p10k variable expansion 2022-12-22 11:00:49 +00:00
colin
2b31fc8776 powerlevel10k: always show user/host 2022-12-22 10:58:02 +00:00
colin
0c35e2b3c1 servo: enable nsncd 2022-12-22 10:34:47 +00:00
colin
77b8d0ddc0 fuzzel: tune dialog widths 2022-12-22 10:10:03 +00:00
colin
84f23c602e new snipper: nixos options search 2022-12-22 10:06:55 +00:00
colin
ea5fbc63cf zsh/p10k: selectively disable gitstatus acceleration on ~/private/ 2022-12-21 14:13:20 +00:00
colin
69361ee9a2 zsh: document prezto modules, switch dir aliases to dirHashes 2022-12-21 13:53:22 +00:00
colin
1808d153b2 zsh: configure p10k 2022-12-21 13:08:23 +00:00
colin
b3ad0f8f1f update ~/knowledge to live in ~/private 2022-12-21 08:52:27 +00:00
colin
c745612cfd Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-21 08:51:12 +00:00
colin
278cc98c6d minor ejabberd config changes, simplify DNS %NATIVE% updating 2022-12-21 08:50:41 +00:00
colin
fac661af15 new script: sane-git-init 2022-12-21 08:40:22 +00:00
colin
65777c70ad snippets: add link to home-manager docs 2022-12-21 08:30:16 +00:00
colin
09c524a5b1 Merge remote-tracking branch 'origin/staging/nixpkgs-2022-12-18' 2022-12-21 07:47:55 +00:00
colin
0db7f0857a moby: reduce the number of configurations we keep in /boot 2022-12-21 06:33:50 +00:00
colin
38befe502c new script to free space in /boot 2022-12-21 06:29:13 +00:00
colin
55e09c2dbf ejabberd: port to dns-dns; add experimental STUN/TURN support 
during startup it says:
```
Ignoring TLS-enabled STUN/TURN listener
```

and later
```
Invalid certificate in /var/lib/acme/uninsane.org/fullchain.pem: at line 61: certificate is signed by unknown CA
```

the invalid cert thing has always been here. it's for the root cert. idk
if i need to tell ejabberd that one's self-signed, or what.
 2022-12-20 03:26:08 +00:00
colin
bd699c887c sane-ssl-dump: new script to help debug ssl stuff 2022-12-20 03:25:07 +00:00
colin
2de6f7d364 fix i2p to build on aarch64 2022-12-20 03:10:05 +00:00
colin
d60e5264f3 don't bind-mount /etc/ssh/host_keys: symlink them instead 2022-12-20 00:04:09 +00:00
colin
c66699b697 update nixpkgs: 2022-12-11 -> 2022-12-18; sops-nix 
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/64e0bf055f9d25928c31fb12924e59ff8ce71e60' (2022-12-11)
  → 'github:NixOS/nixpkgs/04f574a1c0fde90b51bf68198e2297ca4e7cccf4' (2022-12-18)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/06278c77b5d162e62df170fec307e83f1812d94b' (2022-12-12)
  → 'github:NixOS/nixpkgs/0938d73bb143f4ae037143572f11f4338c7b2d1c' (2022-12-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/da98a111623101c64474a14983d83dad8f09f93d' (2022-12-04)
  → 'github:Mic92/sops-nix/32840f16ffa0856cdf9503a8658f2dd42bf70342' (2022-12-19)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/86370507cb20c905800527539fc049a2bf09c667' (2022-12-04)
  → 'github:NixOS/nixpkgs/87b58217c9a05edcf7630b9be32570f889217aef' (2022-12-19)
```
 2022-12-19 22:42:58 +00:00
colin
97044bf70e trust-dns: port to dyn-dns for determining WAN IP 
although the systemd wantedBy directive is working,
`before` seems to be ignored when the unit fails. so on first run,
dyn-dns runs, fails (poor net connectivity), then trust-dns starts
(fails), then they both restart 10s later.

it's not great, but good enough. also, wan IP is persisted, so this
likely won't happen much in practice.
 2022-12-19 13:12:23 +00:00
colin
3122334a41 dyn-dns: fix to only react when the IP actually changes 2022-12-19 11:54:27 +00:00
colin
0b2faef989 /etc/ssh/host_keys: fix endlessly stacked mounts 
i believe this was mounting a new /etc/ssh/host_keys on every
activation, resulting in literally thousands of mounts and slowing down
later activations
 2022-12-19 11:18:08 +00:00
colin
8acd6ca4f1 create sane.services.dyn-dns to manage dynamic DNS stuff 
not yet integrated into servo
 2022-12-19 11:16:30 +00:00
colin
8169f7c6b2 ddns-trust-dns: use ddns from router rather than ipinfo.io 2022-12-19 08:24:11 +00:00
colin
cd1aa0b376 sane-vpn-*: reference sane-ip-check instead of duplicating 2022-12-19 06:19:13 +00:00
colin
72b627100c sane-scripts: simplify recursively referencing sane scripts 2022-12-19 06:18:44 +00:00
colin
567c08460a add sane-ip-check-router-wan to query WAN with a more trustworthy source 2022-12-19 05:59:44 +00:00
colin
9b66aecf1b trust-dns: port the remaining records to a structured format 
SRV and MX _could_ have more structure (priority, etc).
not sure the best path there (option submodule, i guess).
 2022-12-19 04:38:43 +00:00
colin
16cb3b83a2 trust-dns: more idiomatic way to define SOA records 2022-12-19 04:00:27 +00:00
colin
970438be8a trust-dns: rename records option -> extraConfig 
i'll be adding special options for records
 2022-12-19 03:12:32 +00:00
colin
51da29555e sane-ip-reconnect: fix issue where we'd reconnect to the existing, subpar network 2022-12-19 01:47:30 +00:00
colin
8a745a9b8a ejabberd: enable STUN (with partial discovery support) 
discovery is probably not working:
```
Won't auto-announce STUN/TURN service on port 3478 (udp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
Won't auto-announce STUN/TURN service on port 3478 (tcp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
```

no messages for the TLS implementation, so maybe that's working?
 2022-12-19 01:22:20 +00:00
colin
3505f3b9f3 ejabberd: provision cert for conference.xmpp.uninsane.org 
i guess the cert already had that because of legacy prosody setup (?),
but we weren't setup so that new requests would work, i expect.

either that or all of these nginx entries aren't necessary?
 2022-12-19 01:22:20 +00:00
colin
444595e847 disable HE and afraid DDNS 2022-12-19 01:22:20 +00:00
colin
3e1407c30b new script to reconnect to best wifi network 2022-12-19 00:29:48 +00:00
colin
0a744117a4 rename sane-check-ip -> sane-ip-check 2022-12-18 23:54:41 +00:00
colin
a2935cedaa snippets: add wikipedia search 2022-12-18 22:58:53 +00:00
colin
22e46d52c2 trust-dns: distribute records across service files 2022-12-17 01:29:12 +00:00
colin
1e0c213adf split webconfig into each service file 2022-12-17 00:52:48 +00:00
colin
3e1340ed61 enable i2p in firefox 2022-12-16 22:15:19 +00:00
colin
341dd3f2b2 new zsh alias: ref -> cd ~/ref 2022-12-16 20:56:48 +00:00
colin
1c9caa40bd snippets: update nixos wiki to include search param 2022-12-16 20:35:33 +00:00
colin
3be15c6d05 podcasts: add Michael Malice (is it any good? we'll see.) 2022-12-16 08:04:28 +00:00
colin
8e8168ec28 add splatmoji package and sway config 2022-12-16 07:46:06 +00:00
colin
28397807fc gpt2tc: disable, because the mirror is unreliable 2022-12-16 07:08:55 +00:00
colin
42ebb9a155 sane-private-do: run a command with the private store unlocked; then re-lock it 2022-12-16 06:10:44 +00:00
colin
a8a4b8e739 kiwix: serve the full english Wikipedia 2022-12-16 05:58:51 +00:00
colin
2550601179 serve w.uninsane.org through kiwix-serve 2022-12-16 02:25:57 +00:00
colin
199a49755a create a kiwix-serve service 2022-12-16 02:15:17 +00:00
colin
8c7700688f nixpatches: add kiwix-tools package that's being upstreamed 2022-12-16 01:22:38 +00:00
colin
8fe304d6c1 trust-dns: split the service into a generic config interface 2022-12-15 11:17:50 +00:00
colin
700fef7df3 servo: mediawiki: remove dead commented-out code 2022-12-15 11:17:50 +00:00
colin
01db7e1f23 servo: install mediawiki 2022-12-15 11:17:50 +00:00
colin
df6e8f1562 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-15 09:59:53 +00:00
colin
1f0a40c81f snippets: add nixos wiki 2022-12-15 09:54:32 +00:00
colin
995b41d1e8 flake: update nixpkgs-stable 22.05 -> 22.11 2022-12-14 22:32:41 +00:00
colin
7674735d42 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-14 12:28:58 +00:00
colin
329693c9ce pin grpc & users, until the grpc aarch64 build is fixed 2022-12-14 12:27:24 +00:00
colin
5ae3bb2f6c sane-rcp: allow a destination 2022-12-14 10:07:02 +00:00
colin
e0b1aef127 snippets: add sci-hub 2022-12-14 09:52:07 +00:00
colin
9b8363dfb4 firefox addons: bypass-paywalls-clean: update hash 2022-12-14 08:00:42 +00:00
colin
58ad87df8e vpns: add us-mi[ami] 2022-12-13 04:26:00 +00:00
colin
5fc894cda9 vpn: fix us-atlanta -> us-atl to match interface length limit 2022-12-13 04:13:01 +00:00
colin
07e6ec2533 sane-scripts: better vpn factoring 2022-12-13 04:11:58 +00:00
colin
005a79e680 vpn: factor out more helpers 2022-12-13 03:55:18 +00:00
colin
0f5279bbca add us-atlanta VPN 2022-12-13 03:26:23 +00:00
colin
e9b3b7ebab simplify ovpn impl 2022-12-13 03:17:27 +00:00
colin
7a83c1d6df trust-dns: use upstream build 2022-12-13 02:03:09 +00:00
colin
46788fe565 servo: make uninsane.org NS records consistent with upstream 2022-12-13 01:00:16 +00:00
colin
a473ef6db3 flake update: nixpkgs: 2022-12-02 -> 2022-12-11; others 
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/25eec596116553112681d72ee4880107fc3957fa' (2022-11-19)
  → 'github:nixos/mobile-nixos/5ee45cc1f8e43f4af14ee17ccef9156b0db8cd77' (2022-12-04)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/b72b8b94cf0c012b0252a9100a636cad69696666' (2022-12-02)
  → 'github:NixOS/nixpkgs/64e0bf055f9d25928c31fb12924e59ff8ce71e60' (2022-12-11)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/5d7d1d5f742e6bb57dd2e3d7b433fb4010c7af22' (2022-12-02)
  → 'github:NixOS/nixpkgs/7b9eeb856cbf976482fa8d1cb295ea03fb3e1277' (2022-12-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8295b8139ef7baadeb90c5cad7a40c4c9297ebf7' (2022-11-29)
  → 'github:Mic92/sops-nix/da98a111623101c64474a14983d83dad8f09f93d' (2022-12-04)
• Removed input 'sops-nix/nixpkgs-22_05'
• Added input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/86370507cb20c905800527539fc049a2bf09c667' (2022-12-04)
```
 2022-12-13 00:52:54 +00:00
colin
3627d47f12 firefox: add uBlacklist 2022-12-13 00:44:38 +00:00
colin
115f8d7054 servo: vpn services are part of 'wireguard-wg0' 
this makes it so if we restart the wireguard connection, the services
themeselves _also_ restart. that should avoid leaving any of them in an
orphaned namespace
 2022-12-12 11:53:34 +00:00
colin
ac44b04d99 servo: trust-dns: note about maybe using dig instead of diff'ing the config 2022-12-12 11:35:47 +00:00
colin
afff0aff19 servo: trust-dns: fix up the timers/ddns reliability 2022-12-12 11:33:20 +00:00
colin
f0086dc5bd servo: trust-dns: implement some dynamic DNS shim 2022-12-12 10:30:08 +00:00
colin
acabd34f28 servo: net: forward http requests from vpn -> host w/o NATing the source address 
this ensures we have access to the source IP in our host-side logs
 2022-12-12 05:21:29 +00:00
colin
d0e6b82739 make it so wireguard-wg0 is restartable 2022-12-11 17:07:53 +00:00
colin
dc09b7b9b2 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-11 16:48:16 +00:00
colin
38c5b82a08 servo: fold wg0 setup into one single service 
it doesn't restart cleanly (maybe i can't kill a netns while stuff lives
inside it?). problem for another day.
 2022-12-11 16:46:55 +00:00
colin
89def1a073 servo: remove dead net code 2022-12-11 16:15:43 +00:00
colin
ad2ed370d9 servo: split the firewall rules across services 2022-12-11 16:12:23 +00:00
colin
3e8f7a9ba2 servo: use ISP-provided DNS resolvers by default 
this is really hacky and i hate it, but there's not a lot of good
options.
 2022-12-11 16:03:41 +00:00
colin
028ecfe93f snippets: add HN 2022-12-11 13:14:24 +00:00
colin
c5ac792c13 servo: connect wg0 via IP addr instead of hostname 
i think this fixes the connectivity issues i've seen.
 2022-12-11 12:48:50 +00:00
colin
bd1624bef9 servo: un-firewall tcp port 53 to fix trust-dns over TCP 2022-12-11 12:48:11 +00:00
colin
3ae53d7f32 services: add RestartSec to anything which auto-restarts 
this is to prevent rapid restart failures from killing the service
permanently.
 2022-12-10 13:28:46 +00:00
colin
e7f2d41b1f servo: forward DNS to root ns without NAT'ing the source address 2022-12-10 13:28:19 +00:00
colin
3394a79e2b trust-dns: restart on failure 
if the network isn't up, won't be able to bind to eth, and fails.
 2022-12-10 13:02:17 +00:00
colin
b01501663d trust-dns: listen on each address explicitly 2022-12-10 12:29:10 +00:00
colin
cbd5ccd1c8 desko: disable wifi 2022-12-10 12:27:02 +00:00
colin
cf857eaf9f zsh: more cd aliases (knowledge, secrets) 2022-12-10 12:16:16 +00:00
colin
3a7eb294c7 servo: fix jackett DNS entry 2022-12-10 09:47:28 +00:00
colin
2ccb470adc packages: add tcpdump 2022-12-10 02:56:00 +00:00
colin
0a2a929507 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-09 14:18:40 +00:00
colin
2014d5ce77 servo: bridge port 80/53 from ovpns to native using iptables instead of socat 
i should probably narrow the rules to match specifically things destined
for the ovpns address, but for now this should work.
 2022-12-09 14:16:48 +00:00
colin
041adb7092 snippets: add nixos search URL 2022-12-09 01:25:24 +00:00
colin
a979521a98 servo: enable ddns against freedns.afraid.org 2022-12-08 14:30:17 +00:00
colin
77881be955 trust-dns: document SOA parameters 2022-12-08 14:23:35 +00:00
colin
0450b4d9a6 trust-dns: fix SOA 2022-12-08 00:46:32 +00:00
colin
edea64a41c trust-dns: move nameserver to subdomain ns1,ns2 2022-12-08 00:39:22 +00:00
colin
90e479592f trust-dns: enable port 53 forward 2022-12-08 00:06:20 +00:00
colin
62d83d94f2 add script to query public IP 2022-12-07 23:39:20 +00:00
colin
52bbe4e9f4 trust-dns: don't restart on failure 
for in case anything goes wrong
 2022-12-07 12:17:03 +00:00
colin
ab176b8d4b servo: enable trust-dns (experimental) 2022-12-07 12:15:35 +00:00
colin
62df4492a3 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-07 09:47:03 +00:00
colin
f4ed194abc package trust-dns 2022-12-07 09:45:11 +00:00
colin
6420c9fd16 packages: add gajim (at least temporarily, for debugging) 2022-12-07 08:02:14 +00:00
colin
86245b460b Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-07 07:41:58 +00:00
colin
bf1ba786b3 packages: add imagemagick (for convert) 2022-12-07 07:41:05 +00:00
colin
35a896a3e2 shell aliases to cd to common places 2022-12-07 07:40:52 +00:00
colin
b4314bd919 mess with XMPP stuff. ejabberd: enable mam, some other acl's that probably aren't used 
prosody is still broken
 2022-12-07 01:31:17 +00:00
colin
4696209822 nixpatches: update aerc fix hash 2022-12-07 01:14:24 +00:00
colin
c3957d81c2 ejabberd: enable MUC 2022-12-07 00:08:08 +00:00
colin
8a5be00c93 sway: define a "snippets.txt" file for e.g. browser bookmarks 2022-12-06 11:12:27 +00:00
colin
c2db9fe28e periodically archive my torrents so i don't lose them again 2022-12-06 07:17:19 +00:00
colin
ccaac901f7 Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-12-06 07:06:32 +00:00
colin
7f285a8254 ejabberd: enable some more modules which don't conflict 2022-12-06 07:05:59 +00:00
colin
b0b82a3d88 feeds: add Matrix Live podcast 
haven't listened. just searching.
 2022-12-06 06:58:59 +00:00
colin
b0664d81ab ejabberd: enable mod_pubsub, mod_avatar 
i'm able to do this without breaking federation now,
but it doesn't seem to fullly work.
 2022-12-05 02:37:35 +00:00
colin
8ba52bb9cd ejabberd: enable mod_{carboncopy,last,offline,private,stream_mgmt} 2022-12-05 02:16:28 +00:00
colin
20f0a19e25 ejabberd: fix federation: disable mod_pubsub and mod_avatar 
now i can send messages FROM uninsane.org again
 2022-12-05 00:47:48 +00:00
colin
9dc17a3874 ejabberd: enable avatar support 
haven't tested that it federates properly -- only that Dino is able to
set it.
 2022-12-04 12:38:47 +00:00
colin
2992644901 bluetooth: persist bluetooth earbuds connection 2022-12-04 11:33:03 +00:00
colin
d5d89a10b9 bluetooth: add key for connecting to my car 2022-12-04 10:56:50 +00:00
colin
f7d9fdfe04 packages: add pstree 2022-12-04 03:42:54 +00:00
colin
c42aa2847b aerc: apply patch to fix awk / message reading 2022-12-04 02:48:37 +00:00
colin
768c5c910f update nixpkgs: 2022-11-27 -> 2022-12-02 
```
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/a115bb9bd56831941be3776c8a94005867f316a7' (2022-11-27)
  → 'github:NixOS/nixpkgs/b72b8b94cf0c012b0252a9100a636cad69696666' (2022-12-02)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/fecf05d4861f3985e8dee73f08bc82668ef75125' (2022-11-27)
  → 'github:NixOS/nixpkgs/5d7d1d5f742e6bb57dd2e3d7b433fb4010c7af22' (2022-12-02)
```
 2022-12-03 22:56:00 +00:00
colin
8790a7d9fd note about persisting bluetooth config 2022-12-03 11:35:03 +00:00
colin
7c36a0d522 bluetooth: share connections across machines 2022-12-03 11:05:09 +00:00
colin
977a80d59e Merge branch 'staging/moby-6.1.0-rc7' 2022-12-03 09:05:13 +00:00
colin
63c92a44ed servo: ejabberd: enable file uploads 2022-12-03 08:57:10 +00:00
colin
bf838ea203 packages: add tree as system package 2022-12-03 08:56:26 +00:00
89 changed files with 4472 additions and 662 deletions
Expand all files Collapse all files

60
flake.lock generated
View File

@@ -54,11 +54,11 @@
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1668897543,
"narHash": "sha256-1bjvy5zi/6KDzhN3ihOUEA6y5FFEOf5xvIbf65RWIh0=",
"lastModified": 1670131242,
"narHash": "sha256-T/o1/3gffr010fsqgNshs1NJJjsnUYvQnUZgm6hilsY=",
"owner": "nixos",
"repo": "mobile-nixos",
"rev": "25eec596116553112681d72ee4880107fc3957fa",
"rev": "5ee45cc1f8e43f4af14ee17ccef9156b0db8cd77",
"type": "github"
},
"original": {
@@ -69,11 +69,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1669542132,
"narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
"lastModified": 1671722432,
"narHash": "sha256-ojcZUekIQeOZkHHzR81st7qxX99dB1Eaaq6PU5MNeKc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a115bb9bd56831941be3776c8a94005867f316a7",
"rev": "652e92b8064949a11bc193b90b74cb727f2a1405",
"type": "github"
},
"original": {
@@ -82,37 +82,37 @@
"type": "indirect"
}
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1669513802,
"narHash": "sha256-AmTRNi8bHgJlmaNe3r5k+IMFbbXERM/KarqveMAZmsY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6649e08812f579581bfb4cada3ba01e30485c891",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1669546925,
"narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
"lastModified": 1671883564,
"narHash": "sha256-C15oAtyupmLB3coZY7qzEHXjhtUx/+77olVdqVMruAg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
"rev": "dac57a4eccf1442e8bf4030df6fcbb55883cb682",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.05",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1671923641,
"narHash": "sha256-flPauiL5UrfRJD+1oAcEefpEIUqTqnyKScWe/UUU+lE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "939c05a176b8485971463c18c44f48e56a7801c9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
@@ -129,14 +129,14 @@
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_05": "nixpkgs-22_05"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1669714206,
"narHash": "sha256-9aiMbzRL8REsyi9U0eZ+lT4s7HaILA1gh9n2apKzLxU=",
"lastModified": 1671937829,
"narHash": "sha256-YtaNB+mLw0d67JFYNjRWM+/AL3JCXuD/DGlnTlyX1tY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8295b8139ef7baadeb90c5cad7a40c4c9297ebf7",
"rev": "855b8d51fc3991bd817978f0f093aa6ae0fae738",
"type": "github"
},
"original": {

