colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: colin:wip/fluffychat
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag
..
compare: colin:wip-kaiteki
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag

1 Commits
wip/fluffy ... wip-kaitek

Author SHA1 Message Date
colin
5152159691 try to add Kaiteki as a package 
requires updating dart (flutter), which is causing problems...
 2022-06-05 02:28:23 -07:00
124 changed files with 1532 additions and 4731 deletions
Expand all files Collapse all files

33
.sops.yaml
View File

@@ -1,33 +0,0 @@
keys:
- &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
- &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
- &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
- &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
- &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
- &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
- &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
- &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
creation_rules:
- path_regex: secrets/universal*
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *user_servo_colin
- *user_moby_colin
- *host_desko
- *host_lappy
- *host_servo
- *host_moby
- path_regex: secrets/servo.yaml$
key_groups:
- age:
- *user_desko_colin
- *user_servo_colin
- *host_servo
- path_regex: secrets/desko.yaml$
key_groups:
- age:
- *user_desko_colin
- *user_lappy_colin
- *host_desko

23
TODO.md
View File

@@ -1,16 +1,21 @@
# features/tweaks
- emoji picker application
- find a Masto/Pleroma app which works on mobile
- remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
- enable sshfs (deskto/lappy)
- set firefox default search engine
- iron out video drivers
# cleanup
- remove helpers from outputs section (use `let .. in`)
# speed up cross compiling
- <https://nixos.wiki/wiki/Cross_Compiling>
- <https://nixos.wiki/wiki/NixOS_on_ARM>
```nix
https://nixos.wiki/wiki/Cross_Compiling
https://nixos.wiki/wiki/NixOS_on_ARM
overlays = [{ ... }: {
nixpkgs.crossSystem.system = "aarch64-linux";
}];
```
- <https://github.com/nix-community/aarch64-build-box>
- apply for access to the community arm build box
# better secrets management? read:
- decrypted at activation time: https://github.com/Mic92/sops-nix
less promising:
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
- git-crypt (https://github.com/bobbbay/dotfiles.git)

25
configuration.nix Normal file
View File

@@ -0,0 +1,25 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
# USEFUL COMMANDS:
# nix show-config
# nix eval --raw <expr> => print an expression. e.g. nixpkgs.raspberrypifw prints store path to the package
# nix-option ## query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
# nixos-rebuild switch --upgrade ## pull changes from the nixos channel (e.g. security updates) and rebuild
{ config, pkgs, ... }:
{
# enable flake support.
# the real config root lives in flake.nix
nix = {
#package = pkgs.nixFlakes;
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
}

88
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1656169755,
"narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
"lastModified": 1654113405,
"narHash": "sha256-VpK+0QaWG2JRgB00lw77N9TjkE3ec0iMYIX1TzGpxa4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
"rev": "ac2287df5a2d6f0a44bbcbd11701dbbf6ec43675",
"type": "github"
},
"original": {
@@ -21,29 +21,14 @@
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1661933071,
"narHash": "sha256-RFgfzldpbCvS+H2qwH+EvNejvqs+NhPVD5j1I7HQQPY=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "def994adbdfc28974e87b0e4c949e776207d5557",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1661716773,
"narHash": "sha256-uxf0aC+kx8av3/IT8/UecxSMElC9i4UQvH25RHFwna4=",
"lastModified": 1654281294,
"narHash": "sha256-hT2/u0jUOD4TFU6YyYt+5Gt+hjIeerLTyZG7ru79aDU=",
"owner": "nixos",
"repo": "mobile-nixos",
"rev": "09e388c42298fa777caa7738cd8d8d2b6d1ac8db",
"rev": "d798b0b34240b18a08c22f5c0ee1f59a3ce43c01",
"type": "github"
},
"original": {
@@ -54,11 +39,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1663067291,
"narHash": "sha256-1BTrqhLMamWf53sJobtMiUDI91PEw6xF8YEwg2VE8w4=",
"lastModified": 1654275867,
"narHash": "sha256-pt14ZE4jVPGvfB2NynGsl34pgXfOqum5YJNpDK4+b9E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d86a4619b7e80bddb6c01bc01a954f368c56d1df",
"rev": "7a20c208aacf4964c19186dcad51f89165dc7ed0",
"type": "github"
},
"original": {
@@ -67,64 +52,27 @@
"type": "indirect"
}
},
"nixpkgs-22_05": {
"nurpkgs": {
"locked": {
"lastModified": 1662864125,
"narHash": "sha256-AtjyEFK7Zp9+hOOUNO1/YZRADV/wC94R3yeKN8saUK4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e6f053b6079c16e7df97531e3e0524ace1304d4d",
"lastModified": 1654367137,
"narHash": "sha256-xufB/+qvk/7rh7qrwZbzru1kTu8nsmNWBNQkYbdS84Q=",
"owner": "nix-community",
"repo": "NUR",
"rev": "86ff2d098bce1d623232f4886027a1d61317b195",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1662818301,
"narHash": "sha256-uRjbKN924ptf5CvQ4cfki3R9nIm5EhrJBeb/xUxwfcM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a25f0b9bbdfedee45305da5d1e1410c5bcbd48f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"impermanence": "impermanence",
"mobile-nixos": "mobile-nixos",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1662870301,
"narHash": "sha256-O+ABD+WzEBLVH6FwxKCIpps0hsR6b5dpYe6fB3e3Ju8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
"nurpkgs": "nurpkgs"
}
}
},

170
flake.nix
View File

@@ -1,10 +1,11 @@
# docs:
# - <https://nixos.wiki/wiki/Flakes>
# - <https://serokell.io/blog/practical-nix-flakes>
# https://nixos.wiki/wiki/Flakes
# https://serokell.io/blog/practical-nix-flakes
{
inputs = {
nixpkgs.url = "nixpkgs/nixos-22.05";
# pkgs-telegram.url = "nixpkgs/33775ec9a2173a08e46edf9f46c9febadbf743e8";# 2022/04/18; telegram 3.7.3. fails: nix log /nix/store/y5kv47hnv55qknb6cnmpcyraicay79fx-telegram-desktop-3.7.3.drv: g++: fatal error: cannot execute '/nix/store/njk5sbd21305bhr7gwibxbbvgbx5lxvn-gcc-9.3.0/libexec/gcc/aarch64-unknown-linux-gnu/9.3.0/cc1plus': execv: No such file or directory
mobile-nixos = {
url = "github:nixos/mobile-nixos";
flake = false;
@@ -13,84 +14,103 @@
url = "github:nix-community/home-manager/release-22.05";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix.url = "github:Mic92/sops-nix";
impermanence.url = "github:nix-community/impermanence";
nurpkgs.url = "github:nix-community/NUR";
};
outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
let
patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched-uninsane";
src = nixpkgs;
patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch;
};
# return something which behaves like `pkgs`, for the provided system
# `local` = architecture of builder. `target` = architecture of the system beying deployed to
nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
# evaluate ONLY our overlay, for the provided system
customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
decl-machine = { name, local, target }:
let
nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
in (nixosSystem {
# by default the local system is the same as the target, employing emulation when they differ
system = target;
specialArgs = { inherit mobile-nixos home-manager impermanence; };
modules = [
./modules
./machines/${name}
(import ./helpers/set-hostname.nix name)
home-manager.nixosModule
impermanence.nixosModule
sops-nix.nixosModules.sops
{
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [
(import "${mobile-nixos}/overlay/overlay.nix")
(import ./pkgs/overlay.nix)
(next: prev: {
# non-emulated packages build *from* local *for* target.
# for large packages like the linux kernel which are expensive to build under emulation,
# the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
cross = (nixpkgsFor local target) // (customPackagesFor local target);
})
];
}
];
outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs }: {
machines.uninsane = self.decl-bootable-machine { name = "uninsane"; system = "aarch64-linux"; };
machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
machines.moby =
let machine = self.decl-machine {
name = "moby";
system = "aarch64-linux";
extraModules = [
(import "${mobile-nixos}/lib/configuration.nix" {
device = "pine64-pinephone";
})
];
};
in {
nixosConfiguration = machine;
img = machine.config.mobile.outputs.u-boot.disk-image;
};
nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) self.machines;
imgs = builtins.mapAttrs (name: value: value.img) self.machines;
decl-machine = { name, system, extraModules ? [], basePkgs ? nixpkgs }: let
patchedPkgs = basePkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched-uninsane";
src = basePkgs;
patches = [
# for mobile: allow phoc to scale to non-integer values
./nixpatches/01-phosh-float-scale.patch
# for raspberry pi: allow building u-boot for rpi 4{,00}
./nixpatches/02-rpi4-uboot.patch
./nixpatches/03-whalebird-4.6.0.patch
./nixpatches/04-dart-2.7.0.patch
];
};
nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
in (nixosSystem {
inherit system;
specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; };
modules = [
./configuration.nix
./machines/${name}
(import ./helpers/set-hostname.nix name)
(self.overlaysModule system)
] ++ extraModules;
});
decl-bootable-machine = { name, local, target }: rec {
nixosConfiguration = decl-machine { inherit name local target; };
# this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
# after building this:
# - flash it to a bootable medium (SD card, flash drive, HDD)
# - resize the root partition (use cfdisk)
# - mount the part
# - chown root:nixbld <part>/nix/store
# - chown root:root -R <part>/nix/store/*
# - chown root:root -R <part>/persist # if using impermanence
# - populate any important things (persist/, home/colin/.ssh, etc)
# - boot
# - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
# - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
# - `nixos-rebuild --flake './#<machine>' switch`
img = nixosConfiguration.config.system.build.img;
# this produces a EFI-bootable .img file (GPT with / and /boot).
# after building this, steps are:
# run `btrfs-convert --uuid copy <device>`
# boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES.
# then `nixos-rebuild ...`
decl-img = { name, system, extraModules ? [] }: (
(self.decl-machine { inherit name; inherit system; extraModules = extraModules ++ [./image.nix]; })
.config.system.build.raw
);
decl-bootable-machine = { name, system }: {
nixosConfiguration = self.decl-machine { inherit name; inherit system; };
img = self.decl-img { inherit name; inherit system; };
};
overlaysModule = system: { config, pkgs, ...}: {
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [
#mobile-nixos.overlay
nurpkgs.overlay
(next: prev: {
#### customized packages
# nixos-unstable pleroma is too far out-of-date for our db
pleroma = prev.callPackage ./pkgs/pleroma { };
# jackett doesn't allow customization of the bind address: this will probably always be here.
jackett = next.callPackage ./pkgs/jackett { pkgs = prev; };
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
# systemd = import ./pkgs/systemd { pkgs = prev; };
# patch rpi uboot with something that fixes USB HDD boot
ubootRaspberryPi4_64bit = next.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = prev; };
#### TEMPORARY NIXOS-UNSTABLE PACKAGES
# stable telegram doesn't build, so explicitly use the stable one.
# TODO: apply this specifically to the moby build?
# tdesktop = pkgs-telegram.legacyPackages.${system}.tdesktop;
tdesktop = nixpkgs.legacyPackages.${system}.tdesktop;
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
whalebird = prev.callPackage ./pkgs/whalebird { };
kaiteki = prev.callPackage ./pkgs/kaiteki { };
})
];
};
machines.servo = decl-bootable-machine { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
machines.desko = decl-bootable-machine { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
machines.lappy = decl-bootable-machine { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
machines.moby = decl-bootable-machine { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
# special cross-compiled variant, to speed up deploys from an x86 box to the arm target
# note that these *do* produce different store paths, because the closure for the tools used to cross compile
# v.s. emulate differ.
# so deploying moby-cross and then moby incurs some rebuilding.
machines.moby-cross = decl-bootable-machine { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
machines.rescue = decl-bootable-machine { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
in {
nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
imgs = builtins.mapAttrs (name: value: value.img) machines;
packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
};
}

13
helpers/gui/gnome.nix Normal file
View File

@@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
{
# start gnome/gdm on boot
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.gdm.enable = true;
# gnome does networking stuff with networkmanager
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
}

16
helpers/gui/i3.nix Normal file
View File

@@ -0,0 +1,16 @@
{ pkgs, ... }:
{
environment.pathsToLink = [ "/libexec" ]; # patch for i3blocks to work
services.xserver.enable = true;
services.xserver.displayManager.defaultSession = "none+i3";
services.xserver.windowManager.i3 = {
enable = true;
extraPackages = with pkgs; [
dmenu
i3status
i3lock
i3blocks
];
};
}

21
helpers/gui/phosh.nix Normal file
View File

@@ -0,0 +1,21 @@
{ ... }:
{
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
};
};
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
};
}

14
helpers/gui/plasma-mobile.nix Normal file
View File

@@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
{
# start plasma-mobile on boot
services.xserver.enable = true;
services.xserver.desktopManager.plasma5.mobile.enable = true;
services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false; # not all plasma5-mobile packages build for aarch64
services.xserver.displayManager.sddm.enable = true;
# Plasma does networking stuff with networkmanager, but nix configures the defaults itself
# networking.useDHCP = false;
# networking.networkmanager.enable = true;
# networking.wireless.enable = lib.mkForce false;
}

31
helpers/gui/sway.nix Normal file
View File

@@ -0,0 +1,31 @@
{ pkgs, ... }:
# docs: https://nixos.wiki/wiki/Sway
{
programs.sway = {
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
enable = true;
};
# TODO: should be able to use SDDM to get interactive login
services.greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.sway}/bin/sway";
user = "colin";
};
default_session = initial_session;
};
};
# unlike other DEs, sway configures no audio stack
# administer with pw-cli, pw-mon, pw-top commands
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true; # ??
pulse.enable = true;
};
}

65
helpers/hardware-x86_64.nix Normal file
View File

@@ -0,0 +1,65 @@
{ config, pkgs, lib, ... }:
{
boot.initrd.availableKernelModules = [
"xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
"usb_storage" # rpi needed this to boot from usb storage, i think.
# "usbhid" "hid-generic" # hopefully these will fix USB HID auto-sleep ?
];
boot.initrd.kernelModules = [ ];
boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
# find more of these with sensors-detect
boot.kernelModules = [
"coretemp"
"kvm-intel"
"kvm-amd" # desktop
"amdgpu" # desktop
];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "boot.shell_on_fail" ];
boot.consoleLogLevel = 7;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 40; # keep this many generations
boot.loader.efi.canTouchEfiVariables = true;
# enable cross compilation
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# nixpkgs.crossSystem.system = "aarch64-linux";
powerManagement.cpuFreqGovernor = "powersave";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true; # desktop
hardware.cpu.intel.updateMicrocode = true; # laptop
services.fwupd.enable = true;
# powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
powerManagement.powertop.enable = false;
hardware.opengl.extraPackages = [
# laptop
pkgs.intel-compute-runtime
pkgs.intel-media-driver # new
pkgs.libvdpau-va-gl # new
pkgs.vaapiIntel
# desktop
pkgs.rocm-opencl-icd
pkgs.rocm-opencl-runtime
];
hardware.opengl.driSupport = true;
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
# TODO colin: does this *do* anything?
swapDevices = [ ];
# services.snapper.configs = {
# root = {
# subvolume = "/";
# extraConfig = {
# ALLOW_USERS = "colin";
# };
# };
# };
# services.snapper.snapshotInterval = "daily";
}

