1 Commits
wip/hosts
...
wip/overla
5801da97f3 |
44
flake.lock
generated
44
flake.lock
generated
@@ -60,38 +60,37 @@
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1,
|
||||
"narHash": "sha256-5zCxdHGOS0OOP7vbgTA1iwv9GVr5JSiths7QmgUsU84=",
|
||||
"path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
|
||||
"narHash": "sha256-5eJxyBRYQCoRt92ZFUOdT237Z0VscuNRd0pktDYWJYE=",
|
||||
"path": "nixpatches",
|
||||
"type": "path"
|
||||
},
|
||||
"original": {
|
||||
"path": "/nix/store/9a5k9pfawxzz1sng17si26sc9af39jr1-source/nixpatches",
|
||||
"path": "nixpatches",
|
||||
"type": "path"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1673800717,
|
||||
"narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
|
||||
"owner": "nixos",
|
||||
"lastModified": 1673163619,
|
||||
"narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
|
||||
"rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1673740915,
|
||||
"narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
|
||||
"lastModified": 1673100377,
|
||||
"narHash": "sha256-mT76pTd0YFxT6CwtPhDgHJhuIgLY+ZLSMiQpBufwMG4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
|
||||
"rev": "9f11a2df77cb945c115ae2a65f53f38121597d73",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -103,18 +102,17 @@
|
||||
},
|
||||
"nixpkgs-unpatched": {
|
||||
"locked": {
|
||||
"lastModified": 1673796341,
|
||||
"narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
|
||||
"owner": "nixos",
|
||||
"lastModified": 1673226411,
|
||||
"narHash": "sha256-b6cGb5Ln7Zy80YO66+cbTyGdjZKtkoqB/iIIhDX9gRA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
|
||||
"rev": "aa1d74709f5dac623adb4d48fdfb27cc2c92a4d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
@@ -136,11 +134,11 @@
|
||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1673752321,
|
||||
"narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
|
||||
"lastModified": 1673147300,
|
||||
"narHash": "sha256-gR9OEfTzWfL6vG0qkbn1TlBAOlg4LuW8xK/u0V41Ihc=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "e18eefd2b133a58309475298052c341c08470717",
|
||||
"rev": "2253120d2a6147e57bafb5c689e086221df8032f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
44
flake.nix
44
flake.nix
@@ -1,44 +1,24 @@
|
||||
# FLAKE FEEDBACK:
|
||||
# - if flake inputs are meant to be human-readable, a human should be able to easily track them down given the URL.
|
||||
# - this is not the case with registry URLs, like `nixpkgs/nixos-22.11`.
|
||||
# - this is marginally the case with schemes like `github:nixos/nixpkgs`.
|
||||
# - given the *existing* `git+https://` scheme, i propose expressing github URLs similarly:
|
||||
# - `github+https://github.com/nixos/nixpkgs/tree/nixos-22.11`
|
||||
# - need some way to apply local patches to inputs.
|
||||
#
|
||||
#
|
||||
# DEVELOPMENT DOCS:
|
||||
# - Flake docs: <https://nixos.wiki/wiki/Flakes>
|
||||
# - Flake RFC: <https://github.com/tweag/rfcs/blob/flakes/rfcs/0049-flakes.md>
|
||||
# - Discussion: <https://github.com/NixOS/rfcs/pull/49>
|
||||
# docs:
|
||||
# - <https://nixos.wiki/wiki/Flakes>
|
||||
# - <https://serokell.io/blog/practical-nix-flakes>
|
||||
|
||||
{
|
||||
# XXX: use the `github:` scheme instead of the more readable git+https: because it's *way* more efficient
|
||||
# preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
|
||||
# but `inputs` is required to be a strict attrset: not an expression.
|
||||
inputs = {
|
||||
# <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
|
||||
nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
|
||||
|
||||
# <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
|
||||
nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
|
||||
nixpkgs-stable.url = "nixpkgs/nixos-22.11";
|
||||
nixpkgs-unpatched.url = "nixpkgs/nixos-unstable";
|
||||
nixpkgs = {
|
||||
url = "./nixpatches";
|
||||
url = "path:nixpatches";
|
||||
inputs.nixpkgs.follows = "nixpkgs-unpatched";
|
||||
};
|
||||
mobile-nixos = {
|
||||
# <https://github.com/nixos/mobile-nixos>
|
||||
url = "github:nixos/mobile-nixos";
|
||||
flake = false;
|
||||
};
|
||||
home-manager = {
|
||||
# <https://github.com/nix-community/home-manager/tree/release-22.05>
|
||||
url = "github:nix-community/home-manager?ref=release-22.05";
|
||||
url = "github:nix-community/home-manager/release-22.05";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
sops-nix = {
|
||||
# <https://github.com/Mic92/sops-nix>
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
@@ -63,12 +43,10 @@
|
||||
|
||||
evalHost = { name, local, target }:
|
||||
let
|
||||
# XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy target).nixos`
|
||||
# XXX: we'd prefer to use `nixosSystem = (nixpkgsCompiledBy local).nixos`
|
||||
# but it doesn't propagate config to the underlying pkgs, meaning it doesn't let you use
|
||||
# non-free packages even after setting nixpkgs.allowUnfree.
|
||||
# XXX: patch using the target -- not local -- otherwise the target will
|
||||
# need to emulate the host in order to rebuild!
|
||||
nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
|
||||
nixosSystem = import ((nixpkgsCompiledBy local).path + "/nixos/lib/eval-config.nix");
|
||||
in
|
||||
(nixosSystem {
|
||||
# we use pkgs built for and *by* the target, i.e. emulation, by default.
|
||||
@@ -82,7 +60,6 @@
|
||||
nixpkgs.overlays = [
|
||||
self.overlays.default
|
||||
self.overlays.passthru
|
||||
self.overlays.pins
|
||||
];
|
||||
}
|
||||
];
|
||||
@@ -119,12 +96,11 @@
|
||||
|
||||
overlays = rec {
|
||||
default = pkgs;
|
||||
pkgs = import ./overlays/pkgs.nix;
|
||||
pins = import ./overlays/pins.nix; # TODO: move to `nixpatches/` input
|
||||
pkgs = import ./pkgs/overlay.nix;
|
||||
passthru =
|
||||
let
|
||||
stable = next: prev: {
|
||||
stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
|
||||
stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform}";
|
||||
};
|
||||
mobile = (import "${mobile-nixos}/overlay/overlay.nix");
|
||||
uninsane = uninsane-dot-org.overlay;
|
||||
|
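Review bot: If the `nixpkgs-stable.url = "nixpkgs/nixos-22.11";` and `nixpkgs-unpatched.url = "nixpkgs/nixos-unstable";` forms are the new side (the 44→24 line count of the first hunk and the `"type": "indirect"` entries in the flake.lock hunks point that way), these inputs now resolve through the flake registry instead of a fixed GitHub URL, so what the next `nix flake update` picks up depends on the registry state of the building machine: the global registry is fetched over the network and the system/user registries are local, mutable files. The rev and narHash pinned in flake.lock keep builds reproducible, but the resolution step is an extra trust dependency that the shortened header comment no longer mentions, and `nix registry pin` is the usual way to constrain it. I would keep one line of the removed feedback block next to the inputs: `# NB: registry-style refs (nixpkgs/...) resolve via the flake registry; flake.lock pins the resolved rev, so only "nix flake update" trusts the registry.` The `inputs` attrset continues outside this hunk.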
@@ -1,41 +0,0 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
sops.secrets."ddns_afraid" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
sops.secrets."ddns_he" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."dovecot_passwd" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."duplicity_passphrase" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."freshrss_passwd" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."matrix_synapse_secrets" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
sops.secrets."mautrix_signal_env" = {
|
||||
sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
|
||||
};
|
||||
|
||||
sops.secrets."mediawiki_pw" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."pleroma_secrets" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."wg_ovpns_privkey" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
}
|
@@ -1,34 +0,0 @@
|
||||
# config options:
|
||||
# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
services.signald.enable = true;
|
||||
services.mautrix-signal.enable = true;
|
||||
services.mautrix-signal.environmentFile =
|
||||
config.sops.secrets.mautrix_signal_env.path;
|
||||
|
||||
services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
|
||||
services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
|
||||
services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
|
||||
services.matrix-synapse.settings.app_service_config_files = [
|
||||
# auto-created by mautrix-signal service
|
||||
"/var/lib/mautrix-signal/signal-registration.yaml"
|
||||
];
|
||||
|
||||
systemd.services.mautrix-signal.serviceConfig = {
|
||||
# allow communication to signald
|
||||
SupplementaryGroups = [ "signald" ];
|
||||
ReadWritePaths = [ "/run/signald" ];
|
||||
};
|
||||
|
||||
sane.persist.sys.plaintext = [
|
||||
{ user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
|
||||
];
|
||||
|
||||
sops.secrets."mautrix_signal_env" = {
|
||||
format = "binary";
|
||||
mode = "0440";
|
||||
owner = config.users.users.mautrix-signal.name;
|
||||
group = config.users.users.matrix-synapse.name;
|
||||
};
|
||||
}
|
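--- a/hosts/common/bluetooth.nix
+++ b/hosts/common/bluetooth.nix
@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+
+{
+# persist external pairings by default
+sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+
+sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
+sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
+wantedBeforeBy = [ "bluetooth.service" ];
+# XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
+generated.script.script = builtins.readFile ../../scripts/install-bluetooth + ''
+touch "/var/lib/bluetooth/.secrets.stamp"
+'';
+generated.script.scriptArgs = [ "/run/secrets/bt" ];
+};
+}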
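Review bot: The `touch "/var/lib/bluetooth/.secrets.stamp"` is appended after the install-bluetooth script unconditionally, so if that script fails part-way and does not itself abort (whether it runs under `set -e` is not visible here) the stamp is still created and the install will not be retried on later boots; the iwd stamp added in the hosts/common hunk at `sane.fs."/var/lib/iwd/.secrets.psk.stamp"` has the same shape. If the `generated.script` runner does not already run with `set -e`, prefixing the script with `"set -eu\n" +` ahead of the `builtins.readFile` keeps a failed install from being masked. Unlike the iwd stamp, this one also sets no `generated.acl.mode`; the 0700 on the parent directory covers it, but an explicit `generated.acl.mode = "0600";` avoids depending on that.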
@@ -1,12 +1,5 @@
|
||||
{ config, ... }:
|
||||
{ ... }:
|
||||
|
||||
let
|
||||
mkCrossFrom = localSystem: pkgs: import pkgs.path {
|
||||
inherit localSystem;
|
||||
crossSystem = pkgs.stdenv.hostPlatform.system;
|
||||
inherit (config.nixpkgs) config overlays;
|
||||
};
|
||||
in
|
||||
{
|
||||
# the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
|
||||
# here we just define them all.
|
||||
@@ -15,8 +8,8 @@ in
|
||||
# non-emulated packages build *from* local *for* target.
|
||||
# for large packages like the linux kernel which are expensive to build under emulation,
|
||||
# the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
|
||||
crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
|
||||
crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
|
||||
crossFrom."x86_64-linux" = (prev.forceSystem "x86_64-linux" null).appendOverlays next.overlays;
|
||||
crossFrom."aarch64-linux" = (prev.forceSystem "aarch64-linux" null).appendOverlays next.overlays;
|
||||
})
|
||||
];
|
||||
}
|
||||
|
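Review bot: The new `crossFrom."x86_64-linux" = (prev.forceSystem "x86_64-linux" null).appendOverlays next.overlays;` is not obviously equivalent to the removed `mkCrossFrom`, which imported `pkgs.path` with an explicit `localSystem` and `crossSystem = pkgs.stdenv.hostPlatform.system`; whether `forceSystem` keeps the cross target or only re-evaluates nixpkgs for the given system I cannot tell from this hunk, while the comment above still promises packages built *from* local *for* target. If this was verified, a one-line comment would spare the next reader the check, e.g. `# NOTE(review): confirm forceSystem preserves crossSystem = <target>; mkCrossFrom set it explicitly`. The overlay function enclosing these lines starts outside the hunk.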
@@ -1,10 +1,11 @@
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./bluetooth.nix
|
||||
./cross.nix
|
||||
./feeds.nix
|
||||
./fs.nix
|
||||
./hardware.nix
|
||||
./hardware
|
||||
./i2p.nix
|
||||
./ids.nix
|
||||
./machine-id.nix
|
||||
@@ -29,9 +30,6 @@
|
||||
"/var/lib/machines" # maybe not needed, but would be painful to add a VM and forget.
|
||||
];
|
||||
|
||||
# some services which use private directories error if the parent (/var/lib/private) isn't 700.
|
||||
sane.fs."/var/lib/private".dir.acl.mode = "0700";
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# time.timeZone = "America/Los_Angeles";
|
||||
@@ -41,11 +39,6 @@
|
||||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
# allow `nix-shell` (and probably nix-index?) to locate our patched and custom packages
|
||||
nix.nixPath = [
|
||||
"nixpkgs=${pkgs.path}"
|
||||
"nixpkgs-overlays=${../..}/overlays"
|
||||
];
|
||||
|
||||
# TODO: move this into home-manager?
|
||||
fonts = {
|
||||
|
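Review bot: The 9→6 line count of the `@@ -29,9 +30,6 @@` hunk only fits the removal of `sane.fs."/var/lib/private".dir.acl.mode = "0700";` together with its comment, so on the new side nothing in this file guarantees the mode of /var/lib/private, the directory systemd uses as the root of StateDirectory for DynamicUser= services and expects to be root-owned 0700; the removed comment records that such services fail otherwise. If the persistence layer recreates or bind-mounts that directory with a looser mode, per-service state under it could become readable to other local users on top of the failure the comment describes. If the mode is now enforced by the `sane.fs`/`sane.persist` module itself, a one-line comment saying so, `# /var/lib/private mode is enforced by <module>`, would make that explicit; otherwise the removed line should stay.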
@@ -1,4 +1,4 @@
|
||||
{ lib, sane-data, ... }:
|
||||
{ ... }:
|
||||
let
|
||||
hourly = { freq = "hourly"; };
|
||||
daily = { freq = "daily"; };
|
||||
@@ -12,8 +12,6 @@ let
|
||||
tech = { cat = "tech"; };
|
||||
uncat = { cat = "uncat"; };
|
||||
|
||||
text = { format = "text"; };
|
||||
|
||||
mkRss = format: url: { inherit url format; } // uncat // infrequent;
|
||||
# format-specific helpers
|
||||
mkText = mkRss "text";
|
||||
@@ -23,74 +21,48 @@ let
|
||||
# host-specific helpers
|
||||
mkSubstack = subdomain: { substack = subdomain; };
|
||||
|
||||
fromDb = name:
|
||||
let
|
||||
raw = sane-data.feeds."${name}";
|
||||
in {
|
||||
url = raw.url;
|
||||
# not sure the exact mapping with velocity here: entries per day?
|
||||
freq = lib.mkDefault (
|
||||
if raw.velocity or 0 > 2 then
|
||||
"hourly"
|
||||
else if raw.velocity or 0 > 0.5 then
|
||||
"daily"
|
||||
else if raw.velocity or 0 > 0.1 then
|
||||
"weekly"
|
||||
else
|
||||
"infrequent"
|
||||
);
|
||||
} // lib.optionalAttrs (raw.is_podcast or false) {
|
||||
format = "podcast";
|
||||
} // lib.optionalAttrs (raw.title or "" != "") {
|
||||
title = lib.mkDefault raw.title;
|
||||
};
|
||||
|
||||
podcasts = [
|
||||
(fromDb "lexfridman.com/podcast" // rat)
|
||||
# (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
|
||||
(mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
|
||||
## Astral Codex Ten
|
||||
(fromDb "sscpodcast.libsyn.com" // rat)
|
||||
(mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
|
||||
## Econ Talk
|
||||
(fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
|
||||
## Cory Doctorow -- both podcast & text entries
|
||||
(fromDb "craphound.com" // pol)
|
||||
(mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
|
||||
## Cory Doctorow
|
||||
(mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
|
||||
(mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
|
||||
## Civboot -- https://anchor.fm/civboot
|
||||
(fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
|
||||
(fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
|
||||
(fromDb "allinchamathjason.libsyn.com" // pol)
|
||||
(fromDb "acquired.libsyn.com" // tech)
|
||||
# The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
|
||||
(fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
|
||||
## Civboot
|
||||
(mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
|
||||
(mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
|
||||
(mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
|
||||
(mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
|
||||
(mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
|
||||
## The Daily
|
||||
(mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
|
||||
# The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
|
||||
(fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
|
||||
(fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
|
||||
(mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
|
||||
(mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
|
||||
## Eric Weinstein
|
||||
(fromDb "rss.art19.com/the-portal" // rat)
|
||||
(fromDb "darknetdiaries.com" // tech)
|
||||
## Radiolab -- also available here, but ONLY OVER HTTP: <http://feeds.wnyc.org/radiolab>
|
||||
(fromDb "feeds.feedburner.com/radiolab" // pol)
|
||||
## Sam Harris
|
||||
(fromDb "wakingup.libsyn.com" // pol)
|
||||
## 99% Invisible -- also available here: <https://feeds.simplecast.com/BqbsxVfO>
|
||||
(fromDb "feeds.99percentinvisible.org/99percentinvisible" // pol)
|
||||
(fromDb "rss.acast.com/ft-tech-tonic" // tech)
|
||||
(fromDb "feeds.feedburner.com/dancarlin/history" // rat)
|
||||
(fromDb "rss.art19.com/60-minutes" // pol)
|
||||
(mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
|
||||
(mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
|
||||
(mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
|
||||
(mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
|
||||
## 99% Invisible
|
||||
(mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
|
||||
(mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
|
||||
(mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
|
||||
## 60 minutes (NB: this features more than *just* audio?)
|
||||
(mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
|
||||
## The Verge - Decoder
|
||||
(fromDb "feeds.megaphone.fm/recodedecode" // tech)
|
||||
(mkPod "https://feeds.megaphone.fm/recodedecode" // tech // weekly)
|
||||
## Matrix (chat) Live
|
||||
(fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
|
||||
## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
|
||||
(fromDb "rss.art19.com/your-welcome" // pol)
|
||||
(mkPod "https://feed.podbean.com/matrixlive/feed.xml" // tech // weekly)
|
||||
## Michael Malice - Your Welcome
|
||||
(mkPod "https://www.podcastone.com/podcast?categoryID2=2232" // pol // weekly)
|
||||
];
|
||||
|
||||
texts = [
|
||||
# AGGREGATORS (> 1 post/day)
|
||||
(fromDb "lesswrong.com" // rat)
|
||||
(fromDb "econlib.org" // pol)
|
||||
(mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
|
||||
(mkText "http://www.econlib.org/index.xml" // pol // hourly)
|
||||
|
||||
# AGGREGATORS (< 1 post/day)
|
||||
(mkText "https://palladiummag.com/feed" // uncat // weekly)
|
||||
@@ -103,10 +75,10 @@ let
|
||||
(mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
|
||||
|
||||
# DEVELOPERS
|
||||
(fromDb "uninsane.org" // tech)
|
||||
(fromDb "mg.lol" // tech)
|
||||
(mkText "https://uninsane.org/atom.xml" // infrequent // tech)
|
||||
(mkText "https://mg.lol/blog/rss/" // infrequent // tech)
|
||||
## Ken Shirriff
|
||||
(fromDb "righto.com" // tech)
|
||||
(mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
|
||||
## Vitalik Buterin
|
||||
(mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
|
||||
## ian (Sanctuary)
|
||||
@@ -122,7 +94,7 @@ let
|
||||
(mkText "https://pomeroyb.com/feed.xml" // tech // infrequent)
|
||||
|
||||
# (TECH; POL) COMMENTATORS
|
||||
(fromDb "edwardsnowden.substack.com" // pol // text)
|
||||
(mkSubstack "edwardsnowden" // pol // infrequent)
|
||||
(mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
|
||||
## Ben Thompson
|
||||
(mkText "https://www.stratechery.com/rss" // pol // weekly)
|
||||
@@ -176,11 +148,4 @@ let
|
||||
in
|
||||
{
|
||||
sane.feeds = texts ++ images ++ podcasts;
|
||||
|
||||
assertions = builtins.map
|
||||
(p: {
|
||||
assertion = p.format or "unknown" == "podcast";
|
||||
message = ''${p.url} is not a podcast: ${p.format or "unknown"}'';
|
||||
})
|
||||
podcasts;
|
||||
}
|
||||
|
@@ -2,6 +2,7 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
./all.nix
|
||||
./x86_64.nix
|
||||
];
|
||||
}
|
@@ -1,7 +1,8 @@
|
||||
{ lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
config = lib.mkIf (pkgs.system == "x86_64-linux") {
|
||||
config = mkIf (pkgs.system == "x86_64-linux") {
|
||||
boot.initrd.availableKernelModules = [
|
||||
"xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
|
||||
"usb_storage" # rpi needed this to boot from usb storage, i think.
|
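Review bot: The new side adds a file-level `with lib;` so that `config = mkIf (pkgs.system == "x86_64-linux") {` can drop the `lib.` prefix (the 7→8 line count of this hunk admits only that assignment). A `with` at file scope makes every unqualified name in the file potentially come from lib, which hides where identifiers are bound and lets a typo that happens to match a lib attribute evaluate instead of erroring; the ssh-pubkeys hunk in this same compare goes the other way and spells out `lib.mkMerge`, `lib.mkIf`. Keeping `config = lib.mkIf (pkgs.system == "x86_64-linux") {` without the `with` is the more explicit form. The attrset continues outside the hunk.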
@@ -21,10 +21,6 @@
|
||||
sane.ids.freshrss.uid = 2401;
|
||||
sane.ids.freshrss.gid = 2401;
|
||||
sane.ids.mediawiki.uid = 2402;
|
||||
sane.ids.signald.uid = 2403;
|
||||
sane.ids.signald.gid = 2403;
|
||||
sane.ids.mautrix-signal.uid = 2404;
|
||||
sane.ids.mautrix-signal.gid = 2404;
|
||||
|
||||
sane.ids.colin.uid = 1000;
|
||||
sane.ids.guest.uid = 1100;
|
||||
|
@@ -1,6 +1,16 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
# if using router's DNS, these mappings will already exist.
|
||||
# if using a different DNS provider (which servo does), then we need to explicity provide them.
|
||||
# ugly hack. would be better to get servo to somehow use the router's DNS
|
||||
networking.hosts = {
|
||||
"192.168.0.5" = [ "servo" ];
|
||||
"192.168.0.20" = [ "lappy" ];
|
||||
"192.168.0.22" = [ "desko" ];
|
||||
"192.168.0.48" = [ "moby" ];
|
||||
};
|
||||
|
||||
# the default backend is "wpa_supplicant".
|
||||
# wpa_supplicant reliably picks weak APs to connect to.
|
||||
# see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
|
||||
@@ -20,4 +30,14 @@
|
||||
General.RoamThreshold = "-52"; # default -70
|
||||
General.RoamThreshold5G = "-52"; # default -76
|
||||
};
|
||||
|
||||
sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
|
||||
wantedBeforeBy = [ "iwd.service" ];
|
||||
generated.acl.mode = "0600";
|
||||
# XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
|
||||
generated.script.script = builtins.readFile ../../scripts/install-iwd + ''
|
||||
touch "/var/lib/iwd/.secrets.psk.stamp"
|
||||
'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
|
||||
};
|
||||
}
|
||||
|
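Review bot: The `networking.hosts` block hard-codes the four LAN addresses that the deleted hostnames.nix derived from `config.sane.hosts.by-name` (the `lib.mapAttrs' (host: cfg: { name = cfg.lan-ip; ...` hunk further down this page), so a host's IP is no longer kept in one place; an address change elsewhere leaves a stale /etc/hosts entry that quietly sends connections for that name to whichever machine next holds the address, because these entries take precedence over DNS. The retained comment's own caveat about this being an ugly hack still applies. I would at least name the source of truth above the block: `# keep in sync with <where LAN IPs are assigned>; entries here override DNS for these names`.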
@@ -1,33 +1,24 @@
|
||||
{ config, lib, sane-data, sane-lib, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) head map mapAttrs tail;
|
||||
inherit (lib) concatStringsSep mkMerge reverseList;
|
||||
in
|
||||
{
|
||||
sane.ssh.pubkeys =
|
||||
let
|
||||
# path is a DNS-style path like [ "org" "uninsane" "root" ]
|
||||
keyNameForPath = path:
|
||||
let
|
||||
rev = reverseList path;
|
||||
name = head rev;
|
||||
host = concatStringsSep "." (tail rev);
|
||||
rev = lib.reverseList path;
|
||||
name = builtins.head rev;
|
||||
host = lib.concatStringsSep "." (builtins.tail rev);
|
||||
in
|
||||
"${name}@${host}";
|
||||
|
||||
# [{ path :: [String], value :: String }] for the keys we want to install
|
||||
globalKeys = sane-lib.flattenAttrs sane-data.keys;
|
||||
domainKeys = sane-lib.flattenAttrs (
|
||||
mapAttrs (host: cfg: {
|
||||
colin = cfg.ssh.user_pubkey;
|
||||
root = cfg.ssh.host_pubkey;
|
||||
}) config.sane.hosts.by-name
|
||||
);
|
||||
in mkMerge (map
|
||||
localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
|
||||
in lib.mkMerge (builtins.map
|
||||
({ path, value }: {
|
||||
"${keyNameForPath path}" = lib.mkIf (value != null) value;
|
||||
"${keyNameForPath path}" = value;
|
||||
})
|
||||
(globalKeys ++ domainKeys)
|
||||
(globalKeys ++ localKeys)
|
||||
);
|
||||
}
|
||||
|
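Review bot: On the side that reads `"${keyNameForPath path}" = value;` (by the 33→24 line counts this is the new side, alongside `localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local`), the `lib.mkIf (value != null)` guard of the other side is gone, so a null leaf in sane-data.keys would be installed as a pubkey entry instead of being dropped; whether sane-data can contain nulls is not visible here. If it can, keep `"${keyNameForPath path}" = lib.mkIf (value != null) value;`; if it cannot, a short comment stating that leaves are non-null by construction would document why the guard was removed. The same hunk replaces the `inherit (lib) ...` prelude with fully-qualified `lib.`/`builtins.` names, which is the clearer style.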
@@ -86,7 +86,6 @@ in
|
||||
"Pictures"
|
||||
"Videos"
|
||||
|
||||
".cache/nix"
|
||||
".cargo"
|
||||
".rustup"
|
||||
];
|
||||
|
@@ -6,16 +6,12 @@
|
||||
|
||||
# sane.packages.enableDevPkgs = true;
|
||||
|
||||
sane.roles.client = true;
|
||||
sane.services.wg-home.enable = true;
|
||||
sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
|
||||
sane.gui.sway.enable = true;
|
||||
sane.services.duplicity.enable = true;
|
||||
sane.services.nixserve.enable = true;
|
||||
sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
|
||||
sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
|
||||
sane.persist.enable = true;
|
||||
|
||||
sane.gui.sway.enable = true;
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
||||
|
||||
@@ -23,7 +19,7 @@
|
||||
services.usbmuxd.enable = true;
|
||||
|
||||
sops.secrets.colin-passwd = {
|
||||
sopsFile = ../../../secrets/desko.yaml;
|
||||
sopsFile = ../../secrets/desko.yaml;
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
||||
@@ -45,7 +41,7 @@
|
||||
};
|
||||
|
||||
sops.secrets.duplicity_passphrase = {
|
||||
sopsFile = ../../../secrets/desko.yaml;
|
||||
sopsFile = ../../secrets/desko.yaml;
|
||||
};
|
||||
|
||||
programs.steam = {
|
@@ -1,16 +1,12 @@
|
||||
# trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
|
||||
|
||||
# args from flake-level `import`
|
||||
{ hostName, localSystem }:
|
||||
|
||||
# module args
|
||||
{ config, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./by-name/${hostName}
|
||||
./${hostName}
|
||||
./common
|
||||
./modules
|
||||
];
|
||||
|
||||
networking.hostName = hostName;
|
||||
|
@@ -1,13 +1,9 @@
|
||||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./fs.nix
|
||||
];
|
||||
|
||||
sane.roles.client = true;
|
||||
sane.services.wg-home.enable = true;
|
||||
sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
|
||||
|
||||
# sane.packages.enableDevPkgs = true;
|
||||
|
||||
# sane.users.guest.enable = true;
|
||||
@@ -18,7 +14,7 @@
|
||||
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
||||
|
||||
sops.secrets.colin-passwd = {
|
||||
sopsFile = ../../../secrets/lappy.yaml;
|
||||
sopsFile = ../../secrets/lappy.yaml;
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
@@ -6,11 +6,6 @@
|
||||
./kernel.nix
|
||||
];
|
||||
|
||||
sane.roles.client = true;
|
||||
# TODO
|
||||
# sane.services.wg-home.enable = true;
|
||||
# sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
|
||||
|
||||
# cross-compiled documentation is *slow*.
|
||||
# no obvious way to natively compile docs (2022/09/29).
|
||||
# entrypoint is nixos/modules/misc/documentation.nix
|
||||
@@ -24,7 +19,7 @@
|
||||
services.getty.autologinUser = "root"; # allows for emergency maintenance?
|
||||
|
||||
sops.secrets.colin-passwd = {
|
||||
sopsFile = ../../../secrets/moby.yaml;
|
||||
sopsFile = ../../secrets/moby.yaml;
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
@@ -125,9 +125,6 @@ in
|
||||
# aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
|
||||
# make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
|
||||
FB_SUN5I_EINK = no;
|
||||
# used by the pinephone pro, but fails to compile with:
|
||||
# ../drivers/media/i2c/ov8858.c:1834:27: error: implicit declaration of function 'compat_ptr'
|
||||
VIDEO_OV8858 = no;
|
||||
})
|
||||
))
|
||||
];
|
@@ -1,12 +0,0 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./derived-secrets.nix
|
||||
./hardware
|
||||
./hostnames.nix
|
||||
./hosts.nix
|
||||
./roles
|
||||
./wg-home.nix
|
||||
];
|
||||
}
|
@@ -1,47 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) toString;
|
||||
inherit (lib) mapAttrs mkOption types;
|
||||
cfg = config.sane.derived-secrets;
|
||||
secret = types.submodule {
|
||||
options = {
|
||||
len = mkOption {
|
||||
type = types.int;
|
||||
};
|
||||
encoding = mkOption {
|
||||
type = types.enum [ "base64" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
options = {
|
||||
sane.derived-secrets = mkOption {
|
||||
type = types.attrsOf secret;
|
||||
default = {};
|
||||
description = ''
|
||||
fs path => secret options.
|
||||
for each entry, we create an item at the given path whose value is deterministic,
|
||||
but also pseudo-random and not predictable by anyone without root access to the machine.
|
||||
as PRNG source we use the host ssh key, and derived secrets are salted based on the destination path.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
sane.fs = mapAttrs (path: c: {
|
||||
generated.script.script = ''
|
||||
echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
|
||||
| sha512sum \
|
||||
| cut -c 1-${toString (c.len * 2)} \
|
||||
| tr a-z A-Z \
|
||||
| basenc -d --base16 \
|
||||
| basenc --${c.encoding} \
|
||||
> "$1"
|
||||
'';
|
||||
generated.script.scriptArgs = [ path ];
|
||||
generated.acl.mode = "0600";
|
||||
}) cfg;
|
||||
};
|
||||
}
|
@@ -1,11 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
# if using router's DNS, these mappings will already exist.
|
||||
# if using a different DNS provider (which servo does), then we need to explicity provide them.
|
||||
# ugly hack. would be better to get servo to somehow use the router's DNS
|
||||
networking.hosts = lib.mapAttrs' (host: cfg: {
|
||||
name = cfg.lan-ip;
|
||||
value = [ host ];
|
||||
}) config.sane.hosts.by-name;
|
||||
}
|
@@ -1,98 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) attrValues filterAttrs mkMerge mkOption types;
|
||||
cfg = config.sane.hosts;
|
||||
|
||||
host = types.submodule ({ config, ... }: {
|
||||
options = {
|
||||
ssh.user_pubkey = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
ssh pubkey that the primary user of this machine will use when connecting to other machines.
|
||||
e.g. "ssh-ed25519 AAAA<base64>".
|
||||
'';
|
||||
};
|
||||
ssh.host_pubkey = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
ssh pubkey which this host will present to connections initiated against it.
|
||||
e.g. "ssh-ed25519 AAAA<base64>".
|
||||
'';
|
||||
};
|
||||
wg-home.pubkey = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
wireguard public key for the wg-home VPN.
|
||||
e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
|
||||
'';
|
||||
};
|
||||
wg-home.ip = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
IP address to use on the wg-home VPN.
|
||||
e.g. "10.0.10.5";
|
||||
'';
|
||||
};
|
||||
wg-home.endpoint = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
};
|
||||
lan-ip = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
ip address when on the lan.
|
||||
e.g. "192.168.0.5";
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
in
|
||||
{
|
||||
options = {
|
||||
sane.hosts.by-name = mkOption {
|
||||
type = types.attrsOf host;
|
||||
default = {};
|
||||
description = ''
|
||||
map of hostname => attrset of information specific to that host,
|
||||
like its ssh pubkey, etc.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
# TODO: this should be populated per-host
|
||||
sane.hosts.by-name."desko" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
|
||||
wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
|
||||
wg-home.ip = "10.0.10.22";
|
||||
lan-ip = "192.168.0.22";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."lappy" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
||||
wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
|
||||
wg-home.ip = "10.0.10.20";
|
||||
lan-ip = "192.168.0.20";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."moby" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
|
||||
lan-ip = "192.168.0.48";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."servo" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
||||
wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
|
||||
wg-home.ip = "10.0.10.5";
|
||||
wg-home.endpoint = "uninsane.org:51820";
|
||||
lan-ip = "192.168.0.5";
|
||||
};
|
||||
};
|
||||
}
|
@@ -1,18 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = lib.mkIf config.sane.roles.client {
|
||||
# persist external pairings by default
|
||||
sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
|
||||
|
||||
sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
|
||||
sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
|
||||
wantedBeforeBy = [ "bluetooth.service" ];
|
||||
# XXX: install-bluetooth uses sed, but that's part of the default systemd unit path, it seems
|
||||
generated.script.script = builtins.readFile ../../../../scripts/install-bluetooth + ''
|
||||
touch "/var/lib/bluetooth/.secrets.stamp"
|
||||
'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/bt" ];
|
||||
};
|
||||
};
|
||||
}
|
@@ -1,17 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkIf mkOption types;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./bluetooth-pairings.nix
|
||||
./wifi-pairings.nix
|
||||
];
|
||||
|
||||
# option is consumed by the other imports in this dir
|
||||
options.sane.roles.client = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
}
|
@@ -1,15 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = lib.mkIf config.sane.roles.client {
|
||||
sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
|
||||
wantedBeforeBy = [ "iwd.service" ];
|
||||
generated.acl.mode = "0600";
|
||||
# XXX: install-iwd uses sed, but that's part of the default systemd unit path, it seems
|
||||
generated.script.script = builtins.readFile ../../../../scripts/install-iwd + ''
|
||||
touch "/var/lib/iwd/.secrets.psk.stamp"
|
||||
'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
|
||||
};
|
||||
};
|
||||
}
|
@@ -1,6 +0,0 @@
|
||||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
./client
|
||||
];
|
||||
}
|
@@ -1,80 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) filter map;
|
||||
inherit (lib) concatMap mapAttrsToList mkIf mkMerge mkOption optionalAttrs types;
|
||||
cfg = config.sane.services.wg-home;
|
||||
server-cfg = config.sane.hosts.by-name."servo".wg-home;
|
||||
mkPeer = { ips, pubkey, endpoint }: {
|
||||
publicKey = pubkey;
|
||||
allowedIPs = map (k: "${k}/32") ips;
|
||||
} // (optionalAttrs (endpoint != null) {
|
||||
inherit endpoint;
|
||||
# send keepalives every 25 seconds to keep NAT routes live.
|
||||
# only need to do this from client -> server though, i think.
|
||||
persistentKeepalive = 25;
|
||||
# allows wireguard to notice DNS/hostname changes, with this much effective TTL.
|
||||
dynamicEndpointRefreshSeconds = 600;
|
||||
});
|
||||
# make separate peers to route each given host
|
||||
mkClientPeers = hosts: map (p: mkPeer {
|
||||
inherit (p) pubkey endpoint;
|
||||
ips = [ p.ip ];
|
||||
}) hosts;
|
||||
# make a single peer which routes all the given hosts
|
||||
mkServerPeer = hosts: mkPeer {
|
||||
inherit (server-cfg) pubkey endpoint;
|
||||
ips = map (h: h.ip) hosts;
|
||||
};
|
||||
in
|
||||
{
|
||||
options = {
|
||||
sane.services.wg-home.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
sane.services.wg-home.ip = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# generate a (deterministic) wireguard private key
|
||||
sane.derived-secrets."/run/wg-home.priv" = {
|
||||
len = 32;
|
||||
encoding = "base64";
|
||||
};
|
||||
|
||||
# wireguard VPN which allows everything on my domain to speak to each other even when
|
||||
# not behind a shared LAN.
|
||||
# this config defines both the endpoint (server) and client configs
|
||||
|
||||
# for convenience, have both the server and client use the same port for their wireguard connections.
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
networking.wireguard.interfaces.wg-home = {
|
||||
listenPort = 51820;
|
||||
privateKeyFile = "/run/wg-home.priv";
|
||||
preSetup =
|
||||
let
|
||||
gen-key = config.sane.fs."/run/wg-home.priv".unit;
|
||||
in
|
||||
"${pkgs.systemd}/bin/systemctl start '${gen-key}'";
|
||||
|
||||
ips = [
|
||||
"${cfg.ip}/24"
|
||||
];
|
||||
|
||||
peers =
|
||||
let
|
||||
all-peers = mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name;
|
||||
peer-list = filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers;
|
||||
in
|
||||
if cfg.ip == server-cfg.ip then
|
||||
# if we're the server, then we maintain the entire client list
|
||||
mkClientPeers peer-list
|
||||
else
|
||||
# but if we're a client, we maintain a single peer -- the server -- which does the actual routing
|
||||
[ (mkServerPeer peer-list) ];
|
||||
};
|
||||
};
|
||||
}
|
@@ -1,29 +1,29 @@
|
||||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./fs.nix
|
||||
./net.nix
|
||||
./users.nix
|
||||
./secrets.nix
|
||||
./services
|
||||
];
|
||||
|
||||
sane.packages.extraUserPkgs = with pkgs; [
|
||||
sane.packages.extraUserPkgs = [
|
||||
# for administering services
|
||||
freshrss
|
||||
matrix-synapse
|
||||
signaldctl
|
||||
pkgs.matrix-synapse
|
||||
pkgs.freshrss
|
||||
];
|
||||
sane.persist.enable = true;
|
||||
sane.services.dyn-dns.enable = true;
|
||||
sane.services.wg-home.enable = true;
|
||||
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
||||
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
||||
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
||||
|
||||
sops.secrets.duplicity_passphrase = {
|
||||
sopsFile = ../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
# both transmission and ipfs try to set different net defaults.
|
||||
# we just use the most aggressive of the two here:
|
||||
boot.kernel.sysctl = {
|
@@ -52,18 +52,18 @@
|
||||
|
||||
# services.resolved.extraConfig = ''
|
||||
# # docs: `man resolved.conf`
|
||||
# # DNS servers to use via the `wg-ovpns` interface.
|
||||
# # DNS servers to use via the `wg0` interface.
|
||||
# # i hope that from the root ns, these aren't visible.
|
||||
# DNS=46.227.67.134%wg-ovpns 192.165.9.158%wg-ovpns
|
||||
# DNS=46.227.67.134%wg0 192.165.9.158%wg0
|
||||
# FallbackDNS=1.1.1.1 9.9.9.9
|
||||
# '';
|
||||
|
||||
# OVPN CONFIG (https://www.ovpn.com):
|
||||
# DOCS: https://nixos.wiki/wiki/WireGuard
|
||||
# if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
|
||||
# if you `systemctl restart wireguard-wg0`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
|
||||
# TODO: why not create the namespace as a seperate operation (nix config for that?)
|
||||
networking.wireguard.enable = true;
|
||||
networking.wireguard.interfaces.wg-ovpns = let
|
||||
networking.wireguard.interfaces.wg0 = let
|
||||
ip = "${pkgs.iproute2}/bin/ip";
|
||||
in-ns = "${ip} netns exec ovpns";
|
||||
iptables = "${pkgs.iptables}/bin/iptables";
|
||||
@@ -159,10 +159,13 @@
|
||||
# create a new routing table that we can use to proxy traffic out of the root namespace
|
||||
# through the ovpns namespace, and to the WAN via VPN.
|
||||
networking.iproute2.rttablesExtraConfig = ''
|
||||
5 ovpns
|
||||
5 ovpns
|
||||
'';
|
||||
networking.iproute2.enable = true;
|
||||
|
||||
sops.secrets."wg_ovpns_privkey" = {
|
||||
sopsFile = ../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
# HURRICANE ELECTRIC CONFIG:
|
||||
# networking.sits = {
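Review bot: The `sops.secrets."wg_ovpns_privkey"` declaration that appears to be added at the end of the `@@ -159` hunk sets only `sopsFile`, so owner and mode fall back to the sops-nix defaults (root-owned, 0400 as far as I can tell); that is the right posture for a WireGuard private key, but pinning it explicitly stops a later edit from quietly loosening it, e.g. `sops.secrets."wg_ovpns_privkey" = { sopsFile = ../../secrets/servo.yaml; owner = "root"; mode = "0400"; };` with a comment naming the consumer. The consumer itself is not visible: `networking.wireguard.interfaces.wg0` opens in the `@@ -52` hunk and its `privateKeyFile` is outside the shown lines, so confirm it references `config.sops.secrets.wg_ovpns_privkey.path` rather than a hard-coded `/run/secrets/...` string that would silently desynchronise on a rename. Separately, the `@@ -1` hunk keeps `sops.secrets.duplicity_passphrase` declared while the duplicity service remains commented out ("re-enable after HW upgrade"), so as I read sops-nix the passphrase is still decrypted onto the host at every activation with no consumer; gating the declaration on the service's enable option, or moving it next to the consumer, keeps that exposure minimal. This file section has three hunks and the `@@ -1` hunk also drops `config` from the module arguments, so any gating expression would need `config` (and `lib`) re-added to `{ pkgs, ... }:`.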
|
@@ -24,4 +24,8 @@ lib.mkIf false
|
||||
OnUnitActiveSec = "10min";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets."ddns_afraid" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
}
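Review bot: The added `sops.secrets."ddns_afraid"` block gives only `sopsFile`, so the decrypted file will be root-owned 0400 under the sops-nix defaults; the timer-driven unit configured just above (`OnUnitActiveSec = "10min"`) can only read it if that unit runs as root, and its `User` is outside the hunk. If the service runs as a dedicated user, set the owner here rather than loosening the mode later: `owner = "<service-user>"; mode = "0400";`. Note the whole module is wrapped in `lib.mkIf false` (hunk header), so none of this takes effect until it is re-enabled; a one-line comment stating why the module is disabled, e.g. `# disabled: afraid.org updater replaced by ... — keep until verified`, would save the next reader a search.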
|
@@ -27,4 +27,8 @@ lib.mkIf false
|
||||
OnUnitActiveSec = "10min";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets."ddns_he" = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
}
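Review bot: Same concern as the sibling updater: `sops.secrets."ddns_he"` declares only `sopsFile`, which under sops-nix defaults yields a root:0400 file, and whether the `OnUnitActiveSec = "10min"` timer's service runs as root is not visible in this hunk. If it runs as its own user, declare `owner = "<service-user>"; mode = "0400";` here so the secret stays private to that account. The module is under `lib.mkIf false` per the hunk header, so the declaration is currently dormant; a short comment explaining the disablement would make that intent explicit.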
|
@@ -46,8 +46,6 @@
|
||||
}];
|
||||
|
||||
# provide access to certs
|
||||
# TODO: this should just be `acme`. then we also add nginx to the `acme` group.
|
||||
# why is /var/lib/acme/* owned by `nginx` group??
|
||||
users.users.ejabberd.extraGroups = [ "nginx" ];
|
||||
|
||||
security.acme.certs."uninsane.org".extraDomainNames = [
|
@@ -11,7 +11,8 @@
|
||||
|
||||
{ config, lib, pkgs, sane-lib, ... }:
|
||||
{
|
||||
sops.secrets."freshrss_passwd" = {
|
||||
sops.secrets.freshrss_passwd = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
owner = config.users.users.freshrss.name;
|
||||
mode = "0400";
|
||||
};
|
@@ -7,8 +7,8 @@
|
||||
];
|
||||
services.jackett.enable = true;
|
||||
|
||||
systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.jackett.after = [ "wireguard-wg0.service" ];
|
||||
systemd.services.jackett.partOf = [ "wireguard-wg0.service" ];
|
||||
systemd.services.jackett.serviceConfig = {
|
||||
# run this behind the OVPN static VPN
|
||||
NetworkNamespacePath = "/run/netns/ovpns";
|
@@ -6,12 +6,8 @@
|
||||
imports = [
|
||||
./discord-puppet.nix
|
||||
# ./irc.nix
|
||||
./signal.nix
|
||||
];
|
||||
|
||||
# allow synapse to read the registration files of its appservices
|
||||
users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];
|
||||
|
||||
sane.persist.sys.plaintext = [
|
||||
{ user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
|
||||
];
|
||||
@@ -131,7 +127,8 @@
|
||||
};
|
||||
|
||||
|
||||
sops.secrets."matrix_synapse_secrets" = {
|
||||
sops.secrets.matrix_synapse_secrets = {
|
||||
sopsFile = ../../../../secrets/servo.yaml;
|
||||
owner = config.users.users.matrix-synapse.name;
|
||||
};
|
||||
}
|
@@ -43,7 +43,6 @@
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: should use a dedicated user
|
||||
systemd.services.mx-puppet-discord.serviceConfig = {
|
||||
# fix up to not use /var/lib/private, but just /var/lib
|
||||
DynamicUser = lib.mkForce false;
|
@@ -17,5 +17,5 @@
|
||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
|
||||
|
||||
sane.services.nixserve.enable = true;
|
||||
sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
|
||||
sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
|
||||
}
|
@@ -179,7 +179,8 @@
|
||||
|
||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
|
||||
|
||||
sops.secrets."pleroma_secrets" = {
|
||||
sops.secrets.pleroma_secrets = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
owner = config.users.users.pleroma.name;
|
||||
};
|
||||
}
|
@@ -110,8 +110,8 @@ in
|
||||
services.postfix.enableSubmissions = true;
|
||||
services.postfix.submissionsOptions = submissionOptions;
|
||||
|
||||
systemd.services.postfix.after = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.postfix.partOf = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.postfix.after = [ "wireguard-wg0.service" ];
|
||||
systemd.services.postfix.partOf = [ "wireguard-wg0.service" ];
|
||||
systemd.services.postfix.serviceConfig = {
|
||||
# run this behind the OVPN static VPN
|
||||
NetworkNamespacePath = "/run/netns/ovpns";
|
||||
@@ -132,8 +132,8 @@ in
|
||||
# keeping this the same as the hostname seems simplest
|
||||
services.opendkim.selector = "mx";
|
||||
|
||||
systemd.services.opendkim.after = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.opendkim.partOf = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
|
||||
systemd.services.opendkim.partOf = [ "wireguard-wg0.service" ];
|
||||
systemd.services.opendkim.serviceConfig = {
|
||||
# run this behind the OVPN static VPN
|
||||
NetworkNamespacePath = "/run/netns/ovpns";
|
||||
@@ -197,7 +197,8 @@ in
|
||||
# }
|
||||
];
|
||||
|
||||
sops.secrets."dovecot_passwd" = {
|
||||
sops.secrets.dovecot_passwd = {
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
owner = config.users.users.dovecot2.name;
|
||||
# TODO: debug why mail can't be sent without this being world-readable
|
||||
mode = "0444";
|
@@ -40,8 +40,8 @@
|
||||
# transmission will by default not allow the world to read its files.
|
||||
services.transmission.downloadDirPermissions = "775";
|
||||
|
||||
systemd.services.transmission.after = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.transmission.partOf = [ "wireguard-wg-ovpns.service" ];
|
||||
systemd.services.transmission.after = [ "wireguard-wg0.service" ];
|
||||
systemd.services.transmission.partOf = [ "wireguard-wg0.service" ];
|
||||
systemd.services.transmission.serviceConfig = {
|
||||
# run this behind the OVPN static VPN
|
||||
NetworkNamespacePath = "/run/netns/ovpns";
|
@@ -8,6 +8,7 @@ lib.mkIf false
|
||||
{
|
||||
sops.secrets."mediawiki_pw" = {
|
||||
owner = config.users.users.mediawiki.name;
|
||||
sopsFile = ../../../secrets/servo.yaml;
|
||||
};
|
||||
|
||||
services.mediawiki.enable = true;
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1369733,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "Every company has a story. Learn the playbooks that built the world’s greatest companies — and how you can apply them as a founder, operator, or investor.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 173,
|
||||
"last_seen": "2023-01-11T15:26:37.515527+00:00",
|
||||
"last_updated": "2022-12-19T07:22:28+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://acquired.libsyn.com/rss",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Acquired",
|
||||
"url": "https://acquired.libsyn.com/rss",
|
||||
"velocity": 0.066,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1030773,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "Industry veterans, degenerate gamblers & besties Chamath Palihapitiya, Jason Calacanis, David Sacks & David Friedberg cover all things economic, tech, political, social & poker.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 124,
|
||||
"last_seen": "2023-01-11T12:44:53.606606+00:00",
|
||||
"last_updated": "2023-01-06T10:51:00+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://allinchamathjason.libsyn.com/rss",
|
||||
"site_name": "All-In with Chamath, Jason, Sacks & Friedberg",
|
||||
"site_url": "https://allinchamathjason.libsyn.com",
|
||||
"title": "All-In with Chamath, Jason, Sacks & Friedberg",
|
||||
"url": "https://allinchamathjason.libsyn.com/rss",
|
||||
"velocity": 0.12,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,23 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 13316,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "A podcast around the idea of creating a Civilizational Bootstrapper, a set of tools and technology that can be used to replicate the foundations of civilization along with itself.",
|
||||
"favicon": null,
|
||||
"hubs": [
|
||||
"https://pubsubhubbub.appspot.com/"
|
||||
],
|
||||
"is_podcast": true,
|
||||
"is_push": true,
|
||||
"item_count": 6,
|
||||
"last_seen": "2023-01-11T16:11:01.720399+00:00",
|
||||
"last_updated": "2022-04-13T19:37:17+00:00",
|
||||
"score": 22,
|
||||
"self_url": "https://anchor.fm/s/34c7232c/podcast/rss",
|
||||
"site_name": "Anchor",
|
||||
"site_url": "https://anchor.fm",
|
||||
"title": "Civboot",
|
||||
"url": "https://anchor.fm/s/34c7232c/podcast/rss",
|
||||
"velocity": 0.009,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 12669,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "The territory is a map of the map.",
|
||||
"favicon": "http://benjaminrosshoffman.com/favicon.ico",
|
||||
"hubs": [],
|
||||
"is_podcast": false,
|
||||
"is_push": false,
|
||||
"item_count": 10,
|
||||
"last_seen": "2023-01-11T12:32:52.176940+00:00",
|
||||
"last_updated": "2023-01-09T04:33:31+00:00",
|
||||
"score": -15,
|
||||
"self_url": "http://benjaminrosshoffman.com/comments/feed/",
|
||||
"site_name": "Compass Rose",
|
||||
"site_url": "http://benjaminrosshoffman.com",
|
||||
"title": "Comments for Compass Rose",
|
||||
"url": "http://benjaminrosshoffman.com/comments/feed/",
|
||||
"velocity": 0.312,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 56666,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "Cory Doctorow's Literary Works",
|
||||
"favicon": "https://craphound.com/favicon.ico",
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 20,
|
||||
"last_seen": "2023-01-11T12:55:10.545856+00:00",
|
||||
"last_updated": "2022-12-12T14:46:35+00:00",
|
||||
"score": 12,
|
||||
"self_url": "https://craphound.com/feed/",
|
||||
"site_name": "Cory Doctorow's craphound.com | Cory Doctorow's Literary Works",
|
||||
"site_url": "https://craphound.com",
|
||||
"title": "Cory Doctorow's craphound.com",
|
||||
"url": "https://craphound.com/feed/",
|
||||
"velocity": 0.069,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 227480,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "True stories from the dark side of the Internet",
|
||||
"favicon": "https://darknetdiaries.com/imgs/favicon.png",
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 131,
|
||||
"last_seen": "2023-01-11T14:49:53.136566+00:00",
|
||||
"last_updated": "2022-12-27T08:00:00+00:00",
|
||||
"score": 20,
|
||||
"self_url": "https://darknetdiaries.com/feedfree.xml",
|
||||
"site_name": "Darknet Diaries – True stories from the dark side of the Internet.",
|
||||
"site_url": "https://darknetdiaries.com",
|
||||
"title": "Darknet Diaries (ad free)",
|
||||
"url": "https://darknetdiaries.com/feedfree.xml",
|
||||
"velocity": 0.067,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 66775,
|
||||
"content_length": 27184,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "The Library of Economics and Liberty",
|
||||
"favicon": null,
|
||||
@@ -9,13 +9,13 @@
|
||||
"is_push": false,
|
||||
"item_count": 10,
|
||||
"last_seen": "2023-01-11T10:46:38.526754+00:00",
|
||||
"last_updated": "2023-01-10T05:21:31+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://www.econlib.org/feed/",
|
||||
"site_name": "Econlib",
|
||||
"site_url": "https://www.econlib.org",
|
||||
"title": "Econlib",
|
||||
"url": "https://www.econlib.org/feed/",
|
||||
"velocity": 2.549,
|
||||
"last_updated": "2023-01-09T11:30:25+00:00",
|
||||
"score": -18,
|
||||
"self_url": "http://www.econtalk.org/feed/",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "EconTalk Podcast – Econlib",
|
||||
"url": "http://www.econtalk.org/feed/",
|
||||
"velocity": 0.143,
|
||||
"version": "rss20"
|
||||
}
|
||||
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 27185,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "The Library of Economics and Liberty",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": false,
|
||||
"is_push": false,
|
||||
"item_count": 10,
|
||||
"last_seen": "2023-01-11T13:05:47.318206+00:00",
|
||||
"last_updated": "2023-01-09T11:30:25+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://www.econtalk.org/feed/",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "EconTalk Podcast – Econlib",
|
||||
"url": "https://www.econtalk.org/feed",
|
||||
"velocity": 0.143,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 429348,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "The world's most famous whistleblower writes from exile on the intersection of technology, humanity, and power.",
|
||||
"favicon": "https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/2a7d3aa2-3c2f-4196-ab7c-31541be1272e/favicon.ico",
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 16,
|
||||
"last_seen": "2023-01-11T12:32:02.320483+00:00",
|
||||
"last_updated": "2022-09-20T13:03:59+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://edwardsnowden.substack.com/feed",
|
||||
"site_name": "Continuing Ed — with Edward Snowden",
|
||||
"site_url": "https://edwardsnowden.substack.com",
|
||||
"title": "Continuing Ed — with Edward Snowden",
|
||||
"url": "https://edwardsnowden.substack.com/feed",
|
||||
"velocity": 0.032,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 281377,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "Matrix Live, now as an audio podcast",
|
||||
"favicon": "https://feed.podbean.com/favicon.ico",
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 100,
|
||||
"last_seen": "2023-01-11T15:54:24.440541+00:00",
|
||||
"last_updated": "2023-01-06T16:45:00+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://feed.podbean.com/matrixlive/feed.xml",
|
||||
"site_name": null,
|
||||
"site_url": "https://feed.podbean.com",
|
||||
"title": "Matrix Live",
|
||||
"url": "https://feed.podbean.com/matrixlive/feed.xml",
|
||||
"velocity": 0.12,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,23 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1600578,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "Design is everywhere in our lives, perhaps most importantly in the places where we've just stopped noticing. 99% Invisible is a weekly exploration of the process and power of design and architecture. From award winning producer Roman Mars. Learn more at 99percentinvisible.org.",
|
||||
"favicon": null,
|
||||
"hubs": [
|
||||
"https://simplecast.superfeedr.com/"
|
||||
],
|
||||
"is_podcast": true,
|
||||
"is_push": true,
|
||||
"item_count": 577,
|
||||
"last_seen": "2023-01-11T15:25:01.536556+00:00",
|
||||
"last_updated": "2023-01-10T23:46:05+00:00",
|
||||
"score": 4,
|
||||
"self_url": "https://feeds.simplecast.com/BqbsxVfO",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "99% Invisible",
|
||||
"url": "https://feeds.simplecast.com/BqbsxVfO",
|
||||
"velocity": 0.128,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,23 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1505641,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "<p>Unusually in-depth conversations about the world's most pressing problems and what you can do to solve them.<br /></p>",
|
||||
"favicon": null,
|
||||
"hubs": [
|
||||
"https://pubsubhubbub.appspot.com/"
|
||||
],
|
||||
"is_podcast": true,
|
||||
"is_push": true,
|
||||
"item_count": 181,
|
||||
"last_seen": "2023-01-11T13:29:43.501516+00:00",
|
||||
"last_updated": "2023-01-09T22:57:00+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://feeds.backtracks.fm/feeds/80000hours/80000-hours-podcast-with-rob-wiblin/feed.xml",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "80,000 Hours Podcast with Rob Wiblin",
|
||||
"url": "https://feeds.feedburner.com/80000HoursPodcast",
|
||||
"velocity": 0.087,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 23712,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "This isn't academic history (and Carlin isn't a historian) but the podcast's unique blend of high drama, masterful narration and Twilight Zone-style twists has entertained millions of listeners.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 13,
|
||||
"last_seen": "2023-01-11T15:05:34.359948+00:00",
|
||||
"last_updated": "2022-03-06T19:08:44+00:00",
|
||||
"score": 2,
|
||||
"self_url": "https://feeds.feedburner.com/dancarlin/history?format=xml",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Dan Carlin's Hardcore History",
|
||||
"url": "https://feeds.feedburner.com/dancarlin/history",
|
||||
"velocity": 0.005,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 62633,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "Articles, speeches, stories and novels by an award-winning science fiction writer, read aloud in small regular chunks",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 20,
|
||||
"last_seen": "2023-01-11T12:57:50.103797+00:00",
|
||||
"last_updated": "2022-12-12T14:46:35+00:00",
|
||||
"score": 4,
|
||||
"self_url": "https://craphound.com/category/podcast/feed/",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Podcast – Cory Doctorow's craphound.com",
|
||||
"url": "https://feeds.feedburner.com/doctorow_podcast",
|
||||
"velocity": 0.068,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1315558,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "Radiolab",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 150,
|
||||
"last_seen": "2023-01-11T15:01:17.273650+00:00",
|
||||
"last_updated": "2023-01-06T15:00:00+00:00",
|
||||
"score": 4,
|
||||
"self_url": "https://www.wnycstudios.org/feeds/series/podcasts",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Radiolab",
|
||||
"url": "https://feeds.feedburner.com/radiolab",
|
||||
"velocity": 0.139,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 2976783,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "A business show about big ideas — and other problems.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 660,
|
||||
"last_seen": "2023-01-11T15:51:13.652417+00:00",
|
||||
"last_updated": "2023-01-10T10:00:00+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://feeds.megaphone.fm/recodedecode",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Decoder with Nilay Patel",
|
||||
"url": "https://feeds.megaphone.fm/recodedecode",
|
||||
"velocity": 0.24,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,23 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 2940192,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "EconTalk: Conversations for the Curious is an award-winning weekly podcast hosted by Russ Roberts of Shalem College in Jerusalem and Stanford's Hoover Institution. The eclectic guest list includes authors, doctors, psychologists, historians, philosophers, economists, and more. Learn how the health care system really works, the serenity that comes from humility, the challenge of interpreting data, how potato chips are made, what it's like to run an upscale Manhattan restaurant, what caused the 2008 financial crisis, the nature of consciousness, and more. EconTalk has been taking the Monday out of Mondays since 2006. All 800+ episodes are available in the archive. Go to EconTalk.org for transcripts, related resources, and comments.",
|
||||
"favicon": null,
|
||||
"hubs": [
|
||||
"https://simplecast.superfeedr.com/"
|
||||
],
|
||||
"is_podcast": true,
|
||||
"is_push": true,
|
||||
"item_count": 875,
|
||||
"last_seen": "2023-01-11T14:31:49.308489+00:00",
|
||||
"last_updated": "2023-01-09T11:30:00+00:00",
|
||||
"score": 24,
|
||||
"self_url": "https://feeds.simplecast.com/wgl4xEgL",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "EconTalk",
|
||||
"url": "https://feeds.simplecast.com/wgl4xEgL",
|
||||
"velocity": 0.142,
|
||||
"version": "rss20"
|
||||
}
|
@@ -10,7 +10,7 @@
|
||||
"is_podcast": true,
|
||||
"is_push": true,
|
||||
"item_count": 300,
|
||||
"last_seen": "2023-01-11T12:40:59.343327+00:00",
|
||||
"last_seen": "2023-01-08T23:41:32.928322+00:00",
|
||||
"last_updated": "2022-12-29T17:35:50+00:00",
|
||||
"score": 20,
|
||||
"self_url": "https://lexfridman.com/feed/podcast/",
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 83074,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "projects & research",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": false,
|
||||
"is_push": false,
|
||||
"item_count": 14,
|
||||
"last_seen": "2023-01-11T12:28:34.383284+00:00",
|
||||
"last_updated": "2021-07-29T05:10:05+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://mg.lol/blog/rss/",
|
||||
"site_name": null,
|
||||
"site_url": "https://mg.lol",
|
||||
"title": "MG",
|
||||
"url": "https://mg.lol/blog/rss/",
|
||||
"velocity": 0.004,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 3568150,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "Post Reports",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 1070,
|
||||
"last_seen": "2023-01-11T14:37:23.650030+00:00",
|
||||
"last_updated": "2023-01-10T21:40:40+00:00",
|
||||
"score": 14,
|
||||
"self_url": "https://podcast.posttv.com/itunes/post-reports.xml",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Post Reports",
|
||||
"url": "https://podcast.posttv.com/itunes/post-reports.xml",
|
||||
"velocity": 0.711,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,23 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 862917,
|
||||
"content_type": "application/atom+xml; charset=utf-8",
|
||||
"description": "Computer history, restoring vintage computers, IC reverse engineering, and whatever",
|
||||
"favicon": "https://www.blogger.com/about/favicon/favicon.ico",
|
||||
"hubs": [
|
||||
"http://pubsubhubbub.appspot.com/"
|
||||
],
|
||||
"is_podcast": false,
|
||||
"is_push": true,
|
||||
"item_count": 25,
|
||||
"last_seen": "2023-01-11T12:29:19.820378+00:00",
|
||||
"last_updated": "2023-01-10T18:21:20.265000+00:00",
|
||||
"score": -2,
|
||||
"self_url": "https://www.blogger.com/feeds/6264947694886887540/posts/default",
|
||||
"site_name": "Blogger.com - Create a unique and beautiful blog easily.",
|
||||
"site_url": "https://www.blogger.com",
|
||||
"title": "Ken Shirriff's blog",
|
||||
"url": "https://www.blogger.com/feeds/6264947694886887540/posts/default",
|
||||
"velocity": 0.12,
|
||||
"version": "atom10"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 550915,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "The show that looks at the way technology is changing our economies, societies and daily lives.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 160,
|
||||
"last_seen": "2023-01-11T15:31:40.303733+00:00",
|
||||
"last_updated": "2022-11-22T05:00:36+00:00",
|
||||
"score": 10,
|
||||
"self_url": "https://feeds.acast.com/public/shows/125ef5a6-6c61-4024-b70e-3487a971a26c",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "FT Tech Tonic",
|
||||
"url": "https://feeds.acast.com/public/shows/125ef5a6-6c61-4024-b70e-3487a971a26c",
|
||||
"velocity": 0.072,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1041745,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "<p>Get the best reporting and storytelling on television from 60 Minutes - on your schedule. Now you can listen to the show in its entirety every week. 60 Minutes is the most successful broadcast in television history with more than 80 Emmys under its belt. 60 Minutes offers unbiased reporting on politics, in-depth investigations and important adventures from around the world- like no one else. </p>",
|
||||
"favicon": "https://rss.art19.com/favicon.ico",
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 374,
|
||||
"last_seen": "2023-01-11T15:45:07.189940+00:00",
|
||||
"last_updated": "2023-01-09T03:00:00+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://rss.art19.com/60-minutes",
|
||||
"site_name": null,
|
||||
"site_url": "https://rss.art19.com",
|
||||
"title": "60 Minutes",
|
||||
"url": "https://rss.art19.com/60-minutes",
|
||||
"velocity": 0.082,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 235911,
|
||||
"content_type": "application/xml; charset=utf-8",
|
||||
"description": "<p>The Portal is an exploration into discovery, including conversations with thought leaders. Host Eric Weinstein, Managing Director of Thiel Capital, brings his unique expertise and diverse roster of guests for a wide range of discussions, including science, culture, business, and capitalism. The show will feature people whose lives demonstrate that portals into what we would normally consider impossible, are indeed possible. Guests include presidential candidate Andrew Yang, NY Times bestselling author Sam Harris, and retired Navy Seal and creator of the hit business podcast Jocko Willink.</p>",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 44,
|
||||
"last_seen": "2023-01-11T14:47:44.995855+00:00",
|
||||
"last_updated": "2020-12-02T07:50:55+00:00",
|
||||
"score": -12,
|
||||
"self_url": "https://www.omnycontent.com/d/playlist/9b7dacdf-a925-4f95-84dc-ac46003451ff/1713c520-edb6-43a3-b1b9-acb8002fdae7/58e33a0c-f86b-41c5-a11c-acb8002fdaf5/podcast.rss",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "The Portal",
|
||||
"url": "https://www.omnycontent.com/d/playlist/9b7dacdf-a925-4f95-84dc-ac46003451ff/1713c520-edb6-43a3-b1b9-acb8002fdae7/58e33a0c-f86b-41c5-a11c-acb8002fdaf5/podcast.rss",
|
||||
"velocity": 0.082,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1462485,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": "Michael Malice brings his unique perspective – and plenty of sick burns – as he discusses everything from north Korea to American politics and culture with a bevy of guests.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 238,
|
||||
"last_seen": "2023-01-11T15:58:45.264936+00:00",
|
||||
"last_updated": "2023-01-04T10:40:00+00:00",
|
||||
"score": -10,
|
||||
"self_url": "http://origin.podcastone.com/podcast?categoryID2=2232",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "\"YOUR WELCOME\" with Michael Malice",
|
||||
"url": "https://www.podcastone.com/podcast?categoryID2=2232",
|
||||
"velocity": 0.141,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 809084,
|
||||
"content_type": "application/xml+rss; charset=utf-8",
|
||||
"description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 217,
|
||||
"last_seen": "2023-01-11T13:40:50.240217+00:00",
|
||||
"last_updated": "2023-01-06T10:37:50+00:00",
|
||||
"score": 16,
|
||||
"self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Deconstructed",
|
||||
"url": "https://rss.prod.firstlook.media/deconstructed/podcast.rss",
|
||||
"velocity": 0.122,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 1034995,
|
||||
"content_type": "application/xml+rss; charset=utf-8",
|
||||
"description": "The people behind The Intercept’s fearless reporting and incisive commentary discuss the crucial issues of our time.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 243,
|
||||
"last_seen": "2023-01-11T14:04:41.283509+00:00",
|
||||
"last_updated": "2022-12-21T10:30:43+00:00",
|
||||
"score": 16,
|
||||
"self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
|
||||
"site_name": null,
|
||||
"site_url": null,
|
||||
"title": "Intercepted",
|
||||
"url": "https://rss.prod.firstlook.media/intercepted/podcast.rss",
|
||||
"velocity": 0.112,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 3905927,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "The official audio version of Astral Codex Ten, with an archive of posts from Slate Star Codex. It's just me reading Scott Alexander's blog posts.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 739,
|
||||
"last_seen": "2023-01-11T11:05:40.604126+00:00",
|
||||
"last_updated": "2023-01-11T05:13:00+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://sscpodcast.libsyn.com/rss",
|
||||
"site_name": "Astral Codex Ten Podcast",
|
||||
"site_url": "https://sscpodcast.libsyn.com",
|
||||
"title": "Astral Codex Ten Podcast",
|
||||
"url": "https://sscpodcast.libsyn.com/rss",
|
||||
"velocity": 0.384,
|
||||
"version": "rss20"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 1,
|
||||
"content_length": 178687,
|
||||
"content_type": "text/xml; charset=utf-8",
|
||||
"description": null,
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": false,
|
||||
"is_push": false,
|
||||
"item_count": 6,
|
||||
"last_seen": "2023-01-11T10:51:13.435393+00:00",
|
||||
"last_updated": "2022-10-13T00:00:00+00:00",
|
||||
"score": -4,
|
||||
"self_url": "https://uninsane.org/atom.xml",
|
||||
"site_name": "Perfectly Sane",
|
||||
"site_url": "https://uninsane.org",
|
||||
"title": "Perfectly Sane",
|
||||
"url": "https://uninsane.org/atom.xml",
|
||||
"velocity": 0.025,
|
||||
"version": "atom10"
|
||||
}
|
@@ -1,21 +0,0 @@
|
||||
{
|
||||
"bozo": 0,
|
||||
"content_length": 825822,
|
||||
"content_type": "application/rss+xml; charset=utf-8",
|
||||
"description": "Join neuroscientist, philosopher, and best-selling author Sam Harris as he explores questions about the human mind, society, and current events.",
|
||||
"favicon": null,
|
||||
"hubs": [],
|
||||
"is_podcast": true,
|
||||
"is_push": false,
|
||||
"item_count": 326,
|
||||
"last_seen": "2023-01-11T15:13:28.154435+00:00",
|
||||
"last_updated": "2023-01-05T18:36:25+00:00",
|
||||
"score": 18,
|
||||
"self_url": "https://wakingup.libsyn.com/rss",
|
||||
"site_name": "Making Sense with Sam Harris",
|
||||
"site_url": "https://wakingup.libsyn.com",
|
||||
"title": "Making Sense with Sam Harris",
|
||||
"url": "https://wakingup.libsyn.com/rss",
|
||||
"velocity": 0.096,
|
||||
"version": "rss20"
|
||||
}
|
@@ -5,11 +5,20 @@
|
||||
org.uninsane = rec {
|
||||
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
||||
git.root = root;
|
||||
};
|
||||
|
||||
com.github = {
|
||||
# documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
|
||||
# Github actually uses multiple keys -- one per format
|
||||
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
||||
local = {
|
||||
# machine aliases i specify on my lan; not actually asserted as DNS
|
||||
desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
|
||||
desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
|
||||
|
||||
lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
||||
lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
||||
|
||||
moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
|
||||
moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
|
||||
|
||||
servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
|
||||
servo.root = root;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
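Review bot: `servo.root = root;` at the end of the `local` block references a `root` whose binding is not visible in scope: neither `local` nor `com.github` is declared `rec`, and the only `root` bound on these lines is the one inside `org.uninsane = rec { ... }`, whose scope does not reach this line, so this is either an undefined-variable error at evaluation or, if some outer binding exists, a host-key pin that a reader cannot trace — the enclosing attrset begins before the hunk, so I cannot confirm which. The page shows no indentation, but `local = {` is opened before `com.github` is closed and three closers follow, which would place the LAN aliases under `com.github.local`; if that nesting is unintended, close `com.github` with `};` before `local = {`. Since this file pins SSH host keys, the alias should be spelled so the shared key is unambiguous: hoist it into a `let uninsane-root = "ssh-ed25519 …"; in` above the attrset and use `root = uninsane-root;` under `org.uninsane` and `servo.root = uninsane-root;` under `local`, which makes the assertion "servo is the same host as uninsane.org" explicit and evaluation-safe regardless of `rec`.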
@@ -1,4 +1,4 @@
|
||||
{ lib, sane-data, ... }:
|
||||
{ lib, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
@@ -16,10 +16,6 @@ let
|
||||
type = types.enum [ "text" "image" "podcast" ];
|
||||
default = "text";
|
||||
};
|
||||
title = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
};
|
||||
url = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
|