14
flake.nix
View File

@@ -4,7 +4,7 @@
{
inputs = {
nixpkgs-stable.url = "nixpkgs/nixos-22.05";
nixpkgs-stable.url = "nixpkgs/nixos-22.11";
nixpkgs.url = "nixpkgs/nixos-unstable";
mobile-nixos = {
url = "github:nixos/mobile-nixos";
@@ -38,7 +38,10 @@
patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched-uninsane";
src = nixpkgs;
patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch;
patches = import ./nixpatches/list.nix {
inherit (nixpkgs.legacyPackages.${system}) fetchpatch;
inherit (nixpkgs.lib) fakeHash;
};
};
# return something which behaves like `pkgs`, for the provided system
# `local` = architecture of builder. `target` = architecture of the system beying deployed to
@@ -69,8 +72,15 @@
# the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
cross = (nixpkgsFor local target) // (customPackagesFor local target);
stable = import nixpkgs-stable { system = target; };
# cross-compatible packages
# gocryptfs = cross.gocryptfs;
# pinned packages:
# 2022/12/13: grpc does not build on aarch64-linux. https://github.com/NixOS/nixpkgs/issues/205887
grpc = stable.grpc;
# depends on grpc, so pinned.
duplicity = stable.duplicity;
})
];
}

32
hosts/common/bluetooth.nix Normal file
View File

@@ -0,0 +1,32 @@
{ lib, pkgs, ... }:
{
# TODO: don't need to depend on binsh if we were to use a nix-style shebang
system.activationScripts.linkBluetoothKeys = let
unwrapped = ../../scripts/install-bluetooth;
install-bluetooth = pkgs.writeShellApplication {
name = "install-bluetooth";
runtimeInputs = with pkgs; [ coreutils gnused ];
text = ''${unwrapped} "$@"'';
};
in (lib.stringAfter
[ "setupSecrets" "binsh" ]
''
${install-bluetooth}/bin/install-bluetooth /run/secrets/bt
''
);
# TODO: use a glob, or a list, or something?
sops.secrets."bt/car" = {
sopsFile = ../../secrets/universal/bt/car.bin;
format = "binary";
};
sops.secrets."bt/earbuds" = {
sopsFile = ../../secrets/universal/bt/earbuds.bin;
format = "binary";
};
sops.secrets."bt/portable-speaker" = {
sopsFile = ../../secrets/universal/bt/portable-speaker.bin;
format = "binary";
};
}

2
hosts/common/default.nix
View File

@@ -1,8 +1,10 @@
{ pkgs, ... }:
{
imports = [
./bluetooth.nix
./fs.nix
./hardware
./i2p.nix
./machine-id.nix
./net.nix
./secrets.nix

4
hosts/common/i2p.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.i2p.enable = true;
}

4
hosts/common/net.nix
View File

@@ -76,4 +76,8 @@
sopsFile = ../../secrets/universal/net/iphone.psk.bin;
format = "binary";
};
sops.secrets."router_passwd" = {
sopsFile = ../../secrets/universal.yaml;
};
}

11
hosts/common/ssh.nix
View File

@@ -1,17 +1,14 @@
{ ... }:
{
# we place the host keys (which we want to be persisted) into their own directory so that we can
# bind mount that whole directory instead of doing it per-file.
# otherwise, this is identical to nixos defaults
sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
# we can't naively `mount /etc/ssh/host_keys` directly,
# as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
# we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
# since that also depends on `users`.
# previously we manually `mount --bind` the host_keys here, but it's difficult to make that idempotent.
# symlinking seems to work just as well, and is easier to make idempotent
system.activationScripts.persist-ssh-host-keys.text = ''
mkdir -p /etc/ssh/host_keys
mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
mkdir -p /etc/ssh
ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/
'';
services.openssh.hostKeys = [

2
hosts/common/users.nix
View File

@@ -27,6 +27,8 @@ in
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
createHome = true;
homeMode = "700";
uid = config.sane.allocations.colin-uid;
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.

105
hosts/common/vpn.nix
View File

@@ -1,58 +1,69 @@
{ config, ... }:
{ config, lib, ... }:
{
networking.wg-quick.interfaces.ovpnd-us = {
# to add a new OVPN VPN:
# - generate a privkey `wg genkey`
# - add this key to `sops secrets/universal.yaml`
# - upload pubkey to OVPN.com
# - generate config @ OVPN.com
# - copy the Address, PublicKey, Endpoint from OVPN's config
# N.B.: maximum interface name in Linux is 15 characters.
let
def-ovpn = name: { endpoint, publicKey, address }: {
networking.wg-quick.interfaces."ovpnd-${name}" = {
inherit address;
privateKeyFile = config.sops.secrets."wg_ovpnd_${name}_privkey".path;
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
inherit endpoint publicKey;
}
];
# to start: `systemctl start wg-quick-ovpnd-${name}`
autostart = false;
};
sops.secrets."wg_ovpnd_${name}_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
};
in lib.mkMerge [
(def-ovpn "us" {
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
address = [
"172.27.237.218/32"
"fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
})
# NB: us-* share the same wg key and link-local addrs, but distinct public addresses
(def-ovpn "us-atl" {
endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
address = [
"172.21.182.178/32"
"fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
}
})
(def-ovpn "us-mi" {
endpoint = "vpn34.prd.miami.ovpn.com:9929";
publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
address = [
"172.21.182.178/32"
"fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
];
privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-us`
autostart = false;
};
networking.wg-quick.interfaces.ovpnd-ukr = {
})
(def-ovpn "ukr" {
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
address = [
"172.18.180.159/32"
"fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
}
];
privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-ukr`
autostart = false;
};
sops.secrets."wg_ovpnd_us_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
sops.secrets."wg_ovpnd_ukr_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
}
})
]

3
hosts/desko/default.nix
View File

@@ -25,6 +25,9 @@
neededForUsers = true;
};
# don't enable wifi by default: it messes with connectivity.
systemd.services.iwd.enable = false;
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots

4
hosts/moby/default.nix
View File

@@ -40,7 +40,9 @@
boot.loader.efi.canTouchEfiVariables = false;
# /boot space is at a premium. default was 20.
boot.loader.generic-extlinux-compatible.configurationLimit = 10;
# even 10 can be too much
# TODO: compress moby kernels!
boot.loader.generic-extlinux-compatible.configurationLimit = 8;
# mobile.bootloader.enable = false;
# mobile.boot.stage-1.enable = false;
# boot.initrd.systemd.enable = false;

3
hosts/servo/default.nix
View File

@@ -14,9 +14,8 @@
pkgs.freshrss
];
sane.impermanence.enable = true;
sane.services.dyn-dns.enable = true;
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
sane.services.nixserve.enable = true;
sane.services.nixserve.sopsFile = ../../secrets/servo.yaml;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

178
hosts/servo/net.nix
View File

@@ -13,83 +13,155 @@
# networking.firewall.enable = false;
networking.firewall.enable = true;
# TODO: split these into the submodules
networking.firewall.allowedTCPPorts = [
25 # SMTP
80 # HTTP
143 # IMAP
443 # HTTPS
465 # SMTPS
587 # SMTPS/submission
993 # IMAPS
4001 # IPFS
];
networking.firewall.allowedUDPPorts = [
1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
4001 # IPFS
# this is needed to forward packets from the VPN to the host
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# unless we add interface-specific settings for each VPN, we have to define nameservers globally.
# networking.nameservers = [
# "1.1.1.1"
# "9.9.9.9"
# ];
# use systemd's stub resolver.
# /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
# instead, running the stub resolver on a known address in the root ns lets us rewrite packets
# in the ovnps namespace to use the provider's DNS resolvers.
# a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
# there also seems to be some cache somewhere that's shared between the two namespaces.
# i think this is a libc thing. might need to leverage proper cgroups to _really_ kill it.
# - getent ahostsv4 www.google.com
# - try fix: <https://serverfault.com/questions/765989/connect-to-3rd-party-vpn-server-but-dont-use-it-as-the-default-route/766290#766290>
services.resolved.enable = true;
networking.nameservers = [
# use systemd-resolved resolver
# full resolver (which understands /etc/hosts) lives on 127.0.0.53
# stub resolver (just forwards upstream) lives on 127.0.0.54
"127.0.0.53"
];
# we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
networking.nameservers = [
"1.1.1.1"
"9.9.9.9"
];
# nscd -- the Name Service Caching Daemon -- caches DNS query responses
# in a way that's unaware of my VPN routing, so routes are frequently poor against
# services which advertise different IPs based on geolocation.
# nscd claims to be usable without a cache, but in practice i can't get it to not cache!
# nsncd is the Name Service NON-Caching Daemon. it's a drop-in that doesn't cache;
# this is OK on the host -- because systemd-resolved caches. it's probably sub-optimal
# in the netns and we query upstream DNS more often than needed. hm.
# TODO: run a separate recursive resolver in each namespace.
services.nscd.enableNsncd = true;
# services.resolved.extraConfig = ''
# # docs: `man resolved.conf`
# # DNS servers to use via the `wg0` interface.
# # i hope that from the root ns, these aren't visible.
# DNS=46.227.67.134%wg0 192.165.9.158%wg0
# FallbackDNS=1.1.1.1 9.9.9.9
# '';
# OVPN CONFIG (https://www.ovpn.com):
# DOCS: https://nixos.wiki/wiki/WireGuard
# if you `systemctl restart wireguard-wg0`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
# TODO: why not create the namespace as a seperate operation (nix config for that?)
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
networking.wireguard.interfaces.wg0 = let
ip = "${pkgs.iproute2}/bin/ip";
in-ns = "${ip} netns exec ovpns";
iptables = "${pkgs.iptables}/bin/iptables";
veth-host-ip = "10.0.1.5";
veth-local-ip = "10.0.1.6";
vpn-ip = "185.157.162.178";
# DNS = 46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1
vpn-dns = "46.227.67.134";
in {
privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
# wg is active only in this namespace.
# run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
# sudo ip netns exec ovpns ping www.google.com
# note: without the namespace, you'll need to add a specific route through eth0 for the peer (185.157.162.178/32)
interfaceNamespace = "ovpns";
preSetup = "${pkgs.iproute2}/bin/ip netns add ovpns || true";
postShutdown = "${pkgs.iproute2}/bin/ip netns delete ovpns";
ips = [
"185.157.162.178/32"
];
peers = [
{
publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
endpoint = "185.157.162.10:9930";
# alternatively: use hostname, but that presents bootstrapping issues (e.g. if host net flakes)
# endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
allowedIPs = [ "0.0.0.0/0" ];
# nixOS says this is important for keeping NATs active
persistentKeepalive = 25;
# re-executes wg this often. docs hint that this might help wg notice DNS/hostname changes.
# so, maybe that helps if we specify endpoint as a domain name
# dynamicEndpointRefreshSeconds = 30;
# when refresh fails, try it again after this period instead.
# TODO: not avail until nixpkgs upgrade
# dynamicEndpointRefreshRestartSeconds = 5;
}
];
preSetup = "" + ''
${ip} netns add ovpns || echo "ovpns already exists"
'';
postShutdown = "" + ''
${in-ns} ip link del ovpns-veth-b || echo "couldn't delete ovpns-veth-b"
${ip} link del ovpns-veth-a || echo "couldn't delete ovpns-veth-a"
${ip} netns delete ovpns || echo "couldn't delete ovpns"
# restore rules/routes
${ip} rule del from ${veth-host-ip} lookup ovpns pref 50 || echo "couldn't delete init -> ovpns rule"
${ip} route del default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns || echo "couldn't delete init -> ovpns route"
${ip} rule add from all lookup local pref 0
${ip} rule del from all lookup local pref 100
'';
postSetup = "" + ''
# DOCS:
# - some of this approach is described here: <https://josephmuia.ca/2018-05-16-net-namespaces-veth-nat/>
# - iptables primer: <https://danielmiessler.com/study/iptables/>
# create veth pair
${ip} link add ovpns-veth-a type veth peer name ovpns-veth-b
${ip} addr add ${veth-host-ip}/24 dev ovpns-veth-a
${ip} link set ovpns-veth-a up
# mv veth-b into the ovpns namespace
${ip} link set ovpns-veth-b netns ovpns
${in-ns} ip addr add ${veth-local-ip}/24 dev ovpns-veth-b
${in-ns} ip link set ovpns-veth-b up
# make it so traffic originating from the host side of the veth
# is sent over the veth no matter its destination.
${ip} rule add from ${veth-host-ip} lookup ovpns pref 50
# for traffic originating at the host veth to the WAN, use the veth as our gateway
# not sure if the metric 1002 matters.
${ip} route add default via ${veth-local-ip} dev ovpns-veth-a proto kernel src ${veth-host-ip} metric 1002 table ovpns
# give the default route lower priority
${ip} rule add from all lookup local pref 100
${ip} rule del from all lookup local pref 0
# bridge HTTP traffic:
# any external port-80 request sent to the VPN addr will be forwarded to the rootns.
# this exists so LetsEncrypt can procure a cert for the MX over http.
# TODO: we could use _acme_challence.mx.uninsane.org CNAME to avoid this forwarding
# - <https://community.letsencrypt.org/t/where-does-letsencrypt-resolve-dns-from/37607/8>
${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 80 -m iprange --dst-range ${vpn-ip} \
-j DNAT --to-destination ${veth-host-ip}:80
# we also bridge DNS traffic
${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
-j DNAT --to-destination ${veth-host-ip}:53
${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
-j DNAT --to-destination ${veth-host-ip}:53
# in order to access DNS in this netns, we need to route it to the VPN's nameservers
# - alternatively, we could fix DNS servers like 1.1.1.1.
${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.53 \
-j DNAT --to-destination ${vpn-dns}:53
'';
};
systemd.services.wg0veth = {
description = "veth pair to allow communication between host and wg0 netns";
after = [ "wireguard-wg0.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = with pkgs; writeScript "wg0veth-start" ''
#!${bash}/bin/bash
# create veth pair
${iproute2}/bin/ip link add ovpns-veth-a type veth peer name ovpns-veth-b
${iproute2}/bin/ip addr add 10.0.1.5/24 dev ovpns-veth-a
${iproute2}/bin/ip link set ovpns-veth-a up
# mv veth-b into the ovpns namespace
${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
# forward HTTP traffic, which we need for letsencrypt to work
${iproute2}/bin/ip netns exec ovpns ${socat}/bin/socat TCP4-LISTEN:80,reuseaddr,fork,su=nobody TCP4:10.0.1.5:80 &
'';
ExecStop = with pkgs; writeScript "wg0veth-stop" ''
#!${bash}/bin/bash
${iproute2}/bin/ip -n wg0 link del ovpns-veth-b
${iproute2}/bin/ip link del ovpns-veth-a
'';
};
};
# create a new routing table that we can use to proxy traffic out of the root namespace
# through the ovpns namespace, and to the WAN via VPN.
networking.iproute2.rttablesExtraConfig = ''
5 ovpns
'';
networking.iproute2.enable = true;
sops.secrets."wg_ovpns_privkey" = {
sopsFile = ../../secrets/servo.yaml;

31
hosts/servo/services/ddns-afraid.nix Normal file
View File

@@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
# using manual ddns now
lib.mkIf false
{
systemd.services.ddns-afraid = {
description = "update dynamic DNS entries for freedns.afraid.org";
serviceConfig = {
EnvironmentFile = config.sops.secrets.ddns_afraid.path;
# TODO: ProtectSystem = "strict";
# TODO: ProtectHome = "full";
# TODO: PrivateTmp = true;
};
script = let
curl = "${pkgs.curl}/bin/curl -4";
in ''
${curl} "https://freedns.afraid.org/dynamic/update.php?$AFRAID_KEY"
'';
};
systemd.timers.ddns-afraid = {
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "10min";
};
};
sops.secrets."ddns_afraid" = {
sopsFile = ../../../secrets/servo.yaml;
};
}

4
hosts/servo/services/ddns-he.nix
View File

@@ -1,5 +1,7 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
# we use manual DDNS now
lib.mkIf false
{
systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric";

5
hosts/servo/services/default.nix
View File

@@ -1,6 +1,7 @@
{ ... }:
{
imports = [
./ddns-afraid.nix
./ddns-he.nix
./ejabberd.nix
./freshrss.nix
@@ -9,13 +10,17 @@
./ipfs.nix
./jackett.nix
./jellyfin.nix
./kiwix-serve.nix
./matrix
./navidrome.nix
./nixserve.nix
./nginx.nix
./pleroma.nix
./postfix.nix
./postgres.nix
./prosody.nix
./transmission.nix
./trust-dns.nix
./wikipedia.nix
];
}