532
helpers/home-manager-gen-colin.nix Normal file
View File

@@ -0,0 +1,532 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
# system is e.g. x86_64-linux
# gui is "gnome", or null
{ lib, pkgs, system, gui, extraPackages ? [] }: {
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
programs.home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/src";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
programs.zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
dotDir = ".config/zsh";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt = {
theme = "powerlevel10k";
};
};
};
programs.kitty.enable = true;
programs.git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
};
programs.vim = {
enable = true;
extraConfig = ''
" wtf vim project: NOBODY LIKES MOUSE FOR VISUAL MODE
set mouse-=a
" copy/paste to system clipboard
set clipboard=unnamedplus
" <tab> completion menu settings
set wildmenu
set wildmode=longest,list,full
" highlight all matching searches (using / and ?)
set hlsearch
" allow backspace to delete empty lines in insert mode
set backspace=indent,eol,start
" built-in syntax highlighting
syntax enable
" show line/col number in bottom right
set ruler
" highlight trailing space & related syntax errors (does this work?)
let c_space_errors=1
let python_space_errors=1
'';
};
# obtain these by running `dconf dump /` after manually customizing gnome
# TODO: fix "is not of type `GVariant value'"
# dconf.settings = lib.mkIf (gui == "gnome") {
# gnome = {
# # control alt-tab behavior
# "org/gnome/desktop/wm/keybindings" = {
# switch-applications = [ "<Super>Tab" ];
# switch-applications-backward=[];
# switch-windows=["<Alt>Tab"];
# switch-windows-backward=["<Super><Alt>Tab"];
# };
# # idle power savings
# "org/gnome/settings-deamon/plugins/power" = {
# idle-brigthness = 50;
# sleep-inactive-ac-type = "nothing";
# sleep-inactive-battery-timeout = 5400; # seconds
# };
# "org/gnome/shell" = {
# favorite-apps = [
# "org.gnome.Nautilus.desktop"
# "firefox.desktop"
# "kitty.desktop"
# # "org.gnome.Terminal.desktop"
# ];
# };
# "org/gnome/desktop/session" = {
# # how long until considering a session idle (triggers e.g. screen blanking)
# idle-delay = 900;
# };
# "org/gnome/desktop/interface" = {
# text-scaling-factor = 1.25;
# };
# "org/gnome/desktop/media-handling" = {
# # don't auto-mount inserted media
# automount = false;
# automount-open = false;
# };
# };
# };
# home.pointerCursor = {
# package = pkgs.vanilla-dmz;
# name = "Vanilla-DMZ";
# };
# taken from https://github.com/srid/nix-config/blob/705a70c094da53aa50cf560179b973529617eb31/nix/home/i3.nix
xsession.windowManager.i3 = lib.mkIf (gui == "i3") (
let
mod = "Mod4";
in {
enable = true;
config = {
modifier = mod;
fonts = {
names = [ "DejaVu Sans Mono" ];
style = "Bold Semi-Condensed";
size = 11.0;
};
# terminal = "kitty";
# terminal = "${pkgs.kitty}/bin/kitty";
keybindings = {
"${mod}+Return" = "exec ${pkgs.kitty}/bin/kitty";
"${mod}+p" = "exec ${pkgs.dmenu}/bin/dmenu_run";
"${mod}+x" = "exec sh -c '${pkgs.maim}/bin/maim -s | xclip -selection clipboard -t image/png'";
"${mod}+Shift+x" = "exec sh -c '${pkgs.i3lock}/bin/i3lock -c 222222 & sleep 5 && xset dpms force of'";
# Focus
"${mod}+j" = "focus left";
"${mod}+k" = "focus down";
"${mod}+l" = "focus up";
"${mod}+semicolon" = "focus right";
# Move
"${mod}+Shift+j" = "move left";
"${mod}+Shift+k" = "move down";
"${mod}+Shift+l" = "move up";
"${mod}+Shift+semicolon" = "move right";
# multi monitor setup
# "${mod}+m" = "move workspace to output DP-2";
# "${mod}+Shift+m" = "move workspace to output DP-5";
};
# bars = [
# {
# position = "bottom";
# statusCommand = "${pkgs.i3status-rust}/bin/i3status-rs ${./i3status-rust.toml}";
# }
# ];
};
});
wayland.windowManager.sway = lib.mkIf (gui == "sway") {
enable = true;
wrapperFeatures.gtk = true;
config = rec {
terminal = "${pkgs.kitty}/bin/kitty";
window.border = 3; # pixel boundary between windows
# defaults; required for keybindings decl.
modifier = "Mod1";
# list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
# menu = "${pkgs.dmenu}/bin/dmenu_path";
menu = "${pkgs.fuzzel}/bin/fuzzel";
# menu = "${pkgs.albert}/bin/albert";
left = "h";
down = "j";
up = "k";
right = "l";
keybindings = {
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+${left}" = "focus left";
"${modifier}+${down}" = "focus down";
"${modifier}+${up}" = "focus up";
"${modifier}+${right}" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
"${modifier}+Shift+${left}" = "move left";
"${modifier}+Shift+${down}" = "move down";
"${modifier}+Shift+${up}" = "move up";
"${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
"${modifier}+b" = "splith";
"${modifier}+v" = "splitv";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+a" = "focus parent";
"${modifier}+s" = "layout stacking";
"${modifier}+w" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
"${modifier}+Shift+space" = "floating toggle";
"${modifier}+space" = "focus mode_toggle";
"${modifier}+1" = "workspace number 1";
"${modifier}+2" = "workspace number 2";
"${modifier}+3" = "workspace number 3";
"${modifier}+4" = "workspace number 4";
"${modifier}+5" = "workspace number 5";
"${modifier}+6" = "workspace number 6";
"${modifier}+7" = "workspace number 7";
"${modifier}+8" = "workspace number 8";
"${modifier}+9" = "workspace number 9";
"${modifier}+Shift+1" =
"move container to workspace number 1";
"${modifier}+Shift+2" =
"move container to workspace number 2";
"${modifier}+Shift+3" =
"move container to workspace number 3";
"${modifier}+Shift+4" =
"move container to workspace number 4";
"${modifier}+Shift+5" =
"move container to workspace number 5";
"${modifier}+Shift+6" =
"move container to workspace number 6";
"${modifier}+Shift+7" =
"move container to workspace number 7";
"${modifier}+Shift+8" =
"move container to workspace number 8";
"${modifier}+Shift+9" =
"move container to workspace number 9";
"${modifier}+Shift+minus" = "move scratchpad";
"${modifier}+minus" = "scratchpad show";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+e" =
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
"${modifier}+r" = "mode resize";
} // {
# media keys
XF86MonBrightnessDown = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set 2%-"'';
XF86MonBrightnessUp = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set +2%"'';
XF86AudioRaiseVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
};
# mostly defaults:
bars = [{
mode = "dock";
hiddenState = "hide";
position = "top";
command = "${pkgs.waybar}/bin/waybar";
workspaceButtons = true;
workspaceNumbers = true;
statusCommand = "${pkgs.i3status}/bin/i3status";
fonts = {
names = [ "monospace" ];
size = 8.0;
};
trayOutput = "primary";
colors = {
background = "#000000";
statusline = "#ffffff";
separator = "#666666";
focusedWorkspace = {
border = "#4c7899";
background = "#285577";
text = "#ffffff";
};
activeWorkspace = {
border = "#333333";
background = "#5f676a";
text = "#ffffff";
};
inactiveWorkspace = {
border = "#333333";
background = "#222222";
text = "#888888";
};
urgentWorkspace = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
bindingMode = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
};
}];
};
};
programs.waybar = lib.mkIf (gui == "sway") {
enable = true;
# docs: https://github.com/Alexays/Waybar/wiki/Configuration
settings = {
mainBar = {
layer = "top";
height = 40;
modules-left = ["sway/workspaces" "sway/mode"];
modules-center = ["sway/window"];
modules-right = ["custom/mediaplayer" "clock" "cpu" "network"];
"sway/window" = {
max-length = 50;
};
# include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
"custom/mediaplayer" = {
exec = pkgs.writeShellScript "waybar-mediaplayer" ''
player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
if [ "$player_status" = "Playing" ]; then
echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
elif [ "$player_status" = "Paused" ]; then
echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
fi
'';
interval = 2;
format = "{} ";
# return-type = "json";
on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
};
network = {
interval = 1;
format-ethernet = "{ifname}: {ipaddr}/{cidr} up: {bandwidthUpBits} down: {bandwidthDownBits}";
};
cpu = {
format = "{usage}% ";
tooltip = false;
};
clock = {
format-alt = "{:%a, %d. %b %H:%M}";
};
};
};
# style = ''
# * {
# border: none;
# border-radius: 0;
# font-family: Source Code Pro;
# }
# window#waybar {
# background: #16191C;
# color: #AAB2BF;
# }
# #workspaces button {
# padding: 0 5px;
# }
# .custom-spotify {
# padding: 0 10px;
# margin: 0 4px;
# background-color: #1DB954;
# color: black;
# }
# '';
};
programs.firefox = lib.mkIf (gui != null) {
enable = true;
profiles.default = {
bookmarks = {
fed_uninsane.url = "https://fed.uninsane.org/";
delightful.url = "https://delightful.club/";
crowdsupply.url = "https://www.crowdsupply.com/";
linux_phone_apps.url = "https://linuxphoneapps.org/mobile-compatibility/5/";
mempool.url = "https://jochen-hoenicke.de/queue";
};
};
# firefox profile support seems to be broken :shrug:
# profiles.other = {
# id = 2;
# };
# NB: these must be manually enabled in the Firefox settings on first start
# extensions can be found here: https://gitlab.com/rycee/nur-expressions/-/blob/master/pkgs/firefox-addons/addons.json
extensions = [
pkgs.nur.repos.rycee.firefox-addons.bypass-paywalls-clean
pkgs.nur.repos.rycee.firefox-addons.metamask
pkgs.nur.repos.rycee.firefox-addons.i-dont-care-about-cookies
pkgs.nur.repos.rycee.firefox-addons.sidebery
pkgs.nur.repos.rycee.firefox-addons.sponsorblock
pkgs.nur.repos.rycee.firefox-addons.ublock-origin
];
};
home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
home.packages = [
pkgs.btrfs-progs
pkgs.dig
pkgs.cryptsetup
pkgs.duplicity
pkgs.fatresize
pkgs.fd
pkgs.file
pkgs.gnumake
pkgs.gptfdisk
pkgs.hdparm
pkgs.htop
pkgs.iftop
pkgs.inetutils # for telnet
pkgs.iotop
pkgs.iptables
pkgs.jq
pkgs.killall
pkgs.lm_sensors # for sensors-detect
pkgs.lsof
pkgs.mix2nix
pkgs.netcat
pkgs.nixpkgs-review
pkgs.nixUnstable # TODO: still needed on 22.05?
# pkgs.nixos-generators
# pkgs.nettools
pkgs.nmap
pkgs.obsidian
pkgs.parted
pkgs.pciutils
# pkgs.ponymix
pkgs.powertop
pkgs.pulsemixer
pkgs.python3
pkgs.ripgrep
pkgs.smartmontools
pkgs.snapper
pkgs.socat
pkgs.sudo
pkgs.usbutils
pkgs.wget
pkgs.wireguard-tools
pkgs.youtube-dl
pkgs.zola
]
++ (if gui != null then
[
# GUI only
pkgs.chromium
pkgs.clinfo
pkgs.element-desktop # broken on phosh
pkgs.evince # works on phosh
pkgs.font-manager
pkgs.gimp # broken on phosh
pkgs.gnome.dconf-editor
pkgs.gnome.file-roller
pkgs.gnome.gnome-maps # works on phosh
pkgs.gnome.nautilus
pkgs.gnome-podcasts
pkgs.gnome.gnome-terminal # works on phosh
pkgs.inkscape
pkgs.kaiteki # Pleroma client
pkgs.libreoffice-fresh # XXX colin: maybe don't want this on mobile
pkgs.mesa-demos
pkgs.playerctl
pkgs.tdesktop # broken on phosh
pkgs.vlc # works on phosh
pkgs.whalebird # pleroma client. input is broken on phosh
pkgs.xterm # broken on phosh
] else [])
++ (if gui == "sway" then
[
# TODO: move this to helpers/gui/sway.nix?
pkgs.swaylock
pkgs.swayidle
pkgs.wl-clipboard
pkgs.mako # notification daemon
# pkgs.dmenu # todo: use wofi?
# user stuff
# pkgs.pavucontrol
] else [])
++ (if gui != null && system == "x86_64-linux" then
[
# x86_64 only
pkgs.signal-desktop
pkgs.spotify
pkgs.discord
] else [])
++ extraPackages;
}

17
helpers/universal/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ ... }:
{
imports = [
./fs.nix
./home-manager.nix
./nix-cache.nix
./users.nix
];
time.timeZone = "America/Los_Angeles";
environment.variables = {
EDITOR = "vim";
};
}

25
helpers/universal/fs.nix Normal file
View File

@@ -0,0 +1,25 @@
{ pkgs, ... }:
{
fileSystems."/mnt/media-uninsane" = {
# device = "sshfs#colin@uninsane.org:/opt/uninsane/media";
device = "colin@uninsane.org:/opt/uninsane/media";
fsType = "fuse.sshfs";
options = [
"x-systemd.automount"
"_netdev"
"user"
"idmap=user"
"transform_symlinks"
"identityfile=/home/colin/.ssh/id_ed25519"
"allow_other"
"default_permissions"
"uid=1000"
"gid=1000"
];
};
environment.systemPackages = [
pkgs.sshfs-fuse
];
}

9
helpers/universal/home-manager.nix Normal file
View File

@@ -0,0 +1,9 @@
{ home-manager, config, pkgs, ... }:
{
imports = [
home-manager.nixosModule
];
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}

16
helpers/universal/nix-cache.nix Normal file
View File

@@ -0,0 +1,16 @@
{ ... }:
{
# use our own binary cache
nix.settings = {
substituters = [
"https://nixcache.uninsane.org"
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
}

53
helpers/universal/users.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
{
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
uid = 1000;
# XXX colin: this is what the installer has, but is it necessary?
# group = "users";
extraGroups = [
"wheel"
"nixbuild"
"networkmanager"
# phosh/mobile. XXX colin: unsure if necessary
"video"
"feedbackd"
"dialout" # required for modem access
];
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
# shell = pkgs.bashInteractive;
# XXX colin: create ssh key for THIS user by logging in and running:
# ssh-keygen -t ed25519
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGSDe/y0e9PSeUwYlMPjzhW0UhNsGAGsW3lCG3apxrD5 colin@colin.desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+MZ/l5d8g5hbxMB9ed1uyvhV85jwNrSVNVxb5ujQjw colin@lappy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
# TODO: should probably only let this authenticate to my server
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCLCA9KbjXaXNNMJJvqbPO5KQQ64JCdG8sg88AfdKzi colin@moby"
];
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# TODO colin: move this somewhere else!
programs.vim.defaultEditor = true;
}

21
image.nix Normal file
View File

@@ -0,0 +1,21 @@
{ config, lib, pkgs, modulesPath, ... }:
{
fileSystems."/" = {
# boot by label instead of unpredictable uuid
device = "/dev/disk/by-label/nixos-img";
# make-disk-image only supports ext4
fsType = "ext4";
};
# fileSystems."/boot".device = "/dev/vda1";
fileSystems."/boot".device = "/dev/disk/by-label/ESP";
system.build.raw = import "${toString modulesPath}/../lib/make-disk-image.nix" {
inherit lib config pkgs;
partitionTableType = "efi";
label = "nixos-img";
fsType = config.fileSystems."/".fsType;
diskSize = "auto";
format = "raw";
};
}

57
machines/desko/default.nix
View File

@@ -1,52 +1,25 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./../../helpers/hardware-x86_64.nix
# ./../../helpers/gui/gnome.nix
#./../../helpers/gui/i3.nix
./../../helpers/gui/sway.nix
./fs.nix
];
sane.gui.sway.enable = true;
sane.services.duplicity.enable = true;
sane.services.nixserve.enable = true;
sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
sane.impermanence.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
# needed to use libimobiledevice/ifuse, for iphone sync
services.usbmuxd.enable = true;
users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots
# - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
services.snapper.configs.nix = {
# TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
# but that also requires setting up the persist dir as a subvol
subvolume = "/nix";
# TODO: ALLOW_USERS doesn't seem to work. still need `sudo snapper -c nix list`
extraConfig = ''
ALLOW_USERS = "colin";
'';
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "x86_64-linux";
# gui = "gnome";
# gui = "i3";
gui = "sway";
extraPackages = [
pkgs.electrum
];
};
sops.secrets.duplicity_passphrase = {
sopsFile = ../../secrets/desko.yaml;
};
programs.steam = {
enable = true;
# not sure if needed: stole this whole snippet from the wiki
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
sane.impermanence.home-dirs = [
".steam"
".local/share/Steam"
];
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}

31
machines/desko/fs.nix
View File

@@ -1,30 +1,8 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp for building large nix things.
# a cross-compiled kernel, particularly, will easily use 30+GB of tmp
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=777"
"size=64G"
"defaults"
];
};
fileSystems."/nix" = {
# device = "/dev/disk/by-uuid/985a0a32-da52-4043-9df7-615adec2e4ff";
device = "/dev/disk/by-uuid/0ab0770b-7734-4167-88d9-6e4e20bb2a56";
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/d969ee61-12cf-4490-be07-4440c7be593f";
fsType = "btrfs";
options = [
"compress=zstd"
@@ -33,8 +11,7 @@
};
fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/CAA7-E7D2";
device = "/dev/disk/by-uuid/41B6-BAEF";
device = lib.mkDefault "/dev/disk/by-uuid/F826-6192";
fsType = "vfat";
};
}

26
machines/lappy/default.nix
View File

@@ -1,28 +1,18 @@
{ pkgs, ... }:
{ config, pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./../../helpers/hardware-x86_64.nix
./../../helpers/gui/gnome.nix
./fs.nix
];
# sane.users.guest.enable = true;
sane.gui.sway.enable = true;
sane.impermanence.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
# default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like:
# - hourly snapshots
# - auto cleanup; keep the last 10 hourlies, last 10 daylies, last 10 monthlys.
services.snapper.configs.nix = {
# TODO: for the impermanent setup, we'd prefer to just do /nix/persist,
# but that also requires setting up the persist dir as a subvol
subvolume = "/nix";
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "x86_64-linux";
gui = "gnome";
};
# TODO: only here for debugging
# services.ipfs.enable = true;
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}

46
machines/lappy/fs.nix
View File

@@ -1,27 +1,7 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp of default size (half RAM) for building large nix things
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=777"
"defaults"
];
};
fileSystems."/nix" = {
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";
fsType = "btrfs";
options = [
@@ -31,27 +11,7 @@
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/BD79-D6BB";
device = lib.mkDefault "/dev/disk/by-uuid/BD79-D6BB";
fsType = "vfat";
};
# fileSystems."/nix" = {
# device = "/dev/disk/by-uuid/5a7fa69c-9394-8144-a74c-6726048b129f";
# fsType = "btrfs";
# };
# fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/4302-1685";
# fsType = "vfat";
# };
# fileSystems."/" = {
# device = "none";
# fsType = "tmpfs";
# options = [
# "mode=755"
# "size=1G"
# "defaults"
# ];
# };
}

96
machines/moby/default.nix
View File

@@ -1,65 +1,49 @@
{ config, pkgs, lib, mobile-nixos, ... }:
{ config, pkgs, lib, ... }:
{
imports = [
# (import "${mobile-nixos}/lib/configuration.nix" {
# device = "pine64-pinephone";
# })
./firmware.nix
./fs.nix
./kernel.nix
./../../helpers/universal
./../../helpers/gui/phosh.nix
# ./../../helpers/gui/plasma-mobile.nix
# ./../../helpers/gui/gnome.nix
];
# XXX colin: phosh doesn't work well with passwordless login
users.users.colin.initialPassword = "147147";
services.getty.autologinUser = "root"; # allows for emergency maintenance?
# usability compromises
sane.impermanence.home-dirs = [
".librewolf"
];
home-manager.users.colin = import ./../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "aarch64-linux";
gui = "phosh";
extraPackages = [
# for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
pkgs.angelfish # plasma mobile web browser; broken on phosh (poor wayland support)
# pkgs.plasma5Packages.index # file browser
pkgs.plasma5Packages.konsole # terminal
# pkgs.plasma5Packages.pix # picture viewer
pkgs.plasma5Packages.kalk # calculator; broken on phosh
# pkgs.plasma5Packages.buho # (plasma mobile?) note application
pkgs.plasma5Packages.kasts # podcast app; works on phosh after setting QT envar
pkgs.plasma5Packages.koko # image gallery; broken on phosh
pkgs.plasma5Packages.kwave # media player.
# pkgs.plasma5Packages.neochat # matrix client. needs qcoro => no aarch64 support
# pkgs.plasma5Packages.plasma-dialer # phone dialer
# pkgs.plasma5Packages.plasma-mobile # the whole shebang?
# pkgs.plasma5Packages.plasma-settings
pkgs.plasma5Packages.bomber # arcade game; broken on phosh
pkgs.plasma5Packages.kapman # pacman
pkgs.w3m # text-based web browser; works!
pkgs.st # suckless terminal; broken on phosh
# pkgs.alacritty # terminal; crashes phosh
];
};
# sane.home-manager.extraPackages = [
# # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
# pkgs.angelfish # plasma mobile web browser; broken on phosh (poor wayland support)
# # pkgs.plasma5Packages.index # file browser
# pkgs.plasma5Packages.konsole # terminal
# # pkgs.plasma5Packages.pix # picture viewer
# pkgs.plasma5Packages.kalk # calculator; broken on phosh
# # pkgs.plasma5Packages.buho # (plasma mobile?) note application
# pkgs.plasma5Packages.kasts # podcast app; works on phosh after setting QT envar
# pkgs.plasma5Packages.koko # image gallery; broken on phosh
# pkgs.plasma5Packages.kwave # media player.
# # pkgs.plasma5Packages.neochat # matrix client. needs qcoro => no aarch64 support
# # pkgs.plasma5Packages.plasma-dialer # phone dialer
# # pkgs.plasma5Packages.plasma-mobile # the whole shebang?
# # pkgs.plasma5Packages.plasma-settings
# pkgs.plasma5Packages.bomber # arcade game; broken on phosh
# pkgs.plasma5Packages.kapman # pacman
# pkgs.st # suckless terminal; broken on phosh
# # pkgs.alacritty # terminal; crashes phosh
# ];
# sane.home-packages.enableGuiPkgs = false; # XXX faster builds/imaging for debugging
sane.home-manager.extraPackages = [
pkgs.plasma5Packages.konsole # terminal
];
sane.nixcache.enable = true;
sane.impermanence.enable = true;
sane.gui.phosh.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
# mobile.bootloader.enable = false;
# mobile.boot.stage-1.enable = false;
# boot.initrd.systemd.enable = false;
# boot.initrd.services.swraid.enable = false; # attempt to fix dm_mod stuff
# mobile-nixos' /lib/firmware includes:
# rtl_bt (bluetooth)
# anx7688-fw.bin (USB-C -> HDMI bridge)
# ov5640_af.bin (camera module)
# hardware.firmware = [ config.mobile.device.firmware ];
hardware.firmware = [ pkgs.rtl8723cs-firmware ];
system.stateVersion = "21.11";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
# XXX colin: not sure which, if any, software makes use of this
@@ -69,6 +53,4 @@
# enable rotation sensor
hardware.sensor.iio.enable = true;
users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
}

12
machines/moby/firmware.nix
View File

@@ -1,12 +0,0 @@
{ config, pkgs, ... }:
{
# we need space in the GPT header to place tow-boot.
# only actually need 1 MB, but better to over-allocate than under-allocate
sane.image.extraGPTPadding = 16 * 1024 * 1024;
sane.image.firstPartGap = 0;
system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
cp -v ${config.system.build.img-without-firmware}/nixos.img $out
chmod +w $out
dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
'';
}

28
machines/moby/fs.nix
View File

@@ -1,28 +0,0 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
fsType = "btrfs";
options = [
"compress=zstd"
"defaults"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0299-F1E5";
fsType = "vfat";
};
}