425
hosts/servo/services/ejabberd.nix
View File

@@ -1,84 +1,393 @@
# docs:
# - <https://docs.ejabberd.im/admin/configuration/basic>
# example configs:
# - <https://github.com/vkleen/machines/blob/138a2586ce185d7cf201d4e1fe898c83c4af52eb/hosts/europium/ejabberd.nix>
# - <https://github.com/Mic92/stockholm/blob/675ef0088624c9de1cb531f318446316884a9d3d/tv/3modules/ejabberd/default.nix>
# - <https://github.com/buffet/tararice/blob/master/programs/ejabberd.nix>
# - enables STUN and TURN
# - only over UDP 3478, not firewall-forwarding any TURN port range
# - uses stun_disco module (but with no options)
# - <https://github.com/leo60228/dotfiles/blob/39b3abba3009bdc31413d4757ca2f882a33eec8b/files/ejabberd.yml>
# - <https://github.com/Mic92/dotfiles/blob/ddf0f4821f554f7667fc803344657367c55fb9e6/nixos/eve/modules/ejabberd.nix>
# - <nixpkgs:nixos/tests/xmpp/ejabberd.nix>
# - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example>
{ lib, ... }:
#
# compliance tests:
# - <https://compliance.conversations.im/server/uninsane.org/#xep0352>
{ config, lib, pkgs, ... }:
# XXX disabled: fails to start because of `mnesia_tm` dependency
# XXX: avatar support works in MUCs but not DMs
# lib.mkIf false
{
sane.impermanence.service-dirs = [
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
];
networking.firewall.allowedTCPPorts = [
5222 # XMPP client -> server
5269 # XMPP server -> server
3478 # STUN/TURN
5222 # XMPP client -> server
5223 # XMPPS client -> server (XMPP over TLS)
5269 # XMPP server -> server
5270 # XMPPS server -> server (XMPP over TLS)
5280 # bosh
5281 # bosh (https) ??
5349 # STUN/TURN (TLS)
5443 # web services (file uploads, websockets, admin)
];
networking.firewall.allowedUDPPorts = [
3478 # STUN/TURN
];
networking.firewall.allowedTCPPortRanges = [{
from = 49152; # TURN
to = 65535;
}];
networking.firewall.allowedUDPPortRanges = [{
from = 49152; # TURN
to = 65535;
}];
# provide access to certs
users.users.ejabberd.extraGroups = [ "nginx" ];
security.acme.certs."uninsane.org".extraDomainNames = [
"xmpp.uninsane.org"
"muc.xmpp.uninsane.org"
"pubsub.xmpp.uninsane.org"
"upload.xmpp.uninsane.org"
"vjid.xmpp.uninsane.org"
];
# exists so the XMPP server's cert can obtain altNames for all its resources
services.nginx.virtualHosts."xmpp.uninsane.org" = {
useACMEHost = "uninsane.org";
};
services.nginx.virtualHosts."muc.xmpp.uninsane.org" = {
useACMEHost = "uninsane.org";
};
services.nginx.virtualHosts."pubsub.xmpp.uninsane.org" = {
useACMEHost = "uninsane.org";
};
services.nginx.virtualHosts."upload.xmpp.uninsane.org" = {
useACMEHost = "uninsane.org";
};
services.nginx.virtualHosts."vjid.xmpp.uninsane.org" = {
useACMEHost = "uninsane.org";
};
sane.services.trust-dns.zones."uninsane.org".inet = {
# XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
A."xmpp" = [ "%NATIVE%" ];
CNAME."muc.xmpp" = [ "xmpp" ];
CNAME."pubsub.xmpp" = [ "xmpp" ];
CNAME."upload.xmpp" = [ "xmpp" ];
CNAME."vjid.xmpp" = [ "xmpp" ];
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
# - <https://xmpp.org/extensions/xep-0368.html>
# something's requesting the SRV records for muc.xmpp, so let's include it
# nothing seems to request XMPP SRVs for the other records (except @)
# lower numerical priority field tells clients to prefer this method
SRV."_xmpps-client._tcp.muc.xmpp" = [ "3 50 5223 xmpp" ];
SRV."_xmpps-server._tcp.muc.xmpp" = [ "3 50 5270 xmpp" ];
SRV."_xmpp-client._tcp.muc.xmpp" = [ "5 50 5222 xmpp" ];
SRV."_xmpp-server._tcp.muc.xmpp" = [ "5 50 5269 xmpp" ];
SRV."_xmpps-client._tcp" = [ "3 50 5223 xmpp" ];
SRV."_xmpps-server._tcp" = [ "3 50 5270 xmpp" ];
SRV."_xmpp-client._tcp" = [ "5 50 5222 xmpp" ];
SRV."_xmpp-server._tcp" = [ "5 50 5269 xmpp" ];
SRV."_stun._udp" = [ "5 50 3478 xmpp" ];
SRV."_stun._tcp" = [ "5 50 3478 xmpp" ];
SRV."_stuns._tcp" = [ "5 50 5349 xmpp" ];
SRV."_turn._udp" = [ "5 50 3478 xmpp" ];
SRV."_turn._tcp" = [ "5 50 3478 xmpp" ];
SRV."_turns._tcp" = [ "5 50 5349 xmpp" ];
};
# TODO: allocate UIDs/GIDs ?
services.ejabberd.enable = true;
services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
hosts:
- uninsane.org
services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml";
systemd.services.ejabberd.preStart = let
config-in = pkgs.writeTextFile {
name = "ejabberd.yaml.in";
text = ''
hosts:
- uninsane.org
# none | emergency | alert | critical | error | warning | notice | info | debug
loglevel: debug
# none | emergency | alert | critical | error | warning | notice | info | debug
loglevel: debug
# loglevel: info
# loglevel: notice
acme:
auto: false
certfiles:
- /var/lib/acme/uninsane.org/fullchain.pem
- /var/lib/acme/uninsane.org/key.pem
acme:
auto: false
certfiles:
- /var/lib/acme/uninsane.org/full.pem
# ca_file: ${pkgs.cacert.unbundled}/etc/ssl/certs/
# ca_file: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
pam_userinfotype: jid
pam_userinfotype: jid
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
shaper_rules:
max_s2s_connections: 3
max_user_offline_messages: 5000
c2s_shaper:
fast: all
s2s_shaper:
med: all
acl:
admin:
user:
- "colin@uninsane.org"
local:
user_regexp: ""
loopback:
ip:
- 127.0.0.0/8
- ::1/128
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers>
# this limits the bytes/sec.
# for example, burst: 3_000_000 and rate: 100_000 means:
# - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB
shaper:
fast: 1000000
med: 500000
# fast:
# - rate: 1000000
# - burst_size: 10000000
# med:
# - rate: 500000
# - burst_size: 5000000
access_rules:
local:
allow: local
c2s_access:
allow: all
announce:
allow: admin
configure:
allow: admin
muc_create:
allow: local
pubsub_createnode_access:
allow: all
trusted_network:
allow: loopback
# see: <https://docs.ejabberd.im/admin/configuration/listen/>
# TODO: host web admin panel
s2s_use_starttls: true
listen:
-
port: 5222
module: ejabberd_c2s
shaper: c2s_shaper
starttls: true
-
port: 5269
module: ejabberd_s2s_in
shaper: s2s_shaper
-
port: 5280
module: ejabberd_http
request_handlers:
/admin: ejabberd_web_admin
/api: mod_http_api
/bosh: mod_bosh
/upload: mod_http_upload
/ws: ejabberd_http_ws
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
shaper_rules:
# setting this to above 1 may break outgoing messages
# - maybe some servers rate limit? or just don't understand simultaneous connections?
max_s2s_connections: 1
max_user_sessions: 10
max_user_offline_messages: 5000
c2s_shaper:
fast: all
s2s_shaper:
med: all
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers>
# this limits the bytes/sec.
# for example, burst: 3_000_000 and rate: 100_000 means:
# - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB
shaper:
fast: 1000000
med: 500000
# fast:
# - rate: 1000000
# - burst_size: 10000000
# med:
# - rate: 500000
# - burst_size: 5000000
# see: <https://docs.ejabberd.im/admin/configuration/listen/>
# s2s_use_starttls: true
s2s_use_starttls: optional
# lessens 504: remote-server-timeout errors
# see: <https://github.com/processone/ejabberd/issues/3105#issuecomment-562182967>
negotiation_timeout: 60
listen:
-
port: 5222
module: ejabberd_c2s
shaper: c2s_shaper
starttls: true
access: c2s_access
-
port: 5223
module: ejabberd_c2s
shaper: c2s_shaper
tls: true
access: c2s_access
-
port: 5269
module: ejabberd_s2s_in
shaper: s2s_shaper
-
port: 5270
module: ejabberd_s2s_in
shaper: s2s_shaper
tls: true
-
port: 5443
module: ejabberd_http
tls: true
request_handlers:
/admin: ejabberd_web_admin # TODO: ensure this actually works
/api: mod_http_api # ejabberd API endpoint (to control server)
/bosh: mod_bosh
/upload: mod_http_upload
/ws: ejabberd_http_ws
# /.well-known/host-meta: mod_host_meta
# /.well-known/host-meta.json: mod_host_meta
-
# STUN+TURN TCP
# note that the full port range should be forwarded ("not NAT'd")
# `use_turn=true` enables both TURN *and* STUN
port: 3478
module: ejabberd_stun
transport: tcp
use_turn: true
turn_min_port: 49152
turn_max_port: 65535
turn_ipv4_address: %NATIVE%
-
# STUN+TURN UDP
port: 3478
module: ejabberd_stun
transport: udp
use_turn: true
turn_min_port: 49152
turn_max_port: 65535
turn_ipv4_address: %NATIVE%
-
# STUN+TURN TLS over TCP
port: 5349
module: ejabberd_stun
transport: tcp
tls: true
certfile: /var/lib/acme/uninsane.org/full.pem
use_turn: true
turn_min_port: 49152
turn_max_port: 65535
turn_ipv4_address: %NATIVE%
# TODO: enable mod_fail2ban
# TODO(low): look into mod_http_fileserver for serving macros?
modules:
# mod_adhoc: {}
# mod_announce:
# access: admin
# allows users to set avatars in vCard
# - <https://docs.ejabberd.im/admin/configuration/modules/#mod-avatar>
mod_avatar: {}
mod_caps: {} # for mod_pubsub
mod_carboncopy: {} # allows multiple clients to receive a user's message
# queues messages when recipient is offline, including PEP and presence messages.
# compliance test suggests this be enabled
mod_client_state: {}
# mod_conversejs: TODO: enable once on 21.12
# allows clients like Dino to discover where to upload files
mod_disco:
server_info:
-
modules: all
name: abuse-addresses
urls:
- "mailto:admin.xmpp@uninsane.org"
- "xmpp:colin@uninsane.org"
-
modules: all
name: admin-addresses
urls:
- "mailto:admin.xmpp@uninsane.org"
- "xmpp:colin@uninsane.org"
mod_http_upload:
host: upload.xmpp.uninsane.org
hosts:
- upload.xmpp.uninsane.org
put_url: "https://@HOST@:5443/upload"
dir_mode: "0750"
file_mode: "0750"
rm_on_unregister: false
# allow discoverability of BOSH and websocket endpoints
# TODO: enable once on ejabberd 22.05 (presently 21.04)
# mod_host_meta: {}
mod_jidprep: {} # probably not needed: lets clients normalize jids
mod_last: {} # allow other users to know when i was last online
mod_mam:
# Mnesia is limited to 2GB, better to use an SQL backend
# For small servers SQLite is a good fit and is very easy
# to configure. Uncomment this when you have SQL configured:
# db_type: sql
assume_mam_usage: true
default: always
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
history_size: 100 # messages to show new participants
host: muc.xmpp.uninsane.org
hosts:
- muc.xmpp.uninsane.org
default_room_options:
anonymous: false
lang: en
persistent: true
mam: true
mod_muc_admin: {}
mod_offline: # store messages for a user when they're offline (TODO: understand multi-client workflow?)
access_max_user_messages: max_user_offline_messages
store_groupchat: true
mod_ping: {}
mod_privacy: {} # deprecated, but required for `ejabberctl export_piefxis`
mod_private: {} # allow local clients to persist arbitrary data on my server
# push notifications to services integrated with e.g. Apple/Android.
# default is for a maximum amount of PII to be withheld, since these push notifs
# generally traverse 3rd party services. can opt to include message body, etc, though.
mod_push: {}
# i don't fully understand what this does, but it seems aimed at making push notifs more reliable.
mod_push_keepalive: {}
mod_roster:
versioning: true
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback>
# s2s dialback to verify inbound messages
# unclear to what degree the XMPP network requires this
mod_s2s_dialback: {}
mod_shared_roster: {} # creates groups for @all, @online, and anything manually administered?
mod_stream_mgmt:
resend_on_timeout: if_offline # resend undelivered messages if the origin client is offline
# fallback for when DNS-based STUN discovery is unsupported.
# - see: <https://xmpp.org/extensions/xep-0215.html>
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco>
# people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?)
mod_stun_disco: {}
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-vcard>
mod_vcard:
allow_return_all: true # all users are discoverable (?)
host: vjid.xmpp.uninsane.org
hosts:
- vjid.xmpp.uninsane.org
search: true
mod_vcard_xupdate: {} # needed for avatars
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-pubsub>
mod_pubsub: # needed for avatars
access_createnode: pubsub_createnode_access
host: pubsub.xmpp.uninsane.org
hosts:
- pubsub.xmpp.uninsane.org
ignore_pep_from_offline: false
last_item_cache: true
plugins:
- pep
- flat
force_node_config:
# ensure client bookmarks are private
storage:bookmarks:
access_model: whitelist
urn:xmpp:avatar:data:
access_model: open
urn:xmpp:avatar:metadata:
access_model: open
mod_version: {}
'';
};
sed = "${pkgs.gnused}/bin/sed";
in ''
ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
# config is 444 (not 644), so we want to write out-of-place and then atomically move
# TODO: factor this out into `sane-woop` helper?
rm -f /var/lib/ejabberd/ejabberd.yaml.new
${sed} "s/%NATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
mv /var/lib/ejabberd/ejabberd.yaml{.new,}
'';
sane.services.dyn-dns.restartOnChange = [ "ejabberd.service" ];
}

9
hosts/servo/services/freshrss.nix
View File

@@ -49,4 +49,13 @@
# the default ("*:0/5") is to run every 5 minutes.
# `systemctl list-timers` to show
systemd.services.freshrss-updater.startAt = lib.mkForce "*:3/30";
services.nginx.virtualHosts."rss.uninsane.org" = {
addSSL = true;
enableACME = true;
# inherit kTLS;
# the routing is handled by services.freshrss.virtualHost
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = [ "native" ];
}

14
hosts/servo/services/gitea.nix
View File

@@ -72,4 +72,18 @@
"/var/lib/gitea"
];
};
# hosted git (web view and for `git <cmd>` use
# TODO: enable publog?
services.nginx.virtualHosts."git.uninsane.org" = {
forceSSL = true; # gitea complains if served over a different protocol than its config file says
enableACME = true;
# inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = [ "native" ];
}

23
hosts/servo/services/goaccess.nix
View File

@@ -25,6 +25,7 @@
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Type = "simple";
Restart = "on-failure";
RestartSec = "10s";
# hardening
WorkingDirectory = "/tmp";
@@ -42,4 +43,26 @@
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
# server statistics
services.nginx.virtualHosts."sink.uninsane.org" = {
addSSL = true;
enableACME = true;
# inherit kTLS;
root = "/var/lib/uninsane/sink";
locations."/ws" = {
proxyPass = "http://127.0.0.1:7890";
# XXX not sure how much of this is necessary
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_read_timeout 7d;
'';
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = [ "native" ];
}

22
hosts/servo/services/ipfs.nix
View File

@@ -14,6 +14,28 @@ lib.mkIf false # i don't actively use ipfs anymore
# TODO: mode? could be more granular
{ user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
];
networking.firewall.allowedTCPPorts = [ 4001 ];
networking.firewall.allowedUDPPorts = [ 4001 ];
services.nginx.virtualHosts."ipfs.uninsane.org" = {
# don't default to ssl upgrades, since this may be dnslink'd from a different domain.
# ideally we'd disable ssl entirely, but some places assume it?
addSSL = true;
enableACME = true;
# inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
'';
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = [ "native" ];
# services.ipfs.enable = true;
services.kubo.localDiscovery = true;
services.kubo.settings = {

16
hosts/servo/services/jackett.nix
View File

@@ -7,12 +7,26 @@
];
services.jackett.enable = true;
systemd.services.jackett.after = ["wg0veth.service"];
systemd.services.jackett.after = [ "wireguard-wg0.service" ];
systemd.services.jackett.partOf = [ "wireguard-wg0.service" ];
systemd.services.jackett.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";
# patch jackett to listen on the public interfaces
# ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
};
# jackett torrent search
services.nginx.virtualHosts."jackett.uninsane.org" = {
forceSSL = true;
enableACME = true;
# inherit kTLS;
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9117";
proxyPass = "http://10.0.1.6:9117";
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = [ "native" ];
}

63
hosts/servo/services/jellyfin.nix
View File

@@ -1,14 +1,69 @@
{ config, ... }:
{ config, lib, ... }:
# TODO: re-enable after migrating media dir to /var/lib/uninsane/media
# else it's too spammy
lib.mkIf false
{
networking.firewall.allowedUDPPorts = [
1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
];
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
];
# Jellyfin multimedia server
# this is mostly taken from the official jellfin.org docs
services.nginx.virtualHosts."jelly.uninsane.org" = {
addSSL = true;
enableACME = true;
# inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
# locations."/web/" = {
# proxyPass = "http://127.0.0.1:8096/web/index.html";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# '';
# };
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = [ "native" ];
# users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
# users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
# TODO: re-enable after migrating media dir to /var/lib/uninsane/media
# else it's too spammy
# services.jellyfin.enable = true;
services.jellyfin.enable = true;
}

17
hosts/servo/services/kiwix-serve.nix Normal file
View File

@@ -0,0 +1,17 @@
{ ... }:
{
sane.services.kiwix-serve = {
enable = true;
port = 8013;
zimPaths = [ "/var/lib/uninsane/www-archive/wikipedia_en_all_maxi_2022-05.zim" ];
};
services.nginx.virtualHosts."w.uninsane.org" = {
forceSSL = true;
enableACME = true;
# inherit kTLS;
locations."/".proxyPass = "http://127.0.0.1:8013";
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = [ "native" ];
}

51
hosts/servo/services/matrix/default.nix
View File

@@ -1,6 +1,6 @@
# docs: https://nixos.wiki/wiki/Matrix
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
{
imports = [
@@ -77,6 +77,55 @@
# create a token with limited uses:
# curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
# matrix chat server
# TODO: was `publog`
services.nginx.virtualHosts."matrix.uninsane.org" = {
addSSL = true;
enableACME = true;
# inherit kTLS;
# TODO colin: replace this with something helpful to the viewer
# locations."/".extraConfig = ''
# return 404;
# '';
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
# redirect browsers to the web client.
# i don't think native matrix clients ever fetch the root.
# ideally this would be put behind some user-agent test though.
locations."= /" = {
return = "301 https://web.matrix.uninsane.org";
};
# locations."/_matrix" = {
# proxyPass = "http://127.0.0.1:8008";
# };
};
# matrix web client
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web
services.nginx.virtualHosts."web.matrix.uninsane.org" = {
forceSSL = true;
enableACME = true;
# inherit kTLS;
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://matrix.uninsane.org";
"server_name" = "uninsane.org";
};
};
};
};
sane.services.trust-dns.zones."uninsane.org".inet = {
CNAME."matrix" = [ "native" ];
CNAME."web.matrix" = [ "native" ];
};
sops.secrets.matrix_synapse_secrets = {
sopsFile = ../../../../secrets/servo.yaml;

9
hosts/servo/services/navidrome.nix
View File

@@ -14,4 +14,13 @@
AutoImportPlaylists = false;
ScanSchedule = "@every 1h";
};
services.nginx.virtualHosts."music.uninsane.org" = {
forceSSL = true;
enableACME = true;
# inherit kTLS;
locations."/".proxyPass = "http://127.0.0.1:4533";
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = [ "native" ];
}

269
hosts/servo/services/nginx.nix
View File

@@ -9,9 +9,12 @@ let
'';
};
kTLS = true; # in-kernel TLS for better perf
# kTLS = true; # in-kernel TLS for better perf
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = true;
services.nginx.appendConfig = ''
# use 1 process per core.
@@ -45,7 +48,7 @@ in
# and things don't look right. so force SSL.
forceSSL = true;
enableACME = true;
inherit kTLS;
# inherit kTLS;
# for OCSP stapling
sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
@@ -93,246 +96,6 @@ in
# };
};
# server statistics
services.nginx.virtualHosts."sink.uninsane.org" = {
addSSL = true;
enableACME = true;
inherit kTLS;
root = "/var/lib/uninsane/sink";
locations."/ws" = {
proxyPass = "http://127.0.0.1:7890";
# XXX not sure how much of this is necessary
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_read_timeout 7d;
'';
};
};
# Pleroma server and web interface
services.nginx.virtualHosts."fed.uninsane.org" = publog {
forceSSL = true; # pleroma redirects to https anyway
enableACME = true;
inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
# documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
extraConfig = ''
# XXX colin: this block is in the nixos examples: i don't understand all of it
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
if ($request_method = OPTIONS) {
return 204;
}
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-Download-Options noopen;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# colin: added this due to Pleroma complaining in its logs
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 16m;
'';
};
};
# transmission web client
services.nginx.virtualHosts."bt.uninsane.org" = {
# basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
forceSSL = true;
enableACME = true;
inherit kTLS;
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://10.0.1.6:9091";
};
};
# jackett torrent search
services.nginx.virtualHosts."jackett.uninsane.org" = {
forceSSL = true;
enableACME = true;
inherit kTLS;
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9117";
proxyPass = "http://10.0.1.6:9117";
};
};
# matrix chat server
services.nginx.virtualHosts."matrix.uninsane.org" = publog {
addSSL = true;
enableACME = true;
inherit kTLS;
# TODO colin: replace this with something helpful to the viewer
# locations."/".extraConfig = ''
# return 404;
# '';
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
# redirect browsers to the web client.
# i don't think native matrix clients ever fetch the root.
# ideally this would be put behind some user-agent test though.
locations."= /" = {
return = "301 https://web.matrix.uninsane.org";
};
# locations."/_matrix" = {
# proxyPass = "http://127.0.0.1:8008";
# };
};
# matrix web client
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-element-web
services.nginx.virtualHosts."web.matrix.uninsane.org" = {
forceSSL = true;
enableACME = true;
inherit kTLS;
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://matrix.uninsane.org";
"server_name" = "uninsane.org";
};
};
};
};
# hosted git (web view and for `git <cmd>` use
services.nginx.virtualHosts."git.uninsane.org" = publog {
forceSSL = true; # gitea complains if served over a different protocol than its config file says
enableACME = true;
inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
# Jellyfin multimedia server
# this is mostly taken from the official jellfin.org docs
services.nginx.virtualHosts."jelly.uninsane.org" = {
addSSL = true;
enableACME = true;
inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
# locations."/web/" = {
# proxyPass = "http://127.0.0.1:8096/web/index.html";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# '';
# };
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
services.nginx.virtualHosts."music.uninsane.org" = {
forceSSL = true;
enableACME = true;
inherit kTLS;
locations."/".proxyPass = "http://127.0.0.1:4533";
};
services.nginx.virtualHosts."rss.uninsane.org" = {
addSSL = true;
enableACME = true;
inherit kTLS;
# the routing is handled by freshrss.nix
};
services.nginx.virtualHosts."ipfs.uninsane.org" = {
# don't default to ssl upgrades, since this may be dnslink'd from a different domain.
# ideally we'd disable ssl entirely, but some places assume it?
addSSL = true;
enableACME = true;
inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
'';
};
};
# exists only to manage certs for dovecot
services.nginx.virtualHosts."imap.uninsane.org" = {
forceSSL = true;
enableACME = true;
};
# exists only to manage certs for Postfix
services.nginx.virtualHosts."mx.uninsane.org" = {
forceSSL = true;
enableACME = true;
};
services.nginx.virtualHosts."nixcache.uninsane.org" = {
addSSL = true;
enableACME = true;
inherit kTLS;
# serverAliases = [ "nixcache" ];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
# serve any site not listed above, if it's static.
# because we define it dynamically, SSL isn't trivial. support only http
@@ -365,6 +128,28 @@ in
{ user = "colin"; group = "users"; directory = "/var/www/sites"; }
];
# let's encrypt default chain looks like:
# - End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
# - <https://community.letsencrypt.org/t/production-chain-changes/150739>
# DST Root CA X3 expired in 2021 (?)
# the alternative chain is:
# - End-entity certificate ← R3 ← ISRG Root X1 (self-signed)
# using this alternative chain grants more compatibility for services like ejabberd
# but might decrease compatibility with very old clients that don't get updates (e.g. old android, iphone <= 4).
# security.acme.defaults.extraLegoFlags = [
security.acme.certs."uninsane.org" = rec {
# ISRG Root X1 results in lets encrypt sending the same chain as default,
# just without the final ISRG Root X1 ← DST Root CA X3 link.
# i.e. we could alternative clip the last item and achieve the exact same thing.
extraLegoRunFlags = [
"--preferred-chain" "ISRG Root X1"
];
extraLegoRenewFlags = extraLegoRunFlags;
};
# TODO: alternatively, we could clip the last cert IF it's expired,
# optionally outputting that to a new cert file.
# security.acme.defaults.postRun = "";
# create a self-signed SSL certificate for use with literally any domain.
# browsers will reject this, but proxies and local testing tools can be configured
# to accept it.

21
hosts/servo/services/nixserve.nix Normal file
View File

@@ -0,0 +1,21 @@
{ config, ... }:
{
services.nginx.virtualHosts."nixcache.uninsane.org" = {
addSSL = true;
enableACME = true;
# inherit kTLS;
# serverAliases = [ "nixcache" ];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = [ "native" ];
sane.services.nixserve.enable = true;
sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
}

45
hosts/servo/services/pleroma.nix
View File

@@ -127,6 +127,7 @@
systemd.services.pleroma.serviceConfig = {
# postgres can be slow to service early requests, preventing pleroma from starting on the first try
Restart = "on-failure";
RestartSec = "10s";
};
# systemd.services.pleroma.serviceConfig = {
@@ -136,6 +137,50 @@
# CapabilityBoundingSet = lib.mkForce "~";
# };
# Pleroma server and web interface
# TODO: enable publog?
services.nginx.virtualHosts."fed.uninsane.org" = {
forceSSL = true; # pleroma redirects to https anyway
enableACME = true;
# inherit kTLS;
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
# documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
extraConfig = ''
# XXX colin: this block is in the nixos examples: i don't understand all of it
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
if ($request_method = OPTIONS) {
return 204;
}
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-Download-Options noopen;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# colin: added this due to Pleroma complaining in its logs
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 16m;
'';
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = [ "native" ];
sops.secrets.pleroma_secrets = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.pleroma.name;

61
hosts/servo/services/postfix.nix
View File

@@ -25,6 +25,61 @@ in
# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
# "/var/lib/dovecot"
];
networking.firewall.allowedTCPPorts = [
25 # SMTP
143 # IMAP
465 # SMTPS
587 # SMTPS/submission
993 # IMAPS
];
# exists only to manage certs for dovecot
services.nginx.virtualHosts."imap.uninsane.org" = {
enableACME = true;
};
# exists only to manage certs for Postfix
services.nginx.virtualHosts."mx.uninsane.org" = {
enableACME = true;
};
sane.services.trust-dns.zones."uninsane.org".inet = {
MX."@" = [ "10 mx.uninsane.org." ];
# XXX: RFC's specify that the MX record CANNOT BE A CNAME
A."mx" = [ "185.157.162.178" ];
CNAME."imap" = [ "native" ];
# Sender Policy Framework:
# +mx => mail passes if it originated from the MX
# +a => mail passes if it originated from the A address of this domain
# +ip4:.. => mail passes if it originated from this IP
# -all => mail fails if none of these conditions were met
TXT."@" = [ "v=spf1 a mx -all" ];
# DKIM public key:
TXT."mx._domainkey" = [
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
];
# DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
# p=none|quarantine|reject: what to do with failures
# sp = p but for subdomains
# rua = where to send aggregrate reports
# ruf = where to send individual failure reports
# fo=0|1|d|s controls WHEN to send failure reports
# (1=on bad alignment; d=on DKIM failure; s=on SPF failure);
# Additionally:
# adkim=r|s (is DKIM relaxed [default] or strict)
# aspf=r|s (is SPF relaxed [default] or strict)
# pct = sampling ratio for punishing failures (default 100 for 100%)
# rf = report format
# ri = report interval
TXT."_dmarc" = [
"v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
];
};
services.postfix.enable = true;
services.postfix.hostname = "mx.uninsane.org";
services.postfix.origin = "uninsane.org";
@@ -55,7 +110,8 @@ in
services.postfix.enableSubmissions = true;
services.postfix.submissionsOptions = submissionOptions;
systemd.services.postfix.after = [ "wg0veth.service" ];
systemd.services.postfix.after = [ "wireguard-wg0.service" ];
systemd.services.postfix.partOf = [ "wireguard-wg0.service" ];
systemd.services.postfix.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";
@@ -76,7 +132,8 @@ in
# keeping this the same as the hostname seems simplest
services.opendkim.selector = "mx";
systemd.services.opendkim.after = [ "wg0veth.service" ];
systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
systemd.services.opendkim.partOf = [ "wireguard-wg0.service" ];
systemd.services.opendkim.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";

8
hosts/servo/services/prosody.nix
View File

@@ -1,3 +1,5 @@
# example configs:
# - <https://github.com/kittywitch/nixfiles/blob/main/services/prosody.nix>
# create users with:
# - `sudo -u prosody prosodyctl adduser colin@uninsane.org`
@@ -13,7 +15,7 @@ lib.mkIf false
networking.firewall.allowedTCPPorts = [
5222 # XMPP client -> server
5269 # XMPP server -> server
5280 # Prosody HTTP port (necessary?)
5280 # bosh
5281 # Prosody HTTPS port (necessary?)
];
@@ -34,7 +36,7 @@ lib.mkIf false
# c2s_require_encryption = true
# '';
# extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
extraModules = [ "private" "vcard" "privacy" "compression" "component" "muc" "pep" "adhoc" "lastactivity" "admin_adhoc" "blocklist"];
ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";
ssl.key = "/var/lib/acme/uninsane.org/key.pem";
@@ -51,7 +53,7 @@ lib.mkIf false
domain = "localhost";
enabled = true;
};
"uninsane.org" = {
"xmpp.uninsane.org" = {
domain = "uninsane.org";
enabled = true;
ssl.cert = "/var/lib/acme/uninsane.org/fullchain.pem";

34
hosts/servo/services/transmission.nix
View File

@@ -1,4 +1,4 @@
{ ... }:
{ pkgs, ... }:
{
sane.impermanence.service-dirs = [
@@ -40,11 +40,41 @@
# transmission will by default not allow the world to read its files.
services.transmission.downloadDirPermissions = "775";
systemd.services.transmission.after = ["wg0veth.service"];
systemd.services.transmission.after = [ "wireguard-wg0.service" ];
systemd.services.transmission.partOf = [ "wireguard-wg0.service" ];
systemd.services.transmission.serviceConfig = {
# run this behind the OVPN static VPN
NetworkNamespacePath = "/run/netns/ovpns";
LogLevelMax = "warning";
};
# service to automatically backup torrents i add to transmission
systemd.services.backup-torrents = {
description = "archive torrents to storage not owned by transmission";
script = ''
${pkgs.rsync}/bin/rsync -arv /var/lib/transmission/.config/transmission-daemon/torrents/ /var/backup/torrents/
'';
};
systemd.timers.backup-torrents = {
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnStartupSec = "11min";
OnUnitActiveSec = "240min";
};
};
# transmission web client
services.nginx.virtualHosts."bt.uninsane.org" = {
# basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
forceSSL = true;
enableACME = true;
# inherit kTLS;
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://10.0.1.6:9091";
};
};
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = ["native"];
}

66
hosts/servo/services/trust-dns.nix Normal file
View File

@@ -0,0 +1,66 @@
{ config, pkgs, ... }:
{
sane.services.trust-dns.enable = true;
sane.services.trust-dns.listenAddrsIPv4 = [
# specify each address explicitly, instead of using "*".
# this ensures responses are sent from the address at which the request was received.
"192.168.0.5"
"10.0.1.5"
];
sane.services.trust-dns.zones."uninsane.org".TTL = 900;
# SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
# SOA MNAME RNAME (... rest)
# MNAME = Master name server for this zone. this is where update requests should be sent.
# RNAME = admin contact (encoded email address)
# Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
# Refresh = how frequently secondary NS should query master
# Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
# Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
sane.services.trust-dns.zones."uninsane.org".inet = {
SOA."@" = [''
ns1.uninsane.org. admin-dns.uninsane.org. (
2022122101 ; Serial
4h ; Refresh
30m ; Retry
7d ; Expire
5m) ; Negative response TTL
''];
TXT."rev" = [ "2022122101" ];
# XXX NS records must also not be CNAME
# it's best that we keep this identical, or a superset of, what org. lists as our NS.
# so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
A."ns1" = [ "%NATIVE%" ];
A."ns2" = [ "185.157.162.178" ];
A."ns3" = [ "185.157.162.178" ];
A."ovpns" = [ "185.157.162.178" ];
A."native" = [ "%NATIVE%" ];
A."@" = [ "%NATIVE%" ];
NS."@" = [
"ns1.uninsane.org."
"ns2.uninsane.org."
"ns3.uninsane.org."
];
};
sane.services.trust-dns.zones."uninsane.org".file =
"/var/lib/trust-dns/uninsane.org.zone";
systemd.services.trust-dns.preStart = let
sed = "${pkgs.gnused}/bin/sed";
zone-dir = "/var/lib/trust-dns";
zone-out = "${zone-dir}/uninsane.org.zone";
zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.services.trust-dns.generatedZones."uninsane.org";
in ''
# make WAN records available to trust-dns
mkdir -p ${zone-dir}
ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
${sed} s/%NATIVE%/$ip/ ${zone-template} > ${zone-out}
'';
sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
}

33
hosts/servo/services/wikipedia.nix Normal file
View File

@@ -0,0 +1,33 @@
# docs: <https://nixos.wiki/wiki/MediaWiki>
{ config, lib, ... }:
# XXX: working to host wikipedia with kiwix instead of mediawiki
# mediawiki does more than i need and isn't obviously superior in any way
# except that the dumps are more frequent/up-to-date.
lib.mkIf false
{
sops.secrets."mediawiki_pw" = {
owner = config.users.users.mediawiki.name;
sopsFile = ../../../secrets/servo.yaml;
};
users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid;
services.mediawiki.enable = true;
services.mediawiki.name = "Uninsane Wiki";
services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;
services.mediawiki.extraConfig = ''
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
'';
services.mediawiki.virtualHost.listen = [
{
ip = "127.0.0.1";
port = 8013;
ssl = false;
}
];
services.mediawiki.virtualHost.hostName = "w.uninsane.org";
services.mediawiki.virtualHost.adminAddr = "admin+mediawiki@uninsane.org";
# services.mediawiki.extensions = TODO: wikipedia sync extension?
}

2
modules/allocations.nix
View File

@@ -23,8 +23,10 @@ in
sane.allocations.greeter-uid = mkId 999;
sane.allocations.greeter-gid = mkId 999;
# new servo users
sane.allocations.freshrss-uid = mkId 2401;
sane.allocations.freshrss-gid = mkId 2401;
sane.allocations.mediawiki-uid = mkId 2402;
sane.allocations.colin-uid = mkId 1000;
sane.allocations.guest-uid = mkId 1100;

11
modules/gui/snippets.txt Normal file
View File

@@ -0,0 +1,11 @@
https://search.nixos.org/options?channel=unstable&query=
https://search.nixos.org/packages?channel=unstable&query=
https://nixos.wiki/index.php?go=Go&search=
https://github.com/nixos/nixpkgs/pulls?q=
https://nix-community.github.io/home-manager/options.html
https://w.uninsane.org/viewer#search?books.name=wikipedia_en_all_maxi_2022-05&pattern=
https://jackett.uninsane.org/UI/Dashboard#search=
https://fed.uninsane.org
https://bt.uninsane.org
https://sci-hub.se
https://news.ycombinator.com

48
modules/gui/sway.nix
View File

@@ -81,8 +81,25 @@ in
sane.home-manager.windowManager.sway = {
enable = true;
wrapperFeatures.gtk = true;
config = rec {
terminal = "${pkgs.kitty}/bin/kitty";
config = let
fuzzel = "${pkgs.fuzzel}/bin/fuzzel";
wtype = "${pkgs.wtype}/bin/wtype";
kitty = "${pkgs.kitty}/bin/kitty";
lock-cmd = "${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
vol-up-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
vol-down-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
mute-cmd = "${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
brightness-up-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set +2%";
brightness-down-cmd = "${pkgs.brightnessctl}/bin/brightnessctl set 2%-";
screenshot-cmd = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area";
# "bookmarking"/snippets inspired by Luke Smith:
# - <https://www.youtube.com/watch?v=d_11QaTlf1I>
snip-file = ./snippets.txt;
snip-cmd = "${wtype} $(cat ${snip-file} | ${fuzzel} -d -i -w 60)";
# TODO: next splatmoji release should allow `-s none` to disable skin tones
emoji-cmd = "${pkgs.splatmoji}/bin/splatmoji -s medium-light type";
in rec {
terminal = kitty;
window = {
border = 3; # pixel boundary between windows
hideEdgeBorders = "smart"; # don't show border if only window on workspace
@@ -103,7 +120,7 @@ in
modifier = "Mod1";
# list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
# menu = "${pkgs.dmenu}/bin/dmenu_path";
menu = "${pkgs.fuzzel}/bin/fuzzel";
menu = fuzzel;
# menu = "${pkgs.albert}/bin/albert";
left = "h";
down = "j";
@@ -114,7 +131,9 @@ in
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
"${modifier}+s" = "exec ${snip-cmd}";
"${modifier}+l" = "exec ${lock-cmd}";
"${modifier}+slash" = "exec ${emoji-cmd}";
# "${modifier}+${left}" = "focus left";
# "${modifier}+${down}" = "focus down";
@@ -141,7 +160,7 @@ in
"${modifier}+f" = "fullscreen toggle";
"${modifier}+a" = "focus parent";
"${modifier}+s" = "layout stacking";
# "${modifier}+s" = "layout stacking";
"${modifier}+w" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
@@ -185,19 +204,20 @@ in
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
"${modifier}+r" = "mode resize";
} // {
# media keys
XF86MonBrightnessDown = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set 2%-"'';
XF86MonBrightnessUp = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set +2%"'';
XF86MonBrightnessDown = "exec ${brightness-down-cmd}";
XF86MonBrightnessUp = "exec ${brightness-up-cmd}";
XF86AudioRaiseVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
# TODO: hook into a visual prompt to display volume?
XF86AudioRaiseVolume = "exec ${vol-up-cmd}";
XF86AudioLowerVolume = "exec ${vol-down-cmd}";
XF86AudioMute = "exec ${mute-cmd}";
"${modifier}+Page_Up" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
"${modifier}+Page_Down" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
"${modifier}+Page_Up" = "exec ${vol-up-cmd}";
"${modifier}+Page_Down" = "exec ${vol-down-cmd}";
"${modifier}+Print" = "exec '${pkgs.sway-contrib.grimshot}/bin/grimshot copy area'";
"${modifier}+Print" = "exec ${screenshot-cmd}";
};
# mostly defaults:

12
modules/home-manager/default.nix
View File

@@ -12,24 +12,24 @@ let
# extract package from `sane.packages.enabledUserPkgs`
pkg-list = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
# extract `dir` from `sane.packages.enabledUserPkgs`
dir-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
private-list = pkgspec: builtins.concatLists (builtins.map (e: if e ? "private" then [ e.private ] else []) pkgspec);
dir-list = pkgspec: builtins.concatLists (builtins.map (e: e.dir or []) pkgspec);
private-list = pkgspec: builtins.concatLists (builtins.map (e: e.private or []) pkgspec);
feeds = import ./feeds.nix { inherit lib; };
in
{
imports = [
./aerc.nix
./discord.nix
./firefox.nix
./git.nix
./kitty.nix
./mpv.nix
./nb.nix
./neovim.nix
./splatmoji.nix
./ssh.nix
./sublime-music.nix
./vlc.nix
./zsh.nix
./zsh
];
options = {
@@ -101,14 +101,14 @@ in
);
in {
# convenience
"knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
"knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/knowledge";
"nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
"Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
"Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
"Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
# used by password managers, e.g. unix `pass`
".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge/secrets/accounts";
".password-store".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/knowledge/secrets/accounts";
} // privates;
# XDG defines things like ~/Desktop, ~/Downloads, etc.

12
modules/home-manager/discord.nix
View File

@@ -1,12 +0,0 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
# TODO: this should only be enabled on gui devices
# make Discord usable even when client is "outdated"
home-manager.users.colin.xdg.configFile."discord/settings.json".text = ''
{
"SKIP_HOST_UPDATE": true
}
'';
}

9
modules/home-manager/feeds.nix
View File

@@ -63,6 +63,10 @@ in rec {
(mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
## The Verge - Decoder
(mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
## Matrix (chat) Live
(mkPod "https://feed.podbean.com/matrixlive/feed.xml" // tech // weekly)
## Michael Malice - Your Welcome
(mkPod "https://www.podcastone.com/podcast?categoryID2=2232" // pol // weekly)
];
texts = [
@@ -135,8 +139,11 @@ in rec {
## Sean Carroll
(mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
## mostly dating topics. not advice, or humor, but looking through a social lens
(mkText "https://putanumonit.com/feed" // rat // infrequent)
# CODE
(mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
# (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
];
images = [

8
modules/home-manager/firefox.nix
View File

@@ -43,6 +43,7 @@ let
addon = name: extid: hash: pkgs.fetchFirefoxAddon {
inherit name hash;
url = "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
# extid can be found by unar'ing the above xpi, and copying browser_specific_settings.gecko.id field
fixedExtid = extid;
};
localAddon = pkg: pkgs.fetchFirefoxAddon {
@@ -51,11 +52,16 @@ let
fixedExtid = pkg.extid;
};
in [
# get names from:
# - ~/ref/nix-community/nur-combined/repos/rycee/pkgs/firefox-addons/generated-firefox-addons.nix
# `wget ...xpi`; `unar ...xpi`; `cat */manifest.json | jq '.browser_specific_settings.gecko.id'`
(addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-+xc4lcdsOwXxMsr4enFsdePbIb6GHq0bFLpqvH5xXos=")
(addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-30F8oDIgshXVY7YKgnfoc1tUTHfgeFbzXISJuVJs0AM=")
(addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-aDBRpcOeMyROnXjmveHKm9zsPC+LzXCG0uhAqI1EWf0=")
(addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-7ZDkG8O1rEYdh/La0PLi9tp92JxYeQvaOFt/BmnDv3U=")
(addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=")
(addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=")
(addon "ublacklist" "@ublacklist" "sha256-vHe/7EYOzcKeAbTElmt0Rb4E2rX0f3JgXThJaUmaz+M=")
(addon "i2p-in-private-browsing" "i2ppb@eyedeekay.github.io" "sha256-dJcJ3jxeAeAkRvhODeIVrCflvX+S4E0wT/PyYzQBQWs=")
# (addon "browserpass-ce" "browserpass@maximbaz.com" "sha256-sXgUBbRvMnRpeIW1MTkmTcoqtW/8RDXAkxAq1evFkpc=")
(localAddon pkgs.browserpass-extension)
];

2
modules/home-manager/nb.nix
View File

@@ -17,7 +17,7 @@ lib.mkIf false # XXX disabled!
home-manager.users.colin = { config, ... }: {
# nb markdown/personal knowledge manager
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/knowledge";
home.file.".nb/.current".text = "knowledge";
home.file.".nbrc".text = ''
# manage with `nb settings`

20
modules/home-manager/splatmoji.nix Normal file
View File

@@ -0,0 +1,20 @@
# borrows from:
# - default config: <https://github.com/cspeterson/splatmoji/blob/master/splatmoji.config>
# - wayland: <https://github.com/cspeterson/splatmoji/issues/32#issuecomment-830862566>
{ pkgs, ... }:
{
home-manager.users.colin = {
xdg.configFile."splatmoji/splatmoji.config".text = ''
history_file=/home/colin/.local/state/splatmoji/history
history_length=5
# TODO: wayland equiv
paste_command=xdotool key ctrl+v
# rofi_command=${pkgs.wofi}/bin/wofi --dmenu --insensitive --cache-file /dev/null
rofi_command=${pkgs.fuzzel}/bin/fuzzel -d -i -w 60
xdotool_command=${pkgs.wtype}/bin/wtype
# TODO: wayland equiv
xsel_command=xsel -b -i
'';
};
}

63
modules/home-manager/zsh.nix
View File

@@ -1,63 +0,0 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
# we don't need to full zsh dir -- just the history file --
# but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
sane.impermanence.home-dirs = [ ".local/share/zsh" ];
home-manager.users.colin.programs.zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
history.ignorePatterns = [ "rm *" ];
dotDir = ".config/zsh";
history.path = "/home/colin/.local/share/zsh/history";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
initExtra = ''
# zmv is a way to do rich moves/renames, with pattern matching/substitution.
# see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
autoload -Uz zmv
# disable `rm *` confirmations
setopt rmstarsilent
function nd() {
mkdir -p "$1";
pushd "$1";
}
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt.theme = "powerlevel10k";
utility.safeOps = false; # disable `mv` confirmation (and supposedly `rm`, too)
};
};
home-manager.users.colin.home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
}

103
modules/home-manager/zsh/default.nix Normal file
View File

@@ -0,0 +1,103 @@
{ config, lib, ... }:
lib.mkIf config.sane.home-manager.enable
{
# we don't need to full zsh dir -- just the history file --
# but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
sane.impermanence.home-dirs = [ ".local/share/zsh" ];
home-manager.users.colin.programs.zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
history.ignorePatterns = [ "rm *" ];
dotDir = ".config/zsh";
history.path = "/home/colin/.local/share/zsh/history";
# defaultKeymap = "vicmd"; # vim normal mode (cmd mode)
# powerlevel10k prompt config
# p10k.zsh is the auto-generated config, and i overwrite those defaults here, below.
initExtraBeforeCompInit = (builtins.readFile ./p10k.zsh) + ''
# powerlevel10k launches a gitstatusd daemon to accelerate git prompt queries.
# this keeps open file handles for any git repo i touch for 60 minutes (by default).
# that prevents unmounting whatever device the git repo is on -- particularly problematic for ~/private.
# i can disable gitstatusd and get slower fallback git queries:
# - either universally
# - or selectively by path
# see: <https://github.com/romkatv/powerlevel10k/issues/246>
typeset -g POWERLEVEL9K_VCS_DISABLED_DIR_PATTERN='(/home/colin/private/*|/home/colin/knowledge/*)'
# typeset -g POWERLEVEL9K_DISABLE_GITSTATUS=true
# show user@host also when logged into the current machine.
# default behavior is to show it only over ssh.
typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_CONTENT_EXPANSION='$P9K_CONTENT'
'';
initExtra = ''
# zmv is a way to do rich moves/renames, with pattern matching/substitution.
# see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
autoload -Uz zmv
# disable `rm *` confirmations
setopt rmstarsilent
function nd() {
mkdir -p "$1";
pushd "$1";
}
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
# configures jobs to persist after shell exit; other basic niceties
"environment"
# auto-titles terminal (e.g. based on cwd)
"terminal"
# configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
"editor"
# adds `history-stat` alias, setopts for good history defaults
"history"
# sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
"directory"
# helpers for term colors and styling. used by prompts? might be unnecessary
"spectrum"
# configures aliases like `ll`, `la`, disables globbing for things like rsync
# adds aliases like `get` to fetch a file. also adds `http-serve` alias??
"utility"
# tab completion. requires `utility` module prior to loading
# TODO: enable AUTO_PARAM_SLASH
"completion"
"prompt"
# TODO: enable syntax-highlighting ?
];
prompt.theme = "powerlevel10k";
utility.safeOps = false; # disable `mv` confirmation (and supposedly `rm`, too)
# editor.keymap = "vi";
};
dirHashes = {
# convenient `cd`-isms
"3rd" = "/home/colin/dev/3rd";
"dev" = "/home/colin/dev";
"knowledge" = "/home/colin/knowledge";
"nixos" = "/home/colin/nixos";
"nixpkgs" = "/home/colin/dev/3rd/nixpkgs";
"ref" = "/home/colin/ref";
"secrets" = "/home/colin/knowledge/secrets";
"tmp" = "/home/colin/tmp";
"uninsane" = "/home/colin/dev/uninsane";
"Videos" = "/home/colin/Videos";
};
};
home-manager.users.colin.home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
}