143
machines/moby/kernel.nix
View File

@@ -1,143 +0,0 @@
{ lib, pkgs, ... }:
let
# use the last commit on the 5.18 branch (5.18.14)
# manjaro's changes between kernel patch versions tend to be minimal if any.
manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/25bd828cd47b1c6e09fcbcf394a649b89d2876dd";
manjaroPatch = name: sha256: {
inherit name;
patch = pkgs.fetchpatch {
inherit name;
url = "${manjaroBase}/${name}?inline=false";
inherit sha256;
};
};
# the idea for patching off Manjaro's kernel comes from jakewaksbaum:
# - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
# - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
manjaroPatches = [
(manjaroPatch
"1001-arm64-dts-allwinner-add-hdmi-sound-to-pine-devices.patch"
"sha256-DApd791A+AxB28Ven/MVAyuyVphdo8KQDx8O7oxVPnc="
)
# these patches below are critical to enable wifi (RTL8723CS)
# - the alternative is a wholly forked kernel by megi/megous:
# - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
# - i don't know if these patches are based on megi's or original
(manjaroPatch
"2001-Bluetooth-Add-new-quirk-for-broken-local-ext-features.patch"
"sha256-CExhJuUWivegxPdnzKINEsKrMFx/m/1kOZFmlZ2SEOc="
)
(manjaroPatch
"2002-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch"
"sha256-dDdvOphTcP/Aog93HyH+L9m55laTgtjndPSE4/rnzUA="
)
(manjaroPatch
"2004-arm64-dts-allwinner-enable-bluetooth-pinetab-pinepho.patch"
"sha256-o43P3WzXyHK1PF+Kdter4asuyGAEKO6wf5ixcco2kCQ="
)
# XXX: this one has a Makefile, which hardcodes /sbin/depmod:
# - drivers/staging/rtl8723cs/Makefile
# - not sure if this is problematic?
(manjaroPatch
"2005-staging-add-rtl8723cs-driver.patch"
"sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
)
];
# pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
# - this includes sun50i-a64.dtsi
# - and sun50i-a64-cpu-opp.dtsi
# - no need to touch the allwinner-h6 stuff: that's the SBC pine product
# - i think it's safe to ignore sun9i stuff, but i don't know what it is
kernelConfig = with lib.kernel; {
# NB: nix adds the CONFIG_ prefix to each of these.
# if you add the prefix yourself nix will IGNORE YOUR CONFIG.
RTL8723CS = module;
BT_HCIUART_3WIRE = yes;
BT_HCIUART_RTL = yes;
RTL8XXXU_UNTESTED = yes;
BT_BNEP_MC_FILTER = yes;
BT_BNEP_PROTO_FILTER = yes;
BT_HS = yes;
BT_LE = yes;
# relevant configs inherited from nixos defaults (or above additions):
# CONFIG_BT=m
# CONFIG_BT_BREDR=y
# CONFIG_BT_RFCOMM=m
# CONFIG_BT_RFCOMM_TTY=y
# CONFIG_BT_BNEP=m
# CONFIG_BT_HIDP=m
# CONFIG_BT_RTL=m
# CONFIG_BT_HCIBTUSB=m
# CONFIG_BT_HCIBTUSB_BCM=y
# CONFIG_BT_HCIBTUSB_RTL=y
# CONFIG_BT_HCIUART=m
# CONFIG_BT_HCIUART_SERDEV=y
# CONFIG_BT_HCIUART_H4=y
# CONFIG_BT_HCIUART_LL=y
# CONFIG_RTL_CARDS=m
# CONFIG_RTLWIFI=m
# CONFIG_RTLWIFI_PCI=m
# CONFIG_RTLWIFI_USB=m
# CONFIG_RTLWIFI_DEBUG=y
# CONFIG_RTL8723_COMMON=m
# CONFIG_RTLBTCOEXIST=m
# CONFIG_RTL8XXXU=m
# CONFIG_RTLLIB=m
# consider adding (from mobile-nixos):
# maybe: CONFIG_BT_HCIUART_3WIRE=y
# maybe: CONFIG_BT_HCIUART_RTL=y
# maybe: CONFIG_RTL8XXXU_UNTESTED=y
# consider adding (from manjaro):
# CONFIG_BT_6LOWPAN=m (not listed as option in nixos kernel)
# these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
# maybe: CONFIG_RTL_ODM_WLAN_DRIVER
# maybe: CONFIG_RTL_TRIBAND_SUPPORT
# maybe: CONFIG_SDIO_HCI
# maybe: CONFIG_USB_HCI
};
# create a kernelPatch which overrides nixos' defconfig with extra options
patchDefconfig = config: {
# defconfig options. this method comes from here:
# - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
name = "sane-moby-defconfig";
patch = null;
extraStructuredConfig = config;
};
in
{
# use Megi's kernel:
# even with the Manjaro patches, stock 5.18 has a few issues on Pinephone:
# - no battery charging
# - phone rotation sensor is off by 90 degrees
# - ambient light sensor causes screen brightness to be shakey
# - phosh greeter may not appear after wake from sleep
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
boot.kernelPatches = [
(patchDefconfig (kernelConfig //
(with lib.kernel; {
# disabling the sun5i_eink driver avoids this compilation error:
# CC [M] drivers/video/fbdev/sun5i-eink-neon.o
# aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
# aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
# make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
FB_SUN5I_EINK = no;
})
))
];
# alternatively, use nixos' kernel and add the stuff we want:
# # cross-compilation optimization:
# boot.kernelPackages =
# let p = (import nixpkgs { localSystem = "x86_64-linux"; });
# in p.pkgsCross.aarch64-multiplatform.linuxPackages_5_18;
# # non-cross:
# # boot.kernelPackages = pkgs.linuxPackages_5_18;
# boot.kernelPatches = manjaroPatches ++ [
# (patchDefconfig kernelConfig)
# ];
}

16
machines/rescue/default.nix
View File

@@ -1,16 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./fs.nix
];
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
system.stateVersion = "21.05";
}

12
machines/rescue/fs.nix
View File

@@ -1,12 +0,0 @@
{ ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/44445555-6666-7777-8888-999900001111";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2222-3333";
fsType = "vfat";
};
}

69
machines/servo/fs.nix
View File

@@ -1,69 +0,0 @@
{ ... }:
{
# root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"mode=755"
"size=1G"
"defaults"
];
};
# we need a /tmp for building large nix things
fileSystems."/tmp" = {
device = "none";
fsType = "tmpfs";
options = [
"size=40G"
"mode=777"
"defaults"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/31D3-40CB";
fsType = "vfat";
};
# fileSystems."/var/lib/pleroma" = {
# device = "/opt/pleroma";
# options = [ "bind" ];
# };
# in-memory compressed RAM (seems to be dynamically sized)
zramSwap = {
enable = true;
};
# btrfs doesn't easily support swapfiles
# swapDevices = [
# { device = "/nix/persist/swapfile"; size = 4096; }
# ];
# this can be a partition. create with:
# fdisk <dev>
# n
# <default partno>
# <start>
# <end>
# t
# <partno>
# 19 # set part type to Linux swap
# w # write changes
# mkswap -L swap <part>
swapDevices = [
{
label = "swap";
# TODO: randomEncryption.enable = true;
}
];
}

32
machines/servo/services/ddns-he.nix
View File

@@ -1,32 +0,0 @@
{ config, pkgs, ... }:
{
systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric";
serviceConfig = {
EnvironmentFile = config.sops.secrets.ddns_he.path;
# TODO: ProtectSystem = "strict";
# TODO: ProtectHome = "full";
# TODO: PrivateTmp = true;
};
# HE DDNS API is documented: https://dns.he.net/docs.html
script = let
crl = "${pkgs.curl}/bin/curl -4";
in ''
${crl} "https://he.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=he.uninsane.org"
${crl} "https://native.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=native.uninsane.org"
${crl} "https://uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=uninsane.org"
'';
};
systemd.timers.ddns-he = {
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "10min";
};
};
sops.secrets."ddns_he" = {
sopsFile = ../../../secrets/servo.yaml;
};
}

69
machines/servo/services/ipfs.nix
View File

@@ -1,69 +0,0 @@
# admin:
# - view stats:
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats bw
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats dht
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ bitswap stat
# - number of open peer connections:
# - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ swarm peers | wc -l
{ ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
];
services.ipfs.enable = true;
services.ipfs.localDiscovery = true;
services.ipfs.swarmAddress = [
# "/dns4/ipfs.uninsane.org/tcp/4001"
# "/ip4/0.0.0.0/tcp/4001"
"/dns4/ipfs.uninsane.org/udp/4001/quic"
"/ip4/0.0.0.0/udp/4001/quic"
];
services.ipfs.extraConfig = {
Addresses = {
Announce = [
# "/dns4/ipfs.uninsane.org/tcp/4001"
"/dns4/ipfs.uninsane.org/udp/4001/quic"
];
};
Gateway = {
# the gateway can only be used to serve content already replicated on this host
NoFetch = true;
};
Swarm = {
ConnMgr = {
# maintain between LowWater and HighWater peer connections
# taken from: https://github.com/ipfs/ipfs-desktop/pull/2055
# defaults are 600-900: https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmconnmgr
LowWater = 20;
HighWater = 40;
# default is 20s. i guess more grace period = less churn
GracePeriod = "1m";
};
ResourceMgr = {
# docs: https://github.com/libp2p/go-libp2p-resource-manager#resource-scopes
Enabled = true;
Limits = {
System = {
Conns = 196;
ConnsInbound = 128;
ConnsOutbound = 128;
FD = 512;
Memory = 1073741824; # 1GiB
Streams = 1536;
StreamsInbound = 1024;
StreamsOutbound = 1024;
};
};
};
Transports = {
Network = {
# disable TCP, force QUIC, for lighter resources
TCP = false;
QUIC = true;
};
};
};
};
}

11
machines/servo/services/jellyfin.nix
View File

@@ -1,11 +0,0 @@
{ config, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
];
users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
services.jellyfin.enable = true;
}

17
machines/servo/services/navidrome.nix
View File

@@ -1,17 +0,0 @@
{ ... }:
{
sane.impermanence.service-dirs = [
{ user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
];
services.navidrome.enable = true;
services.navidrome.settings = {
# docs: https://www.navidrome.org/docs/usage/configuration-options/
Address = "127.0.0.1";
Port = 4533;
MusicFolder = "/var/lib/uninsane/media/Music";
CovertArtPriority = "*.jpg, *.JPG, *.png, *.PNG, embedded";
AutoImportPlaylists = false;
ScanSchedule = "@every 1h";
};
}

35
machines/servo/default.nix → machines/uninsane/default.nix
View File

@@ -1,48 +1,31 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
{
imports = [
./../../helpers/universal
./fs.nix
./hardware.nix
./net.nix
./users.nix
./services/ddns-he.nix
./services/duplicity.nix
./services/gitea.nix
./services/ipfs.nix
./services/jackett.nix
./services/jellyfin.nix
./services/matrix.nix
./services/navidrome.nix
./services/nginx.nix
./services/nix-serve.nix
./services/pleroma.nix
./services/postfix.nix
./services/postgres.nix
./services/transmission.nix
];
sane.home-manager.enable = true;
sane.home-manager.extraPackages = [
# for administering matrix
pkgs.matrix-synapse
];
sane.impermanence.enable = true;
sane.services.duplicity.enable = true;
sane.services.nixserve.enable = true;
# TODO: look into the EFI stuff
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
sops.secrets.duplicity_passphrase = {
sopsFile = ../../secrets/servo.yaml;
};
# both transmission and ipfs try to set different net defaults.
# we just use the most aggressive of the two here:
boot.kernel.sysctl = {
"net.core.rmem_max" = "4194304"; # 4MB
home-manager.users.colin = import ../../helpers/home-manager-gen-colin.nix {
inherit pkgs lib;
system = "aarch64-linux";
gui = null;
extraPackages = [ pkgs.matrix-synapse ];
};
# This value determines the NixOS release from which the default

37
machines/uninsane/fs.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
{
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-uuid/2be70d38-79f4-41b6-bee2-bce5a25f8f7b";
fsType = "ext4";
};
fileSystems."/boot" = {
device = lib.mkDefault "/dev/disk/by-uuid/B318-A67E";
fsType = "vfat";
};
fileSystems."/var/lib/pleroma" = {
device = "/opt/pleroma";
options = [ "bind" ];
};
fileSystems."/var/lib/transmission/Downloads" = {
device = "/opt/uninsane/media";
options = [ "bind" ];
};
fileSystems."/var/lib/transmission/.incomplete" = {
device = "/opt/uninsane/media/incomplete";
options = [ "bind" ];
};
# in-memory compressed RAM (seems to be dynamically sized)
zramSwap = {
enable = true;
};
swapDevices = [
{ device = "/swapfile"; size = 4096; }
];
}

21
machines/servo/hardware.nix → machines/uninsane/hardware.nix
View File

@@ -1,17 +1,26 @@
# this file originates from nixos-generate-config
# but has been heavily modified
{ pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
# enables non-free firmware
hardware.enableRedistributableFirmware = true;
# i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
# nixos-22.05 linux 5.15 DOES have these now.
# it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
# see: https://github.com/raspberrypi/linux
boot.kernelPackages = pkgs.linuxPackages_rpi4;
# NixOS defaults to grub: we don't want that.
boot.loader.grub.enable = false;
# raspberryPi boot loader creates extlinux.conf.
# otherwise, enable the generic-extlinux-compatible loader below.
# note: THESE ARE MUTUALLY EXCLUSIVE. generic-extlinux-compatible causes uboot to not be built
# boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.version = 4;
boot.initrd.availableKernelModules = [
"bcm2711_thermal"
@@ -35,6 +44,16 @@
"xhci_pci_renesas"
];
# boot.initrd.compressor = "gzip"; # defaults to zstd
# hack in the `boot.shell_on_fail` arg since it doesn't seem to work otherwise
boot.initrd.preFailCommands = "allowShell=1";
# default: 4 (warn). 7 is debug
boot.consoleLogLevel = 7;
# boot.kernelParams = [
# "boot.shell_on_fail"
# # "boot.trace"
# # "systemd.log_level=debug"
# # "systemd.log_target=console"
# ];
# ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
# when load is detected. (v.s. the "performance" default, which always uses the max frequency)

19
machines/servo/net.nix → machines/uninsane/net.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, secrets, ... }:
{
networking.domain = "uninsane.org";
@@ -18,15 +18,12 @@
80 # HTTP
143 # IMAP
443 # HTTPS
465 # SMTPS
587 # SMTPS/submission
465 # SMTPS (maybe not required?)
587 # SMTPS/submission (maybe not required?)
993 # IMAPS
4001 # IPFS
];
networking.firewall.allowedUDPPorts = [
1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
4001 # IPFS
];
# DLNA ports: https://jellyfin.org/docs/general/networking/index.html
networking.firewall.allowedUDPPorts = [ 1900 7359 ];
# we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
networking.nameservers = [
@@ -38,7 +35,7 @@
# DOCS: https://nixos.wiki/wiki/WireGuard
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
privateKey = secrets.wireguard.privateKey;
# wg is active only in this namespace.
# run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
# sudo ip netns exec ovpns ping www.google.com
@@ -90,10 +87,6 @@
};
};
sops.secrets."wg_ovpns_privkey" = {
sopsFile = ../../secrets/servo.yaml;
};
# HURRICANE ELECTRIC CONFIG:
# networking.sits = {
# hurricane = {

20
machines/uninsane/services/ddns-he.nix Normal file
View File

@@ -0,0 +1,20 @@
{ pkgs, secrets, ... }:
{
systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric";
# HE DDNS API is documented: https://dns.he.net/docs.html
script = let
pass = secrets.ddns-he.password;
crl = "${pkgs.curl}/bin/curl -4";
in ''
${crl} "https://he.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=he.uninsane.org"
${crl} "https://native.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=native.uninsane.org"
${crl} "https://uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=uninsane.org"
'';
};
systemd.timers.ddns-he.timerConfig = {
OnStartupSec = "2min";
OnUnitActiveSec = "10min";
};
}

36
machines/uninsane/services/duplicity.nix Normal file
View File

@@ -0,0 +1,36 @@
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
{ config, pkgs, lib, secrets, ... }:
{
services.duplicity.enable = true;
services.duplicity.targetUrl = secrets.duplicity.url;
# format: PASSPHRASE=<cleartext>
# two sisters
services.duplicity.secretFile =
builtins.toFile "duplicity_env" "PASSPHRASE=${secrets.duplicity.passphrase}";
# NB: manually trigger with `systemctl start duplicity`
services.duplicity.frequency = "daily";
services.duplicity.exclude = [
# impermanent/inconsequential data:
"/dev"
"/proc"
"/run"
"/sys"
"/tmp"
# bind mounted (dupes):
"/var/lib/pleroma"
"/var/lib/transmission/Downloads"
"/var/lib/transmission/.incomplete"
# data that's not worth the cost to backup:
"/opt/uninsane/media"
];
services.duplicity.extraFlags = [
# without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
"--allow-source-mismatch"
];
# set this for the FIRST backup, then remove it to enable incremental backups
# (that the first backup *isn't* full i think is a defect)
# services.duplicity.fullIfOlderThan = "always";
}

5
machines/servo/services/gitea.nix → machines/uninsane/services/gitea.nix
View File

@@ -1,11 +1,6 @@
{ config, pkgs, lib, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
];
users.groups.gitea.gid = config.sane.allocations.gitea-gid;
services.gitea.enable = true;
services.gitea.user = "git"; # default is 'gitea'
services.gitea.database.type = "postgres";

6
machines/servo/services/jackett.nix → machines/uninsane/services/jackett.nix
View File

@@ -1,10 +1,6 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? we only need this to save Indexer creds ==> migrate to config?
{ user = "root"; group = "root"; directory = "/var/lib/jackett"; }
];
services.jackett.enable = true;
systemd.services.jackett.after = ["wg0veth.service"];

5
machines/uninsane/services/jellyfin.nix Normal file
View File

@@ -0,0 +1,5 @@
{ config, pkgs, lib, ... }:
{
services.jellyfin.enable = true;
}

38
machines/servo/services/matrix.nix → machines/uninsane/services/matrix.nix
View File

@@ -1,14 +1,8 @@
# docs: https://nixos.wiki/wiki/Matrix
# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
{ config, ... }:
{ config, pkgs, lib, secrets, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode?
# user and group are both "matrix-appservice-irc"
{ user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
{ user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
];
services.matrix-synapse.enable = true;
services.matrix-synapse.settings.server_name = "uninsane.org";
@@ -35,12 +29,29 @@
}
];
# services.matrix-synapse.extraConfig = ''
# registration_requires_token: true
# admin_contact: "admin.matrix@uninsane.org"
# '';
services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
services.matrix-synapse.extraConfigFiles = [
config.sops.secrets.matrix_synapse_secrets.path
];
services.matrix-synapse.settings.email = {
smtp_host = "mx.uninsane.org";
smtp_port = 587;
smtp_user = "matrix-synapse";
smtp_pass = secrets.matrix-synapse.smtp_pass;
require_transport_security = true;
enable_tls = true;
notif_from = "%(app)s <notify.matrix@uninsane.org>";
app_name = "Uninsane Matrix";
enable_notifs = true;
validation_token_lifetime = "96h";
invite_client_location = "https://web.matrix.uninsane.org";
subjects = {
email_validation = "[%(server_name)s] Validate your email";
};
};
# services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
# admin_contact: "admin.matrix@uninsane.org"
@@ -161,9 +172,4 @@
};
};
};
sops.secrets.matrix_synapse_secrets = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.matrix-synapse.name;
};
}

38
machines/servo/services/nginx.nix → machines/uninsane/services/nginx.nix
View File

@@ -6,11 +6,8 @@
# web blog/personal site
services.nginx.virtualHosts."uninsane.org" = {
root = "/var/lib/uninsane/root";
# a lot of places hardcode https://uninsane.org,
# and then when we mix http + non-https, we get CORS violations
# and things don't look right. so force SSL.
forceSSL = true;
root = "/opt/uninsane/root";
addSSL = true;
enableACME = true;
# allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
@@ -213,29 +210,6 @@
};
};
services.nginx.virtualHosts."music.uninsane.org" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:4533";
};
services.nginx.virtualHosts."ipfs.uninsane.org" = {
# don't default to ssl upgrades, since this may be dnslink'd from a different domain.
# ideally we'd disable ssl entirely, but some places assume it?
addSSL = true;
enableACME = true;
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
'';
};
};
# exists only to manage certs for dovecot
services.nginx.virtualHosts."imap.uninsane.org" = {
forceSSL = true;
@@ -260,12 +234,4 @@
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin.acme@uninsane.org";
users.users.acme.uid = config.sane.allocations.acme-uid;
users.groups.acme.gid = config.sane.allocations.acme-gid;
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
{ user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
];
}

12
machines/uninsane/services/nix-serve.nix Normal file
View File

@@ -0,0 +1,12 @@
# docs: https://nixos.wiki/wiki/Binary_Cache
# to copy something to this machine's nix cache, do:
# nix copy --to ssh://nixcache.uninsane.org PACKAGE
{ secrets, ... }:
{
services.nix-serve = {
enable = true;
secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;
# "/var/cache-priv-key.pem";
};
}

32
machines/servo/services/pleroma.nix → machines/uninsane/services/pleroma.nix
View File

@@ -1,26 +1,21 @@
# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
#
# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
{ config, pkgs, ... }:
{ config, pkgs, lib, secrets, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
];
users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
services.pleroma.enable = true;
services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
# TODO: we should write a config file somewhere outside the store... somehow.
services.pleroma.secretConfigFile = "/dev/null";
services.pleroma.configs = [
''
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "fed.uninsane.org", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: 4000]
# secret_key_base: "{secrets.pleroma.secret_key_base}",
# signing_salt: "{secrets.pleroma.signing_salt}"
http: [ip: {127, 0, 0, 1}, port: 4000],
secret_key_base: "${secrets.pleroma.secret_key_base}",
signing_salt: "${secrets.pleroma.signing_salt}"
config :pleroma, :instance,
name: "Perfectly Sane",
@@ -51,6 +46,7 @@
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
password: "${secrets.pleroma.db_password}",
database: "pleroma",
hostname: "localhost",
pool_size: 10,
@@ -58,15 +54,14 @@
parameters: [
plan_cache_mode: "force_custom_plan"
]
# password: "{secrets.pleroma.db_password}",
# Configure web push notifications
config :web_push_encryption, :vapid_details,
subject: "mailto:notify.pleroma@uninsane.org"
# public_key: "{secrets.pleroma.vapid_public_key}",
# private_key: "{secrets.pleroma.vapid_private_key}"
subject: "mailto:notify.pleroma@uninsane.org",
public_key: "${secrets.pleroma.vapid_public_key}",
private_key: "${secrets.pleroma.vapid_private_key}"
# config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
config :joken, default_signer: "${secrets.pleroma.joken_default_signer}"
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
@@ -129,9 +124,4 @@
# PrivateTmp = lib.mkForce false;
# CapabilityBoundingSet = lib.mkForce "~";
# };
sops.secrets.pleroma_secrets = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.pleroma.name;
};
}

19
machines/servo/services/postfix.nix → machines/uninsane/services/postfix.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, pkgs, lib, secrets, ... }:
let
submissionOptions = {
@@ -16,11 +16,6 @@ let
};
in
{
sane.impermanence.service-dirs = [
# TODO: mode? could be more granular
{ user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
{ user = "root"; group = "root"; directory = "/var/lib/postfix"; }
];
services.postfix.enable = true;
services.postfix.hostname = "mx.uninsane.org";
services.postfix.origin = "uninsane.org";
@@ -87,7 +82,10 @@ in
services.dovecot2.enablePAM = false;
services.dovecot2.extraConfig =
let
passwdFile = config.sops.secrets.dovecot_passwd.path;
passwdFile = builtins.toFile "dovecot-passwd-file" ''
colin:${secrets.dovecot.hashedPasswd.colin}:1000:1000::/var/mail/colin/run/current-system/sw/bin/nologin:
matrix-synapse:${secrets.dovecot.hashedPasswd.matrix-synapse}:224:224::/var/mail/colin:/run/current-system/sw/bin/nologin:
'';
in
''
passdb {
@@ -135,11 +133,4 @@ in
# pattern = "/^Subject:.*activate your account/";
# }
];
sops.secrets.dovecot_passwd = {
sopsFile = ../../../secrets/servo.yaml;
owner = config.users.users.dovecot2.name;
# TODO: debug why mail can't be sent without this being world-readable
mode = "0444";
};
}

8
machines/servo/services/postgres.nix → machines/uninsane/services/postgres.nix
View File

@@ -1,12 +1,8 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode?
{ user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
];
services.postgresql.enable = true;
# services.postgresql.dataDir = "/opt/postgresql/13";
services.postgresql.dataDir = "/opt/postgresql/13";
# XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
# services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
# CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';

16
machines/servo/services/transmission.nix → machines/uninsane/services/transmission.nix
View File

@@ -1,10 +1,6 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
sane.impermanence.service-dirs = [
# TODO: mode? we need this specifically for the stats tracking in .config/
{ user = "70"; group = "70"; directory = "/var/lib/transmission"; }
];
services.transmission.enable = true;
services.transmission.settings = {
rpc-bind-address = "0.0.0.0";
@@ -18,8 +14,6 @@
rpc-whitelist-enabled = false;
# download-dir = "/opt/uninsane/media/";
# hopefully, make the downloads world-readable
umask = 0;
# force peer connections to be encrypted
encryption = 2;
@@ -27,15 +21,9 @@
# units in kBps
speed-limit-down = 3000;
speed-limit-down-enabled = true;
speed-limit-up = 300;
speed-limit-up = 600;
speed-limit-up-enabled = true;
# see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
anti-brute-force-enabled = false;
download-dir = "/var/lib/uninsane/media";
incomplete-dir = "/var/lib/uninsane/media/incomplete";
};
# transmission will by default not allow the world to read its files.
services.transmission.downloadDirPermissions = "775";

3
machines/servo/users.nix → machines/uninsane/users.nix
View File

@@ -1,4 +1,4 @@
{ config, ... }:
{ config, pkgs, lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
{
@@ -12,7 +12,6 @@
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
uid = config.sane.allocations.git-uid;
isSystemUser = true;
# sendmail access (not 100% sure if this is necessary)
extraGroups = [ "postdrop" ];

14
modules/default.nix
View File

@@ -1,14 +0,0 @@
{ ... }:
{
imports = [
./gui
./hardware
./image.nix
./impermanence.nix
./nixcache.nix
./services/duplicity.nix
./services/nixserve.nix
./universal
];
}

29
modules/gui/default.nix
View File

@@ -1,29 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui;
in
{
imports = [
./gnome.nix
./phosh.nix
./plasma-mobile.nix
./sway.nix
];
options = {
# doesn't directly create outputs. consumed by e.g. home-manager.nix module
sane.gui.enable = mkOption {
default = false;
type = types.bool;
};
};
config = lib.mkIf cfg.enable {
sane.home-packages.enableGuiPkgs = lib.mkDefault true;
sane.home-manager.enable = lib.mkDefault true;
# all GUIs use network manager?
users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
};
}

68
modules/gui/gnome.nix
View File

@@ -1,68 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui.gnome;
in
{
options = {
sane.gui.gnome.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
# start gnome/gdm on boot
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.gdm.enable = true;
# gnome does networking stuff with networkmanager
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
};
# home-mananger.users.colin extras
# obtain these by running `dconf dump /` after manually customizing gnome
# TODO: fix "is not of type `GVariant value'"
# dconf.settings = lib.mkIf (gui == "gnome") {
# gnome = {
# # control alt-tab behavior
# "org/gnome/desktop/wm/keybindings" = {
# switch-applications = [ "<Super>Tab" ];
# switch-applications-backward=[];
# switch-windows=["<Alt>Tab"];
# switch-windows-backward=["<Super><Alt>Tab"];
# };
# # idle power savings
# "org/gnome/settings-deamon/plugins/power" = {
# idle-brigthness = 50;
# sleep-inactive-ac-type = "nothing";
# sleep-inactive-battery-timeout = 5400; # seconds
# };
# "org/gnome/shell" = {
# favorite-apps = [
# "org.gnome.Nautilus.desktop"
# "firefox.desktop"
# "kitty.desktop"
# # "org.gnome.Terminal.desktop"
# ];
# };
# "org/gnome/desktop/session" = {
# # how long until considering a session idle (triggers e.g. screen blanking)
# idle-delay = 900;
# };
# "org/gnome/desktop/interface" = {
# text-scaling-factor = 1.25;
# };
# "org/gnome/desktop/media-handling" = {
# # don't auto-mount inserted media
# automount = false;
# automount-open = false;
# };
# };
# };
}

67
modules/gui/phosh.nix
View File

@@ -1,67 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.gui.phosh;
in
{
options = {
sane.gui.phosh.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.avahi.uid = config.sane.allocations.avahi-uid;
users.users.colord.uid = config.sane.allocations.colord-uid;
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
users.groups.colord.gid = config.sane.allocations.colord-gid;
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
services.xserver.desktopManager.phosh = {
enable = true;
user = "colin";
group = "users";
phocConfig = {
# xwayland = "true";
# find default outputs by catting /etc/phosh/phoc.ini
outputs.DSI-1 = {
scale = 1.5;
};
};
};
# XXX: phosh enables networkmanager by default; can probably disable these lines
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
# XXX: not clear if these are actually needed?
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.opengl.enable = true;
hardware.opengl.driSupport = true;
environment.variables = {
# Qt apps won't always start unless this env var is set
QT_QPA_PLATFORM = "wayland";
# electron apps (e.g. Element) should use the wayland backend
# toggle this to have electron apps (e.g. Element) use the wayland backend.
# phocConfig.xwayland should be disabled if you do this
NIXOS_OZONE_WL = "1";
};
sane.home-manager.extraPackages = with pkgs; [
# TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
gnome.gnome-bluetooth
];
};
}

28
modules/gui/plasma-mobile.nix
View File

@@ -1,28 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.gui.plasma-mobile;
in
{
options = {
sane.gui.plasma-mobile.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
# start plasma-mobile on boot
services.xserver.enable = true;
services.xserver.desktopManager.plasma5.mobile.enable = true;
services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware = false; # not all plasma5-mobile packages build for aarch64
services.xserver.displayManager.sddm.enable = true;
# Plasma does networking stuff with networkmanager, but nix configures the defaults itself
# networking.useDHCP = false;
# networking.networkmanager.enable = true;
# networking.wireless.enable = lib.mkForce false;
};
}

584
modules/gui/sway.nix
View File

@@ -1,584 +0,0 @@
{ pkgs, lib, config, ... }:
# docs: https://nixos.wiki/wiki/Sway
with lib;
let
cfg = config.sane.gui.sway;
in
{
options = {
sane.gui.sway.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
sane.gui.enable = true;
users.users.greeter.uid = config.sane.allocations.greeter-uid;
users.groups.greeter.gid = config.sane.allocations.greeter-gid;
programs.sway = {
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
enable = true;
};
# TODO: should be able to use SDDM to get interactive login
services.greetd = {
enable = true;
settings = rec {
initial_session = {
command = "${pkgs.sway}/bin/sway";
user = "colin";
};
default_session = initial_session;
};
};
# unlike other DEs, sway configures no audio stack
# administer with pw-cli, pw-mon, pw-top commands
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true; # ??
pulse.enable = true;
};
hardware.bluetooth.enable = true;
services.blueman.enable = true;
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
sane.home-manager.windowManager.sway = {
enable = true;
wrapperFeatures.gtk = true;
config = rec {
terminal = "${pkgs.kitty}/bin/kitty";
window = {
border = 3; # pixel boundary between windows
hideEdgeBorders = "smart"; # don't show border if only window on workspace
};
output = {
### DESKTOP
"Samsung Electric Company S22C300 0x00007F35" = { pos = "0,0"; res = "1920x1080"; };
"Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" = { pos = "1920,0"; res = "3440x1440"; };
### LAPTOP
# shen TV
"Pioneer Electronic Corporation VSX-524 0x00000101" = { pos = "0,0"; res = "1920x1080"; };
# internal display
"Unknown 0x0637 0x00000000" = { pos = "1920,0"; res = "1920x1080"; };
};
# defaults; required for keybindings decl.
modifier = "Mod1";
# list of launchers: https://www.reddit.com/r/swaywm/comments/v39hxa/your_favorite_launcher/
# menu = "${pkgs.dmenu}/bin/dmenu_path";
menu = "${pkgs.fuzzel}/bin/fuzzel";
# menu = "${pkgs.albert}/bin/albert";
left = "h";
down = "j";
up = "k";
right = "l";
# XKB key names: https://wiki.linuxquestions.org/wiki/List_of_Keysyms_Recognised_by_Xmodmap
keybindings = {
"${modifier}+Return" = "exec ${terminal}";
"${modifier}+Shift+q" = "kill";
"${modifier}+d" = "exec ${menu}";
"${modifier}+${left}" = "focus left";
"${modifier}+${down}" = "focus down";
"${modifier}+${up}" = "focus up";
"${modifier}+${right}" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
"${modifier}+Shift+${left}" = "move left";
"${modifier}+Shift+${down}" = "move down";
"${modifier}+Shift+${up}" = "move up";
"${modifier}+Shift+${right}" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
"${modifier}+b" = "splith";
"${modifier}+v" = "splitv";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+a" = "focus parent";
"${modifier}+s" = "layout stacking";
"${modifier}+w" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
"${modifier}+Shift+space" = "floating toggle";
"${modifier}+space" = "focus mode_toggle";
"${modifier}+1" = "workspace number 1";
"${modifier}+2" = "workspace number 2";
"${modifier}+3" = "workspace number 3";
"${modifier}+4" = "workspace number 4";
"${modifier}+5" = "workspace number 5";
"${modifier}+6" = "workspace number 6";
"${modifier}+7" = "workspace number 7";
"${modifier}+8" = "workspace number 8";
"${modifier}+9" = "workspace number 9";
"${modifier}+Shift+1" =
"move container to workspace number 1";
"${modifier}+Shift+2" =
"move container to workspace number 2";
"${modifier}+Shift+3" =
"move container to workspace number 3";
"${modifier}+Shift+4" =
"move container to workspace number 4";
"${modifier}+Shift+5" =
"move container to workspace number 5";
"${modifier}+Shift+6" =
"move container to workspace number 6";
"${modifier}+Shift+7" =
"move container to workspace number 7";
"${modifier}+Shift+8" =
"move container to workspace number 8";
"${modifier}+Shift+9" =
"move container to workspace number 9";
"${modifier}+Shift+minus" = "move scratchpad";
"${modifier}+minus" = "scratchpad show";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+e" =
"exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
"${modifier}+r" = "mode resize";
} // {
# media keys
XF86MonBrightnessDown = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set 2%-"'';
XF86MonBrightnessUp = ''exec "${pkgs.brightnessctl}/bin/brightnessctl set +2%"'';
XF86AudioRaiseVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
"${modifier}+Page_Up" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
"${modifier}+Page_Down" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
"${modifier}+Print" = "exec '${pkgs.sway-contrib.grimshot}/bin/grimshot copy area'";
};
# mostly defaults:
bars = [{
mode = "dock";
hiddenState = "hide";
position = "top";
command = "${pkgs.waybar}/bin/waybar";
workspaceButtons = true;
workspaceNumbers = true;
statusCommand = "${pkgs.i3status}/bin/i3status";
fonts = {
# names = [ "monospace" "Noto Color Emoji" ];
# size = 8.0;
# names = [ "Font Awesome 6 Free" "DejaVu Sans" "Hack" ];
# names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
names = with config.fonts.fontconfig.defaultFonts; (monospace ++ emoji);
size = 24.0;
};
trayOutput = "primary";
colors = {
background = "#000000";
statusline = "#ffffff";
separator = "#666666";
focusedWorkspace = {
border = "#4c7899";
background = "#285577";
text = "#ffffff";
};
activeWorkspace = {
border = "#333333";
background = "#5f676a";
text = "#ffffff";
};
inactiveWorkspace = {
border = "#333333";
background = "#222222";
text = "#888888";
};
urgentWorkspace = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
bindingMode = {
border = "#2f343a";
background = "#900000";
text = "#ffffff";
};
};
}];
};
};
sane.home-manager.programs.waybar = {
enable = true;
# docs: https://github.com/Alexays/Waybar/wiki/Configuration
# format specifiers: https://fmt.dev/latest/syntax.html#syntax
settings = {
mainBar = {
layer = "top";
height = 40;
modules-left = ["sway/workspaces" "sway/mode"];
modules-center = ["sway/window"];
modules-right = ["custom/mediaplayer" "clock" "battery" "cpu" "network"];
"sway/window" = {
max-length = 50;
};
# include song artist/title. source: https://www.reddit.com/r/swaywm/comments/ni0vso/waybar_spotify_tracktitle/
"custom/mediaplayer" = {
exec = pkgs.writeShellScript "waybar-mediaplayer" ''
player_status=$(${pkgs.playerctl}/bin/playerctl status 2> /dev/null)
if [ "$player_status" = "Playing" ]; then
echo "$(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
elif [ "$player_status" = "Paused" ]; then
echo " $(${pkgs.playerctl}/bin/playerctl metadata artist) - $(${pkgs.playerctl}/bin/playerctl metadata title)"
fi
'';
interval = 2;
format = "{} ";
# return-type = "json";
on-click = "${pkgs.playerctl}/bin/playerctl play-pause";
on-scroll-up = "${pkgs.playerctl}/bin/playerctl next";
on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
};
network = {
# docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
interval = 2;
max-length = 40;
# custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
format-ethernet = " {bandwidthUpBits:>} {bandwidthDownBits:>}";
tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>} {bandwidthDownBits:>}";
format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>} {bandwidthDownBits:>}";
tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>} {bandwidthDownBits:>}";
format-disconnected = "";
};
cpu = {
format = " {usage:2}%";
tooltip = false;
};
battery = {
states = {
good = 95;
warning = 30;
critical = 10;
};
format = "{icon} {capacity}%";
format-icons = [
""
""
""
""
""
];
};
clock = {
format-alt = "{:%a, %d. %b %H:%M}";
};
};
};
# style docs: https://github.com/Alexays/Waybar/wiki/Styling
style = ''
* {
font-family: monospace;
}
/* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
window#waybar {
background-color: rgba(43, 48, 59, 0.5);
border-bottom: 3px solid rgba(100, 114, 125, 0.5);
color: #ffffff;
transition-property: background-color;
transition-duration: .5s;
}
window#waybar.hidden {
opacity: 0.2;
}
/*
window#waybar.empty {
background-color: transparent;
}
window#waybar.solo {
background-color: #FFFFFF;
}
*/
window#waybar.termite {
background-color: #3F3F3F;
}
window#waybar.chromium {
background-color: #000000;
border: none;
}
#workspaces button {
padding: 0 5px;
background-color: transparent;
color: #ffffff;
/* Use box-shadow instead of border so the text isn't offset */
box-shadow: inset 0 -3px transparent;
/* Avoid rounded borders under each workspace name */
border: none;
border-radius: 0;
}
/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
#workspaces button:hover {
background: rgba(0, 0, 0, 0.2);
box-shadow: inset 0 -3px #ffffff;
}
#workspaces button.focused {
background-color: #64727D;
box-shadow: inset 0 -3px #ffffff;
}
#workspaces button.urgent {
background-color: #eb4d4b;
}
#mode {
background-color: #64727D;
border-bottom: 3px solid #ffffff;
}
#clock,
#battery,
#cpu,
#memory,
#disk,
#temperature,
#backlight,
#network,
#pulseaudio,
#custom-media,
#tray,
#mode,
#idle_inhibitor,
#mpd {
padding: 0 10px;
color: #ffffff;
}
#window,
#workspaces {
margin: 0 4px;
}
/* If workspaces is the leftmost module, omit left margin */
.modules-left > widget:first-child > #workspaces {
margin-left: 0;
}
/* If workspaces is the rightmost module, omit right margin */
.modules-right > widget:last-child > #workspaces {
margin-right: 0;
}
#clock {
background-color: #64727D;
}
#battery {
background-color: #ffffff;
color: #000000;
}
#battery.charging, #battery.plugged {
color: #ffffff;
background-color: #26A65B;
}
@keyframes blink {
to {
background-color: #ffffff;
color: #000000;
}
}
#battery.critical:not(.charging) {
background-color: #f53c3c;
color: #ffffff;
animation-name: blink;
animation-duration: 0.5s;
animation-timing-function: linear;
animation-iteration-count: infinite;
animation-direction: alternate;
}
label:focus {
background-color: #000000;
}
#cpu {
background-color: #2ecc71;
color: #000000;
}
#memory {
background-color: #9b59b6;
}
#disk {
background-color: #964B00;
}
#backlight {
background-color: #90b1b1;
}
#network {
background-color: #2980b9;
}
#network.disconnected {
background-color: #f53c3c;
}
#pulseaudio {
background-color: #f1c40f;
color: #000000;
}
#pulseaudio.muted {
background-color: #90b1b1;
color: #2a5c45;
}
#custom-media {
background-color: #66cc99;
color: #2a5c45;
min-width: 100px;
}
#custom-media.custom-spotify {
background-color: #66cc99;
}
#custom-media.custom-vlc {
background-color: #ffa000;
}
#temperature {
background-color: #f0932b;
}
#temperature.critical {
background-color: #eb4d4b;
}
#tray {
background-color: #2980b9;
}
#tray > .passive {
-gtk-icon-effect: dim;
}
#tray > .needs-attention {
-gtk-icon-effect: highlight;
background-color: #eb4d4b;
}
#idle_inhibitor {
background-color: #2d3436;
}
#idle_inhibitor.activated {
background-color: #ecf0f1;
color: #2d3436;
}
#mpd {
background-color: #66cc99;
color: #2a5c45;
}
#mpd.disconnected {
background-color: #f53c3c;
}
#mpd.stopped {
background-color: #90b1b1;
}
#mpd.paused {
background-color: #51a37a;
}
#language {
background: #00b093;
color: #740864;
padding: 0 5px;
margin: 0 5px;
min-width: 16px;
}
#keyboard-state {
background: #97e1ad;
color: #000000;
padding: 0 0px;
margin: 0 5px;
min-width: 16px;
}
#keyboard-state > label {
padding: 0 5px;
}
#keyboard-state > label.locked {
background: rgba(0, 0, 0, 0.2);
}
'';
# style = ''
# * {
# border: none;
# border-radius: 0;
# font-family: Source Code Pro;
# }
# window#waybar {
# background: #16191C;
# color: #AAB2BF;
# }
# #workspaces button {
# padding: 0 5px;
# }
# .custom-spotify {
# padding: 0 10px;
# margin: 0 4px;
# background-color: #1DB954;
# color: black;
# }
# '';
};
sane.home-manager.extraPackages = with pkgs; [
swaylock
swayidle
wl-clipboard
mako # notification daemon
xdg-utils # for xdg-open
# user stuff
# pavucontrol
sway-contrib.grimshot
gnome.gnome-bluetooth
gnome.gnome-control-center
];
};
}