1635
modules/home-manager/zsh/p10k.zsh Normal file
View File

File diff suppressed because it is too large Load Diff

10
modules/impermanence.nix
View File

@@ -50,6 +50,7 @@ in
# "/var/lib/AccountsService" # not sure what this is, but it's empty
"/var/lib/alsa" # preserve output levels, default devices
# "/var/lib/blueman" # files aren't human readable
# TODO: if we changed the bluetooth installer to auto-discover the host MAC address, we could de-persist this
"/var/lib/bluetooth" # preserve bluetooth handshakes
"/var/lib/colord" # preserve color calibrations (?)
# "/var/lib/dhclient" # empty on lappy; dunno about desko
@@ -82,6 +83,15 @@ in
# files = [ "/etc/machine-id" ];
};
# for each edge in a mount path, impermanence gives that target directory the same permissions
# as the matching folder in /nix/persist.
# /nix/persist is often created with poor permissions. so patch them to get the desired directory permissions.
system.activationScripts.fixImpermanencePerms = {
text = "chmod ${config.users.users.colin.homeMode} /nix/persist/home/colin";
deps = [ "users" ];
};
system.activationScripts.createPersistentStorageDirs.deps = [ "fixImpermanencePerms" ];
# secret decoding depends on /etc/ssh keys, which may be persisted
system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {

81
modules/packages.nix
View File

@@ -4,6 +4,11 @@ with lib;
with pkgs;
let
cfg = config.sane.packages;
imagemagick = pkgs.imagemagick.override {
ghostscriptSupport = true;
};
consolePkgs = [
backblaze-b2
cdrtools
@@ -12,11 +17,13 @@ let
efivar
flashrom
fwupd
ghostscript # TODO: imagemagick wrapper should add gs to PATH
gnupg
gocryptfs
gopass
gopass-jsonapi
ifuse
imagemagick
ipfs
libimobiledevice
libsecret # for managing user keyrings
@@ -59,18 +66,18 @@ let
celluloid # mpv frontend
chromium
clinfo
{ pkg = dino; private = ".local/share/dino"; }
{ pkg = dino; private = [ ".local/share/dino" ]; }
electrum
# creds/session keys, etc
{ pkg = element-desktop; private = ".config/Element"; }
{ pkg = element-desktop; private = [ ".config/Element" ]; }
# `emote` will show a first-run dialog based on what's in this directory.
# mostly, it just keeps a LRU of previously-used emotes to optimize display order.
# TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
{ pkg = emote; dir = ".local/share/Emote"; }
{ pkg = emote; dir = [ ".local/share/Emote" ]; }
evince # works on phosh
# { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; } # TODO: ship normal fluffychat on non-moby?
# { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; } # TODO: ship normal fluffychat on non-moby?
foliate
font-manager
@@ -78,8 +85,10 @@ let
# XXX by default fractal stores its state in ~/.local/share/<UUID>.
# after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
# then reboot (so that libsecret daemon re-loads the keyring...?)
{ pkg = fractal-next; private = ".local/share/fractal"; }
{ pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
# { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
gajim # XMPP client
gimp # broken on phosh
gnome.cheese
gnome.dconf-editor
@@ -93,7 +102,7 @@ let
gnome.gnome-terminal # works on phosh
gnome.gnome-weather
{ pkg = gpodder-configured; dir = "gPodder/Downloads"; }
{ pkg = gpodder-configured; dir = [ "gPodder/Downloads" ]; }
gthumb
handbrake
@@ -106,15 +115,21 @@ let
lollypop
mesa-demos
{ pkg = mpv; dir = ".config/mpv/watch_later"; }
{ pkg = mpv; dir = [ ".config/mpv/watch_later" ]; }
networkmanagerapplet
# not strictly necessary, but allows caching articles; offline use, etc.
{ pkg = newsflash; dir = ".local/share/news-flash"; }
{ pkg = newsflash; dir = [ ".local/share/news-flash" ]; }
{ pkg = nheko; private = [
".config/nheko" # config file (including client token)
".cache/nheko" # media cache
".local/share/nheko" # per-account state database
]; }
# settings (electron app). TODO: can i manage these settings with home-manager?
{ pkg = obsidian; dir = ".config/obsidian"; }
{ pkg = obsidian; dir = [ ".config/obsidian" ]; }
pavucontrol
# picard # music tagging
@@ -127,14 +142,14 @@ let
# it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
# config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
# possible to pass config as a CLI arg (sublime-music -c config.json)
# { pkg = sublime-music; dir = ".local/share/sublime-music"; }
{ pkg = sublime-music-mobile; dir = ".local/share/sublime-music"; }
# { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
{ pkg = sublime-music-mobile; dir = [ ".local/share/sublime-music" ]; }
tdesktop # broken on phosh
{ pkg = tokodon; dir = ".cache/KDE/tokodon"; }
{ pkg = tokodon; private = [ ".cache/KDE/tokodon" ]; }
# vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
{ pkg = vlc; dir = ".config/vlc"; }
{ pkg = vlc; dir = [ ".config/vlc" ]; }
whalebird # pleroma client. input is broken on phosh
xdg-utils # for xdg-open
@@ -149,36 +164,37 @@ let
# XXX 2022-07-31: fix to allow links to open in default web-browser:
# https://github.com/NixOS/nixpkgs/issues/78961
nss = pkgs.nss_latest;
}); in { pkg = discord; dir = ".config/discord"; })
}); in { pkg = discord; private = [ ".config/discord" ]; })
# kaiteki # Pleroma client
# gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
gpt2tc
# gpt2tc # XXX: unreliable mirror
logseq
losslesscut-bin
makemkv
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
{ pkg = monero-gui; dir = ".bitmonero"; }
{ pkg = monero-gui; dir = [ ".bitmonero" ]; }
# creds, media
{ pkg = signal-desktop; dir = ".config/Signal"; }
{ pkg = signal-desktop; private = [ ".config/Signal" ]; }
# creds. TODO: can i manage this with home-manager?
{ pkg = spotify; dir = ".config/spotify"; }
{ pkg = spotify; dir = [ ".config/spotify" ]; }
# hardenedMalloc solves a crash at startup
(tor-browser-bundle-bin.override { useHardenedMalloc = false; })
# zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
{ pkg = zecwallet-lite; private = ".zcash"; }
{ pkg = zecwallet-lite; private = [ ".zcash" ]; }
] else []);
# general-purpose utilities that we want any user to be able to access
# (specifically: root, in case of rescue)
systemPkgs = [
btrfs-progs
cacert.unbundled # some services require unbundled /etc/ssl/certs
cryptsetup
dig
efibootmgr
@@ -203,11 +219,14 @@ let
parted
pciutils
powertop
pstree
ripgrep
screen
smartmontools
socat
strace
tcpdump
tree
usbutils
wget
];
@@ -227,15 +246,31 @@ let
rustup
swig
];
pkgSpec = types.submodule {
options = {
pkg = mkOption {
type = types.package;
};
dir = mkOption {
type = types.listOf types.str;
default = [];
description = "list of home-relative paths to persist for this package";
};
private = mkOption {
type = types.listOf types.str;
default = [];
description = "list of home-relative paths to persist (in encrypted format) for this package";
};
};
};
in
{
options = {
# packages to deploy to the user's home
sane.packages.extraUserPkgs = mkOption {
default = [ ];
# each entry can be either a package, or attrs:
# { pkg = package; dir = optional string; private = optional string };
type = types.listOf (types.either types.package types.attrs);
type = types.listOf (types.either types.package pkgSpec);
};
sane.packages.enableConsolePkgs = mkOption {
default = false;
@@ -272,5 +307,7 @@ in
config = {
environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
# XXX: this might not be necessary. try removing this and cacert.unbundled?
environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
};
}

3
modules/services/default.nix
View File

@@ -2,6 +2,9 @@
{
imports = [
./duplicity.nix
./dyn-dns.nix
./kiwix-serve.nix
./nixserve.nix
./trust-dns.nix
];
}

91
modules/services/dyn-dns.nix Normal file
View File

@@ -0,0 +1,91 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.sane.services.dyn-dns;
in
{
options = {
sane.services.dyn-dns = {
enable = mkOption {
default = false;
type = types.bool;
};
ipPath = mkOption {
default = "/var/lib/uninsane/wan.txt";
type = types.str;
description = "where to store the latest WAN IPv4 address";
};
ipCmd = mkOption {
default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
type = types.path;
description = "command to run to query the current WAN IP";
};
interval = mkOption {
type = types.str;
default = "10min";
description = "systemd time string for how frequently to re-check the IP";
};
restartOnChange = mkOption {
type = types.listOf types.str;
default = [];
description = "list of systemd unit files to restart when the IP changes";
};
};
};
config = mkIf cfg.enable {
systemd.services.dyn-dns = {
description = "update this host's record of its WAN IP";
serviceConfig.Type = "oneshot";
restartTriggers = [(builtins.toJSON cfg)];
after = [ "network.target" ];
wantedBy = cfg.restartOnChange;
before = cfg.restartOnChange;
script = ''
mkdir -p "$(dirname '${cfg.ipPath}')"
newIp=$(${cfg.ipCmd})
oldIp=$(cat '${cfg.ipPath}' || true)
# systemd path units are triggered on any file write action,
# regardless of content change. so only update the file if our IP *actually* changed
if [ "$newIp" != "$oldIp" ]
then
echo "$newIp" > '${cfg.ipPath}'
echo "WAN ip changed $oldIp -> $newIp"
fi
exit $(test -f '${cfg.ipPath}')
'';
};
systemd.timers.dyn-dns = {
# if anything wants dyn-dns.service, they surely want the timer too.
wantedBy = [ "dyn-dns.service" ];
timerConfig = {
OnUnitActiveSec = cfg.interval;
};
};
systemd.paths.dyn-dns-watcher = {
before = [ "dyn-dns.timer" ];
wantedBy = [ "dyn-dns.timer" ];
pathConfig = {
Unit = "dyn-dns-reactor.service";
PathChanged = [ cfg.ipPath ];
};
};
systemd.services.dyn-dns-reactor = {
description = "react to the system's WAN IP changing";
serviceConfig.Type = "oneshot";
script = if cfg.restartOnChange != [] then ''
${pkgs.systemd}/bin/systemctl restart ${toString cfg.restartOnChange}
'' else "${pkgs.coreutils}/bin/true";
};
};
}

55
modules/services/kiwix-serve.nix Normal file
View File

@@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.sane.services.kiwix-serve;
in
{
options = {
sane.services.kiwix-serve = {
enable = mkOption {
default = false;
type = types.bool;
};
package = mkOption {
type = types.package;
default = pkgs.kiwix-tools;
defaultText = literalExpression "pkgs.kiwix-tools";
description = lib.mdDoc ''
The package that provides `bin/kiwix-serve`.
'';
};
port = mkOption {
type = types.port;
default = 80;
description = lib.mdDoc "Port number to listen on.";
};
listenAddress = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
IP address to listen on. Listens on all available addresses if unspecified.
'';
};
zimPaths = mkOption {
type = types.nonEmptyListOf (types.either types.str types.path);
description = lib.mdDoc "ZIM file path(s)";
};
};
};
config = mkIf cfg.enable {
systemd.services.kiwix-serve = {
description = "Deliver ZIM file(s) articles via HTTP";
serviceConfig = let
maybeListenAddress = lib.optionals (cfg.listenAddress != null) ["-l" cfg.listenAddress];
args = maybeListenAddress ++ ["-p" cfg.port] ++ cfg.zimPaths;
in {
ExecStart = "${cfg.package}/bin/kiwix-serve ${lib.escapeShellArgs args}";
Type = "simple";
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
};
}

167
modules/services/trust-dns.nix Normal file
View File

@@ -0,0 +1,167 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.sane.services.trust-dns;
toml = pkgs.formats.toml { };
fmtRecord = proto: rrtype: name: value: "${name}\t${proto}\t${rrtype}\t${value}";
fmtRecordList = proto: rrtype: name: values: concatStringsSep
"\n"
(map (fmtRecord proto rrtype name) values)
;
fmtRecordAttrs = proto: rrtype: rrAttrs:
concatStringsSep
"\n"
(
attrValues (
mapAttrs
(name: fmtRecordList proto rrtype name)
rrAttrs
)
);
fmtIncludes = paths: concatStringsSep
"\n"
(map (path: "$INCLUDE ${path}") paths);
genZone = zcfg: ''
$TTL ${toString zcfg.TTL}
${fmtRecordAttrs "IN" "SOA" zcfg.inet.SOA}
${fmtRecordAttrs "IN" "A" zcfg.inet.A}
${fmtRecordAttrs "IN" "CNAME" zcfg.inet.CNAME}
${fmtRecordAttrs "IN" "MX" zcfg.inet.MX}
${fmtRecordAttrs "IN" "NS" zcfg.inet.NS}
${fmtRecordAttrs "IN" "SRV" zcfg.inet.SRV}
${fmtRecordAttrs "IN" "TXT" zcfg.inet.TXT}
${fmtIncludes zcfg.include}
${zcfg.extraConfig}
'';
configFile = toml.generate "trust-dns.toml" {
listen_addrs_ipv4 = cfg.listenAddrsIPv4;
zones = attrValues (
mapAttrs (zname: zcfg: rec {
zone = if zcfg.name == null then zname else zcfg.name;
zone_type = "Primary";
file = if zcfg.file == null then
pkgs.writeText "${zone}.zone" (genZone zcfg)
else
zcfg.file;
}) cfg.zones
);
};
in
{
options = {
sane.services.trust-dns = {
enable = mkOption {
default = false;
type = types.bool;
};
listenAddrsIPv4 = mkOption {
type = types.listOf types.str;
default = [];
description = "array of ipv4 addresses on which to listen for DNS queries";
};
# reference <nixpkgs:nixos/modules/services/web-servers/nginx/vhost-options.nix>
zones = mkOption {
type = types.attrsOf (types.submodule {
options = {
name = mkOption {
type = types.nullOr types.str;
description = "zone name. defaults to the attribute name in zones";
default = null;
};
TTL = mkOption {
type = types.int;
description = "default TTL";
default = 3600;
};
include = mkOption {
type = types.listOf types.str;
description = "paths of other zone files to $INCLUDE into this one";
default = [];
};
extraConfig = mkOption {
type = types.lines;
description = "extra lines to append to the zone file";
default = "";
};
inet = {
SOA = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "Start of Authority record(s)";
default = {};
};
A = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "IPv4 address record(s)";
default = {};
};
CNAME = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "canonical name record(s)";
default = {};
};
MX = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "mail exchanger record(s)";
default = {};
};
NS = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "name server record(s)";
default = {};
};
SRV = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "service record(s)";
default = {};
};
TXT = mkOption {
type = types.attrsOf (types.listOf types.str);
description = "text record(s)";
default = {};
};
};
file = mkOption {
type = types.nullOr types.str;
default = null;
description = "instead of using the generated zone file, use the specified path";
};
};
});
default = {};
description = "Declarative zone config";
};
generatedZones = mkOption {
type = types.attrsOf types.str;
description = "generated zone text for each zone";
};
};
};
config = mkIf cfg.enable {
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
systemd.services.trust-dns = {
description = "trust-dns DNS server";
serviceConfig = {
ExecStart = ''
${pkgs.trust-dns}/bin/named \
--config ${configFile} \
--zonedir /
'';
Type = "simple";
Restart = "on-failure";
RestartSec = "10s";
# TODO: hardening (like, don't run as root!)
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
};
}

26
nixpatches/2022-12-19-i2p-aarch64.patch Normal file
View File

@@ -0,0 +1,26 @@
diff --git a/pkgs/tools/networking/i2p/default.nix b/pkgs/tools/networking/i2p/default.nix
index e835007fdc5..1406486c7d4 100644
--- a/pkgs/tools/networking/i2p/default.nix
+++ b/pkgs/tools/networking/i2p/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
binaryBytecode # source bundles dependencies as jars
];
license = licenses.gpl2;
- platforms = [ "x86_64-linux" "i686-linux" ];
+ platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
maintainers = with maintainers; [ joelmo ];
};
}
diff --git a/pkgs/tools/system/java-service-wrapper/default.nix b/pkgs/tools/system/java-service-wrapper/default.nix
index 93d86a75d18..ab563085f93 100644
--- a/pkgs/tools/system/java-service-wrapper/default.nix
+++ b/pkgs/tools/system/java-service-wrapper/default.nix
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
homepage = "https://wrapper.tanukisoftware.com/";
changelog = "https://wrapper.tanukisoftware.com/doc/english/release-notes.html#${version}";
license = licenses.gpl2Only;
- platforms = [ "x86_64-linux" "i686-linux" ];
+ platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
maintainers = [ maintainers.suhr ];
};
}

17
nixpatches/list.nix
View File

@@ -1,4 +1,4 @@
fetchpatch: [
{ fakeHash, fetchpatch }: [
# librewolf: build with `MOZ_REQUIRE_SIGNING=false`
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/199134.diff";
@@ -6,6 +6,21 @@ fetchpatch: [
sha256 = "sha256-Ne4hyHQDwBHUlWo8Z3QyRdmEv1rYGOjFGxSfOAcLUvQ=";
})
# trust-dns: init at 0.22.0
(fetchpatch {
# https://git.uninsane.org/colin/nixpkgs/compare/master...pr-trust-dns.diff
url = "https://git.uninsane.org/colin/nixpkgs/commit/feee7e0357a74ab0510b2d113a3bdede1d509759.diff";
sha256 = "sha256-t4sG+xLDaxbJ/mV5G18N4ag8EC3IXPgtN5FJGANh1Dc=";
})
# kiwix-tools: init at 3.4.0
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/206254.diff";
sha256 = "sha256-Z4V9mOv4HYg3kDnWoYcxz3ch03I/1USrLjzlq4X9YqI=";
})
./2022-12-19-i2p-aarch64.patch
# # kaiteki: init at 2022-09-03
# vendorHash changes too frequently (might not be reproducible).
# using local package defn until stabilized

6
pkgs/bootpart-tow-boot-rpi-aarch64/default.nix
View File

@@ -1,10 +1,10 @@
{ stdenv, pkgs }:
{ stdenv, tow-boot-rp4, raspberrypifw, raspberrypi-armstubs }:
stdenv.mkDerivation rec {
pname = "bootpart-tow-boot-rpi-aarch64";
version = "1";
buildInputs = with pkgs; [
buildInputs = with [
tow-boot-rpi4 # for Tow-Boot.*.bin
raspberrypifw # for bootcode.bin, *.dat, *.elf, *.dtb
raspberrypi-armstubs # for armstub*
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
dontUnpack = true;
installPhase = with pkgs; ''
installPhase = ''
mkdir "$out"
cp ${tow-boot-rpi4}/Tow-Boot.noenv.*.bin "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.dtb "$out"/

10
pkgs/bootpart-u-boot-rpi-aarch64/default.nix
View File

@@ -1,10 +1,14 @@
{ stdenv, pkgs }:
{ stdenv
, ubootRaspberryPi4_64bit
, raspberrypifw
, raspberrypi-armstubs
}:
stdenv.mkDerivation rec {
pname = "bootpart-u-boot-rpi-aarch64";
version = "1";
buildInputs = with pkgs; [
buildInputs = [
ubootRaspberryPi4_64bit
raspberrypifw # for bootcode.bin, *.dat, *.elf, *.dtb
raspberrypi-armstubs # for armstub*
@@ -15,7 +19,7 @@ stdenv.mkDerivation rec {
dontUnpack = true;
installPhase = with pkgs; ''
installPhase = ''
mkdir "$out"
cp ${ubootRaspberryPi4_64bit}/u-boot.bin "$out"/
cp ${ubootRaspberryPi4_64bit}/*.dtb "$out"/

6
pkgs/bootpart-uefi-x86_64/default.nix
View File

@@ -1,14 +1,14 @@
{ stdenv, pkgs }:
{ stdenv, syslinux }:
stdenv.mkDerivation rec {
pname = "bootpart-uefi-x86_64";
version = "1";
buildInputs = [ pkgs.syslinux ];
buildInputs = [ syslinux ];
dontUnpack = true;
installPhase = with pkgs; ''
installPhase = ''
# populate the EFI directory with syslinux, and configure it to read that extlinux.conf file managed by nixos
mkdir -p "$out/EFI/syslinux" "$out/EFI/BOOT" "$out/syslinux"
cp -R "${syslinux}/share/syslinux/efi64"/* "$out/EFI/syslinux"

6
pkgs/browserpass/default.nix
View File

@@ -1,8 +1,8 @@
{ pkgs
{ lib
, browserpass
, bash
, fetchFromGitea
, gnused
, lib
, sane-scripts
, sops
, stdenv
@@ -26,7 +26,7 @@ let
};
in
(pkgs.browserpass.overrideAttrs (upstream: {
(browserpass.overrideAttrs (upstream: {
src = fetchFromGitea {
domain = "git.uninsane.org";
owner = "colin";

4
pkgs/firefox-unwrapped/default.nix
View File

@@ -1,6 +1,6 @@
{ pkgs }:
{ firefox-unwrapped }:
(pkgs.firefox-unwrapped.overrideAttrs (upstream: {
(firefox-unwrapped.overrideAttrs (upstream: {
# NB: firefox takes about 1hr to build on my 24-thread ryzen desktop
patches = (upstream.patches or []) ++ [
# see https://gitlab.com/librewolf-community/browser/source/-/blob/main/patches/sed-patches/allow-searchengines-non-esr.patch

8
pkgs/fluffychat-moby/default.nix
View File

@@ -1,9 +1,9 @@
{ pkgs }:
{ symlinkJoin, fluffychat, makeWrapper }:
(pkgs.symlinkJoin {
(symlinkJoin {
name = "fluffychat-moby";
paths = [ pkgs.fluffychat ];
buildInputs = [ pkgs.makeWrapper ];
paths = [ fluffychat ];
buildInputs = [ makeWrapper ];
# ordinary fluffychat on moby displays blank window;
# > Failed to start Flutter renderer: Unable to create a GL context