40
modules/hardware/all.nix
View File

@@ -1,40 +0,0 @@
{ lib, pkgs, ... }:
{
boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
# useful emergency utils
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
'';
boot.kernelParams = [ "boot.shell_on_fail" ];
# other kernelParams:
# "boot.trace"
# "systemd.log_level=debug"
# "systemd.log_target=console"
# hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
boot.initrd.preFailCommands = "allowShell=1";
# default: 4 (warn). 7 is debug
boot.consoleLogLevel = 7;
boot.loader.grub.enable = lib.mkDefault false;
boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
# non-free firmware
hardware.enableRedistributableFirmware = true;
services.fwupd.enable = true;
# powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
powerManagement.powertop.enable = false;
# services.snapper.configs = {
# root = {
# subvolume = "/";
# extraConfig = {
# ALLOW_USERS = "colin";
# };
# };
# };
# services.snapper.snapshotInterval = "daily";
}

8
modules/hardware/default.nix
View File

@@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./all.nix
./x86_64.nix
];
}

26
modules/hardware/x86_64.nix
View File

@@ -1,26 +0,0 @@
{ lib, pkgs, ... }:
with lib;
{
config = mkIf (pkgs.system == "x86_64-linux") {
boot.initrd.availableKernelModules = [
"xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
"usb_storage" # rpi needed this to boot from usb storage, i think.
"nvme" # to boot from nvme devices
# efi_pstore evivars
];
# enable cross compilation
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# nixpkgs.config.allowUnsupportedSystem = true;
# nixpkgs.crossSystem.system = "aarch64-linux";
powerManagement.cpuFreqGovernor = "powersave";
hardware.cpu.amd.updateMicrocode = true; # desktop
hardware.cpu.intel.updateMicrocode = true; # laptop
hardware.opengl.driSupport = true;
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
};
}

132
modules/image.nix
View File

@@ -1,132 +0,0 @@
{ config, lib, pkgs, mobile-nixos, utils, ... }:
with lib;
let
cfg = config.sane.image;
in
{
options = {
# packages whose contents should be copied directly into the /boot partition.
# e.g. EFI loaders, u-boot bootloader, etc.
sane.image.extraBootFiles = mkOption {
default = [];
type = types.listOf types.package;
};
# extra (empty) directories to create in the rootfs.
# for example, /var/log might be required by the boot process, so ensure it exists.
sane.image.extraDirectories = mkOption {
default = [];
type = types.listOf types.str;
};
# the GPT header is fixed to Logical Block Address 1,
# but we can actually put the partition entries anywhere.
# this option reserves so many bytes after LBA 1 but *before* the partition entries.
# this is not universally supported, but is an easy hack to claim space near the start
# of the disk for other purposes (e.g. firmware blobs)
sane.image.extraGPTPadding = mkOption {
default = 0;
# NB: rpi doesn't like non-zero values for this.
# at the same time, spinning disks REALLY need partitions to be aligned to 4KiB boundaries.
# maybe there's some imageBuilder.fileSystem type which represents empty space?
# default = 2014 * 512; # standard is to start part0 at sector 2048 (versus 34 if no padding)
type = types.int;
};
# optional space (in bytes) to leave unallocated after the GPT structure and before the first partition.
sane.image.firstPartGap = mkOption {
# align the first part to 16 MiB.
# do this by inserting a gap of 16 MiB - gptHeaderSize
# and then multiply by 1MiB and subtract 1 because mobile-nixos
# has a bug which will divide this by 1 MiB (and round up)
default = (16 * 1024 * 1024 - 34 * 512) * 1024 * 1024 - 1;
type = types.nullOr types.int;
};
sane.image.bootPartSize = mkOption {
default = 512 * 1024 * 1024;
type = types.int;
};
};
config = let
# return true if super starts with sub
startsWith = super: sub: (
(builtins.substring 0 (builtins.stringLength sub) super) == sub
);
# return the (string) path to get from `stem` to `path`
# or errors if not a sub-path
relPath = stem: path: (
builtins.head (builtins.match "^${stem}(.+)" path)
);
fileSystems = config.fileSystems;
bootFs = fileSystems."/boot";
nixFs = fileSystems."/nix/store" or fileSystems."/nix" or fileSystems."/";
# resolves to e.g. "nix/store", "/store" or ""
storeRelPath = relPath nixFs.mountPoint "/nix/store";
uuidFromFs = fs: builtins.head (builtins.match "/dev/disk/by-uuid/(.+)" fs.device);
vfatUuidFromFs = fs: builtins.replaceStrings ["-"] [""] (uuidFromFs fs);
fsBuilderMapBoot = {
"vfat" = pkgs.imageBuilder.fileSystem.makeESP;
};
fsBuilderMapNix = {
"ext4" = pkgs.imageBuilder.fileSystem.makeExt4;
"btrfs" = pkgs.imageBuilder.fileSystem.makeBtrfs;
};
in {
system.build.img-without-firmware = with pkgs; imageBuilder.diskImage.makeGPT {
name = "nixos";
diskID = vfatUuidFromFs bootFs;
# leave some space for firmware
# TODO: we'd prefer to turn this into a protected firmware partition, rather than reserving space in the GPT header itself
# Tow-Boot manages to do that; not sure how.
headerHole = cfg.extraGPTPadding;
partitions = [
(pkgs.imageBuilder.gap cfg.firstPartGap)
(fsBuilderMapBoot."${bootFs.fsType}" {
# fs properties
name = "ESP";
partitionID = vfatUuidFromFs bootFs;
# partition properties
partitionLabel = "EFI System";
partitionUUID = "44444444-4444-4444-4444-4444${vfatUuidFromFs bootFs}";
size = cfg.bootPartSize;
populateCommands = let
extras = builtins.toString (builtins.map (d: "cp -R ${d}/* ./") cfg.extraBootFiles);
in ''
echo "running installBootLoader"
${config.system.build.installBootLoader} ${config.system.build.toplevel} -d .
echo "ran installBootLoader"
${extras}
echo "copied extraBootFiles"
'';
})
(fsBuilderMapNix."${nixFs.fsType}" {
# fs properties
name = "NIXOS_SYSTEM";
partitionID = uuidFromFs nixFs;
# partition properties
partitionLabel = "Linux filesystem";
partitionUUID = uuidFromFs nixFs;
populateCommands =
let
closureInfo = buildPackages.closureInfo { rootPaths = config.system.build.toplevel; };
extraRelPaths = builtins.toString (builtins.map (p: "./" + builtins.toString(relPath nixFs.mountPoint p)) cfg.extraDirectories);
in
''
mkdir -p ./${storeRelPath} ${extraRelPaths}
echo "Copying system closure..."
while IFS= read -r path; do
echo " Copying $path"
cp -prf "$path" ./${storeRelPath}
done < "${closureInfo}/store-paths"
echo "Done copying system closure..."
cp -v ${closureInfo}/registration ./nix-path-registration
'';
})
];
};
system.build.img = lib.mkDefault config.system.build.img-without-firmware;
};
}

108
modules/impermanence.nix
View File

@@ -1,108 +0,0 @@
# borrows from:
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
# https://github.com/nix-community/impermanence
{ lib, config, impermanence, ... }:
with lib;
let
cfg = config.sane.impermanence;
in
{
options = {
sane.impermanence.enable = mkOption {
default = false;
type = types.bool;
};
sane.impermanence.home-dirs = mkOption {
default = [];
type = types.listOf (types.either types.str (types.attrsOf types.str));
};
sane.impermanence.service-dirs = mkOption {
default = [];
type = types.listOf (types.either types.str (types.attrsOf types.str));
};
};
config = let
map-dir = defaults: dir: if isString dir then
map-dir defaults { directory = "${defaults.directory}${dir}"; }
else
defaults // dir
;
map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;
map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
in mkIf cfg.enable {
sane.image.extraDirectories = [ "/nix/persist/var/log" ];
environment.persistence."/nix/persist" = {
directories = (map-home-dirs ([
# cache is probably too big to fit on the tmpfs
# TODO: we could bind-mount it to something which gets cleared per boot, though.
".cache"
".cargo"
".rustup"
".ssh"
# intentionally omitted:
# ".config" # managed by home-manager
# ".local" # nothing useful in here
] ++ cfg.home-dirs)) ++ (map-sys-dirs [
# TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
{ mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
# "/etc/nixos"
# "/etc/ssh" # persist only the specific files we want, instead
"/var/log"
"/var/backup" # for e.g. postgres dumps
]) ++ (map-service-dirs ([
# "/var/lib/AccountsService" # not sure what this is, but it's empty
"/var/lib/alsa" # preserve output levels, default devices
# "/var/lib/blueman" # files aren't human readable
"/var/lib/bluetooth" # preserve bluetooth handshakes
"/var/lib/colord" # preserve color calibrations (?)
# "/var/lib/dhclient" # empty on lappy; dunno about desko
# "/var/lib/fwupd" # not sure why this would need persistent state
# "/var/lib/geoclue" # empty on lappy
# "/var/lib/lockdown" # empty on desko; might store secrets after iOS handshake?
# "/var/lib/logrotate.status" # seems redundant with what's in /var/log?
"/var/lib/machines" # maybe not needed, but would be painful to add a VM and forget.
# "/var/lib/misc" # empty on lappy
# "/var/lib/NetworkManager" # looks to be mostly impermanent state?
# "/var/lib/NetworkManager-fortisslvpn" # empty on lappy
# "/var/lib/nixos" # has some uid/gid maps, but we enforce these to be deterministic.
# "/var/lib/PackageKit" # wtf is this?
# "/var/lib/power-profiles-daemon" # redundant with nixos declarations
# "/var/lib/private" # empty on lappy
# "/var/lib/systemd" # nothing obviously necessary
# "/var/lib/udisks2" # empty on lappy
# "/var/lib/upower" # historic charge data. unnecessary, but maybe used somewhere?
#
# servo additions:
# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
# "/var/lib/dovecot"
# "/var/lib/duplicity"
] ++ cfg.service-dirs));
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/home/colin/.zsh_history"
# # XXX these only need persistence because i have mutableUsers = true, i think
# "/etc/group"
# "/etc/passwd"
# "/etc/shadow"
];
};
systemd.services.sane-sops = {
description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
script = config.system.activationScripts.setupSecrets.text;
after = [ "fs-local.target" ];
wantedBy = [ "multi-user.target" ];
};
};
}

31
modules/nixcache.nix
View File

@@ -1,31 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.sane.nixcache;
in
{
options = {
sane.nixcache.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
# use our own binary cache
nix.settings = {
substituters = [
"https://nixcache.uninsane.org"
"http://desko:5000"
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
"desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
};
}

74
modules/services/duplicity.nix
View File

@@ -1,74 +0,0 @@
# docs: https://search.nixos.org/options?channel=21.11&query=duplicity
{ config, lib, ... }:
with lib;
let
cfg = config.sane.services.duplicity;
in
{
options = {
sane.services.duplicity.enable = mkOption {
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
# we need this mostly because of the size of duplicity's cache
sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
services.duplicity.enable = true;
services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
services.duplicity.escapeUrl = false;
# format: PASSPHRASE=<cleartext> \n DUPLICITY_URL=b2://...
# two sisters
# PASSPHRASE: remote backups will be encrypted using this passphrase (using gpg)
# DUPLICITY_URL: b2://$key_id:$app_key@$bucket
# create key with: backblaze-b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
# ^ run this until you get a key with no forward slashes :upside_down:
# web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
# you need to create a new application key from the web in order to first get a key which can create new keys (use env vars in the above command)
# TODO: s/duplicity_passphrase/duplicity_env/
services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
# NB: manually trigger with `systemctl start duplicity`
services.duplicity.frequency = "daily";
# TODO: this needs updating to handle impermanence changes
services.duplicity.exclude = [
# impermanent/inconsequential data:
"/dev"
"/proc"
"/run"
"/sys"
"/tmp"
# bind mounted (dupes):
"/var/lib"
# other mounts
"/mnt"
# data that's not worth the cost to backup:
"/nix/persist/var/lib/uninsane/media"
"/nix/persist/home/colin/tmp"
"/nix/persist/home/colin/Videos"
"/home/colin/tmp"
"/home/colin/Videos"
];
services.duplicity.extraFlags = [
# without --allow-source-mismatch, duplicity will abort if you change the hostname between backups
"--allow-source-mismatch"
];
# set this for the FIRST backup, then remove it to enable incremental backups
# (that the first backup *isn't* full i think is a defect)
# services.duplicity.fullIfOlderThan = "always";
systemd.services.duplicity.serviceConfig = {
# rate-limit the read bandwidth in an effort to thereby prevent net upload saturation
# this could perhaps be done better by adding a duplicity config option to replace the binary with `trickle`
IOReadBandwidthMax = [
"/dev/sda1 5M"
"/dev/nvme0n1 5M"
"/dev/mmc0 5M"
];
};
};
}

33
modules/services/nixserve.nix
View File

@@ -1,33 +0,0 @@
# docs: https://nixos.wiki/wiki/Binary_Cache
# to copy something to this machine's nix cache, do:
# nix copy --to ssh://nixcache.uninsane.org PACKAGE
{ config, lib, ... }:
with lib;
let
cfg = config.sane.services.nixserve;
in
{
options = {
sane.services.nixserve.enable = mkOption {
default = false;
type = types.bool;
};
sane.services.nixserve.sopsFile = mkOption {
default = ../../secrets/servo.yaml;
type = types.path;
};
};
config = mkIf cfg.enable {
services.nix-serve = {
enable = true;
secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
openFirewall = true; # not needed for servo; only desko
};
sops.secrets.nix_serve_privkey = {
sopsFile = cfg.sopsFile;
};
};
}

54
modules/universal/allocations.nix
View File

@@ -1,54 +0,0 @@
{ lib, ... }:
with lib;
let
mkId = id: mkOption {
default = id;
type = types.int;
};
in
{
options = {
# legacy servo users, some are inconvenient to migrate
sane.allocations.dhcpcd-gid = mkId 991;
sane.allocations.dhcpcd-uid = mkId 992;
sane.allocations.gitea-gid = mkId 993;
sane.allocations.git-uid = mkId 994;
sane.allocations.jellyfin-gid = mkId 994;
sane.allocations.pleroma-gid = mkId 995;
sane.allocations.jellyfin-uid = mkId 996;
sane.allocations.acme-gid = mkId 996;
sane.allocations.pleroma-uid = mkId 997;
sane.allocations.acme-uid = mkId 998;
sane.allocations.greeter-uid = mkId 999;
sane.allocations.greeter-gid = mkId 999;
sane.allocations.colin-uid = mkId 1000;
sane.allocations.guest-uid = mkId 1100;
# found on all machines
sane.allocations.sshd-uid = mkId 2001; # 997
sane.allocations.sshd-gid = mkId 2001; # 997
sane.allocations.polkituser-gid = mkId 2002; # 998
sane.allocations.systemd-coredump-gid = mkId 2003; # 996
# found on graphical machines
sane.allocations.nm-iodine-uid = mkId 2101; # desko/moby/lappy
# found on desko machine
sane.allocations.usbmux-uid = mkId 2204;
sane.allocations.usbmux-gid = mkId 2204;
# originally found on moby machine
sane.allocations.avahi-uid = mkId 2304;
sane.allocations.avahi-gid = mkId 2304;
sane.allocations.colord-uid = mkId 2305;
sane.allocations.colord-gid = mkId 2305;
sane.allocations.geoclue-uid = mkId 2306;
sane.allocations.geoclue-gid = mkId 2306;
sane.allocations.rtkit-uid = mkId 2307;
sane.allocations.rtkit-gid = mkId 2307;
sane.allocations.feedbackd-gid = mkId 2308;
};
}

33
modules/universal/default.nix
View File

@@ -1,33 +0,0 @@
{ pkgs, ... }:
{
imports = [
./allocations.nix
./env
./fs.nix
./net.nix
./secrets.nix
./users.nix
./vpn.nix
];
time.timeZone = "America/Los_Angeles";
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
fontconfig.enable = true;
fontconfig.defaultFonts = {
emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
monospace = [ "Hack" ];
serif = [ "DejaVu Serif" ];
sansSerif = [ "DejaVu Sans" ];
};
};
# allow `nix flake ...` command
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
}