18
pkgs/fractal-latest/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ fractal-next, fetchFromGitLab, rustPlatform }:
(fractal-next.overrideAttrs (prev: rec {
version = "20221220";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "GNOME";
repo = "fractal";
rev = "d394badd0bf36c43026e01dbeb1cd7f881cf3440";
hash = "sha256-JgLrDrMLEh7302tZ3NOJ12dCMiSxGgecaUjcuDPcGSg=";
};
patches = [];
postPatch = "";
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
hash = "sha256-hHsMcU6s42yKn2+LkWraLDhnmWNY72dL2cJoy6uoOKI=";
};
}))

6
pkgs/gocryptfs/default.nix
View File

@@ -1,6 +1,6 @@
{ pkgs, lib, ... }:
{ gocryptfs, fuse, util-linux, lib }:
(pkgs.gocryptfs.overrideAttrs (upstream: {
(gocryptfs.overrideAttrs (upstream: {
# XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
# unless `logger` (util-linux) is accessible from gocryptfs.
# this is surprising: the code LOOKS like it's meant to handle logging failures.
@@ -9,7 +9,7 @@
# TODO: see about upstreaming this
postInstall = ''
wrapProgram $out/bin/gocryptfs \
--suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
--suffix PATH : ${lib.makeBinPath [ fuse util-linux ]}
ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
'';
}))

10
pkgs/gpodder-configured/default.nix
View File

@@ -1,12 +1,14 @@
{ pkgs
{ makeWrapper
, gpodder
, symlinkJoin
, writeShellScript
, config
}:
(pkgs.symlinkJoin {
(symlinkJoin {
name = "gpodder-configured";
paths = [ pkgs.gpodder ];
buildInputs = [ pkgs.makeWrapper ];
paths = [ gpodder ];
buildInputs = [ makeWrapper ];
# gpodder keeps all its feeds in a sqlite3 database.
# we can configure the feeds externally by wrapping gpodder and just instructing it to import

4
pkgs/jackett/default.nix
View File

@@ -1,6 +1,6 @@
{ pkgs }:
{ jackett }:
(pkgs.jackett.overrideAttrs (upstream: {
(jackett.overrideAttrs (upstream: {
# 2022-07-29: check phase segfaults on arm (with or without my patches)
doCheck = false;
patches = (upstream.patches or []) ++ [

30
pkgs/overlay.nix
View File

@@ -3,14 +3,14 @@
sane-scripts = prev.callPackage ./sane-scripts { };
tow-boot-pinephone = prev.callPackage ./tow-boot-pinephone { };
tow-boot-rpi4 = prev.callPackage ./tow-boot-rpi4 { };
bootpart-uefi-x86_64 = prev.callPackage ./bootpart-uefi-x86_64 { pkgs = prev; };
bootpart-uefi-x86_64 = prev.callPackage ./bootpart-uefi-x86_64 { };
bootpart-tow-boot-rpi-aarch64 = prev.callPackage ./bootpart-tow-boot-rpi-aarch64 {
# not sure why i can't just do pkgs = next here
pkgs = prev // { inherit tow-boot-rpi4; };
# not sure why i can't just do `next.callPackage` instead
inherit tow-boot-rpi4;
};
bootpart-u-boot-rpi-aarch64 = prev.callPackage ./bootpart-u-boot-rpi-aarch64 {
# not sure why i can't just do pkgs = next here
pkgs = prev // { inherit ubootRaspberryPi4_64bit; };
# not sure why i can't just do `next.callPackage` instead
inherit ubootRaspberryPi4_64bit;
};
rtl8723cs-firmware = prev.callPackage ./rtl8723cs-firmware { };
linux-megous = prev.callPackage ./linux-megous {
@@ -23,28 +23,32 @@
sublime-music-mobile = prev.callPackage ./sublime-music-mobile { };
#### customized packages
fluffychat-moby = prev.callPackage ./fluffychat-moby { pkgs = prev; };
gpodder-configured = prev.callPackage ./gpodder-configured { pkgs = prev; };
fluffychat-moby = prev.callPackage ./fluffychat-moby { };
gpodder-configured = prev.callPackage ./gpodder-configured { };
# nixos-unstable pleroma is too far out-of-date for our db
pleroma = prev.callPackage ./pleroma { };
# jackett doesn't allow customization of the bind address: this will probably always be here.
jackett = prev.callPackage ./jackett { pkgs = prev; };
jackett = prev.callPackage ./jackett { inherit (prev) jackett; };
# mozilla keeps nerfing itself and removing configuration options
firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
firefox-unwrapped = prev.callPackage ./firefox-unwrapped { };
# patch rpi uboot with something that fixes USB HDD boot
ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { };
gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
gocryptfs = prev.callPackage ./gocryptfs { inherit (prev) gocryptfs; };
browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
browserpass = prev.callPackage ./browserpass { inherit (prev) browserpass; inherit sane-scripts; };
fractal-latest = prev.callPackage ./fractal-latest { };
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
kaiteki = prev.callPackage ./kaiteki { };
lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { };
browserpass-extension = prev.callPackage ./browserpass-extension { };
gopass-native-messaging-host = prev.callPackage ./gopass-native-messaging-host { };
tokodon = prev.libsForQt5.callPackage ./tokodon { };
splatmoji = prev.callPackage ./splatmoji { };
# trust-dns = prev.callPackage ./trust-dns { };
# kaiteki = prev.kaiteki;
})

43
pkgs/sane-scripts/default.nix
View File

@@ -18,24 +18,34 @@ resholve.mkDerivation {
scripts = [ "bin/*" ];
interpreter = "${pkgs.bash}/bin/bash";
inputs = with pkgs; [
coreutils
# string is interpreted as relative path from @OUT@.
# this lets our scripts reference eachother.
# see: <https://github.com/abathur/resholve/issues/26>
"bin"
coreutils-full
curl
duplicity
file
findutils
git
gnugrep
gnused
gocryptfs
ifuse
inetutils
inotify-tools
iwd
jq
ncurses
oath-toolkit
openssh
openssl
rmlint
rsync
ssh-to-age
sops
sudo
systemd
util-linux
which
];
@@ -45,37 +55,54 @@ resholve.mkDerivation {
"/tmp/rmlint.sh" = true;
# intentionally escapes (into user code)
"$external_cmd" = true;
"$maybe_sudo" = true;
};
fake = {
external = [
# https://github.com/abathur/resholve/issues/29
"umount"
# "umount"
# "/run/wrappers/bin/sudo"
"sudo"
# these are used internally; probably a better fix
"sane-mount-servo"
"sane-private-unlock"
];
};
fix = {
# this replaces umount with the non-setuid-wrapper umount.
# not sure if/where that lack of suid causes problems.
umount = true;
};
# prologue is broken; see <https://github.com/abathur/resholve/issues/89>
# prologue = "bin/prologue";
# list of programs which *can* or *cannot* exec their arguments
execer = with pkgs; [
"cannot:${duplicity}/bin/duplicity"
"cannot:${git}/bin/git"
"cannot:${gocryptfs}/bin/gocryptfs"
"cannot:${ifuse}/bin/ifuse"
"cannot:${iwd}/bin/iwctl"
"cannot:${oath-toolkit}/bin/oathtool"
"cannot:${openssh}/bin/ssh-keygen"
"cannot:${rmlint}/bin/rmlint"
"cannot:${rsync}/bin/rsync"
"cannot:${sops}/bin/sops"
"cannot:${ssh-to-age}/bin/ssh-to-age"
"cannot:${systemd}/bin/systemctl"
];
};
};
patchPhase = ''
# remove python scripts
# TODO: figure out how to make resholve process only shell scripts
rm sane-reclaim-boot-space
rm sane-date-math
'';
installPhase = ''
mkdir -p "$out/bin"
cp -R * "$out"/bin/
mkdir -p $out/bin
cp -R * $out/bin/
# allow scripts to make use of sudo, umount wrappers
sed -i '3iPATH=$PATH:/run/wrappers/bin' $out/bin/*;
'';
meta = {

347
pkgs/sane-scripts/src/sane-date-math Executable file
View File

@@ -0,0 +1,347 @@
#!/usr/bin/env python3
# i just went overboard playing around with parsers, is all.
# use this like `./sane-date-math 'today - 5d'`
# of course, it handles parentheses and operator precedence/associativity, so you can do sillier things like
# `./sane-date-math ' today - (1+3 *4 - ((0)) ) *7d '`
import abc
from datetime import datetime, timedelta
import sys
class Token:
def __init__(self, c: str):
self.c = c
def __repr__(self) -> str:
return f"{self.c!r}"
def __str__(self) -> str:
return self.c
def __eq__(self, other: 'Token') -> bool:
return self.c == other.c
PLUS = Token('+')
MINUS = Token('-')
ASTERISK = Token('*')
SPACE = Token(' ')
OPEN_PAREN = Token('(')
CLOSE_PAREN = Token(')')
UNDERSCORE = Token('_')
DIGITS = [Token(c) for c in '0123456789']
ALPHA_LOWER = [Token(c) for c in 'abcdefghijklmnopqrstuvwxyz']
ALPHA_UPPER = [Token(t.c.upper()) for t in ALPHA_LOWER]
ALPHA = ALPHA_LOWER + ALPHA_UPPER
ALPHA_UNDER = ALPHA + [UNDERSCORE]
ALPHA_NUM_UNDER = ALPHA_UNDER + DIGITS
class ParserContext:
def feed(self, token: Token) -> 'ParserContext':
return None # can't ingest the token
def upgrade(self) -> 'ParserContext':
return None # no upgrade path
class Parser:
"""
LR parser.
keeps exactly one root item, and for each input token
feeds it to the root, possibly "upgrading" the root N times
before it's able to be fed.
"""
def __init__(self, root: ParserContext):
self.root = root
def feed(self, token: Token) -> bool:
new_root = self.root.feed(token)
if new_root is not None:
self.root = new_root
return True
else:
# root can't directly accept this item.
# "upgrade" it and try again.
new_root = self.root.upgrade()
if new_root is None: return False
self.root = new_root
return self.feed(token)
def complete(self) -> ParserContext:
# upgrade the root as far as possible before returning
root = None
new_root = self.root
while new_root is not None:
root = new_root
new_root = root.upgrade()
return root
class ReprParserContext(ParserContext):
""" helper that gives a good default repr to most contexts """
def __init__(self, items: list = None):
self.items = items if items is not None else []
def __repr__(self) -> str:
return f'{self.__class__.__name__}({self.items!r})'
class BaseContext(ReprParserContext):
""" empty context; initial state of the parser """
def feed(self, token: Token) -> ParserContext:
if token == SPACE:
return self
if token == OPEN_PAREN:
return ParenContext(BaseContext())
if token in DIGITS:
return IntegerContext([token])
if token in ALPHA_UNDER:
return IdentifierContext([token])
class IdentifierContext(ReprParserContext):
""" context is an identifier like `today` """
def __init__(self, tokens: list):
super().__init__(tokens)
self.tokens = tokens
def feed(self, token: Token) -> ParserContext:
if token in ALPHA_NUM_UNDER:
return IdentifierContext(self.tokens + [token])
def upgrade(self) -> ParserContext:
return StrongValueContext(self)
class IntegerContext(ReprParserContext):
""" context is an integer like `45` """
def __init__(self, tokens: list):
super().__init__(tokens)
self.tokens = tokens
def feed(self, token: Token) -> ParserContext:
if token in DIGITS:
return IntegerContext(self.tokens + [token])
if token == Token('d'):
return DurationContext(self)
def upgrade(self) -> ParserContext:
# can't continue the integer; it becomes a value
return StrongValueContext(self)
class DurationContext(ReprParserContext):
""" context is a duration like `14d` """
def __init__(self, value: IntegerContext):
super().__init__([value])
self.value = value
def upgrade(self) -> ParserContext:
return StrongValueContext(self)
class BaseValueContext(ReprParserContext):
""" abstract base for types that can be used in compound expressions """
def __init__(self, value: ParserContext):
super().__init__([value])
self.value = value
def feed(self, token: Token) -> ParserContext:
if token == SPACE:
return self
class StrongValueContext(BaseValueContext):
"""
in the context of operators, a strong value is something which prefers
to not be grabbed by a lhs value.
so for example, strong values have the opportunity to initiate a multiply operation before the lhs closes an addition operation that this strong value is a part of
"""
def feed(self, token: Token) -> ParserContext:
if token == ASTERISK:
return BinaryOpContext(self, token, BaseContext())
return super().feed(token)
def upgrade(self) -> ParserContext:
return WeakValueContext(self.value)
class WeakValueContext(BaseValueContext):
def feed(self, token: Token) -> ParserContext:
if token == PLUS:
return BinaryOpContext(self, token, BaseContext())
if token == MINUS:
return BinaryOpContext(self, token, BaseContext())
return super().feed(token)
class BinaryOpContext(ReprParserContext):
""" context for a binary operation. the LHS and operator are parsed, but the rhs may not yet contain a value """
def __init__(self, lhs: BaseValueContext, oper: Token, rhs: ParserContext):
super().__init__([lhs, oper, rhs])
self.lhs = lhs
self.oper = oper
self.rhs = rhs
@property
def precedence_class(self) -> type:
if self.oper in [PLUS, MINUS]:
return WeakValueContext
if self.oper == ASTERISK:
return StrongValueContext
def feed(self, token: Token) -> ParserContext:
new_rhs = self.rhs.feed(token)
if new_rhs is not None:
return BinaryOpContext(self.lhs, self.oper, new_rhs)
def upgrade(self) -> ParserContext:
new_rhs = self.rhs.upgrade()
if new_rhs is None: return None
# upgrade self once the rhs has reach the required precedence compatible with this operator
new_self = BinaryOpContext(self.lhs, self.oper, new_rhs)
if isinstance(new_rhs, self.precedence_class):
return StrongValueContext(self) # close the operation
return new_self
class ParenContext(ReprParserContext):
""" context for a value contained within parentheses """
def __init__(self, inner: ParserContext):
super().__init__([inner])
self.inner = inner
def feed(self, token: Token) -> ParserContext:
new_inner = self.inner.feed(token)
if new_inner is not None:
return ParenContext(new_inner)
if token == CLOSE_PAREN and isinstance(self.inner, WeakValueContext):
return StrongValueContext(self)
def upgrade(self) -> ParserContext:
new_inner = self.inner.upgrade()
if new_inner is not None:
return ParenContext(new_inner)
## AstItems are produced from a ParserContext input
## ParserContext parse outputs are translated into `AstItem`s before evaluation
## so that we can operate on a higher-level tree that directly encodes native values like integers
class AstItem(metaclass=abc.ABCMeta):
@abc.abstractmethod
def eval(self, context: dict):
pass
@staticmethod
def decode_item(p: ParserContext) -> 'AstItem':
if isinstance(p, IntegerContext):
return Literal(AstItem.decode_integer(p))
if isinstance(p, DurationContext):
return Literal(timedelta(AstItem.decode_integer(p.value)))
if isinstance(p, IdentifierContext):
return Variable(AstItem.decode_identifier(p))
if isinstance(p, BaseValueContext):
return AstItem.decode_item(p.value)
if isinstance(p, BinaryOpContext):
return AstItem.decode_bin_op(
p.oper.c,
AstItem.decode_item(p.lhs),
AstItem.decode_item(p.rhs)
)
if isinstance(p, ParenContext):
return AstItem.decode_item(p.inner)
@staticmethod
def decode_integer(p: IntegerContext) -> int:
return int(''.join(t.c for t in p.tokens))
@staticmethod
def decode_identifier(p: IdentifierContext) -> str:
return ''.join(t.c for t in p.tokens)
@staticmethod
def decode_bin_op(ty: str, lhs: 'AstItem', rhs: 'AstItem') -> 'BinaryOp':
if ty == '+':
return AddOp(lhs, rhs)
if ty == '-':
return SubOp(lhs, rhs)
if ty == '*':
return MulOp(lhs, rhs)
class Literal(AstItem):
def __init__(self, v):
self.v = v
def __str__(self) -> str:
return str(self.v)
def eval(self, context: dict):
return self.v
class Variable(AstItem):
def __init__(self, name: str):
self.name = name
def __str__(self) -> str:
return self.name
def eval(self, context: dict):
return context[self.name]
class BinaryOp(AstItem):
def __init__(self, lhs, rhs):
self.lhs = lhs
self.rhs = rhs
class AddOp(BinaryOp):
def __str__(self):
return f"({self.lhs} + {self.rhs})"
def eval(self, context: dict):
return self.lhs.eval(context) + self.rhs.eval(context)
class SubOp(BinaryOp):
def __str__(self):
return f"({self.lhs} - {self.rhs})"
def eval(self, context: dict):
return self.lhs.eval(context) - self.rhs.eval(context)
class MulOp(BinaryOp):
def __str__(self):
return f"({self.lhs} * {self.rhs})"
def eval(self, context: dict):
return self.lhs.eval(context) * self.rhs.eval(context)
## toplevel routine. tokenize -> parse -> decode to AST -> evaluate
def tokenize(stream: str) -> list:
return [Token(char) for char in stream]
def parse(tokens: list) -> ParserContext:
parser = Parser(BaseContext())
for i, t in enumerate(tokens):
result = parser.feed(t)
# print(f"i={i}; t={t}; state: {ctx!r}")
assert result, f"unexpected token '{t}' at {i}; state: {parser.complete()!r}"
return parser.complete()
def evaluate(expr: str) -> object:
tok = tokenize(expr)
parse_tree = parse(tok)
print(parse_tree)
ast = AstItem.decode_item(parse_tree)
print(ast)
env = dict(
today=datetime.now()
)
return ast.eval(env)
if __name__ == '__main__':
expr = " ".join(sys.argv[1:])
print(evaluate(expr))

14
pkgs/sane-scripts/src/sane-git-init Executable file
View File

@@ -0,0 +1,14 @@
#!/usr/bin/env bash
set -x
# initialize a repository with each of my machines configured as remotes.
# it's assumed each machine stores the repo at the same fs path
path=$PWD
git init
git remote add desko "colin@desko:$path"
git remote add lappy "colin@lappy:$path"
git remote add moby "colin@moby:$path"
git remote add servo "colin@servo:$path"

3
pkgs/sane-scripts/src/sane-ip-check Executable file
View File

@@ -0,0 +1,3 @@
#!/usr/bin/env bash
curl https://ipinfo.io/ip
echo

15
pkgs/sane-scripts/src/sane-ip-check-router-wan Executable file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/env bash
# query the WAN IP address OF MY ROUTER
# requires creds
passwd=$(sudo cat /run/secrets/router_passwd)
cookie=$(mktemp)
# authenticate
curl -s --insecure --cookie-jar $cookie \
--data "username=admin&password=$passwd" \
https://192.168.0.1
# query the WAN IP
curl -s --insecure --cookie $cookie \
-H "X-Requested-With: XMLHttpRequest" \
"https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
| jq -r .wan_status.ipaddr

20
pkgs/sane-scripts/src/sane-ip-reconnect Executable file
View File

@@ -0,0 +1,20 @@
#!/usr/bin/env bash
# reconnect to best wifi network.
# lappy frequently DCs from the ideal network
set -ex
sudo iwctl station wlan0 scan
sleep 5
# get networks. remove control characters (colors), then leading info, then take the top-rated network
networks=$(iwctl station wlan0 get-networks rssi-dbms | sed 's/\[[0-9;]*m//g' | sed 's/ [ >]*/ /g' | sed 's/^ //' | tail -n +5)
strengths=$(echo "$networks" | grep -o '\-[0-9][0-9]* *$')
best_strength=$(echo "$strengths" | sort -h | tail -n 1)
best_line=$(echo "$networks" | grep -- "$best_strength$")
# network names could have spaces in them if someone's evil, so rather than `cut`, we trim the `psk` and `db` columnds
best_network=$(echo "$best_line" | sed 's/ [a-z][a-z]* -[0-9][0-9]* *$//g')
sudo iwctl station wlan0 connect "$best_network"

11
pkgs/sane-scripts/src/sane-private-do Executable file
View File

@@ -0,0 +1,11 @@
#!/usr/bin/env bash
# unlock the ~/private store, run some command, and then re-lock the store
set -x
external_cmd=$@
sane-private-unlock
$external_cmd
exec sane-private-lock

3
pkgs/sane-scripts/src/sane-private-unlock
View File

@@ -2,8 +2,7 @@
set -ex
# configure persistent, encrypted storage that is auto-mounted on login.
# this is a one-time setup and user should log out/back in after running it.
# mounts ~/private
mount=/home/colin/private
cipher="/nix/persist$mount"

11
pkgs/sane-scripts/src/sane-rcp
View File

@@ -1,3 +1,10 @@
#!/usr/bin/env sh
# copy some remote file(s) to the working directory, with sane defaults
rsync -arv --progress --append-verify "$@" .
# rsync, with sane defaults
# + verbosity
# + default to cwd as destination if none is provided
dest=
if (( $# <= 1 )); then
# rsync to the current directory by default
dest='.'
fi
rsync -arv --progress --append-verify "$@" $dest

194
pkgs/sane-scripts/src/sane-reclaim-boot-space Executable file
View File

@@ -0,0 +1,194 @@
#!/usr/bin/env python3
import os
import os.path
import subprocess
import sys
EXTLINUX_CONF = "/boot/extlinux/extlinux.conf"
class ConfItem:
pass
class ConfLine:
""" uninteresting line in the config """
def __init__(self, line: str):
self.line = line
def __str__(self) -> str:
return self.line
class ConfEntry:
""" boot entry, with label/linux/etc """
menu = linux = initrd = append = fdtdir = None
def __init__(self, label: str):
self.label = label
def format_attr(self, attr_name: str) -> str:
attr_val = getattr(self, attr_name)
assert attr_val is not None, f"not set: {attr_name}"
return f"{attr_name.upper()} {attr_val}"
def __str__(self) -> str:
return f"""
{self.format_attr("label")}
{self.format_attr("menu")}
{self.format_attr("linux")}
{self.format_attr("initrd")}
{self.format_attr("append")}
{self.format_attr("fdtdir")}
""".strip()
def parse(self, line: str) -> None:
split_at = line.index(" ")
directive, contents = line[:split_at], line[1+split_at:]
self.setattr(directive.lower(), contents)
def setattr(self, directive: str, contents: str) -> None:
assert getattr(self, directive) is None, f"attr already set: {directive} = {contents!r}"
setattr(self, directive, contents)
class UseTracker:
def __init__(self):
self.linux = []
self.initrd = []
self.fdtdir = []
self.sizes = {} # item: str -> [num_using, bytes]
@staticmethod
def from_items(entries: list) -> 'UseTracker':
me = UseTracker()
me.populate_from_fs()
for i in entries:
me.track(i)
return me
def populate_from_fs(self) -> None:
for entry in os.listdir("/boot/nixos"):
item = os.path.join("../nixos", entry)
self.sizes[item] = [0, self._get_size(item)]
def append_unique(self, list_: list, item: str) -> None:
if item not in list_:
list_.append(item)
self.sizes[item][0] += 1
def track(self, entry: ConfItem) -> None:
if isinstance(entry, ConfEntry):
self.append_unique(self.linux, entry.linux)
self.append_unique(self.initrd, entry.initrd)
self.append_unique(self.fdtdir, entry.fdtdir)
def get_use_count(self, item: str) -> int:
return self.sizes[item][0]
def get_size(self, item: str) -> int:
return self.sizes[item][1]
def used_size(self) -> int:
return sum(i[1] for i in self.sizes.values() if i[0] != 0)
def get_unused(self) -> list:
return [i for (i, v) in self.sizes.items() if v[0] == 0]
def unused_size(self) -> int:
return sum(self.get_size(i) for i in self.get_unused())
def _get_size(self, item: str) -> int:
path = os.path.join("/boot/extlinux", item)
du_output = subprocess.check_output(["du", "-b", "-c", path], text=True).strip()
last = du_output.split("\n")[-1]
size, label = last.split("\t")
assert label == "total", f"unexpected du output: {last}"
return int(size)
def print_use_by_cat(tracker: UseTracker, label: str) -> None:
items = getattr(tracker, label)
formatted_items = []
for item in items:
count, size = tracker.get_use_count(item), tracker.get_size(item)
formatted_items.append(f"\n {item}\n {count}x {size}")
print(f" {label}:{''.join(formatted_items)}")
def print_tracker_use(tracker: UseTracker) -> None:
print("in use:")
print_use_by_cat(tracker, "linux")
print_use_by_cat(tracker, "initrd")
print_use_by_cat(tracker, "fdtdir")
print("unused:")
for i in tracker.get_unused():
print(f" {i}\n {tracker.get_size(i)}")
print(f"used space: {tracker.used_size()}")
def delete_unused_from_disk(tracker: UseTracker) -> None:
for f in tracker.get_unused():
path = os.path.join("/boot/extlinux", f)
cmd = ["rm", "-r", "-f", path]
print(" ".join(cmd))
subprocess.check_output(cmd)
def parse_extlinux(contents: str) -> list:
items = []
active_entry = None
for line in contents.split("\n"):
if line.startswith("#") or line == "" or line.startswith("DEFAULT ") or line.startswith("MENU ") or line.startswith("TIMEOUT "):
items.append(ConfLine(line))
elif line.startswith("LABEL "):
items.append(ConfEntry(line[len("LABEL "):]))
elif line.startswith(" "):
items[-1].parse(line[2:])
else:
assert False, f"unknown directive {line!r}"
return items
def write_extlinux(contents: str) -> None:
with open(EXTLINUX_CONF, "r+") as new:
# backup file
with open("./extlinux.conf.back", "w") as back:
back.write(new.read())
new.seek(0)
new.write(new_extlinux)
new.truncate()
def dump_items(items: list) -> str:
return "\n".join(str(i) for i in items)
def prompt_continue() -> None:
if input("continue? [y/N] ").lower() != "y":
print("aborting")
sys.exit(0)
orig_extlinux = open(EXTLINUX_CONF, "r").read()
items = parse_extlinux(orig_extlinux)
tracker = UseTracker.from_items(items)
print_tracker_use(tracker)
print()
if tracker.get_unused():
print(f"recommended to delete unused items from disk to save {tracker.unused_size()}b")
prompt_continue()
else:
orig_tracker = tracker
rmcount = 0
while tracker.used_size() == orig_tracker.used_size():
item = items.pop()
rmcount += isinstance(item, ConfEntry)
tracker = UseTracker.from_items(items)
orig_size = orig_tracker.used_size()
new_size = tracker.used_size()
print(f"recommended to delete {rmcount} oldest entries to save {orig_size - new_size}b")
print_tracker_use(tracker)
prompt_continue()
print()
new_extlinux = dump_items(items)
print(f"new contents:\n{new_extlinux}")
prompt_continue()
write_extlinux(new_extlinux)
delete_unused_from_disk(tracker)

15
pkgs/sane-scripts/src/sane-ssl-dump Executable file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/env bash
# dump info about the provided SSL certificate
cert="$1"
maybe_sudo=
if ! (test -e "$cert")
then
cert="/var/lib/acme/${cert}/full.pem"
maybe_sudo=sudo
fi
# $maybe_sudo openssl x509 -in "$file" -text
$maybe_sudo openssl crl2pkcs7 -nocrl -certfile "$cert" | openssl pkcs7 -print_certs -text -noout

2
pkgs/sane-scripts/src/sane-stop-all-servo
View File

@@ -8,4 +8,4 @@ sudo systemctl stop nginx
sudo systemctl stop postgresql
sudo systemctl stop duplicity.timer
sudo systemctl stop duplicity
sudo systemctl stop wg0veth wireguard-wg0
sudo systemctl stop wireguard-wg0

23
pkgs/sane-scripts/src/sane-vpn-down
View File

@@ -2,15 +2,18 @@
# first arg should be the region, e.g. `us` or `ukr`
case $1 in
ukr)
iface=wg-quick-ovpnd-ukr;;
us)
iface=wg-quick-ovpnd-us;;
*)
echo "invalid vpn name '$1'"; exit 1;;
esac
vpns=$(systemctl list-unit-files | grep wg-quick-ovpnd- | cut -f 1 -d ' ' | sed s'/^wg-quick-ovpnd-\([a-zA-Z-]*\)\.service$/\1/g')
echo vpn: $(curl https://ipinfo.io/ip)
if ! [ $(echo "$vpns" | grep "^$1$") ]
then
echo "invalid vpn name '$1'"
echo "choices:"
echo "$vpns"
exit 1
fi
iface=wg-quick-ovpnd-$1.service
echo vpn: $(sane-ip-check)
sudo systemctl stop $iface
echo plain: $(curl https://ipinfo.io/ip)
echo plain: $(sane-ip-check)

23
pkgs/sane-scripts/src/sane-vpn-up
View File

@@ -2,15 +2,18 @@
# first arg should be the region, e.g. `us` or `ukr`
case $1 in
ukr)
iface=wg-quick-ovpnd-ukr;;
us)
iface=wg-quick-ovpnd-us;;
*)
echo "invalid vpn name '$1'"; exit 1;;
esac
vpns=$(systemctl list-unit-files | grep wg-quick-ovpnd- | cut -f 1 -d ' ' | sed s'/^wg-quick-ovpnd-\([a-zA-Z-]*\)\.service$/\1/g')
echo plain: $(curl https://ipinfo.io/ip)
if ! [ $(echo "$vpns" | grep "^$1$") ]
then
echo "invalid vpn name '$1'"
echo "choices:"
echo "$vpns"
exit 1
fi
iface=wg-quick-ovpnd-$1.service
echo plain: $(sane-ip-check)
sudo systemctl start $iface
echo vpn: $(curl https://ipinfo.io/ip)
echo vpn: $(sane-ip-check)

37
pkgs/splatmoji/default.nix Normal file
View File

@@ -0,0 +1,37 @@
{ lib
, stdenv
, fetchFromGitHub
}:
stdenv.mkDerivation rec {
pname = "splatmoji";
version = "1.2.0";
src = fetchFromGitHub {
owner = "cspeterson";
repo = "splatmoji";
rev = "v${version}";
sha256 = "sha256-fsZ8FhLP3vAalRJWUEi/0fe0DlwAz5zZeRZqAuwgv/U=";
};
dontBuild = true;
# TODO: generate a wrapper so that bin/lib, bin/data aren't linked into the environment?
installPhase = ''
mkdir -p $out/bin
cp splatmoji $out/bin
cp -R lib $out/bin/lib
cp -R data $out/bin/data
cp splatmoji.config $out/bin
patchShebangs $out/bin/splatmoji
'';
meta = with lib; {
description = "Quickly look up and input emoji and/or emoticons/kaomoji on your GNU/Linux desktop via pop-up menu";
homepage = "https://github.com/cspeterson/splatmoji";
license = licenses.mit;
maintainers = with maintainers; [ colinsane ];
platforms = with platforms; linux;
};
}

33
pkgs/trust-dns/default.nix Normal file
View File

@@ -0,0 +1,33 @@
{ lib
, fetchFromGitHub
, openssl
, pkg-config
, rustPlatform
}:
rustPlatform.buildRustPackage rec {
pname = "trust-dns";
version = "0.22.0";
src = fetchFromGitHub {
owner = "bluejekyll";
repo = "trust-dns";
rev = "v${version}";
sha256 = "sha256-b9tK1JbTwB3ZuRPh0wb3cOFj9dMW7URXIaFzUq0Yipw=";
};
cargoHash = "sha256-mpobdeTRWJzIEmhwtcM6UE66qRD5ot/0yLeQM6Tec+0=";
buildInputs = [ openssl ];
nativeBuildInputs = [ pkg-config ];
# tests expect internet connectivity to query real nameservers like 8.8.8.8
doCheck = false;
meta = with lib; {
description = "A Rust based DNS client, server, and resolver";
homepage = "https://trust-dns.org/";
maintainers = with maintainers; [ colinsane ];
platforms = platforms.linux;
license = with licenses; [ asl20 mit ];
};
}

4
pkgs/ubootRaspberryPi4_64bit/default.nix
View File

@@ -1,6 +1,6 @@
{ pkgs, fetchurl }:
{ buildUBoot, fetchurl }:
(pkgs.buildUBoot {
(buildUBoot {
# nixos-22.05 is on 2022.01 at time of writing, which lacks rpi-4 dtb.
# TODO: remove this version/src override once upstream bumps u-boot version.
version = "2022.04";

13
scripts/init-keyring
View File

@@ -10,9 +10,10 @@ fi
keyring=~/.local/share/keyrings/Default_keyring.keyring
echo 'initializing default user keyring:' "$keyring"
echo '[keyring]' > "$keyring"
echo 'display-name=Default keyring' >> "$keyring"
echo 'lock-on-idle=false' >> "$keyring"
echo 'lock-after=false' >> "$keyring"
echo -n "Default_keyring" > ~/.local/share/keyrings/default
echo 'initializing default user keyring:' "$keyring.new"
echo '[keyring]' > "$keyring.new"
echo 'display-name=Default keyring' >> "$keyring.new"
echo 'lock-on-idle=false' >> "$keyring.new"
echo 'lock-after=false' >> "$keyring.new"
# closest to an atomic update we can achieve
mv "$keyring.new" "$keyring" && echo -n "Default_keyring" > ~/.local/share/keyrings/default

25
scripts/install-bluetooth Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/sh
# usage: install-bluetooth <source_dir> <dest_dir>
# source_dir contains plain-text files of any filename.
# for each file, this extracts the MAC and creates a symlink in dest_dir which
# points to the original file, using the MAC name as file path
#
# bluetooth connection structure is /var/lib/bluetooth/<HOST_MAC>/<DEVICE_MAX>/{attributes,info}
#
set -ex
src_dir="$1"
dest_dir="$2"
if [ "x$dest_dir" = "x" ]
then
# default to the first MAC address on the host
dest_dir="/var/lib/bluetooth/$(ls /var/lib/bluetooth)"
fi
for f in $(ls "$src_dir")
do
mac=$(sed -rn 's/# MAC=(.*)/\1/p' "$src_dir/$f")
mkdir -p "$dest_dir/$mac"
ln -sf "$src_dir/$f" "$dest_dir/$mac/info"
done

8
secrets/servo.yaml
View File

@@ -1,5 +1,9 @@
mediawiki_pw: ENC[AES256_GCM,data:g7qM+CMU12apnGQ=,iv:q5K8sBAaUi47Hr0DAWiU1o5CVIO6zkdVVGJ5Zk4P9HA=,tag:CFpSmsflkNFG4kIBzrr5yQ==,type:str]
duplicity_passphrase: ENC[AES256_GCM,data:LgPORB0HhIAfpJdQrwjS+/TWdOeddQ2YNYqfRbWhhuNlImuOlniPzrPaaFv+Mfght7OHs7rnuVr3tOHfeIEBo9S2z05ABOulttHEyeuyJZPE1/0t8IBz2gcNNWs4nhCYbVX3y/rSAG8bhz1Vdb2B/MiCicfJEZAqpXkRilQELXTR5cF5NnmEcR7zOso=,iv:NvwZhBbkYnTDt3izwwQPj4U4XAmiOD5Dv3sF50JA97o=,tag:HSJ5xr/WXn6MQdyV8QYWYw==,type:str]
#ENC[AES256_GCM,data:5uf2kYCg8ZqoOLv50QNI73MYV0HDl4ML2xEKHPOEvCf/Z3aeM6ED,iv:ljqw6IBTPDodejMO2dcjLYyv+LlS/7r9nQ7RyiKC2Dg=,tag:Jko9tIhER4ByDbv5qhsfaQ==,type:comment]
ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
#ENC[AES256_GCM,data:s9NlxWPP5H3OV0PNEWz81XuPX3EXCz7GWcoJcicXpMatLM8d7MvvUJzTWCX29KIcpfXnN/ASjhML+SnAN4l+JLm2ltTJbcIVnpcWvcQ=,iv:9q73OtDm2o0YwpOYB5x5NH1Wr+QQN4lmbgJkCY/UW2c=,tag:qO6UvqGQCCl04pr2nNFauw==,type:comment]
ddns_afraid: ENC[AES256_GCM,data:fTjwU7DoPDXulmjUNXSe5FVLGv4DvPvIHYCLwagVmKXlWOc39Rsco2YGf/kcoAk5oXqUdtdwuA==,iv:x0QwZb2xne8w7BaOXq4Srh5YbFldwLFsgdfK7WE2LGI=,tag:s8QyDBma/ljcSzAY4V1vkA==,type:str]
#ENC[AES256_GCM,data:LMfqz2Rih6CR7RcCbA==,iv:MQ7z93Mhus2Z2q7HZMk4BzkkY/apBIR+9hIiZlknolc=,tag:HU5McecdYk12I3AcvVHEBw==,type:comment]
#ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
#ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
@@ -56,8 +60,8 @@ sops:
cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-16T03:02:50Z"
mac: ENC[AES256_GCM,data:0/lDp6jWueeF4TPfB5rSoEzEF8QVw815DYEHRRea+SrYXGHJT80eK5sqUz00m6adG8aaSlNMAD8d2/nClar6VJKKOHdY+oN8hLztxNGQraMo107d8XOMMycj9vA4IGkCbnlng0cZTB2jsPV6Mfkmf5v+PN4N9F0bQ9W50V1Pf40=,iv:slFJjjlyCyk8aAwfRbiZ/2SKLmUGZE4OvpfrrvSJw3g=,tag:X+057fZLJnDW7CAka8+pCw==,type:str]
lastmodified: "2022-12-15T09:12:44Z"
mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

15
secrets/universal.yaml
View File

@@ -1,5 +1,16 @@
#ENC[AES256_GCM,data:3Swm4ixzL+sg9UVl0VWUq5HmXoLFFY2tkfCLeACB,iv:brZxrQmInGekhv+sX72Ne2ow1katiT4upDBuTPStLuA=,tag:ORcRds8Fo86S5DkAHeeGKw==,type:comment]
#ENC[AES256_GCM,data:LA3vDETFSVN8HZ9dieFHAvV3oP4lmG2Hpiz50MF6NHpSf7mCLbgikTv7UFohKM3vLpU=,iv:rby8r8+ELAV5ZSxALxbRTeXn0u+gv8b5wlxLwbwHt2o=,tag:50csomwWpHmSvLEGiPBAdA==,type:comment]
#ENC[AES256_GCM,data:03yoGnxvrxifgY2sPWVo4AoqJzOfmDw4dGG+/gfbdhnymsYK7MC8Dr9g6sAdXk2r22rtPh97Wz+lkKekAxB8EX6/XIQMvUSFoAOFOKjOyC43hl0=,iv:9QKJNnZT9joQJ0klbluaVc3V3KcgqfJgrX+yn0/VgkM=,tag:TKNubbb0yGFyAbXenUvtbg==,type:comment]
#ENC[AES256_GCM,data:UfEMJoxSCGajodTRERNT9UWHIw==,iv:dG/UI4AW8ZwmI0fr8dAOWRkSyrNwX1GOI1MCYcIVBy8=,tag:rONazGrpRolwttbTEX3Y1A==,type:comment]
#ENC[AES256_GCM,data:NQA7bJoU,iv:nufPTe+1v70yQhznqJ/rf9C4p8oFYZDTDMsR0yrLp7U=,tag:MAG3g70Rxu9QEQilC/Ij1w==,type:comment]
#ENC[AES256_GCM,data:IK/8v+Y=,iv:hhqaIkH13dFmTUPjkS5OEvR93ymDj9zKsOBlMNOgiq4=,tag:sCR4a5pJBhQIFTZnI8awzw==,type:comment]
#ENC[AES256_GCM,data:O1Unbl8lDfY8,iv:u7V1SQQ7Z0D6D077yJdVjg7mMqAc1RLnj3YjLTD62b0=,tag:VNQDVP3YTur674N0tQzFRw==,type:comment]
wg_ovpnd_us_privkey: ENC[AES256_GCM,data:5YkQ4r7HNWiRr/5pa1XfexxtJAz6kDjX+hNiZcheUWCXVIuK0/AuyzcdQ/0=,iv:vr1UHSlsWFnTwEfZj3pBLxvaibQxhSum3SL0Uaqtceo=,tag:dN2U+TkQAgJejgDDYIWdOA==,type:str]
wg_ovpnd_us-atl_privkey: ENC[AES256_GCM,data:NMguzx35VvOAo37U9pGD5bYa/ghWeSK5tVh2XRNsfKjMPhMa44lm3pTscdU=,iv:f9hBhMksL0VGT8k2RsztU9AjR2AIIL+Z2Ls24UOPeNA=,tag:C46xDGb2d32mmHWl7WQb2g==,type:str]
wg_ovpnd_us-mi_privkey: ENC[AES256_GCM,data:uEC3UOOqn1l7KwGmOxKvXccPR9Gu8/BNTlpXxXlNWf19/pIX1CLPORUWme0=,iv:cnPGghGBAsIsR86F1hPZawLWlY/pLCNF/1cg6gjrIKE=,tag:LqMbpGklQH0GX7dNNV3/8Q==,type:str]
wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
#ENC[AES256_GCM,data:qlF8rpSMUv6Z/YrOTp7WYs0lcpmSIi/r+gCuiw==,iv:cneNp/0av/ttQvnW4JVX9mj3261QFAzkLIzEMwiKwE8=,tag:FFsPUQBsSeImtymawY4eSg==,type:comment]
router_passwd: ENC[AES256_GCM,data:Tya3Pd75Yu4=,iv:lqi7SavFnymL+uOQXDEzGxgikB6/ckNOBifjhyjXn1Q=,tag:HG3kf6e2g53uNUGI9FXyqQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -78,8 +89,8 @@ sops:
YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-09T07:48:24Z"
mac: ENC[AES256_GCM,data:j5Rvh2EcWyi42lWhiKF5/t6isowgPZPqwHQIW+H6T7eb1YCRUusqnK69KSIBUvk/19ZXQXxcYqFSxilAEiuinKglXqmK5Tq2hSF+vJjqW9cunuPgeQl58GeA9PyjxrRo+HNjsXqGND9/fcZf+cqvZEQnhQdPE7mCzZaJ3kAXMKY=,iv:BsDIVtzO8nSStlKYYoFktZs2sRwVk5EgQ3GBkCk+1UE=,tag:pxQyFn6Y8bbDF9hQMJqTvA==,type:str]
lastmodified: "2022-12-19T05:49:20Z"
mac: ENC[AES256_GCM,data:sFi/oip78pnd7hKK3L8ExBPt0/QYh1Vl68uLIOKiKBoKpk/mPGBgHAP5jGCWiSG+X6GCe5DpztremmkJhuCyMVcurS/ynZKpXpMuomy2QxLHQnvXXwF4MrqPBGheITczY07J6mJJ3tGI65+NdzCyjb9kE+YfWWMkUHv4PDUT9Mk=,iv:qjxFrkLYcbtox0maq4MyA+VLeTyQxcno5lc6fXnyPiU=,tag:6nqEZPfnllQ4N+Q6Gs6lFA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