21
modules/universal/env/default.nix vendored
View File

@@ -1,21 +0,0 @@
{ ... }:
{
imports = [
./home-manager.nix
./home-packages.nix
./system-packages.nix
];
# programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
GIT_EDITOR = "vim";
# Electron apps should use native wayland backend:
# https://nixos.wiki/wiki/Slack#Wayland
# Discord under sway crashes with this.
# NIXOS_OZONE_WL = "1";
};
}

522
modules/universal/env/home-manager.nix vendored
View File

@@ -1,522 +0,0 @@
# docs:
# https://rycee.gitlab.io/home-manager/
# https://rycee.gitlab.io/home-manager/options.html
# man home-configuration.nix
#
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.sane.home-manager;
vim-swap-dir = ".cache/vim-swap";
# extract package from `extraPackages`
pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
# extract `dir` from `extraPackages`
dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
in
{
options = {
sane.home-manager.enable = mkOption {
default = false;
type = types.bool;
};
# packages to deploy to the user's home
sane.home-manager.extraPackages = mkOption {
default = [ ];
# each entry can be either a package, or attrs:
# { pkg = package; dir = optional string;
type = types.listOf (types.either types.package types.attrs);
};
# attributes to copy directly to home-manager's `wayland.windowManager` option
sane.home-manager.windowManager = mkOption {
default = {};
type = types.attrs;
};
# extra attributes to include in home-manager's `programs` option
sane.home-manager.programs = mkOption {
default = {};
type = types.attrs;
};
};
config = lib.mkIf cfg.enable {
sops.secrets."aerc_accounts" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/aerc_accounts.conf;
format = "binary";
};
sops.secrets."sublime_music_config" = {
owner = config.users.users.colin.name;
sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
format = "binary";
};
sane.impermanence.home-dirs = [
"archive"
"dev"
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
vim-swap-dir
] ++ (dirlist cfg.extraPackages);
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
# see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
home-manager.users.colin = let sysconfig = config; in { config, ... }: {
home.packages = pkglist cfg.extraPackages;
wayland.windowManager = cfg.windowManager;
home.stateVersion = "21.11";
home.username = "colin";
home.homeDirectory = "/home/colin";
# XDG defines things like ~/Desktop, ~/Downloads, etc.
# these clutter the home, so i mostly don't use them.
xdg.userDirs = {
enable = true;
createDirectories = false; # on headless systems, most xdg dirs are noise
desktop = "$HOME/.xdg/Desktop";
documents = "$HOME/dev";
download = "$HOME/tmp";
music = "$HOME/Music";
pictures = "$HOME/Pictures";
publicShare = "$HOME/.xdg/Public";
templates = "$HOME/.xdg/Templates";
videos = "$HOME/Videos";
};
xdg.mimeApps.enable = true;
xdg.mimeApps.defaultApplications = {
"text/html" = [ "librewolf.desktop" ];
"x-scheme-handler/http" = [ "librewolf.desktop" ];
"x-scheme-handler/https" = [ "librewolf.desktop" ];
"x-scheme-handler/about" = [ "librewolf.desktop" ];
"x-scheme-handler/unknown" = [ "librewolf.desktop" ];
"image/png" = [ "org.gnome.gThumb.desktop" ];
};
# convenience
home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
# nb markdown/personal knowledge manager
home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
home.file.".nb/.current".text = "knowledge";
home.file.".nbrc".text = ''
# manage with `nb settings`
export NB_AUTO_SYNC=0
'';
# uBlock filter list configuration.
# specifically, enable the GDPR cookie prompt blocker.
# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
# this configuration method is documented here:
# - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
# the specific attribute path is found via scraping ublock code here:
# - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
# - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
{
"name": "uBlock0@raymondhill.net",
"description": "ignored",
"type": "storage",
"data": {
"toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
}
}
'';
# aerc TUI mail client
xdg.configFile."aerc/accounts.conf".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
# sublime music player
xdg.configFile."sublime-music/config.json".source =
config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
xdg.configFile."vlc/vlcrc".text =
let
podcast_urls = lib.strings.concatStringsSep "|" [
"https://lexfridman.com/feed/podcast/"
## Astral Codex Ten
"http://feeds.libsyn.com/108018/rss"
## Econ Talk
"https://feeds.simplecast.com/wgl4xEgL"
## Cory Doctorow
"https://feeds.feedburner.com/doctorow_podcast"
"https://congressionaldish.libsyn.com/rss"
## Civboot
"https://anchor.fm/s/34c7232c/podcast/rss"
"https://feeds.feedburner.com/80000HoursPodcast"
"https://allinchamathjason.libsyn.com/rss"
## Eric Weinstein
"https://rss.art19.com/the-portal"
"https://feeds.megaphone.fm/darknetdiaries"
"http://feeds.wnyc.org/radiolab"
"https://wakingup.libsyn.com/rss"
## 99% Invisible
"https://feeds.simplecast.com/BqbsxVfO"
"https://rss.acast.com/ft-tech-tonic"
"https://feeds.feedburner.com/dancarlin/history?format=xml"
];
in ''
[podcast]
podcast-urls=${podcast_urls}
[core]
metadata-network-access=0
[qt]
qt-privacy-ask=0
'';
# gnome feeds RSS viewer
xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
feeds = {
# AGGREGATORS (> 1 post/day)
"https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
"http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
# AGGREGATORS (< 1 post/day)
"https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
"https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
"https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
"https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
"https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
## No Moods, Ads or Cutesy Fucking Icons
"https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
# DEVELOPERS
"https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
## Ken Shirriff
"https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
## Vitalik Buterin
"https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
## ian (Sanctuary)
"https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
## Bunnie Juang
"https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
"https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
"https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
"https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
"https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
# (TECH; POL) COMMENTATORS
"http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
## Ben Thompson
"https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
## Balaji
"https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
"https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
"https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
"https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
"https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
## David Rosenthal
"https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
## Matt Levine
"https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
# RATIONALITY/PHILOSOPHY/ETC
"https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
"https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
"https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
"https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
"https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
## Jason Crawford
"https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
## Robin Hanson
"https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
## Scott Alexander
"https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
## Paul Christiano
"https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
## Sean Carroll
"https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
# COMICS
"https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
"https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
# ART
"https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
};
dark_reader = false;
new_first = true;
# windowsize = {
# width = 350;
# height = 650;
# };
max_article_age_days = 90;
enable_js = false;
max_refresh_threads = 3;
# saved_items = {};
# read_items = [];
show_read_items = true;
full_article_title = true;
# views: "webview", "reader", "rsscont"
default_view = "rsscont";
open_links_externally = true;
full_feed_name = false;
refresh_on_startup = true;
tags = [
# hourly => aggregator
# daily => prolifiq writer
# weekly => i can keep up with most -- but maybe not all -- of their content
# infrequent => i can read everything in this category
"hourly" "daily" "weekly" "infrequent"
# rat[ionality] gets used interchangably with philosophy, here.
# pol[itical] gets used for social commentary and economics as well.
# visual gets used for comics/art
"uncat" "rat" "tech" "pol" "visual"
];
open_youtube_externally = false;
media_player = "vlc"; # default: mpv
};
programs = {
home-manager.enable = true; # this lets home-manager manage dot-files in user dirs, i think
zsh = {
enable = true;
enableSyntaxHighlighting = true;
enableVteIntegration = true;
dotDir = ".config/zsh";
initExtraBeforeCompInit = ''
# p10k instant prompt
# run p10k configure to configure, but it can't write out its file :-(
POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
'';
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
prezto = {
enable = true;
pmodules = [
"environment"
"terminal"
"editor"
"history"
"directory"
"spectrum"
"utility"
"completion"
"prompt"
"git"
];
prompt = {
theme = "powerlevel10k";
};
};
};
kitty = {
enable = true;
# docs: https://sw.kovidgoyal.net/kitty/conf/
settings = {
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell = false;
};
keybindings = {
"ctrl+n" = "new_os_window_with_cwd";
};
# docs: https://github.com/kovidgoyal/kitty-themes
# theme = "1984 Light"; # dislike: awful, harsh blues/teals
# theme = "Adventure Time"; # dislike: harsh (dark)
# theme = "Atom One Light"; # GOOD: light theme. all color combos readable. not a huge fan of the blue.
# theme = "Belafonte Day"; # dislike: too low contrast for text colors
# theme = "Belafonte Night"; # better: dark theme that's easy on the eyes. all combos readable. low contrast.
# theme = "Catppuccin"; # dislike: a bit pale/low-contrast (dark)
# theme = "Desert"; # mediocre: colors are harsh
# theme = "Earthsong"; # BEST: dark theme. readable, good contrast. unique, but decent colors.
# theme = "Espresso Libre"; # better: dark theme. readable, but meh colors
# theme = "Forest Night"; # decent: very pastel. it's workable, but unconventional and muted/flat.
# theme = "Gruvbox Material Light Hard"; # mediocre light theme.
# theme = "kanagawabones"; # better: dark theme. colors are too background-y
# theme = "Kaolin Dark"; # dislike: too dark
# theme = "Kaolin Breeze"; # mediocre: not-too-harsh light theme, but some parts are poor contrast
# theme = "Later This Evening"; # mediocre: not-too-harsh dark theme, but cursor is poor contrast
# theme = "Material"; # decent: light theme, few colors.
# theme = "Mayukai"; # decent: not-too-harsh dark theme. the teal is a bit straining
# theme = "Nord"; # mediocre: pale background, low contrast
# theme = "One Half Light"; # better: not-too-harsh light theme. contrast could be better
theme = "PaperColor Dark"; # BEST: dark theme, very readable still the colors are background-y
# theme = "Parasio Dark"; # dislike: too low contrast
# theme = "Pencil Light"; # better: not-too-harsh light theme. decent contrast.
# theme = "Pnevma"; # dislike: too low contrast
# theme = "Piatto Light"; # better: readable light theme. pleasing colors. powerline prompt is hard to read.
# theme = "Rosé Pine Dawn"; # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
# theme = "Rosé Pine Moon"; # GOOD: dark theme. tasteful colors. but background is a bit intense
# theme = "Sea Shells"; # mediocre. not all color combos are readable
# theme = "Solarized Light"; # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
# theme = "Solarized Dark Higher Contrast"; # better: dark theme, decent colors
# theme = "Sourcerer"; # mediocre: ugly colors
# theme = "Space Gray"; # mediocre: too muted
# theme = "Space Gray Eighties"; # better: all readable, decent colors
# theme = "Spacemacs"; # mediocre: too muted
# theme = "Spring"; # mediocre: readable light theme, but the teal is ugly.
# theme = "Srcery"; # better: highly readable. colors are ehhh
# theme = "Substrata"; # decent: nice colors, but a bit flat.
# theme = "Sundried"; # mediocre: the solar text makes me squint
# theme = "Symfonic"; # mediocre: the dark purple has low contrast to the black bg.
# theme = "Tango Light"; # dislike: teal is too grating
# theme = "Tokyo Night Day"; # medicore: too muted
# theme = "Tokyo Night"; # better: tasteful. a bit flat
# theme = "Tomorrow"; # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
# theme = "Treehouse"; # dislike: the orange is harsh on my eyes.
# theme = "Urple"; # dislike: weird palette
# theme = "Warm Neon"; # decent: not-too-harsh dark theme. the green is a bit unattractive
# theme = "Wild Cherry"; # GOOD: dark theme: nice colors. a bit flat
# theme = "Xcodedark"; # dislike: bad palette
# theme = "citylights"; # decent: dark theme. some parts have just a bit low contrast
# theme = "neobones_light"; # better light theme. the background is maybe too muted
# theme = "vimbones";
# theme = "zenbones_dark"; # mediocre: readable, but meh colors
# theme = "zenbones_light"; # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
# theme = "zenwritten_dark"; # mediocre: looks same as zenbones_dark
# extraConfig = "";
};
git = {
enable = true;
userName = "colin";
userEmail = "colin@uninsane.org";
};
neovim = {
# neovim: https://github.com/neovim/neovim
enable = true;
viAlias = true;
vimAlias = true;
plugins = with pkgs.vimPlugins; [
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
vim-surround
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
fzf-vim
# docs: https://github.com/KeitaNakamura/tex-conceal.vim/
({
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
})
({
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
})
# nabla renders inline math in any document, but it's buggy.
# https://github.com/jbyuki/nabla.nvim
# ({
# plugin = pkgs.nabla;
# type = "lua";
# config = ''
# require'nabla'.enable_virt()
# '';
# })
# treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
# docs: https://github.com/nvim-treesitter/nvim-treesitter
# config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
# this is required for tree-sitter to even highlight
({
plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
type = "lua";
config = ''
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
-- disable treesitter on Rust so that we can use SyntaxRange
-- and leverage TeX rendering in rust projects
disable = { "rust", "tex", "latex" },
-- disable = { "tex", "latex" },
-- true to also use builtin vim syntax highlighting when treesitter fails
additional_vim_regex_highlighting = false
},
incremental_selection = {
enable = true,
keymaps = {
init_selection = "gnn",
node_incremental = "grn",
mcope_incremental = "grc",
node_decremental = "grm"
}
},
indent = {
enable = true,
disable = {}
}
}
vim.o.foldmethod = 'expr'
vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
'';
})
];
extraConfig = ''
" copy/paste to system clipboard
set clipboard=unnamedplus
" screw tabs; always expand them into spaces
set expandtab
" at least don't open files with sections folded by default
set nofoldenable
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" horizontal rule under the active line
" set cursorline
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
'';
};
# XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
firefox = lib.mkIf (sysconfig.sane.gui.enable) {
enable = true;
package = import ./web-browser.nix pkgs;
};
# "command not found" will cause the command to be searched in nixpkgs
nix-index.enable = true;
} // cfg.programs;
home.shellAliases = {
":q" = "exit";
# common typos
"cd.." = "cd ..";
"cd../" = "cd ../";
};
};
};
}

150
modules/universal/env/home-packages.nix vendored
View File

@@ -1,150 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with pkgs;
let
cfg = config.sane.home-packages;
universalPkgs = [
backblaze-b2
duplicity
gnupg
ifuse
ipfs
libimobiledevice
lm_sensors # for sensors-detect
lshw
ffmpeg
nb
networkmanager
nixpkgs-review
# nixos-generators
# nettools
nmon
oathToolkit # for oathtool
# ponymix
pulsemixer
python3
rmlint
sane-scripts
sequoia
snapper
sops
speedtest-cli
ssh-to-age
sudo
unar
visidata
w3m
wireguard-tools
# youtube-dl
yt-dlp
];
guiPkgs = [
# GUI only
aerc # email client
audacity
chromium
clinfo
electrum
# creds/session keys, etc
{ pkg = element-desktop; dir = ".config/Element"; }
emote # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
evince # works on phosh
fluffychat
foliate
font-manager
gimp # broken on phosh
gnome.cheese
gnome.dconf-editor
gnome-feeds # RSS reader (with claimed mobile support)
gnome.file-roller
gnome.gnome-disk-utility
gnome.gnome-maps # works on phosh
gnome.nautilus
gnome-podcasts
gnome.gnome-system-monitor
gnome.gnome-terminal # works on phosh
gthumb
inkscape
libreoffice-fresh # XXX colin: maybe don't want this on mobile
lollypop
mesa-demos
networkmanagerapplet
# settings (electron app). TODO: can i manage these settings with home-manager?
{ pkg = obsidian; dir = ".config/obsidian"; }
pavucontrol
playerctl
soundconverter
# sublime music persists any downloaded albums here.
# it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
# config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
# possible to pass config as a CLI arg (sublime-music -c config.json)
{ pkg = sublime-music; dir = ".local/share/sublime-music"; }
tdesktop # broken on phosh
vlc # works on phosh
whalebird # pleroma client. input is broken on phosh
xterm # broken on phosh
]
++ (if pkgs.system == "x86_64-linux" then
[
# x86_64 only
# creds, but also 200 MB of node modules, etc
(let discord = (pkgs.discord.override {
# XXX 2022-07-31: fix to allow links to open in default web-browser:
# https://github.com/NixOS/nixpkgs/issues/78961
nss = pkgs.nss_latest;
}); in { pkg = discord; dir = ".config/discord"; })
# kaiteki # Pleroma client
# gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
logseq
losslesscut-bin
makemkv
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
{ pkg = monero-gui; dir = ".bitmonero"; }
# creds, media
{ pkg = signal-desktop; dir = ".config/Signal"; }
# creds. TODO: can i manage this with home-manager?
{ pkg = spotify; dir = ".config/spotify"; }
# hardenedMalloc solves a crash at startup
(tor-browser-bundle-bin.override { useHardenedMalloc = false; })
# zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
{ pkg = zecwallet-lite; dir = ".zcash"; }
] else []);
# useful devtools:
# bison
# dtc
# flex
# gcc
# gcc-arm-embedded
# gcc_multi
# gnumake
# mix2nix
# rustup
# swig
in
{
options = {
sane.home-packages.enableGuiPkgs = mkOption {
default = false;
type = types.bool;
};
};
config = {
sane.home-manager.extraPackages = universalPkgs
++ (if cfg.enableGuiPkgs then guiPkgs else []);
};
}

38
modules/universal/env/system-packages.nix vendored
View File

@@ -1,38 +0,0 @@
{ pkgs, ... }:
{
# general-purpose utilities that we want any user to be able to access
# (specifically: root, in case of rescue)
environment.systemPackages = with pkgs; [
btrfs-progs
cryptsetup
dig
efibootmgr
fatresize
fd
file
gptfdisk
hdparm
htop
iftop
inetutils # for telnet
iotop
iptables
jq
killall
lsof
netcat
nethogs
nmap
openssl
parted
pciutils
powertop
ripgrep
screen
smartmontools
socat
usbutils
wget
];
}

55
modules/universal/env/web-browser.nix vendored
View File

@@ -1,55 +0,0 @@
pkgs:
# common settings to toggle (at runtime, in about:config):
# > security.ssl.require_safe_negotiation
# librewolf is a forked firefox which patches firefox to allow more things
# (like default search engines) to be configurable at runtime.
# many of the settings below won't have effect without those patches.
# see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
pkgs.wrapFirefox pkgs.librewolf-unwrapped {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
libName = "librewolf";
extraPolicies = {
NoDefaultBookmarks = true;
SearchEngines = {
Default = "DuckDuckGo";
};
AppUpdateURL = "https://localhost";
DisableAppUpdate = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DisableSystemAddonUpdate = true;
DisableFirefoxStudies = true;
DisableTelemetry = true;
DisableFeedbackCommands = true;
DisablePocket = true;
DisableSetDesktopBackground = false;
Extensions = {
Install = [
"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
"https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
];
# remove many default search providers
Uninstall = [
"google@search.mozilla.org"
"bing@search.mozilla.org"
"amazondotcom@search.mozilla.org"
"ebay@search.mozilla.org"
"twitter@search.mozilla.org"
];
};
# XXX doesn't seem to have any effect...
# docs: https://github.com/mozilla/policy-templates#homepage
# Homepage = {
# HomepageURL = "https://uninsane.org/";
# StartPage = "homepage";
# };
# NewTabPage = true;
};
}

62
modules/universal/fs.nix
View File

@@ -1,62 +0,0 @@
{ pkgs, ... }:
let sshOpts = rec {
fsType = "fuse.sshfs";
optionsBase = [
"x-systemd.automount"
"_netdev"
"user"
"identityfile=/home/colin/.ssh/id_ed25519"
"allow_other"
"default_permissions"
];
optionsColin = optionsBase ++ [
"transform_symlinks"
"idmap=user"
"uid=1000"
"gid=100"
];
optionsRoot = optionsBase ++ [
# we don't transform_symlinks because that breaks the validity of remote /nix stores
"sftp_server=/run/wrappers/bin/sudo\\040${pkgs.openssh}/libexec/sftp-server"
];
};
in
{
fileSystems."/mnt/servo-media-wan" = {
device = "colin@uninsane.org:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
};
fileSystems."/mnt/servo-media-lan" = {
device = "colin@servo:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
};
fileSystems."/mnt/servo-root-wan" = {
device = "colin@uninsane.org:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
};
fileSystems."/mnt/servo-root-lan" = {
device = "colin@servo:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
};
fileSystems."/mnt/desko-home" = {
device = "colin@desko:/home/colin";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
};
fileSystems."/mnt/desko-root" = {
device = "colin@desko:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
};
environment.systemPackages = [
pkgs.sshfs-fuse
];
}