48
secrets/universal/bt/car.bin Normal file
View File

@@ -0,0 +1,48 @@
{
"data": "ENC[AES256_GCM,data:+AGpYL+H20r13Ynl0r1w2wmk9t1vI8gxuedfXeWSrt/aa6isCiWC23+NpqZxfzHk8BihTdQ2MAi75tUSaE0QHlaMI15igtEOTjKo6KU1XkdUn1Lz79Z4jE11Ug6+IgwOXIdXEaoqot9KPUBy+/jBsZ4GaFJSHtAvnRiJZFTvVZDOHeJFknkhaFOl6fAPvf4QSX4Fg9FLSGONsShjPXX34HHiXoeyQmLUXnmc/eFhDX2BQDe+fs3AmLR0UT7H4zRmOzToChiSuXSHZIpc24c20orEpqANRRe6ghPW+26VJvVxSbAmd7aMZfTGgEUZ1hchEJkaHHyeU22Ao5MKuMniHFay4u3liYCHZAufym0VB8tpeCpLT8CxS9/rhsJaH4AcvERCjCSR1uoWq/8lbzdmcg0X9yTIbcVOMLkvn2CjqvuOHkKZqw9WKm+jh5DdmvVHGyfq8PQpOjox4vMTm6p4Dzi36sburCMW3eZNkVf+A0oXL+R1bRWERJTnEQ==,iv:bbYhaZibN8YjcrLHKk/p67p9dsAH2NPDMvNrMxp6EXs=,tag:Srcq9V+niuMC04bdGIxT1g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRW1DZmVTVCs0Ym9vLytG\nUm1DWGZHaUhsZkNSTW9RWURDWmxhRFY4QkRZCkMvbExwWGplTFFnQUdDdG5RdFhY\nYWNEM1cxR0hIQS90dS9nVE1rMmhSdDAKLS0tIDFjcEVTZ3pQc2pwVU5yeEJDQjFl\nUmFLZGlQN29saTlramcxejFaWDcyamsKX3GnzkjF3Yqc3T2g0sw+8d0MHUCUDaGg\nG/HBpGBS2ESTH+jAVxv5PFbnS5VFpf4nlPxhUzdE3j7KTikvmAJoAA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWhOc0xNTDY4YUdyYmcv\nQWQ4WEFFcVpmZEhNbGthRVlVcVM1RzQraFZvCmN5L00zTTV2MXFTcWxaWC8ydytu\nQ0NTbDVsRXBaWTVMSzI2VTFCWGFxZFUKLS0tIFoxSTUvREVreEo5dmdmYmExSDB1\nckp5ZnUrOGZxSjB0SHFMaTB2VFFEUVEKqn/1aXfZ/WHtDDVOmGjOT/PUas+5eZ/S\n+QY0qc6mjeJ8yn8ULOmm9M1E4zk5dJGiOIHzJ/rSFZDO0ayR0tcbwg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiay9zZ3lCYk9oOVk1bzVi\naEhCeU9WOHFMdE5xb0RxeEhoTEpPT3B4em5RClhrWjN3YXRsd1E4WTVVc2RPMzJ1\nai94Y0RsUUxOSTlCTSs0SXdTL3ROVGMKLS0tIHBIcXFGc2h4WmtPZGxNM1hQamFt\nM1I3U1cySWtGK29BS0lXZ3paRXhVVFUKf/blwoKGYVgb1YbvDU8/gZbcQJaArKTw\n6oFb7R4bVAkmTtTuSEjRylGomu4tde562zuT3IiZ/ReNnNdcQOSi2g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaVpFTHVlTjJYdEJVVVp0\ndTZobFc2dlorTUx5STd4c3k3K2VzTTVSMlVjCnBtaDdaMjAzOUQ1ejlUMGFmQjJO\nM1hPSXJMa0NmYmgza0lYeWRkaHc1VWMKLS0tIFZJTTM1TFRSZU5GejlRSTQxMlVW\nMXJ3VTNzUjJET1dpaEg5emk0T0xrbEUKBBYPgzSCKXU9jMD9Sc5YRNqBxoxN340R\njf4sBD2LWTofriB1E+ltrd82o0Gz3+JH21/+0cEI0MTD8H5o1r6Sqg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMOVR3S1pDZzlmZVJibENs\nU0k0M1NEQWRacW1oOXY3eVREWE5LVkNaN0NVCk9DNE5CVnpvcGFGSWxZOUFCQ1hn\nS1BQdXBVWm9ta1pMWFZlMm43Zm44WGMKLS0tIDViYmdYWENhc3Y1eDdXYXFDWUR1\na1dBQWtHRTJRTjFySytzSHliaGJ0MlEKKN+Nrqi2NHhV9debUfIIbgYo0eClSUkY\nb24VJc1vj9WBHu6xP0fOfhDaue5oOk0g+7w1RQE7yI5lYBR7DQyxJA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U1B4aHRyem9INTIzU3py\nby9OS1AxYkRlbVlHSTFCVVdRU21INGdVclY4CllvQVZWTVVPajUrSDBFaFdPaGFR\naVhRU0xpNExreVFQZUNzVUlyTzdTbU0KLS0tICtCVVBCWndGNTQvSm1naGY2OVZ4\nY3BDMzZuek5XeXIySEI3MEF2eHhNOUkKPVFHVOVyatt141Nb4EMXR7KdrVIIoDNI\njb86cX3Nq4CyrajmnXKJmBbNoSMHdiehUEaFoimMccnTmQhhxtXKVw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbFNpQy9XWTlJTThOUmFD\nMWYyNEs5ZkVESkp3TFVPOXpIRUJrYTkzRXlvCndzZ1JsOXphZkRSY1BPd3NWdjFB\nY1dzQ3FZVi9rM21QNE9wRnVKdzB0a1EKLS0tIEsycmRiYTJGRFVUNTVoU1N5c0RZ\nTDlKclFZQVkrYXVaWEJtenRXcW5hOEEKFhbLhR2HH5j8iId1PEt2Qr4uLIcSSoiP\nmka7YtK2fe1W9012xKUqKtqZvjtbuFrHb/L7p+UfvCxBXy2c+bXG8w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDQW52MVVRell4eWVnMzZt\nenFqbnVtVGpGRlpVR0NnNkVvUk9Ed25qTXpZCjhlaTFzZXlUZHRsS3dHWDNUMUVI\nOVlmbkdiZnN2RnhVY3F2OWRqQUJBQzgKLS0tIHRJMHJ2d3RJV0JUVUdJTmMxYk1U\nTjQrUkZuQ0xVbWQxZm8xMm5RYzB1WGsKovG+0ueoZS0CQbTsC44upsX1tAXBtxn/\nxgdkUe7EiDX5QLq+AldVc0UzvEY5/ROBBf4d2LzSqp3jJPtEJbYc9Q==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-12-04T10:55:44Z",
"mac": "ENC[AES256_GCM,data:AIFVCniHkBJex0u6LTKj6CmxH92qc7JlRIGFWDGIFqG0LhvHbHdtRq3asT6N557ZiCbZCt+tCe+bcEDTsZrYqzE2BIdTa3qtW5ofmfaB9UXt1qcNAKRAy4LWYAwAGLRjXtgbnRINgaD/NCmOVf/+g7/VkigYXkWHLBLVRAmS1Io=,iv:eVQYqQrDPPyvsOYDRzcZUWqh11KuAcR4+ZPaNGup0LU=,tag:Cje0SL8sxlTbu3BaBc0ogg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

48
secrets/universal/bt/earbuds.bin Normal file
View File

@@ -0,0 +1,48 @@
{
"data": "ENC[AES256_GCM,data:IGm1odrTgOg5GAJFpyWgVbQMC5FEDukW1k8kgWgIEnBPvCsamDyFC07EZD2uMuP0KEs7VLxhE2c+mJN9BdnFd8TJocy2JtHoizzvv6leTxO4YRx8rHBXutGI9FdUeeI/Sv+1V9hiLfVCxQPnvyBpvThfddKSfg7vjdgkEHMixnipCrUQZaRyCW2lByEoAe0WzzpmLtdJ0HBiyZQ6PKzQ+05gA7dwqOaK4ZYLh39cEzAqGVYxzPastxAqxXOIt+4pL5THwnwdfhqfb/buntj4VpA+avePRexMVbY/JmJx+hQpdvZKx17PFVzhlqCZJefsgglObDRrSyTsGkmkkdTch6SPtnymLlI97FYat+V3wFUGo2uwkZVSfSEuXjpwnM0y3hx9C2OlkR1sYCM8cLVQkAqR13x87Uvdq3O4qo48IOM6Zu1lBwL9AblxgCHHfK7DzomcF41VF/pI0yZltEwATOiqvr2ir41uFKLxZ+fw/O3oOjv/jEap/7UFTgx4ShFAAP6vCs54iAGmgh/7b+YnA3ec59bzpXzFC9lZZt1RJyoXnAl+ADev53Q=,iv:ZfxmfvSqWj0IbNJeRGayapUYEznXMD7hhmBhzNPwMuA=,tag:YsjgEJ5p2GXqnzQeGaRX1Q==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVGl5WEhVWEtGMjNZSUMx\nMStIUGpaQ2ttdmxjNUtyS1J0bVViY1k3Snk0CkhZMmhMQVQrM0lQL05hcFlTOTdv\ncFU2N01VNmlwWS9Tczd1aVlkUUpRem8KLS0tIDNXQ0xLVmUwYW5Edy8rSW9CaWhW\ndUVYRFdGMjVwV2w0My9PT0NHS1JtakEK/KjEcC0Ubci8hInUqc2G6uFs2hd9TN76\nPgMDTi8Mt1dM1cGNj7uiPeTo8/ft26yuAtikybpLGMdayuEXp6aTPA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTkNzYVowcGxwek4rdUow\nc3VYbndpSWVscVdmaXB2VFdVS3JpYWdPbGprCmtiQUJzSStjeTVpdGRodDRjcVlQ\nb2NFczZjUzNxSVd3Y0puYUV5WnM1V28KLS0tIC9HdlgxUVBFZ2hPdlBVcVRha05v\nb05hbmRqV29scGE5bjltVVNHZ2V5UU0KfKu9wvY0EfTxUB8Qiy7jc4eI5zoUBtIT\nDUdb6MO7OUHJxtq5YzVJcPui5krR4ehJI7vB5IRWXxT/Yx+BjUd2qw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUEZmNHBmTlUrSVNON0Vx\nU0kwRTNyQTY0UTdjaDVwUjZFSzdPaWgyL2trCkJCZU1MdFlhSndHNjZZb3VBdE9V\na3Iza3FyTUhEcTB3azBURXJKS3dkakkKLS0tIFNMNkZtWXNralFRM1FKVlZuL09p\ncHJGeUJxSXFSMDA4MU1lNU9jWWl4OXcKK71tw9/Xg9uCANFgDQ+kC9sgVP5UEa9S\nqaWPn+VGCMMiGb3TAb9BoRonfmj9eI+NxA/er5jpyT5g2GxKymTN9w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUThqL2k0ZW9maHMzSVhm\nbFBBUEl1Vzh0ZW52S1ZxM1BBTG1ZdUxFQ0ZzClV6aE4zTzlkbW4vMjczMHBJNjRS\nUEs2a21xMndxK1FDMDZqN2xUTHFka0EKLS0tIG5paTZCUmJnN2Z2Y3JncWxPWTli\nSmd3dHZzT3l4MDBIeS9FMC9Bc1F2c0EK4jplLargqOCN5eSpsAqU7zmdEvZzN6Bd\nTLgiuOPwFeQwCJ28lPFXNtPYFQzXhoASatd4Sn/MOKWCQJeVJOhDog==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSb1hNd1k2ZUM3U1REVTlo\ndkhLUG81WGFxQlRVd2cvUU9WVmNSb09Ub1RFCmhINEdhT1I2WS9rUE9CNlppbDRa\nVlgwNzB6RmIra2NRUjU0Ni9abVNSd1kKLS0tIG5pbityUFc2RVJGQTlTend1YTV0\nbStYSWIxSjdGYU0rMHQrTHFkSGNjd2sKBymQa50r5Uo727VI+nM+qc3YAGzM+ZDI\nU6T+MA8L5noCb/ZzKYZFAEN8z8a/xHT7nRiqp8NWQ8OJ0KJDzQvE3w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHJtWVpWVE5mVmZ4RVV0\nS3J6MGhQY3NsYTk2S2FFbGJTQTBjaUlaNWc4CmZRamZmZ2l2OENKZWpOWU1IQXdo\nN29TSVM4dUJXbmZISkVyL0RCTFBrZ1UKLS0tIHY2SDBndG1PRVZqcGxJSjNXUWU5\nL3RyZ0JIblJPS0lmc1pDc2pGK2dTeHMKB1T/43hZDb4lP+seHsKt+aB1TdNyP6FZ\nOt8rezQZqeJ+GnHwV6qsdEtX1DE30niqe3upUS+igkHJ65RGd5TAuQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOU9TWXlCRFh3Sk9aZkF3\nTDVUMWhzQkQ2OW1YbVlQSHUvdHBIWGx1R2tnCi9ubVJyV0lnUHYreDQwNFYxNTM0\nMEk0M1ZRQmliL0ZUVlZlYTM3aG01eXcKLS0tIDZxR3V1ZVpEWHRJajdCcU16NUZS\nNFpGanJxNlpKcm1VS1cxWHNieHVmbTgK0ggrvlCvK+j8F77b4gl1RsWGDfGiFmg/\ns0cMGtIflPT/0D43R/jczrJ/Xp1aBL0TeHyf9YxZu254QeZ5ZPa5kQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTVg0YTFFL1owd1RNUEEx\nMWJOeGttbTI1elhZMTU1VXcwcWt4ZzdJSW5VCnlQRk5OakJJU0grczlHRnhJTWxI\nd21pTDdVTk1vc0dsdVpuWGNrVUpEVDAKLS0tIGNYQVNjellNajR3czlKc0ZYbWpL\nbkt6QnZ1MGRGL0hSS2F6aktXMzB3aVEKb/XnuAMiB6Zn2Hr+LUlPdCii5G7TKYgp\njE7Loh9mPY/WPK2KvCAPYFcjNCmu0JYzCYgpU/i+4Wm7ObsrXh+lGw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-12-04T11:32:25Z",
"mac": "ENC[AES256_GCM,data:UIyF5JSi+GZqch1cPgmgrdZ1ImicdrzVTwYudwKhHDvfXXHzFG+I+1MGRRim872XbImc2EJRBSe27vhyum8pDc7y8cQVepecfqkeEdD66IxEbwx9Wt5ZW9X4nPlj+vobSHjjyV+0Wpmy9pgsfLiQzT+9S8jE4H0FgZv89MNNmCA=,iv:s9V7SDMhttZ1iFk3xNTrnNgMGnn+5LW3G/ORI66QHqY=,tag:+O3YRbsMuz+M+pzrk8zhiQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

48
secrets/universal/bt/portable-speaker.bin Normal file
View File

@@ -0,0 +1,48 @@
{
"data": "ENC[AES256_GCM,data:639/SycbUOC4kwBAJvk2sQCBfnXZrYDzucXFXysOW8DOPU7nZwsdWKmB+41zvLg3vS5GyPTzMco/EaytPbGj+HvRqyKEYCJvBY/ZOoPpAZKltqMkkIS449OFy3vuOS46TPLQ1c5AgsBnHuSFrGGcVXRs+yP1A4rRcn5Au3Z7hPujZA/W3lUR+/Cp4UYc2tk1w2kpWD/SXLqkSX2XTRNPXb1rOva6xxllUiFuG7Yt1a7KfjrkaF4GJK5TNWgGVrY1N7IKzC75Sh1x5wvumF7A1mwLE1I+sa55Sn9qtGsmWwfsDBN+9SRg7uCUipTCrAEAgJK07QdN5P0ZFrQlxqNGn0i5BvKSxn+GK+f7xJIHjb+sexQgNMFQ56V83Zej8U5HQ9vyrx7EHpE44UneUQQ8FkckQVWyhSGs3MVSkfbznb3L2WnOCEogb0xft56pXPOG/K4q7uLkOwUtgcq0Jlf+gZZmuXRoVnNQc//o0u296CF8AFnxA/MJJc67bkONITjlekB7f23NFoywhzyX4RYjjbflRkMF8BRu0RDuynGu0xLZLLlK8QM4uJfpPyH8L2ThiKRbYO7OGaKCYJy6fYx+ViUVsRf3hpHMiDn8yGHxrqABOTv6HSIZvIKo3G4Kn5iF/GPxWQISTZxE7YdYhgUf61UpZEfkgw==,iv:jqWb8k8f8jKscWPwcZy9o9QmOJKG38m9ukbeBDX3IN8=,tag:vZh6J2mtUhaoiwpn17l80g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTXp0RHN2bW9wUDdvWlJa\nNFhyMEJ0OUhSS2RvLyswejc3ZUx2SW1rdDFVCmtZVG9wZitidEZMaE1rdjZSZito\nclB1N2s2bU93S0IwK1UrYlk4NjU1UFUKLS0tIEdvcytSOElhRHlKY1FyRTlTYUlR\najdHeGh6d2FROUJab3d1cExkYlJLQUEKJQUv1/2YuAOEQGaaJ5itEtXrfwB18RcI\nC3V0MXuLqpQpVzsMz6tBU66+343gPTVMZXi/cLLKjpzARKUCPJ3ghA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdmtuT0NaUEplbzQ0WWV2\nQUsrOFRYN0ZET2lwNkhMeTE3bTV6OUUzWW5jCmtsT3dNbXdlSFQyTmlNdndqT0V6\nSGFDM3BaY1plUVYrRkZRSXQ3eno4dWsKLS0tIGRBSzQzVVdCQ3Q2WGpwdTlsSHJO\nZGR5NjRrbW1lWW80NCtVUWtIUEhGcTAKSRPJHEUFWCCe4v2nLnaDY3FIeWvc75jd\nMb8+grC61jBRO3kpMLrHb5dn3/okLX33nZtJNnkCA8jDlR1tyCXUuA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvRWZFWkVWVWlpWjBWenE3\naHp2d1RVcmNrQVVYNkVuWHRUcGRBNTBFbmdNCk4zUGFFSm5lWXhzR05RelNvbnBX\neHhoZDZjZTJPWndQT0dJajh0K2xhWGsKLS0tIHIyeUVoQ0szZHpBQkdBc0hVbFVF\nU29JWFNPT2VtaEFTSTc0OEpsYVVRbWMKLq33uUYhelMgkz/zuI3wmYTPbn+fv4uB\nkwUX2KDOzunPkfznFJ0/uGDHBRgTj5kYKid53IPPAByCGrWemXbbBA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlFGNGZyZWdLQnRkSE1z\nTUgwOWFvL2ZQSWVOVTBBOHJOM0RSaHNFOWlBCmljOTdKQzB1UTU3ZFFENDJFRnps\nYi8xa0czTTNvTFFGc2QydWVmTmN2bEUKLS0tIFJQMkNQOUhDazlsRTlrRDR3TFJP\nLzl3UGRSakhITXdnYzEvMXdsZ3M2RjgKbXJw6e5aFsrL52zknH5vva3y7sLvqVTd\nsyOnStwaTwBWEMRAvG+vtEhgLIJDVCJGEYqKIBzzoOOujJ9ojuzOqw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRmh3R05RNXhjclRHYnB6\ndmxIV1dPQTNud0htRFFHN3ZveUd3NSt1RENRCkRmQzJvNUxZQzc3enlvZjRGTE9x\nWmFxaGRrYzNTUm5WNUtkaHJzbmo1Q3cKLS0tIFVJdXliL0xnZHRnYVBwYkcrTnhx\nc1M2bzQvNmxHcEsyZmZNVUYycDh5QTQKyOSJlIwrwUaglkvdAw24NxxdZnmy88J5\nNWo04oEImdlMCEZQBQ3/o1xyftU8BNY+ovNy7Nym0darKM9f8ka1PA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR3VhRUZybjJuVVFrNXVo\nMkJwNDgweFFmb3BIeEhSZ01RNWk0dEQ1bHlVCkI5Wm42d3haTms3bjlJdldpSGtW\nSGN5cnlkZmlpSm11VjBFeHI4blI0aUkKLS0tIHhESkdjbGFPZis4V0tQcUpXaVJ1\nTEpadHlVL3NUeUZudU15WldZWlpKNXMKVxsLBUb7BwJJ0lJRQk1ZppMID8bt/cbC\namvKeagoT6QDR42FyA6W2Rp8+tBrrkBD3CGRAcXMfUSPIzN9p6kcQg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSXRPbW9OeGFpYng5RXR4\nT3BUMDZmOTRoNlVsVlp3endKOEJCWno2TjFZClpYWklWbDU3OGoySFFJUkRjS2tw\nUFhtZ0puTkV2ckRPMUhLY01MVW1kR2MKLS0tIGJkdHhaNzQ3WG9JRXF6OTNMNnF5\nQ3FVU2FVVDJyYUNqaVlhSkEyZmd6RGcKMRxyVMpxCYxoWXK6zlAPyo3YcPJtTWIO\no2RUlS8oSTB05G7sGkjq3VSFRSgNnekvXOBE513Qmym/cDDbusxpAQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYnMxbDNUR2xyV3B5VzFQ\nM1IxQzV5OXM5L1VYdFRYWUt0cWl4ZUdsQVNJCmRjUjdPMmhoaEFmUUxrVmJCRlFl\nNzZqY3p0YUF3T2lYdysvakx4WVg0bFUKLS0tIFFlazJzb3hmVXNyUU5leUFKL3p0\nNlN0TGxVbGtoUHFtK3hBS2RiYUViVFEKii4w04zeDD6HWURzmAhJdxNdNmQgsPw/\nawI6HSVbbmEGXyL23Pe0oultY8k/ZVE4oHRKBkHh00XoCZM/Ye6neA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-12-03T10:23:14Z",
"mac": "ENC[AES256_GCM,data:KBm0rXwAGPa0ZkqGI9K3rW5B4vJ1FLmITa8xV5WR1SG2MlSqvCqSj4Qe5kxcIc3AqqHF2W+LDaJ0f1fXOCVqWRe1mi/LJyYgPERL5Hn3iOHty9g984Q/QSGvH13O7eY/Fuk2h0mpIX4pOhdpW74qlp1zYDXqUswsKW7ERTTRf6E=,iv:maE+9/OgdgYNX4F/MrzIpJr+/XXyFSayC1YX382oc2Y=,tag:NmrKXA9AjnoTXrQThnvxvg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}