12
modules/universal/net.nix
View File

@@ -1,12 +0,0 @@
{ config, ... }:
{
# if using router's DNS, these mappings will already exist.
# if using a different DNS provider (which servo does), then we need to explicity provide them.
# ugly hack. would be better to get servo to somehow use the router's DNS
networking.hosts = {
"192.168.0.5" = [ "servo" ];
"192.168.0.20" = [ "lappy" ];
"192.168.0.22" = [ "desko" ];
};
}

53
modules/universal/secrets.nix
View File

@@ -1,53 +0,0 @@
{ config, ... }:
{
# SOPS configuration:
# docs: https://github.com/Mic92/sops-nix
#
# for each new user you want to edit sops files:
# create a private age key from ssh key:
# $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
# if the private key was password protected, then first decrypt it:
# $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
# $ ssh-keygen -p -N "" -f /tmp/id_ed25519
#
# for each user you want to decrypt secrets:
# $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
# add the result to .sops.yaml
# since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
#
# for each machine you want to decrypt secrets:
# $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
# add the result to .sops.yaml
# $ sops updatekeys secrets/example.yaml
#
# to create a new secret:
# $ sops secrets/example.yaml
# control access below (sops.secret.<x>.owner = ...)
#
# to read a secret:
# $ cat /run/secrets/example_key
# sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
# This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ./../../secrets/universal.yaml;
# This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key"
# "/home/colin/.ssh/id_ed25519_dec"
];
# This is using an age key that is expected to already be in the filesystem
# sops.age.keyFile = "/home/colin/.ssh/age.pub";
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist
# sops.age.generateKey = true;
# This is the actual specification of the secrets.
# sops.secrets.example_key = {
# owner = config.users.users.colin.name;
# };
# sops.secrets."myservice/my_subdir/my_secret" = {};
}

118
modules/universal/users.nix
View File

@@ -1,118 +0,0 @@
{ config, pkgs, lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
with lib;
let
cfg = config.sane.users;
# see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
hasDHCP = config.networking.dhcpcd.enable &&
(config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
in
{
options = {
sane.users.guest.enable = mkOption {
default = false;
type = types.bool;
};
};
config = {
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
uid = config.sane.allocations.colin-uid;
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.
subUidRanges = [
{ startUid=100000; count=1; }
];
group = "users";
extraGroups = [
"wheel"
"nixbuild"
"networkmanager"
# phosh/mobile. XXX colin: unsure if necessary
"video"
"feedbackd"
"dialout" # required for modem access
];
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
# shell = pkgs.bashInteractive;
# XXX colin: create ssh key for THIS user by logging in and running:
# ssh-keygen -t ed25519
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
# moby doesn't need to login to any other devices yet
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
];
};
sane.impermanence.service-dirs = mkIf cfg.guest.enable [
{ user = "guest"; group = "users"; directory = "/home/guest"; }
];
users.users.guest = mkIf cfg.guest.enable {
isNormalUser = true;
home = "/home/guest";
uid = config.sane.allocations.guest-uid;
subUidRanges = [
{ startUid=200000; count=1; }
];
group = "users";
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# TODO: insert pubkeys that should be allowed in
];
};
users.users.dhcpcd = mkIf hasDHCP {
uid = config.sane.allocations.dhcpcd-uid;
};
users.groups.dhcpcd = mkIf hasDHCP {
gid = config.sane.allocations.dhcpcd-gid;
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# affix some UIDs which were historically auto-generated
users.users.sshd.uid = config.sane.allocations.sshd-uid;
users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
users.groups.sshd.gid = config.sane.allocations.sshd-gid;
users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
# guarantee determinism in uid/gid generation for users:
assertions = let
uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
assertion = user.uid != null;
message = "non-deterministic uid detected for: ${name}";
}) config.users.users);
gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
assertion = group.gid != null;
message = "non-deterministic gid detected for: ${name}";
}) config.users.groups);
autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
assertion = !user.autoSubUidGidRange;
message = "non-deterministic subUids/Guids detected for: ${name}";
}) config.users.users);
in uidAssertions ++ gidAssertions ++ autoSubAssertions;
};
}

58
modules/universal/vpn.nix
View File

@@ -1,58 +0,0 @@
{ config, ... }:
{
networking.wg-quick.interfaces.ovpnd-us = {
address = [
"172.27.237.218/32"
"fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
}
];
privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-us`
autostart = false;
};
networking.wg-quick.interfaces.ovpnd-ukr = {
address = [
"172.18.180.159/32"
"fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
];
dns = [
"46.227.67.134"
"192.165.9.158"
];
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
}
];
privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
# to start: `systemctl start wg-quick-ovpnd-ukr`
autostart = false;
};
sops.secrets."wg_ovpnd_us_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
sops.secrets."wg_ovpnd_ukr_privkey" = {
sopsFile = ../../secrets/universal.yaml;
};
}

19
nixpatches/01-phosh-float-scale.patch Normal file
View File

@@ -0,0 +1,19 @@
diff --git a/nixos/modules/services/x11/desktop-managers/phosh.nix b/nixos/modules/services/x11/desktop-managers/phosh.nix
index 4bf78fa16e7..13f7b3fbef2 100644
--- a/nixos/modules/services/x11/desktop-managers/phosh.nix
+++ b/nixos/modules/services/x11/desktop-managers/phosh.nix
@@ -78,7 +78,13 @@ let
description = ''
Display scaling factor.
'';
- type = types.nullOr types.ints.unsigned;
+ type = types.nullOr (
+ types.addCheck
+ (types.either types.int types.float)
+ (x : x > 0)
+ ) // {
+ description = "null or positive integer or float";
+ };
default = null;
example = 2;
};

18
nixpatches/03-whalebird-4.6.0.patch Normal file
View File

@@ -0,0 +1,18 @@
diff --git a/pkgs/applications/misc/whalebird/default.nix b/pkgs/applications/misc/whalebird/default.nix
index 9b8a7f0a348..0f60f74c91b 100644
--- a/pkgs/applications/misc/whalebird/default.nix
+++ b/pkgs/applications/misc/whalebird/default.nix
@@ -3,11 +3,11 @@
stdenv.mkDerivation rec {
pname = "whalebird";
- version = "4.5.4";
+ version = "4.6.0";
src = fetchurl {
url = "https://github.com/h3poteto/whalebird-desktop/releases/download/${version}/Whalebird-${version}-linux-x64.deb";
- sha256 = "048c2hpnlzjli8r1lcm7hd32qfsq4p9vkimrgc049yw9f15ndjpr";
+ sha256 = "d8042eb21e4320771782a1835a591252894ad657eec46248c807d5a772e1938e";
};
nativeBuildInputs = [

262
nixpatches/04-dart-2.7.0.patch
View File

@@ -36,19 +36,19 @@ index 9eba6773448..f51aeb8b624 100644
patches = getPatches ./patches;
};
diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
index 43538ede339..ece25c14b55 100644
index 43538ede339..26f50f731c2 100644
--- a/pkgs/development/compilers/flutter/flutter.nix
+++ b/pkgs/development/compilers/flutter/flutter.nix
@@ -56,12 +56,15 @@ let
export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
@@ -48,6 +48,7 @@ let
'';
export DART_SDK_PATH="${dart}"
+ export DART="${dart}/bin/dart"
HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
buildPhase = ''
+ set -ex
export FLUTTER_ROOT="$(pwd)"
export FLUTTER_TOOLS_DIR="$FLUTTER_ROOT/packages/flutter_tools"
export SCRIPT_PATH="$FLUTTER_TOOLS_DIR/bin/flutter_tools.dart"
@@ -61,7 +62,7 @@ let
# path is relative otherwise it's replaced by /build/flutter
+ # mkdir -p "$HOME/.cache"
+ # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
pushd "$FLUTTER_TOOLS_DIR"
- ${dart}/bin/pub get --offline
@@ -56,247 +56,3 @@ index 43538ede339..ece25c14b55 100644
popd
local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
new file mode 100644
index 00000000000..0c736f945ea
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
@@ -0,0 +1,102 @@
+diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
+index 468a91a954..5def6897ce 100644
+--- a/dev/bots/prepare_package.dart
++++ b/dev/bots/prepare_package.dart
+@@ -525,7 +525,7 @@ class ArchiveCreator {
+
+ Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
+ return _processRunner.runProcess(
+- <String>['git', ...args],
++ <String>['git', '--git-dir', '.git', ...args],
+ workingDirectory: workingDirectory ?? flutterRoot,
+ );
+ }
+diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
+index bb0eb428a9..4a2a48bb5e 100644
+--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
+@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
+ // Detect unknown versions.
+ final ProcessUtils processUtils = _processUtils!;
+ final RunResult parseResult = await processUtils.run(<String>[
+- 'git', 'describe', '--tags', lastFlutterVersion,
++ 'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
+ ], workingDirectory: workingDirectory);
+ if (parseResult.exitCode != 0) {
+ throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
+@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
+ continue;
+ }
+ final RunResult parseResult = await _processUtils!.run(<String>[
+- 'git', 'describe', '--tags', sha,
++ 'git', '--git-dir', '.git', 'describe', '--tags', sha,
+ ], workingDirectory: workingDirectory);
+ if (parseResult.exitCode == 0) {
+ buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
+diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
+index f2068a6ca2..99b161689e 100644
+--- a/packages/flutter_tools/lib/src/version.dart
++++ b/packages/flutter_tools/lib/src/version.dart
+@@ -106,7 +106,7 @@ class FlutterVersion {
+ String? channel = _channel;
+ if (channel == null) {
+ final String gitChannel = _runGit(
+- 'git rev-parse --abbrev-ref --symbolic @{u}',
++ 'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -114,7 +114,7 @@ class FlutterVersion {
+ if (slash != -1) {
+ final String remote = gitChannel.substring(0, slash);
+ _repositoryUrl = _runGit(
+- 'git ls-remote --get-url $remote',
++ 'git --git-dir .git ls-remote --get-url $remote',
+ globals.processUtils,
+ _workingDirectory,
+ );
+@@ -326,7 +326,7 @@ class FlutterVersion {
+ /// the branch name will be returned as `'[user-branch]'`.
+ String getBranchName({ bool redactUnknownBranches = false }) {
+ _branch ??= () {
+- final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
++ final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
+ return branch == 'HEAD' ? channel : branch;
+ }();
+ if (redactUnknownBranches || _branch!.isEmpty) {
+@@ -359,7 +359,7 @@ class FlutterVersion {
+ /// wrapper that does that.
+ @visibleForTesting
+ static List<String> gitLog(List<String> args) {
+- return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
++ return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
+ }
+
+ /// Gets the release date of the latest available Flutter version.
+@@ -730,7 +730,7 @@ class GitTagVersion {
+
+ static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
+ if (fetchTags) {
+- final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
++ final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
+ if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
+ globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
+ } else {
+@@ -739,7 +739,7 @@ class GitTagVersion {
+ }
+ // find all tags attached to the given [gitRef]
+ final List<String> tags = _runGit(
+- 'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
++ 'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
+
+ // Check first for a stable tag
+ final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
+@@ -760,7 +760,7 @@ class GitTagVersion {
+ // recent tag and number of commits past.
+ return parse(
+ _runGit(
+- 'git describe --match *.*.* --long --tags $gitRef',
++ 'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
+ processUtils,
+ workingDirectory,
+ )
diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
new file mode 100644
index 00000000000..f68029eb7a1
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
@@ -0,0 +1,130 @@
+diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
+index 2aac9686e8..32c4b98b88 100644
+--- a/packages/flutter_tools/lib/src/artifacts.dart
++++ b/packages/flutter_tools/lib/src/artifacts.dart
+@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
+ ) {
+ switch (artifact) {
+ case HostArtifact.engineDartSdkPath:
+- final String path = _dartSdkPath(_cache);
++ final String path = _dartSdkPath(_fileSystem);
+ return _fileSystem.directory(path);
+ case HostArtifact.engineDartBinary:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.flutterWebSdk:
+ final String path = _getFlutterWebSdkPath();
+@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
+ case HostArtifact.dart2jsSnapshot:
+ case HostArtifact.dartdevcSnapshot:
+ case HostArtifact.kernelWorkerSnapshot:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.iosDeploy:
+ final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
+@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
+ String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ switch (artifact) {
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
++ assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
++ return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
+ case Artifact.genSnapshot:
+ assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
+ final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
+ return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.constFinder:
+ case Artifact.flutterFramework:
+ case Artifact.flutterMacOSFramework:
+@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
+ switch (artifact) {
+ case Artifact.genSnapshot:
+ case Artifact.flutterXcframework:
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
+ final String artifactFileName = _artifactToFileName(artifact)!;
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ return _fileSystem.path.join(engineDir, artifactFileName);
+ case Artifact.flutterFramework:
+ final String engineDir = _getEngineArtifactsPath(platform, mode)!;
+ return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.constFinder:
+ case Artifact.flutterMacOSFramework:
+ case Artifact.flutterMacOSPodspec:
+@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
+ // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
+ // android_arm in profile mode because it is available on all supported host platforms.
+ return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
+- case Artifact.frontendServerSnapshotForEngineDartSdk:
+- return _fileSystem.path.join(
+- _dartSdkPath(_cache), 'bin', 'snapshots',
+- _artifactToFileName(artifact),
+- );
+ case Artifact.flutterTester:
+ case Artifact.vmSnapshotData:
+ case Artifact.isolateSnapshotData:
++ case Artifact.frontendServerSnapshotForEngineDartSdk:
+ case Artifact.icuData:
+ final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
+ final String platformDirName = _enginePlatformDirectoryName(platform);
+@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.dartdevcSnapshot:
+- final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
++ final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+ return _fileSystem.file(path);
+ case HostArtifact.kernelWorkerSnapshot:
+ final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
+@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
+ case Artifact.windowsUwpCppClientWrapper:
+ return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+ case Artifact.frontendServerSnapshotForEngineDartSdk:
+- return _fileSystem.path.join(
+- _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
+- );
++ return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
+ case Artifact.uwptool:
+ return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
+ }
+@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
+ }
+
+ /// Locate the Dart SDK.
+-String _dartSdkPath(Cache cache) {
+- return cache.getRoot().childDirectory('dart-sdk').path;
++String _dartSdkPath(FileSystem fileSystem) {
++ return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
+ }
+
+ class _TestArtifacts implements Artifacts {
+diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+index d906511a15..adfdd4bb42 100644
+--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
+@@ -153,10 +153,6 @@ void main() {
+ artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
+ fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
+ );
+- expect(
+- artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
+- fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
+- );
+ });
+
+ testWithoutContext('precompiled web artifact paths are correct', () {
+@@ -322,11 +318,6 @@ void main() {
+ artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
+ fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
+ );
+- expect(
+- artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
+- fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
+- 'snapshots', 'frontend_server.dart.snapshot')
+- );
+ });
+
+ testWithoutContext('getEngineType', () {

43
nixpatches/07-duplicity-rich-url.patch
View File

@@ -1,43 +0,0 @@
diff --git a/nixos/modules/services/backup/duplicity.nix b/nixos/modules/services/backup/duplicity.nix
index 6949fa8b995..33d772ffa37 100644
--- a/nixos/modules/services/backup/duplicity.nix
+++ b/nixos/modules/services/backup/duplicity.nix
@@ -54,6 +54,17 @@ in
'';
};
+ escapeUrl = mkOption {
+ type = types.bool;
+ example = false;
+ default = true;
+ description = ''
+ Whether to escape the targetUrl when passing it to Duplicity as a CLI
+ argument. One might disable this in order to make use of shell
+ expressions such as environment variables.
+ '';
+ };
+
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
@@ -148,7 +159,7 @@ in
script =
let
- target = escapeShellArg cfg.targetUrl;
+ target = if cfg.escapeUrl then (escapeShellArg cfg.targetUrl) else cfg.targetUrl;
extra = escapeShellArgs ([ "--archive-dir" stateDirectory ] ++ cfg.extraFlags);
dup = "${pkgs.duplicity}/bin/duplicity";
in
@@ -158,9 +169,8 @@ in
${lib.optionalString (cfg.cleanup.maxAge != null) "${dup} remove-older-than ${lib.escapeShellArg cfg.cleanup.maxAge} ${target} --force ${extra}"}
${lib.optionalString (cfg.cleanup.maxFull != null) "${dup} remove-all-but-n-full ${toString cfg.cleanup.maxFull} ${target} --force ${extra}"}
${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
- exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArgs (
- [ cfg.root cfg.targetUrl ]
- ++ concatMap (p: [ "--include" p ]) cfg.include
+ exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArg cfg.root} ${target} ${lib.escapeShellArgs (
+ concatMap (p: [ "--include" p ]) cfg.include
++ concatMap (p: [ "--exclude" p ]) cfg.exclude
++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
)} ${extra}

40
nixpatches/10-flutter-arm64.patch
View File

@@ -1,40 +0,0 @@
diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
index 565c44f72e9..f20a3d4e9be 100644
--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
@@ -4,13 +4,19 @@
, olm
, imagemagick
, makeDesktopItem
+, stdenv
}:
+let vendorHashes = {
+ x86_64-linux = "sha256-j5opwEFifa+DMG7Uziv4SWEPVokD6OSq8mSIr0AdDL0=";
+ aarch64-linux = "sha256-gPz/j7oHO2f3DVNNy7DpY/8XTjWt2Kcf3XjFmH81HDs=";
+};
+in
flutter.mkFlutterApp rec {
pname = "fluffychat";
version = "1.2.0";
- vendorHash = "sha256-j5opwEFifa+DMG7Uziv4SWEPVokD6OSq8mSIr0AdDL0=";
+ vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
src = fetchFromGitLab {
owner = "famedly";
diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
index 9eba6773448..e9d352169b2 100644
--- a/pkgs/development/compilers/flutter/default.nix
+++ b/pkgs/development/compilers/flutter/default.nix
@@ -19,6 +19,10 @@ let
url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
};
+ "${dartVersion}-aarch64-linux" = fetchurl {
+ url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
+ sha256 = "sha256-3p0cUoNn+Du9GSvVZa9bfZ1I9295uqTA5M9kcj4/uL4=";
+ };
};
};
in {

57
nixpatches/list.nix
View File

@@ -1,57 +0,0 @@
fetchpatch: [
# phosh: allow fractional scaling
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/175872.diff";
sha256 = "sha256-mEmqhe8DqlyCxkFWQKQZu+2duz69nOkTANh9TcjEOdY=";
})
# for raspberry pi: allow building u-boot for rpi 4{,00}
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
./02-rpi4-uboot.patch
# # flutter.dart: 2.16.1 -> 2.16.2
# (fetchpatch {
# url = "https://github.com/NixOS/nixpkgs/pull/172873.diff";
# sha256 = "sha256-HGYk83XOhFe1wWNCKNdF6s/7laWJ0Jisb8bDJcHVlsQ=";
# })
# # Flutter: 2.10.1->3.0.4
# (fetchpatch {
# url = "https://github.com/NixOS/nixpkgs/pull/173200.diff";
# sha256 = "sha256-g1tZdLTrAJx3ijgabqz8XInC20PQM3FYRENQ7c6NfQw=";
# })
# # dart: 2.17.3 -> 2.18.0
# (fetchpatch {
# url = "https://github.com/NixOS/nixpkgs/pull/189841.diff";
# sha256 = "sha256-E3rTNex7PiFHsLgtb0x9/Q/naqDYD1vFuGyduV4Z6qY=";
# })
# # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
# # (fetchpatch {
# # url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
# # sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
# # })
# enable aarch64 support for flutter's dart package
./10-flutter-arm64.patch
# whalebird: support aarch64
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/176476.diff";
sha256 = "sha256-126DljM06hqPZ3fjLZ3LBZR64nFbeTfzSazEu72d4y8=";
})
# TODO: upstream
./07-duplicity-rich-url.patch
# zecwallet-lite: init at 1.7.13
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/180960.diff";
sha256 = "sha256-HVVj/T3yQtjYBoxXpoPiG9Zar/eik9IoDVDhTOehBdY=";
})
# makemkv: 1.16.7 -> 1.17.1
(fetchpatch {
url = "https://github.com/NixOS/nixpkgs/pull/188342.diff";
sha256 = "sha256-3M4DpvXf5Us70FX5geE0L1Ns23Iw2NG82YNlwSd+WzI=";
})
]

13
pkgs/bootpart-tow-boot-rpi-aarch64/config.txt
View File

@@ -1,13 +0,0 @@
[pi3]
kernel=Tow-Boot.noenv.rpi3.bin
[pi4]
kernel=Tow-Boot.noenv.rpi4.bin
enable_gic=1
armstub=armstub8-gic.bin
disable_overscan=1
[all]
arm_64bit=1
enable_uart=1
avoid_warnings=1

37
pkgs/bootpart-tow-boot-rpi-aarch64/default.nix
View File

@@ -1,37 +0,0 @@
{ stdenv, pkgs }:
stdenv.mkDerivation rec {
pname = "bootpart-tow-boot-rpi-aarch64";
version = "1";
buildInputs = with pkgs; [
tow-boot-rpi4 # for Tow-Boot.*.bin
raspberrypifw # for bootcode.bin, *.dat, *.elf, *.dtb
raspberrypi-armstubs # for armstub*
];
src = ./config.txt;
dontUnpack = true;
installPhase = with pkgs; ''
mkdir "$out"
cp ${tow-boot-rpi4}/Tow-Boot.noenv.*.bin "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.dtb "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.bin "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.dat "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.img "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.elf "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/overlays "$out"/
cp ${raspberrypi-armstubs}/* "$out"/
cp ${src} "$out"/config.txt
'';
meta = {
description = "unmanaged files to place in /boot on a raspberry pi system";
platforms = [ "aarch64-linux" ];
};
}

10
pkgs/bootpart-u-boot-rpi-aarch64/config.txt
View File

@@ -1,10 +0,0 @@
[pi4]
kernel=u-boot.bin
enable_gic=1
armstub=armstub8-gic.bin
disable_overscan=1
[all]
arm_64bit=1
enable_uart=1
avoid_warnings=1

39
pkgs/bootpart-u-boot-rpi-aarch64/default.nix
View File

@@ -1,39 +0,0 @@
{ stdenv, pkgs }:
stdenv.mkDerivation rec {
pname = "bootpart-u-boot-rpi-aarch64";
version = "1";
buildInputs = with pkgs; [
ubootRaspberryPi4_64bit
raspberrypifw # for bootcode.bin, *.dat, *.elf, *.dtb
raspberrypi-armstubs # for armstub*
];
src = ./config.txt;
dontUnpack = true;
installPhase = with pkgs; ''
mkdir "$out"
cp ${ubootRaspberryPi4_64bit}/u-boot.bin "$out"/
cp ${ubootRaspberryPi4_64bit}/*.dtb "$out"/
# NB: raspberrypifw dtb's are meant for the kernel, not for u-boot
# cp -R ${raspberrypifw}/share/raspberrypi/boot/*.dtb "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.bin "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.dat "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.img "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/*.elf "$out"/
cp -R ${raspberrypifw}/share/raspberrypi/boot/overlays "$out"/
cp ${raspberrypi-armstubs}/* "$out"/
cp ${src} "$out"/config.txt
'';
meta = {
description = "unmanaged files to place in /boot on a raspberry pi system";
platforms = [ "aarch64-linux" ];
};
}

37
pkgs/bootpart-uefi-x86_64/default.nix
View File

@@ -1,37 +0,0 @@
{ stdenv, pkgs }:
stdenv.mkDerivation rec {
pname = "bootpart-uefi-x86_64";
version = "1";
buildInputs = [ pkgs.syslinux ];
dontUnpack = true;
installPhase = with pkgs; ''
# populate the EFI directory with syslinux, and configure it to read that extlinux.conf file managed by nixos
mkdir -p "$out/EFI/syslinux" "$out/EFI/BOOT" "$out/syslinux"
cp -R "${syslinux}/share/syslinux/efi64"/* "$out/EFI/syslinux"
echo "DEFAULT trampoline" > "$out/EFI/syslinux/syslinux.cfg"
echo "LABEL trampoline" >> "$out/EFI/syslinux/syslinux.cfg"
echo " SAY trampoline into generic extlinux.conf" >> "$out/EFI/syslinux/syslinux.cfg"
echo " CONFIG ../../syslinux/syslinux.cfg ../../syslinux" >> "$out/EFI/syslinux/syslinux.cfg"
# we create this "trampoline" layer so that we can setup the UI directive
# and enable a menu before loading the real, nixos-managed extlinux.conf
cp "${syslinux}/share/syslinux/efi64/menu.c32" "$out/syslinux/menu.c32"
echo "UI menu.c32" > "$out/syslinux/syslinux.cfg"
echo "INCLUDE ../extlinux/extlinux.conf" >> "$out/syslinux/syslinux.cfg"
# create the EFI/BOOT/BOOTX64.EFI default entry
cp "$out/EFI/syslinux"/* "$out/EFI/BOOT"
mv "$out/EFI/BOOT/syslinux.efi" "$out/EFI/BOOT/BOOTX64.EFI"
'';
meta = {
description = "unmanaged files to place in /boot on a x86-64 extlinux system";
platforms = [ "x86_64-linux" ];
};
}

13
pkgs/firefox-unwrapped/allow-searchengines-non-esr.patch
View File

@@ -1,13 +0,0 @@
diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
index d436cf1ca1..ecd6e53b9e 100644
--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -1074,7 +1074,7 @@
},
"SearchEngines": {
- "enterprise_only": true,
+ "enterprise_only": false,
"type": "object",
"properties": {

10
pkgs/firefox-unwrapped/default.nix
View File

@@ -1,10 +0,0 @@
{ pkgs }:
(pkgs.firefox-unwrapped.overrideAttrs (upstream: {
# NB: firefox takes about 1hr to build on my 24-thread ryzen desktop
patches = (upstream.patches or []) ++ [
# see https://gitlab.com/librewolf-community/browser/source/-/blob/main/patches/sed-patches/allow-searchengines-non-esr.patch
./allow-searchengines-non-esr.patch
];
}))

2
pkgs/jackett/default.nix
View File

@@ -1,8 +1,6 @@
{ pkgs }:
(pkgs.jackett.overrideAttrs (upstream: {
# 2022-07-29: check phase segfaults on arm (with or without my patches)
doCheck = false;
patches = (upstream.patches or []) ++ [
# bind to an IP address which is usable behind a netns
./01-fix-bind-host.patch

64
pkgs/kaiteki/default.nix
View File

@@ -1,15 +1,16 @@
{ lib
, fetchFromGitHub
, flutter
, olm
, imagemagick
, makeDesktopItem
}:
flutter.mkFlutterApp rec {
pname = "kaiteki";
version = "unstable-2022-06-03";
version = "1.1";
# this hash seems unstable -- depends on other nixpkgs, perhaps?
vendorHash = "sha256-IC3FAPFASuMcNOpUuaB+MDcm9nqGCtq/6A2dCxIXHEg=";
vendorHash = "sha256-N7s63e8z4pAFtFV9cFN+CIIg+A/s8lYfiJWrBkMkkd0=";
src = fetchFromGitHub {
owner = "Kaiteki-Fedi";
@@ -18,23 +19,70 @@ flutter.mkFlutterApp rec {
hash = "sha256-ggDIbVwueS162m15TFaC6Tcg+0lpcVGi4x/O691sxR8";
};
desktopItems = [ (makeDesktopItem {
desktopItem = makeDesktopItem {
name = "Kaiteki";
exec = "kaiteki";
exec = "@out@/bin/kaiteki";
icon = "kaiteki";
desktopName = "Kaiteki";
genericName = "Micro-blogging client";
comment = meta.description;
categories = [ "Network" "InstantMessaging" "GTK" ];
}) ];
};
sourceRoot = "source/src/kaiteki";
# postUnpack = ''
# mv assets assets-toplevel
# mv src/kaiteki/* .
# '';
buildInputs = [
olm
];
nativeBuildInputs = [
imagemagick
];
# flutterExtraFetchCommands = ''
# M=$(echo $TMP/.pub-cache/hosted/pub.dartlang.org/matrix-*)
# sed -i $M/scripts/prepare.sh \
# -e "s|/usr/lib/x86_64-linux-gnu/libolm.so.3|/bin/sh|g" \
# -e "s|if which flutter >/dev/null; then|exit; if which flutter >/dev/null; then|g"
# pushd $M
# bash scripts/prepare.sh
# popd
# '';
# replace olm dummy path
# postConfigure = ''
# M=$(echo $depsFolder/.pub-cache/hosted/pub.dartlang.org/matrix-*)
# ln -sf ${olm}/lib/libolm.so.3 $M/ffi/olm/libolm.so
# '';
# postInstall = ''
# FAV=$out/app/data/flutter_assets/assets/favicon.png
# ICO=$out/share/icons
# install -D $FAV $ICO/fluffychat.png
# mkdir $out/share/applications
# cp $desktopItem/share/applications/*.desktop $out/share/applications
# for s in 24 32 42 64 128 256 512; do
# D=$ICO/hicolor/''${s}x''${s}/apps
# mkdir -p $D
# convert $FAV -resize ''${s}x''${s} $D/fluffychat.png
# done
# substituteInPlace $out/share/applications/*.desktop \
# --subst-var out
# '';
meta = with lib; {
description = "The comfy Fediverse client";
homepage = "https://craftplacer.moe/projects/kaiteki/";
license = licenses.agpl3Plus;
# maintainers = with maintainers; [ colinsane ];
# maintainers = with maintainers; [ uninsane ];
platforms = platforms.linux;
};
}

21
pkgs/linux-megous/default.nix
View File

@@ -1,21 +0,0 @@
{ lib, buildPackages, fetchFromGitHub, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
with lib;
buildLinux (args // rec {
version = "5.18.14";
# modDirVersion needs to be x.y.z, will automatically add .0 if needed
modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
# branchVersion needs to be x.y
extraMeta.branch = versions.majorMinor version;
src = fetchFromGitHub {
owner = "megous";
repo = "linux";
# branch: orange-pi-5.18
rev = "3ef835b665191e4833ae1363245be48e96013df6";
sha256 = "sha256-nQsBXeGLZhpem1p7Vnc8z7XB354AO1mn7VTj/hH5twY=";
};
} // (args.argsOverride or { }))

14
pkgs/nabla/default.nix
View File

@@ -1,14 +0,0 @@
{ pkgs, fetchFromGitHub, ... }:
# buildVimPluginFrom2Nix {
pkgs.vimUtils.buildVimPlugin {
pname = "nabla";
version = "2022-08-17";
src = fetchFromGitHub {
owner = "jbyuki";
repo = "nabla.nvim";
rev = "5379635d71b9877eaa4df822e8a2a5c575d808b0";
sha256 = "sha256-1VabgTnOSsfdhmHnfXl/h9djgNV3Gqro5VOr8ZbUlWw=";
};
meta.homepage = "https://github.com/jbyuki/nabla.nvim/";
}

40
pkgs/overlay.nix
View File

@@ -1,40 +0,0 @@
(next: prev: rec {
#### my own, non-upstreamable packages:
sane-scripts = prev.callPackage ./sane-scripts { };
tow-boot-pinephone = prev.callPackage ./tow-boot-pinephone { };
tow-boot-rpi4 = prev.callPackage ./tow-boot-rpi4 { };
bootpart-uefi-x86_64 = prev.callPackage ./bootpart-uefi-x86_64 { pkgs = prev; };
bootpart-tow-boot-rpi-aarch64 = prev.callPackage ./bootpart-tow-boot-rpi-aarch64 {
# not sure why i can't just do pkgs = next here
pkgs = prev // { inherit tow-boot-rpi4; };
};
bootpart-u-boot-rpi-aarch64 = prev.callPackage ./bootpart-u-boot-rpi-aarch64 {
# not sure why i can't just do pkgs = next here
pkgs = prev // { inherit ubootRaspberryPi4_64bit; };
};
rtl8723cs-firmware = prev.callPackage ./rtl8723cs-firmware { };
linux-megous = prev.callPackage ./linux-megous {
kernelPatches = [
prev.kernelPatches.bridge_stp_helper
prev.kernelPatches.request_key_helper
];
};
#### customized packages
# nixos-unstable pleroma is too far out-of-date for our db
pleroma = prev.callPackage ./pleroma { };
# jackett doesn't allow customization of the bind address: this will probably always be here.
jackett = prev.callPackage ./jackett { pkgs = prev; };
# mozilla keeps nerfing itself and removing configuration options
firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
# systemd = import ./pkgs/systemd { pkgs = prev; };
# patch rpi uboot with something that fixes USB HDD boot
ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
kaiteki = prev.callPackage ./kaiteki { };
nabla = prev.callPackage ./nabla { };
})

36
pkgs/rtl8723cs-firmware/default.nix
View File

@@ -1,36 +0,0 @@
{ lib, stdenv, fetchFromGitHub }:
with lib;
stdenv.mkDerivation {
pname = "rtl8723cs-firmware";
version = "2020-07-05";
src = fetchFromGitHub {
owner = "anarsoul";
repo = "rtl8723bt-firmware";
rev = "8840b1052b4ee426f348cb35e4994c5cafc5fbbd";
sha256 = "sha256-z6OZNDvGbU1g+U9aL/Pq6fB3l7Fxwq6EHSeHgrkqt78=";
};
dontBuild = true;
installPhase = ''
mkdir -p "$out/lib/firmware"
cp -R rtl_bt "$out/lib/firmware"
'';
meta = with lib; {
description = "Firmware for rtl8723bs and rtl8723cs";
# there are many sources for this, none of them authoritative.
# the original binaries likely come from some Realtek SDK, hardcoded into a C array
# if consistent with other drivers, but Realtek does not list this model in their
# downloads page.
# other sources:
# - <https://megous.com/git/linux-firmware>
# - <https://github.com/armbian/firmware>
homepage = "https://github.com/anarsoul/rtl8723bt-firmware";
license = licenses.unfreeRedistributableFirmware;
maintainers = with maintainers; [ colinsane ];
platforms = with platforms; linux;
};
}

78
pkgs/sane-scripts/default.nix
View File

@@ -1,78 +0,0 @@
{ lib
, pkgs
, resholve
}:
# resholve documentation:
# - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
# - generic: https://github.com/abathur/resholve
resholve.mkDerivation {
pname = "sane-scripts";
version = "0.1.0";
src = ./src;
solutions = {
default = {
# note: `scripts` refers to the store path here
scripts = [ "bin/*" ];
interpreter = "${pkgs.bash}/bin/bash";
inputs = with pkgs; [
coreutils
curl
file
findutils
gnugrep
ifuse
inotifyTools
ncurses
oath-toolkit
openssh
rmlint
rsync
ssh-to-age
sops
sudo
which
];
keep = {
# we write here: keep it
"/tmp/rmlint.sh" = true;
# intentionally escapes (into user code)
"$external_cmd" = true;
};
fake = {
external = [
# https://github.com/abathur/resholve/issues/29
"umount"
"sudo"
# this is actually internal; probably a better fix
"sane-mount-servo"
];
};
# list of programs which *can* or *cannot* exec their arguments
execer = [
"cannot:${pkgs.ifuse}/bin/ifuse"
"cannot:${pkgs.oath-toolkit}/bin/oathtool"
"cannot:${pkgs.openssh}/bin/ssh-keygen"
"cannot:${pkgs.rmlint}/bin/rmlint"
"cannot:${pkgs.rsync}/bin/rsync"
"cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
"cannot:${pkgs.sops}/bin/sops"
];
};
};
installPhase = ''
mkdir -p "$out/bin"
cp -R * "$out"/bin/
'';
meta = {
description = "collection of scripts associated with uninsane systems";
homepage = "https://git.uninsane.org";
platforms = lib.platforms.all;
};
}

30
pkgs/sane-scripts/src/sane-dev-cargo-loop
View File

@@ -1,30 +0,0 @@
#!/usr/bin/env bash
# watches PWD for any changes underneath it and re-runs `cargo build --a>
# optionally, provide your own build command as the first argument
external_cmd="cargo build --all"
if [ "x$1" != "x" ]
then
external_cmd=$1
fi
# run this once before starting the inotify
$external_cmd
# other interesting commands to monitor:
# - -e move
# - -e create
# - -e delete
# - -e close_write
# but most (except close_write) seem to cause multiple events per vim :w
# TODO: consider using watchman: https://facebook.github.io/watchman/
# - watchman waits for the root to settle before invoking my command
# so, fewer runs
inotifywait --monitor --recursive \
--timefmt '%d/%m/%y %H:%M' --format '%T %w %f' \
-e modify ./ |
while read -r date time dir file
do
tput reset
$external_cmd
done

18
pkgs/sane-scripts/src/sane-mount-servo
View File

@@ -1,18 +0,0 @@
#!/usr/bin/env bash
set -ex
mnt=/mnt/servo-media-wan
# if lan not mounted, then try to mount it
if ! (test -d /mnt/servo-media-lan/Music)
then
sudo mount /mnt/servo-media-lan && mnt=/mnt/servo-media-lan
fi
# if the needed mount isn't mounted, mount it
if ! (test -d $mnt/Music)
then
sudo mount $mnt
fi
# symlink the fastest mount point into place
sudo ln -sf $mnt /mnt/servo-media

18
pkgs/sane-scripts/src/sane-mount-servo-root
View File

@@ -1,18 +0,0 @@
#!/usr/bin/env bash
set -ex
mnt=/mnt/servo-root-wan
# if lan not mounted, then try to mount it
if ! (test -d /mnt/servo-root-lan/nix)
then
sudo mount /mnt/servo-root-lan && mnt=/mnt/servo-root-lan
fi
# if the needed mount isn't mounted, mount it
if ! (test -d $mnt/nix)
then
sudo mount $mnt
fi
# symlink the fastest mount point into place
sudo ln -sf $mnt /mnt/servo-root

19
pkgs/sane-scripts/src/sane-reclaim-disk-space
View File

@@ -1,19 +0,0 @@
#!/usr/bin/env bash
set -ex
# script to reclaim some hard drive space
sudo nix-collect-garbage
# identify duplicate files in the nix store
rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --progress /nix/store
# link the dupes together (uses ioctl_fideduperange)
# see: https://btrfs.wiki.kernel.org/index.php/Deduplication
# see: https://rmlint.readthedocs.io/en/latest/tutorial.html
sudo mount -o remount,rw /nix/store
/tmp/rmlint.sh -d || true # on failure, we still want to remount ro
# XXX this doesn't work: 'mount point is busy.'
sudo mount -o remount,ro /nix/store
# TODO: instead of using rmlint, could use dduper: https://github.com/Lakshmipathi/dduper
# better perf for btrfs (checksum tests)
# likely also better compression, on account of being block-based instead of whole-file based.
# however, not clearly actively maintained; uses custom btrfs-progs patch; riskier
# might not currently build on nix: https://github.com/NixOS/nixpkgs/issues/175730

Some files were not shown because too many files have changed in this diff Show More