4 Commits

Author SHA1 Message Date
Shelvacu
3d478c8d37 wip commands 2024-06-22 17:03:25 -07:00
Shelvacu
e052a165ec wip commands 2024-06-22 17:00:44 -07:00
Shelvacu
5a9e975723 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-06-22 16:50:31 -07:00
Shelvacu
91d9098ae2 remove (unnecssary) common-packages 2024-06-22 16:49:44 -07:00
191 changed files with 1900 additions and 12917 deletions

2
.gitignore vendored

@@ -1,2 +1,2 @@
/result*
/result
.nixos-test-history

26
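--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,26 @@
+shel_keys: &shel_keys
+- &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
+- &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
+- &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
+- &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+machine_host_keys:
+- &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
+- &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
+- &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
+the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
+creation_rules:
+- path_regex: secrets/[^/]+$
+key_groups:
+- age: *shel_keys
+- path_regex: ^secrets/liam/
+key_groups:
+- age:
+- *pixel-termux
+- *t460s
+- *pixel-nix
+- *compute-deck-user
+- *liam
+- path_regex: ^tests/test_secrets/
+key_groups:
+- age:
+- *test_key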
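Review bot: The first creation rule's `path_regex: secrets/[^/]+$` has no start anchor, so a path such as `tests/test_secrets/<name>` also matches it, and because sops applies the first matching rule those test secrets would be encrypted to the real `shel_keys` group instead of to `test_key` from the third rule. Anchoring it, `- path_regex: ^secrets/[^/]+$`, restricts it to the top-level secrets directory and lets the later rules take the paths they were written for. Separately, the `trip` and `compute-deck-host` anchors under `machine_host_keys` are declared but no rule references them, so nothing is currently encrypted to those host keys; a short comment stating whether that is intended would help the next reader. The rendered view has lost the YAML indentation, so the nesting of `key_groups` under each rule could not be verified here.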


@@ -1,31 +1,13 @@
more just notes for now
---
deploy:
```sh
nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
```
---
build flake on remote machine, including eval:
```sh
git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
```
---
search for string in closure
```sh
rg search_str $(nix path-info --recursive ./result)
```
or
```sh
rg search_str $(nix path-info --recursive .#qb.trip)
```
more just notes for now
deploy:
```sh
nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
```
build flake on remote machine, including eval:
```sh
git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
```


@@ -1,31 +0,0 @@
{
config,
lib,
utils,
vacuModuleType,
...
}:
let
for-systemd-services = lib.concatMapAttrs (cert: units: {
"acme-selfsigned-${cert}" = {
wantedBy = units;
before = units;
};
}) config.vacu.acmeCertDependencies;
for-security-acme-certs = lib.concatMapAttrs (cert: units: {
${cert}.reloadServices = units;
}) config.vacu.acmeCertDependencies;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.acmeCertDependencies = lib.mkOption {
default = { };
example = ''
vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
'';
type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
};
config = {
systemd.services = for-systemd-services;
security.acme.certs = for-security-acme-certs;
};
}


@@ -1,51 +0,0 @@
{
lib,
vacuModuleType,
config,
...
}:
let
inherit (lib) mkOption types filter;
fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
triggeredWarnings = map (x: x.message) (
filter (x: !x.assertion && !x.fatal) config.vacu.assertions
);
withAsserts =
x:
if fatalAssertions != [ ] then
throw ''
Failed assertions:
${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
else
lib.showWarnings triggeredWarnings x;
adapter = {
config = {
assertions = map (x: { inherit (x) assertion message; }) (
filter (x: x.fatal) config.vacu.assertions
);
warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
};
};
in
{
options.vacu.assertions = mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options.assertion = mkOption { type = types.bool; };
options.message = mkOption { type = types.str; };
options.fatal = mkOption {
type = types.bool;
default = true;
};
}
);
};
options.vacu.withAsserts = mkOption {
readOnly = true;
default = withAsserts;
};
}
// (if vacuModuleType != "plain" then adapter else { })


@@ -1,29 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib) types;
in
{
options.vacu.checks = lib.mkOption {
type = types.attrsOf types.package;
default = { };
};
options.vacu.textChecks = lib.mkOption {
type = types.attrsOf types.lines;
default = { };
};
config.vacu.checks = lib.mapAttrs (
name: lines:
pkgs.runCommand "vacu-textChecks-${name}" { } ''
(
set -xev
${lines}
touch $out
)
''
) config.vacu.textChecks;
}


@@ -1,14 +0,0 @@
# todo: rename this module
# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
{
inputs,
vacuModuleType,
lib,
...
}:
lib.optionalAttrs (vacuModuleType != "plain") {
nix.registry.vacu.to = {
type = "path";
path = inputs.self.outPath;
};
}


@@ -1,359 +0,0 @@
{
config,
pkgs,
lib,
inputs,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
inherit (inputs) self;
expectedModuleTypes = [
"nixos"
"nix-on-droid"
"plain"
];
anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
in
if !builtins.elem vacuModuleType expectedModuleTypes then
builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
else
{
imports = [
./package-set.nix
./shell
./nixvim.nix
./ssh.nix
./nix.nix
./verify-system
./defaultPackages.nix
./lib
./sops.nix
../dns
./assertions.nix
./common-but-not.nix
./nixos.nix
./nix-on-droid.nix
./nixos-rebuild.nix
./minimal-nixos.nix
./acmeDependencies.nix
./nix-on-droid.nix
./remapCapsLock.nix
./sourceTree.nix
./units-impl.nix
./units-config.nix
./lix.nix
./git.nix
./hpn.nix
./checks.nix
./ffmpeg.nix
];
options = {
vacu.rootCAs = mkOption { type = types.listOf types.str; };
vacu.versionId = mkOption {
type = types.str;
readOnly = true;
};
vacu.versionInfo = mkOption { readOnly = true; };
vacu.hostName = mkOption {
type = types.nullOr types.str;
default = null;
};
vacu.shortHostName = mkOption {
type = types.nullOr types.str;
default = config.vacu.hostName;
};
vacu.nixvimPkg = mkOption { readOnly = true; };
vacu.systemKind = mkOption {
type = types.enum [
"minimal"
"desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
"container"
"server"
];
};
vacu.vnopnCA = mkOption {
readOnly = true;
type = types.str;
};
};
config = {
vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
vacu.versionInfo =
{
rev = anyRev self;
flakePath = self.outPath;
inherit (self) lastModified lastModifiedDate;
inherit (config.vacu) versionId;
inherit inputs;
inherit vacuModuleType;
}
// lib.optionalAttrs (inputs ? nixpkgs) {
nixpkgs.source = "${inputs.nixpkgs}";
nixpkgs.rev = anyRev inputs.nixpkgs;
};
vacu.nix.caches.vacu = {
url = "https://nixcache.shelvacu.com/";
keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
};
vacu.nix.caches.nix-community = {
url = "https://nix-community.cachix.org/";
keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
enable = false;
};
vacu.nix.caches.nix-on-droid = {
url = "https://nix-on-droid.cachix.org/";
keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
enable = false;
};
vacu.nix.caches.nixos = {
url = "https://cache.nixos.org/";
keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
};
vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
vacu.git.config = {
init.defaultBranch = "master";
pull.rebase = false;
user.name = "Shelvacu";
user.email = "git@shelvacu.com";
author.name = "Shelvacu";
author.email = "git@shelvacu.com";
committer.name = "Shelvacu on ${config.vacu.hostName}";
committer.email = "git@shelvacu.com";
user.useConfigOnly = true;
checkout.workers = 0;
# We *could* use atomic writes, but those are slowwwwww! Are you sure????? - git, still living in the 90s
# Yes git, I'm sure
core.fsync = "all";
diff.mnemonicPrefix = true;
gc.reflogExpire = "never";
gc.reflogExpireUnreachable = "never";
url."https://github.com/".insteadOf = [
"hgh:"
"github-http:"
"github-https:"
];
url."git@github.com:".insteadOf = [
"sgh:"
"gh:"
"github-ssh:"
];
url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
url."https://gitlab.com/".insteadOf = [
"hgl:"
"gitlab-http:"
"gitlab-https:"
];
url."git@gitlab.com:".insteadOf = [
"sgl:"
"gl:"
"gitlab-ssh:"
];
url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
url."https://git.uninsane.org/".insteadOf = [
"hu:"
"uninsane-http:"
"uninsane-https:"
];
url."git@git.uninsane.org:".insteadOf = [
"u:"
"su:"
"uninsane-ssh"
];
url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
};
vacu.vnopnCA = ''
-----BEGIN CERTIFICATE-----
MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-----END CERTIFICATE-----
'';
vacu.rootCAs = [ config.vacu.vnopnCA ];
vacu.ssh.authorizedKeys = {
# pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
# t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
# pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
};
vacu.ssh.config = ''
Host deckvacu
User deck
Host rsb
User user
HostName finaltask.xyz
Port 2222
Host awoo
HostName 45.142.157.71
Host trip
HostName trip.shelvacu.com
Port 6922
Host liam
HostName 178.128.79.152
Host pluto
HostName pluto.somevideogam.es
Host sdf
HostName tty.sdf.org
Host u
User git
HostName git.uninsane.org
Host gl
User git
HostName gitlab.com
Host gh
User git
HostName github.com
Host *
User shelvacu
GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
'';
vacu.ssh.knownHosts = {
#public hosts
"github.com".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
"git.sr.ht".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
"sdf.org" = {
extraHostNames = [ "tty.sdf.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
};
#colin's stuff
"uninsane.org" = {
extraHostNames = [ "git.uninsane.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
};
"desko" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
};
#daymocker's stuff
"pluto" = {
extraHostNames = [ "74.208.184.137" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
};
#powerhouse hosts
"ostiary" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
};
"habitat" = {
# previously known as zigbee-hub
extraHostNames = [ "10.78.79.114" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
};
"vnopn" = {
extraHostNames = [
"10.78.79.1"
"vnopn.t2d.lan"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
};
#work laptop
"tebbs-MBP" = {
extraHostNames = [ "10.244.10.3" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
};
#personal hosts
trip = {
extraHostNames = [
"triple-dezert"
"trip.shelvacu.com"
"[trip.shelvacu.com]:6922"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
servacu = {
extraHostNames = [
"mail.dis8.net"
"servacu.shelvacu.com"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
extraHostNames = [
"rsb"
"finaltask.xyz"
"[finaltask.xyz]:2222"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
extraHostNames = [
"10.4.5.218"
"10.244.46.71"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
extraHostNames = [ "45.142.157.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
};
deckvacu = {
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
extraHostNames = [
"liam.dis8.net"
"178.128.79.152"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
fw = {
extraHostNames = [ "fw.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
};
legtop = {
extraHostNames = [
"lt"
"legtop.t2d.lan"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
};
mmm = {
extraHostNames = [
"mmm.t2d.lan"
"10.78.79.11"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
};
};
};
}


@@ -1,89 +0,0 @@
{
pkgs,
config,
inputs,
lib,
...
}:
lib.mkMerge [
(lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
vacu.packages =
(with pkgs; [
home-manager
nix-index
rclone
termscp
man
neovim
nmap
ruby
(p7zip.override { enableUnfree = true; })
tcpdump
cargo
wayland-utils
kanidm
megatools
])
++ [
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
];
})
{
vacu.packages =
(with pkgs; [
netcat-openbsd
nixos-rebuild
which
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
pv
unzip
file
ripgrep
jq
tree
iputils
ssh-to-age
sops
inetutils
diffutils
findutils
util-linux
tzdata
hostname
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
usbutils
psutils
killall
curl
gnutls
progress
])
++ [ config.vacu.units.finalPackage ];
}
]


@@ -1,5 +0,0 @@
{ lib, vacuModuleType, ... }:
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.desktopApps = lib.mkEnableOption "asdf";
#todo
}


@@ -1,13 +0,0 @@
{ pkgs, lib, ... }:
{
vacu.packages.ffmpeg-allvrything = {
enable = lib.mkDefault false;
package = pkgs.ffmpeg_7-full.override (old: {
libbluray = old.libbluray.override {
withJava = true;
withAACS = true;
withBDplus = true;
};
});
};
}


@@ -1,100 +0,0 @@
{
lib,
config,
pkgs,
vacuModuleType,
...
}:
let
inherit (lib) types;
cfg = config.vacu.git;
in
{
imports = [
{
# https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
options.vacu.git = {
package = lib.mkPackageOption pkgs "git" { };
enable = lib.mkEnableOption "git";
config = lib.mkOption {
type =
let
gitini = types.attrsOf (types.attrsOf types.anything);
in
types.either gitini (types.listOf gitini)
// {
merge =
loc: defs:
let
config =
builtins.foldl'
(
acc:
{ value, ... }@x:
acc
// (
if builtins.isList value then
{ ordered = acc.ordered ++ value; }
else
{ unordered = acc.unordered ++ [ x ]; }
)
)
{
ordered = [ ];
unordered = [ ];
}
defs;
in
[ (gitini.merge loc config.unordered) ] ++ config.ordered;
};
default = [ ];
};
lfs.enable = lib.mkEnableOption "git lfs";
lfs.package = lib.mkPackageOption pkgs "git-lfs" { };
configText = lib.mkOption {
readOnly = true;
type = types.str;
};
};
config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
}
(lib.mkIf cfg.enable {
vacu.packages.git = {
enable = true;
package = cfg.package;
};
})
(lib.mkIf (cfg.enable && cfg.lfs.enable) {
vacu.packages.git-lfs = {
enable = true;
package = cfg.lfs.package;
};
vacu.git.config =
let
bin = lib.getExe cfg.lfs.package;
in
{
filter.lfs = {
clean = "${bin} clean -- %f";
smudge = "${bin} smudge -- %f";
process = "${bin} filter-process";
required = true;
};
};
})
(lib.optionalAttrs (vacuModuleType == "nixos") {
vacu.assertions = [
{
assertion = !(cfg.enable && config.programs.git.enable);
message = "vacu.git and programs.git should not both be enabled";
}
];
programs.git.enable = lib.mkIf cfg.enable false;
})
(lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
environment = lib.mkIf (cfg.enable && cfg.config != [ ]) { etc.gitconfig.text = cfg.configText; };
})
];
}


@@ -1,4 +0,0 @@
{ ... }:
{
imports = [ ./common-but-not.nix ];
}


@@ -1,11 +0,0 @@
{
config,
lib,
pkgs,
vacuModuleType,
...
}:
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
config = lib.mkIf config.vacu.ssh-hpn.enable { programs.ssh.package = pkgs.openssh_hpn; };
}


@@ -1,19 +0,0 @@
{ lib, config, ... }:
{
imports = [
./makeWrapper.nix
./outputOf.nix
./strings.nix
];
options.vacu.vaculib = lib.mkOption { type = lib.types.anything; };
config._module.args.vaculib = config.vacu.vaculib;
config.vacu.vaculib.mkOutOption =
val:
lib.mkOption {
readOnly = true;
default = val;
};
}


@@ -1,93 +0,0 @@
{ pkgs, lib, ... }:
let
inherit (lib)
optionals
optional
mapAttrsToList
concatMap
escapeShellArg
escapeShellArgs
;
in
{
config.vacu.vaculib.makeWrapper =
{
original,
new,
argv0 ? null,
inherit_argv0 ? false,
resolve_argv0 ? false,
set ? { },
set_default ? { },
unset ? [ ],
chdir ? null,
run ? [ ],
prepend_flags ? [ ],
add_flags ? [ ],
append_flags ? [ ],
runtimeHook ? null,
}:
let
prependFlags = prepend_flags ++ add_flags;
escapeFlags = escapeShellArgs;
# escapeFlags = flags: builtins.concatStringsSep " " (map escapeShellArg flags);
originalBin = if lib.isDerivation original then lib.getExe original else original;
makeWrapperFlags =
(optionals (argv0 != null) [
"--argv0"
argv0
])
++ (optional inherit_argv0 "--inherit-argv0")
++ (optional resolve_argv0 "--resolve-argv0")
++ (mapAttrsToList (k: v: [
"--set"
k
v
]) set)
++ (mapAttrsToList (k: v: [
"--set-default"
k
v
]) set_default)
++ (concatMap (k: [
"--unset"
k
]) unset)
++ (optionals (chdir != null) [
"--chdir"
chdir
])
++ (concatMap (k: [
"--run"
k
]) run)
++ (optionals (prependFlags != [ ]) [
"--add-flags"
(escapeFlags prependFlags)
])
++ (optionals (append_flags != [ ]) [
"--append-flags"
(escapeFlags append_flags)
]);
in
pkgs.stdenvNoCC.mkDerivation {
name = new;
nativeBuildInputs = [ pkgs.makeWrapper ];
phases = [ "installPhase" ];
installPhase = ''
runHook preInstall
mkdir -p $out/bin
makeWrapper ${escapeShellArg originalBin} $out/bin/${escapeShellArg new} ${escapeShellArgs makeWrapperFlags}
runHook postInstall
'';
inherit runtimeHook;
meta.mainProgram = new;
};
}


@@ -1,47 +0,0 @@
{
pkgs,
lib,
vaculib,
...
}:
let
runCommandBare =
{
cmd,
local ? true,
...
}@args:
assert !vaculib.isPrefixOf "-" cmd;
derivation (
{
builder = lib.getExe pkgs.bash;
args = [
"-c"
cmd
];
system = pkgs.buildPlatform.system;
}
// (lib.optionalAttrs local {
allowSubstitutes = false;
preferLocalBuild = true;
})
// (lib.removeAttrs args [
"cmd"
"local"
])
);
outputOf =
{
removeNewline ? true,
...
}@args:
let
passThruArgs = lib.removeAttrs args [ "removeNewline" ];
res = builtins.readFile (runCommandBare passThruArgs);
noNewline = lib.removeSuffix "\n" res;
in
if removeNewline then noNewline else res;
in
{
config.vacu.vaculib = { inherit runCommandBare outputOf; };
}


@@ -1,22 +0,0 @@
{ ... }:
let
inherit (builtins) stringLength substring;
# aka startsWith but hopefully clear from the name what order the arguments go
isPrefixOf =
prefix: s:
let
prefixl = stringLength prefix;
sl = stringLength s;
in
(sl >= prefixl) && (substring 0 prefixl s) == prefix;
isSuffixOf =
suffix: s:
let
suffixl = stringLength suffix;
sl = stringLength s;
in
(sl >= suffixl) && (substring (sl - suffixl - 1) - 1 s) == suffix;
in
{
config.vacu.vaculib = { inherit isPrefixOf isSuffixOf; };
}


@@ -1,7 +0,0 @@
{ vacuModuleType, ... }:
if vacuModuleType == "nixos" then
{
# imports = [ inputs.lix-module.nixosModules.default ];
}
else
{ }


@@ -1,45 +0,0 @@
{
config,
pkgs,
lib,
vacuModuleType,
...
}:
let
inherit (lib) mkIf mkDefault;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
config = mkIf (config.vacu.systemKind == "minimal") {
programs.git.lfs.enable = false;
programs.git.package = pkgs.gitMinimal;
# mostly copied from nixos's /profiles/minimal.nix
documentation.enable = mkDefault false;
documentation.doc.enable = mkDefault false;
documentation.info.enable = mkDefault false;
documentation.man.enable = mkDefault false;
documentation.nixos.enable = mkDefault false;
# Perl is a default package.
environment.defaultPackages = mkDefault [ ];
environment.stub-ld.enable = false;
# The lessopen package pulls in Perl.
programs.less.lessopen = mkDefault null;
programs.command-not-found.enable = mkDefault false;
services.logrotate.enable = mkDefault false;
services.udisks2.enable = mkDefault false;
xdg.autostart.enable = mkDefault false;
xdg.icons.enable = mkDefault false;
xdg.mime.enable = mkDefault false;
xdg.sounds.enable = mkDefault false;
};
}


@@ -1,4 +0,0 @@
{ ... }:
{
}


@@ -1,71 +0,0 @@
#!/bin/bash
# replaceme START
declare -A cache_to_url
cache_to_url["foo"]="https://example.com/some-nix-cache"
declare -a caches_to_use=("foo")
declare nixCmd="foo"
# replaceme END
declare -a preArgs
declare -a passThruArgs
cache_name=""
function valid_cache_name() {
cache_name="$1"
if [[ $cache_name == -* ]]; then
echo "invalid cache name" >&2
exit 1
fi
}
while [[ -n $1 ]]; do
arg="$1"
shift
case "$arg" in
"--without-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use=("${caches_to_use[@]/$cache_name/}")
;;
"--with-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use+=("$cache_name")
;;
"--only-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use=("$cache_name")
;;
"--on-trip")
if [[ $HOSTNAME == "triple-dezert" ]]; then
echo "Warn: skipping --on-trip: already on trip" >&2
else
passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
fi
;;
"--")
passThruArgs+=("$arg" "$@")
break
;;
*)
passThruArgs+=("$arg")
;;
esac
done
declare -a substituters
for c in "${caches_to_use[@]}"; do
url="${cache_to_url["$c"]}"
substituters+=("$url")
done
substituters_together="${substituters[*]}"
preArgs+=("--option" "substituters" "$substituters_together")
exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"


@@ -1,22 +0,0 @@
{
config,
lib,
vacuModuleType,
...
}:
let
inherit (lib) mkDefault;
in
lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
environment.packages = config.vacu.packageList;
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
environment.etc.profile.text = config.vacu.shell.interactiveLines;
environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
vacu.hostName = mkDefault "nix-on-droid";
vacu.shortHostName = mkDefault "nod";
}


@@ -1,34 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkOption types;
caches = builtins.attrValues config.vacu.nix.caches;
enabledCaches = builtins.filter (c: c.enable) caches;
in
{
options = {
vacu.nix.caches = mkOption {
type = types.attrsOf (
types.submodule (
{ ... }:
{
options = {
url = mkOption { type = types.str; };
keys = mkOption {
type = types.listOf types.str;
default = [ ];
};
enable = mkOption {
default = true;
type = types.bool;
};
};
}
)
);
};
vacu.nix.substituterUrls = mkOption { readOnly = true; };
vacu.nix.trustedKeys = mkOption { readOnly = true; };
};
config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
}


@@ -1,34 +0,0 @@
{
pkgs,
config,
lib,
vacuModuleType,
...
}:
let
nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.alwaysUseRemoteSudo =
(lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
// {
default = true;
};
config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
system.build.nixos-rebuild = lib.mkForce (
pkgs.runCommandLocal "nixos-rebuild-wrapped"
{
nativeBuildInputs = [ pkgs.makeShellWrapper ];
meta.mainProgram = "nixos-rebuild";
}
''
runHook preInstall
mkdir -p $out/bin
makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
runHook postInstall
''
);
};
}


@@ -1,107 +0,0 @@
{
lib,
pkgs,
config,
vacuModuleType,
...
}:
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.underTest = lib.mkOption {
default = false;
type = lib.types.bool;
};
config = {
# the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
# presumably needed by nheko
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
# nixpkgs.overlays = [ inputs.self.overlays.default ];
console = {
keyMap = lib.mkDefault "us";
};
networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
vacu.packages."xorg-xev" = {
enable = config.services.xserver.enable;
package = pkgs.xorg.xev;
};
vacu.ssh-hpn.enable = true;
environment.systemPackages = config.vacu.packageList;
programs.nix-ld.enable = true;
system.nixos.tags = [
"vacu${config.vacu.versionId}"
config.vacu.hostName
];
environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
source = "/run/current-system/sw/etc/chromium";
};
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
time.timeZone = "America/Los_Angeles";
users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
isNormalUser = true;
extraGroups = [ "wheel" ];
};
# # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
# users.users.shelvac2 = {
# openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
# isNormalUser = true;
# extraGroups = [ "wheel" ];
# shell = pkgs.bash;
# };
services.openssh = {
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
};
nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
security.sudo.wheelNeedsPassword = lib.mkDefault false;
programs.screen = {
enable = true;
screenrc = ''
defscrollback 10000
termcapinfo xterm* ti@:te@
maptimeout 5
'';
};
programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
enable = true;
extraConfig = "setw mouse";
clock24 = true;
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
substituters = lib.mkForce config.vacu.nix.substituterUrls;
extra-substituters = lib.mkForce [ ];
trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
extra-trusted-public-keys = lib.mkForce [ ];
};
nixpkgs.config.allowUnfree = lib.mkDefault true;
programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
programs.ssh.extraConfig = config.vacu.ssh.config;
security.pki.certificates = config.vacu.rootCAs;
# commands.nix
environment.pathsToLink = [
"/share/vacufuncs"
"/etc/chromium"
];
programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
programs.bash.promptInit = lib.mkForce "";
systemd.services.nix-daemon.serviceConfig.Nice = "10";
};
}


@@ -1,17 +0,0 @@
{
pkgs,
config,
inputs,
lib,
...
}:
{
vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
vacu.shell.functions =
lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
{
nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
nvim = ''nvim-nixvim "$@"'';
};
}


@@ -1,69 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
packagesSetType = types.attrsOf (
types.submodule (
{ name, ... }:
{
options = {
enable = mkOption {
type = types.bool;
description = "Will this package be installed (included in environment.systemPackages)";
};
package = mkOption {
type = types.package;
default = pkgs.${name};
defaultText = "pkgs.${name}";
};
};
}
)
);
packageListToSet = (
from:
let
enable = lib.mkOverride 900 true; # more important than mkDefault, less important than setting explicitly
keyvals = map (
val:
if builtins.isString val then
{
name = val;
value = { inherit enable; };
}
else
{
name = val.pname or val.name;
value = {
package = lib.mkDefault val;
inherit enable;
};
}
) from;
in
builtins.listToAttrs keyvals
);
in
{
options = {
vacu.packages = mkOption {
default = { };
type = types.coercedTo (types.listOf (
types.either types.str types.package
)) packageListToSet packagesSetType;
};
vacu.packageList = mkOption {
type = types.listOf types.package;
readOnly = true;
};
};
config.vacu.packageList = enabledPkgs;
}


@@ -1,35 +0,0 @@
{
pkgs,
lib,
config,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.enableCapsLockRemap = mkOption {
type = types.bool;
default = config.vacu.systemKind == "desktop";
};
config = lib.mkIf config.vacu.enableCapsLockRemap {
# https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
services.interception-tools =
let
itools = pkgs.interception-tools;
itools-caps = pkgs.interception-tools-plugins.caps2esc;
in
{
enable = true;
plugins = [ itools-caps ];
# requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
udevmonConfig = pkgs.lib.mkDefault ''
- JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
'';
};
};
}


@@ -1,38 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (pkgs) writeScriptBin;
in
{
options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
config = lib.mkIf config.vacu.shell.containerAliases {
vacu.packages = [
(writeScriptBin "ncrun" ''
if (( "$#" < 2 )); then
echo "need at least two args [container] and [command]" >&2
exit 1
fi
if [[ $UID != 0 ]]; then
exec /run/wrappers/bin/sudo "$0" "$@"
fi
container="$1"
shift
exec ${lib.getExe pkgs.nixos-container} run "$1" -- "$@"
'')
(writeScriptBin "ncrl" ''
if (( "$#" != 1 )); then
echo "need exactly one arg: [container]" >&2
exit 1
fi
if [[ $UID != 0 ]]; then
exec /run/wrappers/bin/sudo "$0" "$@"
fi
exec ${lib.getExe pkgs.nixos-container} root-login "$1"
'')
];
};
}


@@ -1,190 +0,0 @@
{
config,
lib,
pkgs,
vaculib,
...
}:
let
inherit (lib) mkOption types;
cfg = config.vacu.shell;
writeShellFunction =
name: text:
pkgs.writeTextFile {
inherit name;
executable = false;
destination = "/share/vacufuncs/${name}";
text = ''
${text}
'';
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
};
functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
wrappedBashPkg = vaculib.makeWrapper {
original = pkgs.bash;
new = "vacuinit-bash";
prepend_flags = [
"--init-file"
vacuInitFile
];
};
wrappedBash = lib.getExe wrappedBashPkg;
in
{
imports = [
./not-aliases.nix
./ps1.nix
./container-aliases.nix
];
options = {
vacu.shell.functionsDir = mkOption {
type = types.path;
default = "/run/current-system/sw/share/vacufuncs";
};
vacu.shell.interactiveLines = mkOption {
type = types.lines;
readOnly = true;
};
vacu.shell.wrappedBash = mkOption { readOnly = true; };
vacu.shell.idempotentShellLines = mkOption {
type = types.lines;
default = "";
};
vacu.shell.color = mkOption {
type = types.enum (builtins.attrNames vaculib.shellColors);
default = "white";
};
vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
};
config.vacu = {
vaculib = {
# https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
shellColors = {
black = 30;
red = 31;
green = 32;
yellow = 33;
blue = 34;
magenta = 35;
cyan = 36;
white = 37;
};
};
shell.interactiveLines = ''
if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
__vacushell_load
unset __vacushell_load
fi
'';
shell.wrappedBash = wrappedBash;
shell.functions = {
"vacureload" = ''
declare -gA vacuShellFunctionsLoaded
if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
unset -f $funcname
done
return
fi
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
unset -f $funcname
fi
done
for fullPath in ${cfg.functionsDir}/*; do
local funcname="$(basename "$fullPath")"
local followedPath="$(readlink -f "$fullPath")"
if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
unset -f $funcname
eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
vacuShellFunctionsLoaded[$funcname]=$followedPath
fi
unset followedPath
unset funcname
done
__set_idempotents
'';
"__set_idempotents" = cfg.idempotentShellLines;
vhich = ''
if [[ $# != 1 ]]; then
echo "expected exactly one arg" 1>&2
return 1
fi
query="$1"
quote='`'"$query'"
kind="$(type -t "$query")"
if [[ "$kind" == "" ]]; then
echo "could not find any command $quote" 1>&2
return 1
fi
echo "$quote is a $kind"
case "$kind" in
"alias")
alias "$query"
return 0
;;
"keyword")
echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
return 0
;;
"function")
if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
echo "$quote is a vacufunc"
path="''${vacuShellFunctionsLoaded[$query]}"
# continue to below
else
declare -f "$query"
return 0
fi
;;
"builtin")
echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
return 0
;;
"file")
path="$(which "$query")"
# continue to below
;;
*)
echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
return 1
esac
echo "path:"
while [[ -L "$path" ]]; do
dest="$(readlink "$path")"
echo " $path is a symlink to $dest"
if [[ "$dest" != /* ]]; then
dest="$(dirname "$path")/$dest"
fi
path="$dest"
done
echo " $path"
if ! [[ -e "$path" ]]; then
echo "$path does not exist!"
return 1
fi
canon="$(readlink -f "$path")"
if [[ "$path" != "$canon" ]]; then
echo " $path canonicalizes to $canon"
path="$canon"
fi
magic_parse="$(file --brief --mime "$path")"
echo "magic: $magic_parse"
case "$magic_parse" in
'text/x-shellscript;'* | 'text/plain;'*)
echo "initial contents:"
echo
cat "$path" | head --lines=10 | head --bytes=2000
echo "..."
;;
esac
'';
};
packages = functionPackages;
};
}


@@ -1,157 +0,0 @@
# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
{
pkgs,
lib,
config,
inputs,
...
}:
let
inherit (pkgs) writeScriptBin;
ms_text = with_sudo: ''
set -eo pipefail
if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
echo "wrong number of args" 1>&2
exit 1
fi
host="$1"
session_name="''${2:-main}"
set -x
mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
'';
msl_text = ''
set -eo pipefail
if [[ $# != 1 ]]; then
echo "wrong number of args" 1>&2
exit 1
fi
host="$1"
echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
'';
systemctl = "${pkgs.systemd}/bin/systemctl";
journalctl = "${pkgs.systemd}/bin/journalctl";
system = pkgs.hostPlatform.system;
in
{
vacu.packages = [
(writeScriptBin "ms" (ms_text false))
(writeScriptBin "mss" (ms_text true))
(writeScriptBin "msl" msl_text)
(writeScriptBin "rmln" ''
set -eo pipefail
for arg in "$@"; do
if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
echo "$0: $arg is not a symlink" 1>&2
exit 1
fi
done
rm "$@"
'')
(writeScriptBin "nr" ''
# nix run nixpkgs#<thing> -- <args>
set -eo pipefail
if [[ $# == 0 ]]; then
echo "need at least one arg" 1>&2
exit 1
fi
installable="$1"
shift
if [[ "$installable" != *'#'* ]]; then
installable="nixpkgs#$installable"
fi
nix run "$installable" -- "$@"
'')
(writeScriptBin "nb" ''
# nix build nixpkgs#<thing> <args>
set -eo pipefail
if [[ $# == 0 ]]; then
echo "need at least one arg" 1>&2
exit 1
fi
installable="$1"
shift
if [[ "$installable" != *'#'* ]]; then
installable="nixpkgs#$installable"
fi
nix build "$installable" "$@"
'')
(writeScriptBin "ns" ''
# nix shell nixpkgs#<thing>
set -eo pipefail
new_args=( )
for arg in "$@"; do
if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
arg="nixpkgs#$arg"
fi
new_args+=("$arg")
done
nix shell "''${new_args[@]}"
'')
(writeScriptBin "sc" ''
exec ${systemctl} "$@"
'')
(writeScriptBin "scs" ''
exec ${systemctl} status --lines=20 --full "$@"
'')
(writeScriptBin "scc" ''
exec ${systemctl} cat "$@"
'')
(writeScriptBin "scr" ''
exec ${systemctl} restart "$@"
'')
(writeScriptBin "jc" ''
exec ${journalctl} --pager-end "$@"
'')
(writeScriptBin "jcu" ''
exec ${journalctl} --pager-end -u "$@"
'')
] ++ lib.optional (system == "x86_64-linux")
(writeScriptBin "dnix" ''exec ${inputs.determinate-nix.packages.${system}.nix} "$@"'')
;
vacu.shell.functions = {
nd = ''
declare -a args=("$@")
if [[ "''${#args[@]}" == 0 ]]; then
echo "nd: must provide at least one argument" 1>&1
return 1
fi
lastarg="''${args[-1]}"
if [[ "$lastarg" == "-"* ]]; then
echo "nd: last argument must be the directory" 1>&2
return 1
fi
for arg in "''${args[@]::''${#args[@]}-1}"; do
if [[ "$arg" != "-"* ]]; then
echo "nd: last argument must be the directory" 1>&2
return 1
fi
done
mkdir "''${args[@]}" && cd "''${args[-1]}"
'';
nt = ''pushd "$(mktemp -d "$@")"'';
};
vacu.textChecks."vacu-shell-functions-nd" = ''
function nd() {
${config.vacu.shell.functions.nd}
}
start=/tmp/test-place
mkdir -p $start
cd $start
nd a
[[ "$PWD" == "$start/a" ]]
cd $start
nd -p b/c
[[ "$PWD" == "$start/b/c" ]]
'';
vacu.textChecks."vacu-shell-functions-nt" = ''
function nt() {
${config.vacu.shell.functions.nt}
}
start=$PWD
nt
[[ "$PWD" != "$start" ]]
popd
[[ "$PWD" == "$start" ]]
'';
}


@@ -1,42 +0,0 @@
{
config,
lib,
vaculib,
vacuModuleType,
...
}:
let
cfg = config.vacu.shell;
# https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
colors = vaculib.shellColors;
# TODO: reset_without_clear doesn't fully work
# thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
# https://man.archlinux.org/man/bash.1#PROMPTING
# \[ and \] begins and ends "a sequence of non-printing characters"
set_color = colornum: "\\[\\e[1;${toString colornum}m\\]";
set_inverted_color = colornum: "\\[\\e[1;37;${toString (colornum + 10)}m\\]";
reset_color = "\\[\\e[0m\\]";
colornum = colors.${cfg.color};
root_text = root: lib.optionalString root "ROOT@";
final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
hostName = if vacuModuleType == "plain" then "\\h" else config.vacu.shortHostName;
default_ps1 =
root:
"\\n"
# + ''\[${reset_without_clear}\]''
+ (set_color colornum)
+ "${root_text root}${hostName}:\\w"
+ (final root)
+ reset_color
+ " ";
in
{
vacu.shell.idempotentShellLines = ''
if [ $UID = 0 ]; then
export PS1=${lib.escapeShellArg (default_ps1 true)}
else
export PS1=${lib.escapeShellArg (default_ps1 false)}
fi
'';
}


@@ -1,10 +0,0 @@
{
inputs,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}


@@ -1,77 +0,0 @@
{
lib,
pkgs,
config,
vaculib,
...
}:
let
ssh-to-age = lib.getExe pkgs.ssh-to-age;
sshToAge =
sshPubText:
vaculib.outputOf {
name = "age-from-ssh.txt";
cmd = "echo ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > $out";
};
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
userKeysAge = map sshToAge userKeys;
liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
liamKeyAge = sshToAge liamKey;
tripKey = config.vacu.ssh.knownHosts.trip.publicKey;
tripKeyAge = sshToAge tripKey;
singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = vaculib.outputOf {
name = "test-age-public-key.txt";
cmd = "echo ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > $out";
};
sopsConfig = {
creation_rules = [
{
path_regex = "/secrets/misc/[^/]+$";
key_groups = singleGroup userKeysAge;
}
{
path_regex = "/secrets/liam/[^/]+$";
key_groups = singleGroup (userKeysAge ++ [ liamKeyAge ]);
}
{
path_regex = "/secrets/trip/[^/]+$";
key_groups = singleGroup (userKeysAge ++ [ tripKeyAge ]);
}
{
path_regex = "/secrets/radicle-private.key$";
key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);
}
{
path_regex = "/tests/test_secrets/";
key_groups = singleGroup [ testAgePublic ];
}
];
};
sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
wrappedSops = vaculib.makeWrapper {
original = lib.getExe pkgs.sops;
new = "vacu-nix-stuff-sops";
add_flags = [
"--config"
sopsConfigFile
];
run = lib.singleton ''
set -e
age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
export SOPS_AGE_KEY
printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
# declare -p SOPS_AGE_KEY
'';
};
in
{
options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
}


@@ -1,60 +0,0 @@
{
inputs,
pkgs,
lib,
config,
vacuModuleType,
...
}:
let
inherit (builtins) isString isAttrs;
inherit (lib) mkOption types;
inputsOf =
flake:
assert isAttrs flake;
let
inputs = removeAttrs (flake.inputs or { }) [ "self" ];
# inputTrees = lib.mapAttrs (_: val: inputsOf val) inputs;
in
pkgs.linkFarm "inputs-tree" (inputs // { self = flake; });
# traverseInputs =
# linkDir: unfilteredInputs:
# assert isString linkDir;
# assert isAttrs unfilteredInputs;
# let
# inputs = removeAttrs unfilteredInputs [ "self" ];
# in
# lib.concatStringsSep "\n" (
# lib.mapAttrsToList (
# inputName: inputAttrs:
# let
# thisDir = linkDir + "/" + inputName;
# in
# assert isAttrs inputAttrs;
# assert isAttrs (inputAttrs.inputs or { });
# ''
# mkdir -p ${thisDir}
# ln -s ${inputAttrs} ${thisDir}/self
# ${traverseInputs thisDir (inputAttrs.inputs or { })}
# ''
# ) inputs
# );
in
{
options.vacu.sourceTree = mkOption {
readOnly = true;
type = types.package;
};
config =
{
vacu.sourceTree = inputsOf inputs.self // { inherit inputs; };
# vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
# mkdir -p $out
# ln -s ${inputs.self} $out/self
# ${traverseInputs "$out" inputs}
# '';
}
// (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
});
}


@@ -1,145 +0,0 @@
{ lib, config, ... }:
let
inherit (lib)
mkOption
types
flip
concatMapStringsSep
optionalString
concatStringsSep
readFile
literalExpression
;
inherit (builtins) attrValues;
cfg = config.vacu;
knownHosts = attrValues cfg.ssh.knownHosts;
knownHostsText =
(flip (concatMapStringsSep "\n") knownHosts (
h:
assert h.hostNames != [ ];
optionalString h.certAuthority "@cert-authority "
+ concatStringsSep "," h.hostNames
+ " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
))
+ "\n";
in
{
options = {
vacu.ssh.knownHostsText = mkOption {
type = types.str;
readOnly = true;
default = knownHostsText;
};
#vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
vacu.ssh.authorizedKeys = mkOption {
type = types.attrsOf types.str;
default = { };
};
vacu.ssh.config = mkOption { type = types.lines; };
# Straight copied from nixpkgs
# https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
vacu.ssh.knownHosts = mkOption {
default = { };
type = types.attrsOf (
types.submodule (
{
name,
config,
options,
...
}:
{
options = {
certAuthority = mkOption {
type = types.bool;
default = false;
description = ''
This public key is an SSH certificate authority, rather than an
individual host's key.
'';
};
hostNames = mkOption {
type = types.listOf types.str;
default = [ name ] ++ config.extraHostNames;
defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
description = ''
A list of host names and/or IP numbers used for accessing
the host's ssh service. This list includes the name of the
containing `knownHosts` attribute by default
for convenience. If you wish to configure multiple host keys
for the same host use multiple `knownHosts`
entries with different attribute names and the same
`hostNames` list.
'';
};
extraHostNames = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of additional host names and/or IP numbers used for
accessing the host's ssh service. This list is ignored if
`hostNames` is set explicitly.
'';
};
publicKey = mkOption {
default = null;
type = types.nullOr types.str;
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
description = ''
The public key data for the host. You can fetch a public key
from a running SSH server with the {command}`ssh-keyscan`
command. The public key should not include any host names, only
the key type and the key itself.
'';
};
publicKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
The path to the public key file for the host. The public
key file is read at build time and saved in the Nix store.
You can fetch a public key file from a running SSH server
with the {command}`ssh-keyscan` command. The content
of the file should follow the same format as described for
the `publicKey` option. Only a single key
is supported. If a host has multiple keys, use
{option}`programs.ssh.knownHostsFiles` instead.
'';
};
};
}
)
);
description = ''
The set of system-wide known SSH hosts. To make simple setups more
convenient the name of an attribute in this set is used as a host name
for the entry. This behaviour can be disabled by setting
`hostNames` explicitly. You can use
`extraHostNames` to add additional host names without
disabling this default.
'';
example = literalExpression ''
{
myhost = {
extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
};
"myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
"myhost2.net/dsa" = {
hostNames = [ "myhost2.net" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
};
}
'';
};
};
config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
name: data: {
assertion =
(data.publicKey == null && data.publicKeyFile != null)
|| (data.publicKey != null && data.publicKeyFile == null);
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
}
);
}


@@ -1,35 +0,0 @@
{
vacu.units.extraUnits = {
b = "bit";
B = "byte";
kibi- = "1024";
Ki- = "kibi";
mebi- = "1024 kibi";
Mi- = "mebi";
gibi- = "1024 mebi";
Gi- = "gibi";
tebi- = "1024 gibi";
Ti- = "tebi";
pebi- = "1024 tebi";
Pi- = "pebi";
baud = "bit/s";
kbps = "kilobit/s";
kibps = "kibibit/s";
mbps = "megabit/s";
mibps = "mebibit/s";
gbps = "gigabit/s";
gibps = "gibibit/s";
tbps = "terabit/s";
tibps = "tebibit/s";
pbps = "petabit/s";
pibps = "pebibit/s";
month = "year/12";
mo = "month";
usd = "USD";
dollar = "USD";
cent = "0.01 USD";
"$" = "USD";
BTC = "bitcoin";
};
}


@@ -1,126 +0,0 @@
{
config,
lib,
pkgs,
vaculib,
...
}:
let
inherit (lib) mkOption types;
unitNameRegex =
let
# Unit names cannot begin or end with an underscore (_), a comma (,) or a decimal point (.). Names must not contain any of the operator characters +, -, *, /, |, ^, ;, ~, the comment character #, or parentheses. To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (-; U+2212), and en dash (; U+2013) are converted to the operator -; the multiplication sign (×; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator *; the division sign (‘÷’; U+00F7) is converted to the operator /; and the fraction slash (U+2044) is converted to the operator |; accordingly, none of these characters can appear in unit names.
disallowedAnywhere =
"+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
disallowedMiddle = "-" + disallowedAnywhere;
disallowedAtEnd = "23456789_,." + disallowedAnywhere;
disallowedAtBegin = "-01" + disallowedAtEnd;
anyExcept = chars: "[^${lib.escapeRegex chars}]";
singleChar = anyExcept disallowedAtBegin;
multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
numberSuffix = regex: "${regex}_[0-9\\.,]+";
fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
in
fullRegex;
unitsAttrsType = types.addCheck (types.attrsOf types.str) (
attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
);
unitsDir = pkgs.stdenvNoCC.mkDerivation {
name = "vacu-units-files";
src = pkgs.units.src;
phases = [
"unpackPhase"
"installPhase"
];
installPhase = ''
mkdir -p $out
cp {definitions,elements}.units $out
ln -s ${../units/currency.units} $out/currency.units
ln -s ${../units/cpi.units} $out/cpi.units
echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
'';
};
in
{
options.vacu.units = {
originalPackage = mkOption {
type = types.package;
default = pkgs.units;
};
finalPackage = mkOption {
type = types.package;
readOnly = true;
};
check = mkOption {
type = types.package;
readOnly = true;
};
generatedConfigDir = mkOption {
readOnly = true;
type = types.package;
};
generatedConfigFile = mkOption {
readOnly = true;
type = types.pathInStore;
};
lines = mkOption {
default = "";
type = types.lines;
};
extraUnits = mkOption {
type = unitsAttrsType;
default = { };
};
};
config = lib.mkMerge [
{
vacu.units = {
finalPackage = vaculib.makeWrapper {
original = config.vacu.units.originalPackage;
new = "units";
prepend_flags = [
"--file"
config.vacu.units.generatedConfigFile
];
};
generatedConfigDir = unitsDir;
generatedConfigFile = "${unitsDir}/vacu.units";
lines = lib.mkOrder 750 ''
# default units file, includes elements.units, currency.units, cpi.units
!include definitions.units
'';
};
vacu.textChecks.units-config = ''
# `units --check` returns success (exit code 0) regardless of success >:(
# example output:
# $ result/bin/units --check
# Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14
# Consumer price index data from US BLS, 2024-02-18
# 7247 units, 125 prefixes, 134 nonlinear units
#
output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
echo "$output"
filteredLines="$(echo "$output" \
| grep -v '^\s*$' \
| grep -v 'Currency exchange rates from' \
| grep -v 'Consumer price index data from' \
| grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
)"
if [[ -n "$filteredLines" ]]; then
exit 1
fi
touch $out
'';
}
{
vacu.units.lines = lib.concatStringsSep "\n" (
lib.mapAttrsToList (name: value: "+${name} ${value}") config.vacu.units.extraUnits
);
}
];
}


@@ -1,61 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib) mkOption mkEnableOption types;
cfg = config.vacu.verifySystem;
in
{
imports = [ ./nixos.nix ];
options.vacu.verifySystem = {
enable = (mkEnableOption "verify system is what is expected") // {
default = false;
};
verifiers = mkOption {
default = { };
type = types.attrsOf (
types.submodule (
{ name, config, ... }:
{
options = {
enable = mkEnableOption "Enable system ident check ${name}";
name = mkOption {
type = types.str;
default = name;
};
script = mkOption {
type = types.lines;
default = "## system ident check ${config.name}";
};
};
}
)
);
};
verifyAllScript =
let
verifiers = (builtins.attrValues cfg.verifiers);
enabled = builtins.filter (s: s.enable) verifiers;
files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
script = ''
## vacu verify-system
for f in ${lib.concatStringsSep " " files}; do
echo "verifying system with $f"
if ! source $f; then
echo "ERR: $f failed" >&2
return 1
fi
done
'';
scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
in
mkOption {
readOnly = true;
default = scriptFile;
};
};
}


@@ -1,66 +0,0 @@
{
lib,
config,
pkgs,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.verifySystem.expectedMac = mkOption {
type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
default = null;
};
config = lib.mkIf config.vacu.verifySystem.enable {
# system.activationScripts."00-verify-system" = {
# text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
# supportsDryActivation = true;
# };
system.extraSystemBuilderCmds = ''
mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
cat <<EOF > $out/bin/switch-to-configuration
#!${pkgs.bash}/bin/bash
oldpath="$PATH"
export PATH="${pkgs.coreutils}/bin"
if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
export PATH="$oldpath"
exec $out/bin/.switch-to-configuration-unverified "\$@"
EOF
${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
'';
vacu.verifySystem.verifiers = {
hostname = {
enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
script = ''
expected=${config.networking.hostName}
actual=$(cat /proc/sys/kernel/hostname)
if [[ "$expected" != "$actual" ]]; then
echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
return 1
fi
'';
};
expectedMac = {
enable = config.vacu.verifySystem.expectedMac != null;
script = ''
expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
for ifMac in "''${actual[@]}"; do
if [[ "$ifMac" == "$expected" ]]; then
# all is well
return 0
fi
done
echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
echo " Found MAC addresses: ''${actual[*]}" >&2
return 1
'';
};
};
};
}


@@ -1,7 +1,6 @@
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
{ ... }: {
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.blueman.enable = true;
}


@@ -1,19 +1,18 @@
{
pkgs,
inputs,
...
}:
{ config, pkgs, lib, jovian, inputs, ... }:
{
imports = [
inputs.jovian.nixosModules.jovian
# inputs.disko.nixosModules.default
inputs.home-manager.nixosModules.default
inputs.disko.nixosModules.default
inputs.homeManager.nixosModules.default
./hardware.nix
./partitioning.nix
./home.nix
./bluetooth.nix
./partitioning.nix
./padtype.nix
../common-nixos-config.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = false;
boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -24,10 +23,7 @@
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
vacu.hostName = "compute-deck";
vacu.shortHostName = "cd";
vacu.shell.color = "blue";
vacu.systemKind = "desktop";
networking.hostName = "compute-deck";
networking.hostId = "e595d9b0";
boot.supportedFilesystems = [ "zfs" ];
@@ -41,35 +37,40 @@
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.openssh.enable = true;
vacu.packages = with pkgs; [
environment.systemPackages = with pkgs; [
audacity
librewolf
brave
jupiter-hw-support
steamdeck-firmware
steamdeck-bios-fwupd
cargo
clippy
rust-analyzer
rustc
rustfmt
rustup
];
# boot.kernelPatches = [
# {
# name = "gadget";
# patch = null;
# extraStructuredConfig = with lib.kernel; {
# USB_ETH=module;
# USB_GADGET=yes;
# USB_LIBCOMPOSITE=yes;
# USB_CONFIGFS=yes;
# USB_DWC3=module;
# USB_DWC3_PCI=module;
# USB_DWC3_DUAL_ROLE=yes;
# USB_DWC3_HOST=no;
# USB_DWC3_GADGET=no;
# USB_ROLE_SWITCH=yes;
# };
# }
# ];
boot.kernelPatches = [
{
name = "gadget";
patch = null;
extraStructuredConfig = with lib.kernel; {
USB_ETH=module;
USB_GADGET=yes;
USB_LIBCOMPOSITE=yes;
USB_CONFIGFS=yes;
USB_DWC3=module;
USB_DWC3_PCI=module;
USB_DWC3_DUAL_ROLE=yes;
USB_DWC3_HOST=no;
USB_DWC3_GADGET=no;
USB_ROLE_SWITCH=yes;
};
}
];
}
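Review bot: The `boot.kernelPatches` entry on the new side enables dwc3 dual-role and configfs/libcomposite gadget support with no comment on what the gadget is for, and because it uses `patch = null` with `extraStructuredConfig` it changes the kernel config and therefore rebuilds the Deck kernel from source on every kernel bump — that cost deserves a stated reason. I would add above the entry: `# Rebuild the kernel with dwc3 dual-role + configfs gadget support so the USB-C port can also act as a device (USB_ETH etc.); this forces a full kernel rebuild, check whether the Jovian kernel already ships these options before keeping it.` The HOST=no / GADGET=no / DUAL_ROLE=yes trio is consistent with the dwc3 Kconfig choice group, so presumably device-mode is intentional; confirm. Separately, `environment.systemPackages` lists `rustup` next to `rustc`, `cargo`, `rustfmt` and `clippy`; nixpkgs' rustup ships proxy binaries under the same names, so the system profile will carry colliding `bin/` entries and which one wins depends on profile order — keep either rustup or the explicit toolchain packages, not both.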


@@ -1,61 +1,51 @@
{
config,
lib,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"sdhci_pci"
"dwc3_pci"
];
boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
/*
fileSystems."/" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=root" ];
};
/*
fileSystems."/" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=boot" ];
};
*/
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=boot" ];
};
*/
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/boot/EFI" = {
device = "/dev/disk/by-uuid/C268-79C8";
fsType = "vfat";
options = [ "nofail" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fsType = "ext4";
};
fileSystems."/boot/EFI" =
{ device = "/dev/disk/by-uuid/C268-79C8";
fsType = "vfat";
};
swapDevices = [ ];
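Review bot: `fileSystems."/boot/EFI"` mounts the ESP (`boot.loader.efi.efiSysMountPoint = "/boot/EFI"` in the compute-deck default.nix section on this page) as vfat with no mount options, so every file on it gets the driver's default mode and is world-readable; anything the bootloader installs there (kernels, initrds, and `boot.initrd.secrets` if that is ever used) can be read by any local user. I would set `options = [ "fmask=0077" "dmask=0077" ];` on the `/boot/EFI` entry so the ESP is root-only, which is also what current `nixos-generate-config` emits for vfat ESPs. The same consideration does not apply to the ext4 `/boot`, which keeps real POSIX permissions. The large `/* ... */` block of stale btrfs entries above could be dropped or given a one-line comment saying why it is kept.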


@@ -2,15 +2,17 @@
{
home-manager.users.shelvacu = {
# these make vscode-remote work
imports = [ inputs.vscode-server.homeModules.default ];
imports = [
inputs.vscode-server.homeModules.default
];
services.vscode-server.enable = true;
home.stateVersion = "23.11";
# programs.git = {
# enable = true;
# userName = "Shelvacu";
# userEmail = "git@shelvacu.com";
# };
programs.git = {
enable = true;
userName = "Shelvacu";
userEmail = "git@shelvacu.com";
};
programs.librewolf = {
enable = true;


@@ -1,10 +1,8 @@
{ inputs, ... }:
let
{ inputs, ... }: let
padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
in
{
in {
environment.systemPackages = [ padtype-pkg ];
systemd.services."padtype" = {
wantedBy = [ "multi-user.target" ];
script = "${padtype-pkg}/bin/padtype";
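Review bot: `systemd.services."padtype"` defines only `wantedBy` and `script`, so the unit runs as root with systemd's default (no) sandboxing, and nothing in the hunk says why root is needed. Unless padtype genuinely requires root, I would add `serviceConfig.DynamicUser = true;` and, if it needs evdev/uinput access (likely from the name, but not visible here), `serviceConfig.SupplementaryGroups = [ "input" ];` together with a udev rule granting that group `/dev/uinput`, plus a comment recording the reason if root really is required. The hard-coded `packages."x86_64-linux".default` could be `packages.${pkgs.stdenv.hostPlatform.system}.default` so the module does not silently pick the wrong binary on another system. The service attrset is not closed inside this hunk, so there may be a `serviceConfig` further down that this note does not see.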


@@ -1,6 +1,5 @@
{ inputs, ... }:
{ ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.blarg = {
device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
content = {
@@ -14,29 +13,20 @@
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"compress=zstd"
"noatime"
];
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
"noatime"
];
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
mountOptions = [ "compress=zstd" "noatime" ];
};
# "/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "20M";
# };
# "/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "20M";
# };
};
};
};

dcd

@@ -1,3 +1,3 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"
git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@
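Review bot: The new side passes the wrapper's arguments as bare `$@`, so any argument containing whitespace or glob characters is split or expanded before it reaches `nixos-rebuild`; it should be `--use-remote-sudo "$@"` as on the other side. Note also that `git add .` runs unconditionally first and `--build-host trip` ships the flake source to the build host, so any stray file in the working tree (a decrypted secret, a `result` symlink target, editor scratch files) is staged and copied into the remote Nix store — a short comment such as `# stages the whole tree: make sure nothing unencrypted is lying around` would at least warn the next user, and `git add -A -- ':!result*'` or a `git status --porcelain` check before adding would be safer.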


@@ -1,88 +0,0 @@
{
nixpkgs ? import <nixpkgs>,
}:
let
pkgs = nixpkgs;
lib = nixpkgs.lib;
defaultCertTemplate = {
serial = 1;
activation_date = "1970-01-01 00:00:00 UTC";
expiration_date = "2500-01-01 00:00:00 UTC";
};
keyValToConfigLines = (
key: value:
if (builtins.isString value) || (builtins.isPath value) then
''${key} = "${value}"''
else if builtins.isInt value then
"${key} = ${builtins.toString value}"
else if builtins.isList value then
map (innerValue: keyValToConfigLines key innerValue)
else if builtins.isBool value then
(if value then "${key}" else "# no ${key}")
else
throw "don't know how to handle ${builtins.typeOf value}"
);
mkTemplateConfig =
config:
lib.concatStringsSep "\n" (
lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
);
privKeyFile =
name:
let
keySizeBits = 256;
keySizeHex = builtins.toString (keySizeBits / 4);
in
pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
'';
generateCert =
{
name,
config,
args,
preCommands ? "",
}:
let
deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
mkdir -p $out
cd $out
ln -s ${privKeyFile name} privkey.pem
ln -s ${
pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
} template.cfg
${preCommands}
${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
'';
in
deriv
// {
privateKeyPath = "${deriv}/privkey.pem";
certificatePath = "${deriv}/cert.pem";
};
in
{
inherit privKeyFile;
selfSigned =
name: config:
generateCert {
inherit name config;
args = [ "--generate-self-signed" ];
};
caSigned =
name: ca: config:
generateCert {
inherit name config;
preCommands = ''
ln -s ${ca.privateKeyPath} ca-privkey.pem
ln -s ${ca.certificatePath} ca-cert.pem
'';
args = [
"--generate-certificate"
"--load-ca-certificate=ca-cert.pem"
"--load-ca-privkey=ca-privkey.pem"
];
};
}

57
devver/default.nix Normal file

@@ -0,0 +1,57 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
imports = [
inputs.homeManager.nixosModules.default
../common-nixos-config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
boot.extraModulePackages = [ ];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
networking.hostName = "devver";
boot.loader.external.enable = true;
boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
set -xev
mkdir -p /boot
cp $1/kernel /boot/kernel
cp $1/initrd /boot/initrd
cp $1/kernel-params /boot/kernel-params
sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
'';
users.users.root.shell = pkgs.bashInteractive;
fileSystems."/boot" = {
fsType = "9p";
device = "boot";
options = [
"trans=virtio"
"access=any"
"version=9p2000.L"
"posixacl"
"cache=mmap"
"nofail"
"noauto"
];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
fsType = "ext4";
};
#boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.openssh.enable = true;
vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
system.stateVersion = "23.11";
}
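Review bot: The `installHook` copies the kernel, initrd and kernel-params into /boot unconditionally, but `fileSystems."/boot"` is the 9p share declared `noauto`/`nofail`, so when the share is not mounted the hook silently writes the boot files into a plain /boot directory on the root ext4 volume and the host keeps booting the previous kernel; add `mountpoint -q /boot || { echo "/boot (9p share) is not mounted" >&2; exit 1; }` before the copies, and quote `"$1"` in the three `cp` lines and the `sed` expression, since `set -e` does not guard against word splitting of the toplevel path. The mount also uses `access=any`, which tells v9fs to do a single attach with no per-user identity tracking; that is probably acceptable for a directory only root writes, but it deserves a comment such as `# access=any: single attach, no per-uid tracking; only root touches this share`. `services.openssh.enable = true` is set with no `PermitRootLogin`/`PasswordAuthentication` hardening visible here; if `../common-nixos-config.nix` does not set them, the release defaults apply, which is worth confirming.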

2
dliam

@@ -1,3 +1,3 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@"
git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@
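Review bot: As with the other wrapper scripts, one version of this line uses unquoted `$@`, which word-splits and globs every argument forwarded to nixos-rebuild; whichever side is current should read `"$@"`. The +/- markers are lost in the rendering, so I cannot tell which is the new line. The unconditional `git add .` also stages any untracked file (including a forgotten plaintext secret) into the flake source that is sent to the build host; `git add -u` limits that to already-tracked files.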

3
dmmm

@@ -1,3 +0,0 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"


@@ -1,71 +0,0 @@
{
dns,
lib,
vaculib,
config,
...
}:
let
inherit (lib) mkOption types singleton;
inherit (vaculib) mkOutOption;
inherit (dns.lib.combinators)
spf
mx
ttl
ns
;
cfg = config.vacu.dnsData;
in
{
imports = [
./jean-luc.org.nix
./pwrhs.win.nix
./shelvacu.miras.pet.nix
./for.miras.pet.nix
];
options.vacu.dns = mkOption {
default = { };
type = types.attrsOf dns.lib.types.zone;
};
options.vacu.dnsData = {
tripPublicV4 = mkOutOption "172.83.159.53";
cloudnsNameServers = mkOutOption [
"ns1.shelvacu.com."
"ns2.shelvacu.com."
"ns3.shelvacu.com."
"ns4.shelvacu.com."
];
cloudnsSoa = mkOutOption (
ttl (60 * 60) {
nameServer = lib.head cfg.cloudnsNameServers;
adminEmail = "support@cloudns.net";
serial = 2025013101;
refresh = 7200;
retry = 1800;
expire = 1209600;
minimum = 3600;
}
);
dkimKeys.liam = mkOutOption {
name = "2024-03-liam";
content = "v=DKIM1; k=rsa; s=email; p=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";
};
modules.cloudns = mkOutOption {
SOA = cfg.cloudnsSoa;
NS = map (s: ttl (60 * 60) (ns s)) cfg.cloudnsNameServers;
TTL = lib.mkDefault 300;
};
modules.liamMail = mkOutOption {
MX = singleton (mx.mx 0 "liam.dis8.net.");
TXT = singleton (
spf.strict [
"mx"
"include:outbound.mailhop.org"
"include:_spf.mailersend.net"
"a:relay.dynu.com"
]
);
subdomains."${cfg.dkimKeys.liam.name}._domainkey".TXT = singleton cfg.dkimKeys.liam.content;
};
};
}


@@ -1,21 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."for.miras.pet" =
{ ... }:
{
imports = [ dnsData.modules.cloudns ];
SOA.minimum = lib.mkForce 30;
subdomains = {
"git".A = singleton dnsData.tripPublicV4;
"auth".A = singleton dnsData.tripPublicV4;
"wisdom".A = singleton dnsData.tripPublicV4;
"chat".A = singleton dnsData.tripPublicV4;
"gabriel-dropout".A = singleton dnsData.tripPublicV4;
"_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
};
};
}


@@ -1,30 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
main_ips = singleton dnsData.tripPublicV4;
in
{
vacu.dns."jean-luc.org" =
{ ... }:
{
imports = [
dnsData.modules.cloudns
dnsData.modules.liamMail
];
A = main_ips;
subdomains = {
"in" =
{ ... }:
{
imports = [ dnsData.modules.liamMail ];
};
"*".A = main_ips;
"_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
"stats".A = main_ips;
"tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
"_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
};
};
}


@@ -1,15 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."pwrhs.win" =
{ ... }:
{
imports = [ dnsData.modules.cloudns ];
A = singleton dnsData.tripPublicV4;
subdomains.habitat.A = singleton dnsData.tripPublicV4;
subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
};
}


@@ -1,18 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."shelvacu.miras.pet" =
{ ... }:
{
imports = [
dnsData.modules.cloudns
dnsData.modules.liamMail
];
A = singleton dnsData.tripPublicV4;
subdomains."_acme-challenge".CNAME =
singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
};
}

2
dtrip

@@ -1,3 +1,3 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@"
git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@
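Review bot: The unquoted `$@` variant of this line breaks any argument containing whitespace or glob characters before it reaches nixos-rebuild, so whichever side is current should keep `"$@"`; the rendered diff does not show which line is the addition. Because `--build-host trip --target-host trip` name the same machine, this script builds on the production host itself, so everything `git add .` sweeps into the working tree is copied there as part of the flake; staging only tracked changes with `git add -u` avoids shipping an untracked secret by accident.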

1551
flake.lock generated

File diff suppressed because it is too large Load Diff

534
flake.nix

@@ -1,495 +1,141 @@
{
description = "Configs for shelvacu's nix things";
description = "Config for triple-dezert server";
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.11-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
flake-utils.url = "github:numtide/flake-utils";
nixvim = {
url = "github:nix-community/nixvim/nixos-24.11";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
nixvim-unstable = {
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
nix-inspect = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-inspect-unstable = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
vscode-server-unstable = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.flake-utils.follows = "flake-utils";
#inputs.nixpkgs.follows = "nixpkgs";
};
vscode-server = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nix-on-droid = {
url = "github:nix-community/nix-on-droid";
url = "github:nix-community/nix-on-droid/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
jovian-unstable = {
# there is no stable jovian :cry:
jovian = {
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
disko-unstable = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager";
homeManager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nix-search-cli-unstable = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.flake-utils.follows = "flake-utils";
};
nix-search-cli = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
padtype-unstable = {
url = "git+https://git.uninsane.org/shelvacu/padtype.git";
inputs.nixpkgs.follows = "nixpkgs-unstable";
padtype = {
url = "gitlab:shelvacu/padtype";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware.url = "github:nixos/nixos-hardware";
most-winningest = {
url = "github:captain-jean-luc/most-winningest";
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nixos-apple-silicon-unstable = {
url = "github:tpwrules/nixos-apple-silicon";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
dns = {
url = "github:nix-community/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
determinate-nix = {
url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
determinate-nix-unstable = {
url = "https://flakehub.com/f/DeterminateSystems/nix-src/3.0.0";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
};
outputs =
{
self,
nixpkgs,
nix-on-droid,
...
}@inputs:
let
x86 = "x86_64-linux";
arm = "aarch64-linux";
lib = import "${nixpkgs}/lib";
overlays = import ./overlays;
mkPlainInner =
pkgs:
lib.evalModules {
modules = [
./common
{ vacu.systemKind = "server"; }
];
specialArgs = {
inherit pkgs;
inherit lib;
inherit (inputs) dns;
vacuModuleType = "plain";
inherit inputs;
};
};
mkPlain =
pkgs:
let
inner = mkPlainInner pkgs;
in
inner.config.vacu.withAsserts inner;
mkPkgs =
arg:
let
argAttrAll = if builtins.isString arg then { system = arg; } else arg;
useUnstable = argAttrAll.useUnstable or false;
whichpkgs = if useUnstable then inputs.nixpkgs-unstable else inputs.nixpkgs;
argAttr = lib.removeAttrs argAttrAll [ "useUnstable" ];
config = {
allowUnfree = true;
permittedInsecurePackages = [ "olm-3.2.16" ];
} // (argAttr.config or { });
in
import whichpkgs (
argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
);
pkgs = mkPkgs x86;
defaultInputs = [
"nix-search-cli"
"nix-inspect"
"nixvim"
"determinate-nix"
];
mkInputs =
{
unstable ? false,
inp ? [ ],
}:
let
suffix = if unstable then "-unstable" else "";
nixpkgs = inputs.${"nixpkgs" + suffix};
inp' = inp ++ defaultInputs;
thisInputsA = builtins.listToAttrs (
map (name: lib.nameValuePair name inputs.${name + suffix}) inp'
);
in
thisInputsA // {
inherit nixpkgs;
inherit (inputs) self;
};
mkNixosConfig =
{
unstable ? false,
module,
system ? "x86_64-linux",
inp ? [ ],
}:
let
inputs = mkInputs { inherit unstable inp; };
in
inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
inherit (inputs) dns;
vacuModuleType = "nixos";
};
inherit system;
modules = [
./common
module
];
};
in
{
debug.isoDeriv = (
import "${inputs.nixpkgs}/nixos/release-small.nix" {
nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
}
);
nixosConfigurations = {
triple-dezert = mkNixosConfig {
module = ./triple-dezert;
inp = [ "most-winningest" "sops-nix" ];
};
compute-deck = mkNixosConfig {
module = ./compute-deck;
inp = [
"jovian"
"home-manager"
"vscode-server"
"disko"
"padtype"
];
unstable = true;
};
liam = mkNixosConfig {
module = ./liam;
inp = [ "sops-nix" ];
};
lp0 = mkNixosConfig { module = ./lp0; };
shel-installer = mkNixosConfig { module = ./installer.nix; };
fw = mkNixosConfig {
module = ./fw;
inp = [
"nixos-hardware"
"sops-nix"
];
};
legtop = mkNixosConfig {
module = ./legtop;
inp = [ "nixos-hardware" ];
};
mmm = mkNixosConfig {
module = ./mmm;
inp = [ "nixos-apple-silicon" ];
system = "aarch64-linux";
unstable = true;
};
toptop = mkNixosConfig {
module = ./toptop;
system = "x86_64-linux";
};
};
outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./triple-dezert ];
specialArgs = { inherit inputs; };
};
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [
./common
./nix-on-droid
];
extraSpecialArgs = {
inputs = mkInputs { };
inherit (inputs) dns;
vacuModuleType = "nix-on-droid";
};
pkgs = mkPkgs {
system = arm;
};
};
nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./compute-deck ];
specialArgs = { inherit inputs; };
};
checks = nixpkgs.lib.genAttrs [ x86 ] (
system:
let
pkgs = mkPkgs system;
plain = mkPlain pkgs;
config = {
node.pkgs = pkgs;
node.pkgsReadOnly = false;
node.specialArgs.selfPackages = self.packages.${system};
node.specialArgs.vacuModuleType = "nixos";
};
checksFromConfig = plain.config.vacu.checks;
in
assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
checksFromConfig
// {
liam = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [
config
./tests/liam.nix
{ node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
];
};
trip = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [
config
./tests/triple-dezert.nix
{ node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
];
};
}
);
nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./liam ];
specialArgs = { inherit inputs; };
};
qb = # qb is "quick build"
let
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
renamedAarchPackages = lib.mapAttrs' (
name: value: lib.nameValuePair (name + "-aarch64") value
) self.packages.aarch64-linux;
packages = self.packages.x86_64-linux // renamedAarchPackages;
in
rec {
fw = toplevelOf "fw";
triple-dezert = toplevelOf "triple-dezert";
trip = triple-dezert;
compute-deck = toplevelOf "compute-deck";
cd = compute-deck;
liam = toplevelOf "liam";
lp0 = toplevelOf "lp0";
legtop = toplevelOf "legtop";
lt = legtop;
mmm = toplevelOf "mmm";
shel-installer = toplevelOf "shel-installer";
toptop = toplevelOf "toptop";
tt = toptop;
iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
check-triple-dezert = self.checks.x86_64-linux.trip.driver;
check-trip = check-triple-dezert;
check-liam = self.checks.x86_64-linux.liam.driver;
nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./lp0 ];
specialArgs = { inherit inputs; };
};
nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./installer.nix ];
specialArgs = { inherit inputs; };
};
nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
nod = nix-on-droid;
nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./devver ];
specialArgs = { inherit inputs; };
};
nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./fw ];
specialArgs = { inherit inputs; };
};
dc-priv = deterministicCerts.privKeyFile "test";
dc-cert = deterministicCerts.selfSigned "test" { };
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ ./nix-on-droid.nix ];
extraSpecialArgs = { inherit inputs; };
};
# sm64 = packages.sm64coopdx;
ak = packages.authorizedKeys;
my-sops = packages.wrappedSops;
diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
m1n1
uboot-asahi
installer-bootstrap
;
installer-bootstrap-cross =
inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
}
// packages;
brokenBuilds = [
"sm64coopdx-aarch64"
"installer-bootstrap"
];
all =
let
linksNoContext = removeAttrs self.qb self.brokenBuilds;
links = builtins.mapAttrs (
name: val: builtins.addErrorContext "while evaluating link ${name}" val
) linksNoContext;
in
pkgs.runCommand "nix-stuff-all"
{
__structuredAttrs = true;
inherit links;
}
''
mkdir $out
cd $out
eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
'';
impureBuilds = [
"nix-on-droid"
"nod"
"nod-bootstrap-x86_64"
"nod-bootstrap-aarch64"
];
allPure = self.all.overrideAttrs (prev: {
links = removeAttrs prev.links self.impureBuilds;
});
archiveSmall =
let
# We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
isoContents = lib.concatStringsSep "\n" (
map (
c: "${c.source} => ${c.target}"
) self.nixosConfigurations.shel-installer.config.isoImage.contents
);
isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
allButImgs = self.all.overrideAttrs (prev: {
links = (removeAttrs prev.links [ "iso" ]) // {
iso-contents = isoContentsPkg;
};
});
in
allButImgs;
archive =
let
inherit (self) archiveSmall;
in
archiveSmall.overrideAttrs (prev: {
links = prev.links // {
build-deps = pkgs.closureInfo { rootPaths = [ archiveSmall.drvPath ]; };
};
});
}
// (inputs.flake-utils.lib.eachDefaultSystem (
system:
checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
let
nixpkgs-args = {
inherit system;
config.allowUnfree = true;
overlays = [ inputs.sm64baserom.overlays.default ];
pkgs = nixpkgs.legacyPackages.${system};
config = {
node.pkgs = pkgs;
node.pkgsReadOnly = false;
node.specialArgs.selfPackages = self.packages.${system};
node.specialArgs.inputs = inputs;
};
pkgs-unstable = mkPkgs nixpkgs-args // {
useUnstable = true;
};
pkgs-stable = mkPkgs nixpkgs-args // {
useUnstable = false;
};
_plain = mkPlain pkgs-unstable;
plain = _plain.config.vacu.withAsserts _plain;
treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs-unstable ./treefmt.nix;
in
{
formatter = treefmtEval.config.build.wrapper;
apps.sops = {
type = "app";
program = lib.getExe self.packages.${system}.wrappedSops;
liam = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/liam.nix ];
};
vacuconfig = plain.config;
legacyPackages = {
unstable = pkgs-unstable;
stable = pkgs-stable;
};
packages = rec {
authorizedKeys = pkgs-stable.writeText "authorizedKeys" (
lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
)
);
bandcamp-collection-downloader = pkgs-unstable.callPackage ./packages/bcd { };
bcd = bandcamp-collection-downloader;
dnix = inputs.determinate-nix.packages.${system}.nix;
dns = import ./scripts/dns {
inherit pkgs lib inputs;
inherit (plain) config;
};
haproxy-auth-request = pkgs.callPackage ./packages/haproxy-auth-request.nix {
inherit haproxy-lua-http;
};
haproxy-lua-http = pkgs.callPackage ./packages/haproxy-lua-http.nix { };
liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
extraSpecialArgs = {
inputs = { };
};
module = {
imports = [ ./nixvim ];
};
};
nix-inspect = inputs.nix-inspect.packages.${system}.default;
nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
openterface-qt = pkgs.callPackage ./packages/openterface-qt.nix { };
rg-cubexx-v1-0-1 = pkgs.fetchurlWithWetransfer {
url = "https://we.tl/t-nwhCNkgXwG";
name = "cxm_rgcubexx-v1-0-1-en32gb-2401018_2024-10-19_0631.zip";
recursiveHash = true;
hash = "sha256-kQds0/BdlEA10LJozOvpQ65TemTx6CxjO8rANi4o5K0=";
};
sopsConfig = plain.config.vacu.sopsConfigFile;
sourceTree = plain.config.vacu.sourceTree;
transferwee = pkgs.callPackage ./packages/transferwee.nix { };
units = plain.config.vacu.units.finalPackage;
update-git-keys = pkgs-stable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; };
vnopnCA = pkgs-stable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
wrappedSops = plain.config.vacu.wrappedSops;
z3 = pkgs-unstable.callPackage ./packages/z3 { };
# mycoopdx = pkgs-unstable.callPackage ./packages/sm64coopdx.nix { };
# zulip-server = pkgs.python312Packages.callPackage ./packages/zulip.nix { };
trip = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/triple-dezert.nix ];
};
# trip_haproxy_config = let
# hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
# in pkgs.stdenvNoCC.mkDerivation {
# name = "trip-haproxy-config-check";
# script = ''
# mkdir -p certs/shelvacu.com/
# touch certs/shelvacu.com/full.pem
# ${hacfg.package}/bin/haproxy \
# -f ${pkgs.writeText "haproxy-config" hacfg.config} \
# -c \
# -dW \
# -dD \
# -C $PWD
# '';
# };
}
));
);
nixosModules.common = import ./common-config.nix;
packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
};
}
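Review bot: On the side that keeps the `homeManager` input, the `nix-on-droid` entry's `inputs.home-manager.follows = "home-manager"` (just below the `release-23.05` url) refers to an input that does not exist on that side, since the only home-manager input there is spelled `homeManager`; the rendering loses the +/- markers, so I cannot be sure which side that `follows` line belongs to, but if it survives alongside `homeManager`, Nix flags it as an override of a non-existent input and the de-duplication quietly does not happen, so nix-on-droid pulls its own home-manager pin. Either rename the input to `home-manager` or point the follows at `"homeManager"`. The same side also pins `nix-on-droid` to `release-23.05` while forcing its nixpkgs to `nixos-23.11-small`, and `homeManager` tracks `master` against `nixos-unstable` yet is imported by `devver`, which is evaluated with the stable `nixpkgs.lib.nixosSystem`; mixed releases like this tend to break module evaluation, so each deliberate mismatch deserves a comment, e.g. `# nix-on-droid has no 23.11 branch yet; 23.05 on purpose`. `jovian` and `microvm` carry no release pin either; that is fine while flake.lock pins them, but a comment saying so would stop a future `nix flake update` from being a surprise.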


@@ -1,5 +0,0 @@
{ pkgs, ... }:
{
vacu.packages = pkgs.androidStudioPackages.stable.all;
users.users.shelvacu.extraGroups = [ "kvm" ];
}


@@ -1,69 +0,0 @@
# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
{ pkgs, config, ... }:
let
# to match package used in config.services.pcscd, unfortunately not exposed like usual
pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
in
{
# apparently this is already enabled??
# nixpkgs.overlays = [ ( final: prev: {
# libfido2 = prev.libfido2.override { withPcsclite = true; };
# } ) ];
vacu.packages =
(with pkgs; [
libfido2
pcsc-tools
scmccid
opensc
])
++ [ pcsclite-pkg ];
services.pcscd.enable = true;
# conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
boot.blacklistedKernelModules = [
"pn533_usb"
"pn533"
"nfc"
];
# bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
# (PIN1 for authentication/decryption, PIN2 for signing).
# environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
# module: ${pkgs.opensc}/lib/opensc-pkcs11.so
# '';
# environment.etc."opensc.conf".text = ''
# app default {
# reader_driver pcsc {
# enable_pinpad = false;
# }
# }
# '';
environment.systemPackages = [
# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
# security devices, so they can be used for TLS client auth.
# Each user needs to run this themselves, it does not work on a system level
# due to a bug in Chromium:
#
# https://bugs.chromium.org/p/chromium/issues/detail?id=16387
(pkgs.writeShellScriptBin "setup-browser-eid" ''
NSSDB="''${HOME}/.pki/nssdb"
mkdir -p ''${NSSDB}
${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
'')
];
programs.firefox.enable = true;
#programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
# trying CTAP-bridge
services.udev.extraRules = ''
KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
'';
}


@@ -1,98 +1,24 @@
{ inputs, pkgs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./apex.nix
./android.nix
./thunderbolt.nix
./fwupd.nix
./zfs.nix
./virtualbox.nix
./sops.nix
./radicle.nix
./orca-slicer.nix
./tpm-fido.nix
{ config, inputs, pkgs, lib, ... }: {
imports = [
../common-nixos-config.nix
];
vacu.hostName = "fw";
vacu.shell.color = "magenta";
vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
vacu.systemKind = "desktop";
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
# boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
services.fprintd.enable = false; # kinda broken
users.users.shelvacu.extraGroups = [ "dialout" ];
programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
vacu.packages =
(with pkgs; [
bitwarden-desktop
nheko
librewolf
brave
thunderbird
wl-clipboard
nextcloud-client
signal-desktop
fw-ectool
framework-tool
iio-sensor-proxy
power-profiles-daemon
acpi
jellyfin-media-player
vlc
dmidecode
prismlauncher
"ffmpeg-allvrything"
wireshark
obsidian
dino
aircrack-ng
libreoffice-qt6-fresh
gimp
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
android-tools
ghidra
wineWowPackages.stableFull
wineWowPackages.fonts
winetricks
tremotesf
smartmontools
nvme-cli
arduino-ide
headsetcontrol
OSCAR
# makemkv
mkvtoolnix-cli
flac
imagemagickBig
anki
openshot-qt
kdePackages.kdenlive
shotcut
radicle-node
josm
merkaartor
kaffeine
kdePackages.elisa
haruna
kdePackages.dragon
wev
svp
filezilla
mercurial
])
++ [ ];
networking.firewall.enable = false;
vacu.packages.bitwarden-desktop.enable = true;
vacu.packages.nheko.enable = true;
vacu.packages.librewolf.enable = true;
vacu.packages.brave.enable = true;
vacu.packages.thunderbird.enable = true;
vacu.packages.wl-clipboard.enable = true;
vacu.packages.nextcloud-client.enable = true;
vacu.packages.signal-desktop.enable = true;
vacu.packages.fw-ectool.enable = true;
vacu.packages.framework-tool.enable = true;
vacu.packages.iio-sensor-proxy.enable = true;
vacu.packages.power-profiles-daemon.enable = true;
vacu.packages.acpi.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
@@ -114,54 +40,41 @@
}
];
networking.hostName = "fw"; # Define your hostname.
networking.hostId = "c6e309d5";
boot.zfs.extraPools = [ "fw" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
systemd.services.zfs-mount.enable = false;
services.openssh.enable = true;
system.stateVersion = "23.11"; # Did you read the comment?
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"usbhid"
"sd_mod"
];
#boot.initrd.kernelModules = [ ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
#boot.extraModulePackages = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "fw/root";
fsType = "zfs";
};
fileSystems."/" =
{ device = "fw/root";
fsType = "zfs";
};
fileSystems."/boot0" = {
device = "/dev/disk/by-label/BOOT0";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
fileSystems."/boot0" =
{ device = "/dev/disk/by-label/BOOT0";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot1" = {
device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
fileSystems."/boot1" =
{ device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
hardware.cpu.amd.updateMicrocode = true;
hardware.enableAllFirmware = true;
hardware.graphics = {
extraPackages = [
pkgs.rocmPackages.clr.icd
pkgs.amdvlk
];
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
};
programs.nix-ld.enable = true;
programs.steam = {
@@ -178,8 +91,4 @@
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.postgresql.enable = true; # for development
virtualisation.waydroid.enable = true;
}
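Review bot: `networking.firewall.enable = false;` sits in the first hunk next to `services.openssh.enable = true;`, and on the side that keeps both, this laptop accepts inbound connections on every listening port on any network NetworkManager joins; the rendered view loses the +/- markers, so if the firewall line is context rather than a removal it applies to the new side as well. Since NixOS opens port 22 on its own when openssh is enabled (`services.openssh.openFirewall` defaults to true), the line can simply be deleted, or replaced with `networking.firewall.enable = true;`, without losing SSH access, and any service that genuinely needs inbound reach gets an explicit `allowedTCPPorts` entry. The newly added `services.postgresql.enable = true; # for development` is the kind of listener that benefits: with the firewall on it is reachable only where configured instead of wherever `listen_addresses` happens to point. The enclosing attribute set spans all three hunks of this file, so options set between them are not visible here.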


@@ -1,43 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
version = "6.10.4";
hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
customKernel = pkgs.linux_6_10.override {
inherit version;
src = pkgs.fetchurl {
url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
inherit hash;
};
modDirVersion = lib.versions.pad 3 version;
};
customKernelPackages = pkgs.linuxPackagesFor customKernel;
in
{
system.nixos.tags = [
"EXPERIMENT"
"kernel-${config.boot.kernelPackages.kernel.version}"
];
boot.kernelPackages = lib.mkForce customKernelPackages;
# boot.zfs.extraPools = lib.mkForce [];
# fileSystems."/".fsType = lib.mkForce "ext4";
vacu.packages.sm64coopdx.enable = false;
vacu.verifySystem.expectedMac = lib.mkForce null;
}
# good:
# Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep 8 05:54:49 UTC 2024 x86_64 GNU/Linux
# Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
# linux-6.9.12
# 6.10.4 (maybe?? sus)
# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
# bad:
# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan 1 00:00:00 UTC 1980 x86_64 GNU/Linux
# linux linux-6.10.10


@@ -1,8 +0,0 @@
{ config, lib, ... }:
{
vacu.packages = [ config.services.fwupd.package ];
services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
#update: it didn't work, I dunno why. Leaving this here anyways
services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
}


@@ -1,16 +0,0 @@
{ pkgs, ... }:
{
vacu.packages.orca-slicer = {
enable = true;
package = pkgs.orca-slicer.overrideAttrs (prev: {
patches = (prev.patches or [ ]) ++ [
(pkgs.fetchpatch {
name = "pr-7650-configurable-update-check.patch";
url = "https://github.com/SoftFever/OrcaSlicer/pull/7650.patch";
hash = "sha256-t4own5AwPsLYBsGA15id5IH1ngM0NSuWdFsrxMRXmTk=";
})
];
cmakeFlags = (prev.cmakeFlags or [ ]) ++ [ "-DORCA_VERSION_CHECK_DEFAULT=OFF" ];
});
};
}


@@ -1,16 +0,0 @@
{ config, ... }:
{
sops.secrets.radicle-key = {
sopsFile = ../secrets/radicle-private.key;
format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
};
services.radicle = {
enable = false;
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
privateKeyFile = config.sops.secrets.radicle-key.path;
settings = {
node.alias = "shelvacu-fw";
seedingPolicy.default = "block";
};
};
}


@@ -1,19 +0,0 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = {
# sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -1,10 +0,0 @@
{ pkgs, config, ... }:
{
services.hardware.bolt.enable = true;
vacu.packages = [
pkgs.thunderbolt
config.services.hardware.bolt.package
pkgs.kdePackages.plasma-thunderbolt
];
}


@@ -1,11 +0,0 @@
{ config, ... }:
{
vacu.packages = [ "tpm-fido" ];
users.groups.uhid = {};
users.users.shelvacu.extraGroups = [ config.security.tpm2.tssGroup config.users.groups.uhid.name ];
security.tpm2.enable = true;
security.tpm2.applyUdevRules = true;
services.udev.extraRules = ''
KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
'';
}


@@ -1,8 +0,0 @@
{ ... }:
{
virtualisation.virtualbox.host = {
enable = true;
enableExtensionPack = true;
};
users.extraGroups.vboxusers.members = [ "shelvacu" ];
}


@@ -1,9 +0,0 @@
{ pkgs, ... }:
{
boot.zfs.extraPools = [ "fw" ];
# config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
systemd.services.zfs-mount.enable = false;
# see also fileSystems."/"
}


@@ -0,0 +1,10 @@
{ inputs, system ? "x86_64-linux" }:
let
pkgs = inputs.nixpkgs.legacyPackages.${system};
config = { config, ... }: {
imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
system.stateVersion = config.system.nixos.release;
};
in
(pkgs.nixos config).digitalOceanImage
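Review bot: `system.stateVersion = config.system.nixos.release;` makes the image's stateVersion track whichever nixpkgs happens to build it, so a droplet created from this image and then upgraded in place will have its state-dependent defaults move with every nixpkgs bump instead of staying pinned the way the other hosts pin a literal such as `"23.11"`. If the intent is that the image is always re-created rather than upgraded, say so where the value is set, e.g. `# fresh image each build, nothing stateful to protect: follow the current release`, so the next reader does not "fix" it; otherwise pin a literal release. The `system ? "x86_64-linux"` default is fine but undocumented; a one-line header comment stating that this file evaluates to a DigitalOcean image derivation would help callers of the flake.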


@@ -1,7 +0,0 @@
{ ... }:
{
imports = [ ../common/home.nix ];
home.stateVersion = "24.05";
home.homeDirectory = "/data/data/com.termux.nix/files/home";
home.username = "nix-on-droid";
}


@@ -1,16 +1,18 @@
{
config,
modulesPath,
lib,
...
}:
{
imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
{ config, inputs, modulesPath, lib, ... }: {
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
./common-nixos-config.nix
];
# this is an installer image, created anew every time. There's no state we need to worry about messing up
system.stateVersion = config.system.nixos.version;
system.stateVersion = config.system.nixos.version;
isoImage.isoBaseName = "nixos-shel-installer";
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
vacu.hostName = "vacuInstaller";
vacu.shell.color = "red";
vacu.systemKind = "server";
# boot.kernelPatches = [{
# name = "foo";
# patch = null;
# extraStructuredConfig = {
# VIRTIO = lib.kernel.yes;
# VIRTIO_BLK = lib.kernel.yes;
# };
# }];
}
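Review bot: The commented-out `boot.kernelPatches` block at the bottom of the module (forcing `VIRTIO`/`VIRTIO_BLK` on) is dead configuration with no note on why it is kept; either drop it or give it a reason, e.g. `# TODO: decide whether the installer kernel needs VIRTIO built in; remove if not`. Judging from the hunk counts (16 old, 18 new) these lines are on the added side, while `services.openssh.settings.PermitRootLogin = lib.mkForce "yes"` is unchanged context and is already explained by the installer-image comment above `system.stateVersion`.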


@@ -1,92 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title>Hire Shelvacu today!</title>
<style>
/* with thanks to http://bettermotherfuckingwebsite.com/ */
body {
margin: 40px auto;
max-width: 650px;
line-height: 1.6;
font-size: 18px;
color: #444;
background: #eee;
padding: 0 10px;
}
h1,h2,h3 { line-height: 1.2; }
form {
padding: 5px;
border: 1px solid black;
border-radius: 3px;
margin: 5px;
}
form label { display: block; }
</style>
</head>
<body>
<h1>Jobs info</h1>
<p>Hi! I am currently looking to find a Software Engineering job. I am a professional developer specializing in Ruby on Rails and Rust, with over 10 years of experience.</p>
<p>
What I want in a job:
<ul>
<li><b>Fully Remote</b> - that means 1 visit to an office per month or less. Strongly preferred; non-remote jobs will have to be very tempting in every other category.</li>
<li>Prefer direct hire, but not required.</li>
<li>W2 employment preferred, but also open to C2C/1099.</li>
<li>While I could be productive in nearly any language, I would most like to work with Rust.</li>
</ul>
</p>
<p>
Things you probably want to know:
<ul>
<li>I am a US citizen (USC), for work authorization purposes I can work anywhere in the US.</li>
<li>Open to both contract and permanent positions.</li>
<li>I can start within a week.</li>
<li>I do not have a formal degree, but more than enough experience to make up for it.</li>
</ul>
</p>
<h2>Resume</h2>
<p>
<a href="/shelvacu-resume.pdf">You can see my latest, up-to-date resume here</a>.
</p>
<h2>To send me job offers</h2>
<p>Unfortunately I get a lot of bad job offers if I just give out my email to anyone. As such, I will only accept job offers sent using this form.</b>
<p>Each time you want to send me an email about a new job offer, you must return to this page. The process may change from time to time. If you have multiple jobs you think I am a good fit for, please combine them in one email.</p>
<form method="get" action="/email">
<label>
<input type="checkbox" name="confirm_fully_remote_or_exceptional" value="yes" required>
<span>This is a fully remote job, or you will give an exceptional reason why the offer should be considered despite not being fully remote.</span>
</label>
<label>
<input type="checkbox" name="confirm_i_read_the_above" value="yes" required>
<span>You have read the above and will not ask about work authorization status, earliest date to start, or formal education because you already have that information.</span>
</label>
<label>
<input type="checkbox" name="confirm_include_pay" value="yes" required>
<span>You will include an estimated pay range. No "depends on experience", my resume clearly shows how much experience I have.</span>
</label>
<label>
<input type="checkbox" name="confirm_no_ask_resume" value="yes" required>
<span>You will not ask for an updated resume. The latest resume is always available on this page.</span>
</label>
<label>
<div>Your email:</div>
<input type="email" name="email" required>
</label>
<button type="submit">Submit</button>
</form>
<p>I apologize for the hassle. I promise that if you follow everything here before sending a job offer to me, I <i>will</i> respond, and I will make every effort to respond within 1 week.</p>
</body>
</html>



@@ -1,7 +0,0 @@
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
# services.blueman.enable = true;
}


@@ -1,83 +0,0 @@
{ pkgs, inputs, ... }:
{
imports = [
../common/nixos.nix
inputs.nixos-hardware.nixosModules.gpd-micropc
./hardware.nix
./bluetooth.nix
];
vacu.hostName = "legtop";
vacu.shortHostName = "lt";
vacu.shell.color = "blue";
vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
vacu.systemKind = "desktop";
system.stateVersion = "24.05";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
vacu.packages =
(with pkgs; [
bitwarden-desktop
nheko
# librewolf
brave
thunderbird
wl-clipboard
nextcloud-client
signal-desktop
iio-sensor-proxy
power-profiles-daemon
acpi
jellyfin-media-player
vlc
dmidecode
prismlauncher
ffmpeg_7-full
wireshark
obsidian
dino
aircrack-ng
libreoffice-qt6-fresh
gimp
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
android-tools
ghidra
wineWowPackages.stableFull
wineWowPackages.fonts
winetricks
lutris
radicle-node
proxmark3
])
++ [ ];
services.openssh.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
hardware.enableAllFirmware = true;
services.fwupd.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
programs.steam.enable = true;
}


@@ -1,33 +0,0 @@
{ ... }:
{
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
fsType = "ext4";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4C47-D9A3";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}


@@ -1,71 +1,57 @@
{
modulesPath,
config,
vaculib,
...
}:
let
inherit (vaculib) mkOutOption;
in
{
{ modulesPath, config, lib, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/virtualisation/digital-ocean-config.nix")
../common-nixos-config.nix
./nginx.nix
./sops.nix
./dovecot.nix
./mail.nix
./dkim.nix
./sieve.nix
./network.nix
];
options = {
options = let
mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
in {
vacu.liam = {
shel_domains = mkOutOption [
shel_domains = mkReadOnly [
"shelvacu.com"
"dis8.net"
"mail.dis8.net"
"jean-luc.org"
"in.jean-luc.org"
"vacu.store"
"shelvacu.miras.pet"
];
julie_domains = mkOutOption [
julie_domains = mkReadOnly [
"violingifts.com"
"theviolincase.com"
"shop.theviolincase.com"
];
domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
relayhosts = {
allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
readOnly = false;
};
shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
readOnly = false;
};
};
reservedIpLocal = mkOutOption "10.46.0.7";
domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
reservedIpLocal = mkReadOnly "10.46.0.7";
};
};
config = {
vacu.hostName = "liam";
vacu.shell.color = "cyan";
system.nixos.tags = [ "host-${config.networking.hostName}" ];
networking.hostName = "liam";
networking.domain = "dis8.net";
vacu.systemKind = "minimal";
hardware.enableAllFirmware = false;
hardware.enableRedistributableFirmware = false;
# networking.interfaces."ens3".useDHCP = false;
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
# "netmask": "255.255.0.0",
# "gateway": "10.46.0.1"
# }
services.openssh.enable = true;
virtualisation.digitalOcean.setSshKeys = false;
users.users.root.openssh.authorizedKeys.keys =
config.users.users.shelvacu.openssh.authorizedKeys.keys;
users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
system.stateVersion = "23.11";
};
}
}
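Review bot: `mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };` declares every `vacu.liam.*` option without a `type`, so `shel_domains`, `julie_domains`, `domains` and `reservedIpLocal` are untyped and a wrong value (or the `++` in `domains` meeting a non-list) only surfaces wherever the option is consumed rather than at option checking. Give the helper a type argument, `mkReadOnly = type: val: lib.options.mkOption { inherit type; default = val; readOnly = true; };`, and call it as `mkReadOnly (lib.types.listOf lib.types.str) [ … ]` for the domain lists and `mkReadOnly lib.types.str "10.46.0.7"` for the address. A `description` on each option would also document what the other liam modules (`mail.nix`, `dkim.nix`, `nginx.nix`) rely on. Line sides are inferred from the `@@ -1,71 +1,57 @@` counts, since the rendered page lost the `+`/`-` markers.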


@@ -1,13 +1,7 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
let
inherit (config.vacu.liam) domains;
in
{
inherit (config.vacu.liam) domains;
in {
services.opendkim = {
enable = true;
keyPath = "/run/secrets/dkimkeys";
@@ -21,4 +15,4 @@ in
systemd.services.postfix.after = [ "opendkim.service" ];
}
# 2024-03-liam._domainkey
# v=DKIM1; k=rsa; s=email; p=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
# v=DKIM1; k=rsa; s=email; p=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


@@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, pkgs, lib, ... }:
{
networking.firewall.allowedTCPPorts = [ 993 ];
systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -17,11 +17,8 @@
sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
enablePAM = false;
protocols = lib.mkForce [
"imap"
"lmtp"
"sieve"
];
protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
modules = [ pkgs.dovecot_pigeonhole ];
mailUser = "vmail";
mailGroup = "vmail";
createMailUser = true;
@@ -78,33 +75,22 @@
userdb {
driver = passwd-file
args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
args = username_format=%n /run/secrets/dovecot-passwd
override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
}
passdb {
driver = passwd-file
args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
args = username_format=%n /run/secrets/dovecot-passwd
override_fields = user=%n
}
namespace {
separator = .
inbox = yes
mailbox MagicRefilter {
auto = create
}
}
# mail_debug = yes
mail_plugins = $mail_plugins notify mail_log
plugin {
# sieve_trace_debug = yes
mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
mail_log_fields = uid box msgid size from
}
'';
};
}
}
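Review bot: The `userdb` and `passdb` `args` lines now embed the literal path `/run/secrets/dovecot-passwd`; the same commit still declares `sops.secrets.dovecot-passwd` in `sops.nix`, so `args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}` keeps the config coupled to the secret's real location and fails at evaluation time if the secret is ever renamed or given a custom path, instead of silently producing an unreadable passwd file. The `mail_plugins = $mail_plugins notify mail_log` block with its `mail_log_events`/`mail_log_fields` is absent from this side of the hunk, which removes the per-message audit log of delete/expunge/flag operations; if that is deliberate, a one-line comment saying so would stop the next reader from re-adding it. Sides are inferred from the `@@ -78,33 +75,22 @@` counts, as the rendered page shows no `+`/`-` markers.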


@@ -1,46 +1,10 @@
{
config,
lib,
pkgs,
...
}:
{ config, lib, pkgs, ... }:
let
inherit (config.vacu.liam)
shel_domains
julie_domains
domains
relayhosts
;
mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
debug = false;
fqdn = config.networking.fqdn;
relayable_domains = [
"shelvacu.com"
"vacu.store"
];
dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
reject_spam_sources = [
"reject-spam-test@example.com"
"buyerservice@made-in-china.com"
"upgrade-plans@asuswebstorage.com"
"info@rfidlabel.com"
];
banned_ips = [
"45.192.103.243/32"
"165.154.207.0/24"
"165.154.226.0/24"
"210.242.134.0/26"
"137.220.198.0/24"
"122.96.0.0/15"
];
# must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
mailSizeLimit = 35 * 1024 * 1024;
in
{
networking.firewall.allowedTCPPorts = [
25
465
];
inherit (config.vacu.liam) shel_domains julie_domains domains;
fqdn = config.networking.fqdn;
dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
in {
networking.firewall.allowedTCPPorts = [ 25 465 ];
vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
services.postfix = {
@@ -49,15 +13,12 @@ in
# this goes into virtual_alias_maps
# "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
virtual =
''
julie@shelvacu.com julie
mom@shelvacu.com julie
psv@shelvacu.com psv
''
+ (mapLines (d: "@${d} shelvacu") shel_domains)
+ "\n"
+ (mapLines (d: "@${d} julie") julie_domains);
virtual = ''
julie@shelvacu.com julie
mom@shelvacu.com julie
psv@shelvacu.com psv
'' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
+ (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
transport = ''
shelvacu@${fqdn} ${dovecot_transport}
@@ -72,54 +33,19 @@ in
rootAlias = "shelvacu";
enableSubmission = false;
enableSubmissions = true;
mapFiles.header_checks = pkgs.writeText "header-checks" (
''
/./ INFO checker headers
''
+ (mapLines (
d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
) domains)
);
mapFiles.sender_access = pkgs.writeText "sender-access" (
mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
);
mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
# hack to get postfix to add a X-Original-To header
mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
# mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
mapFiles.sender_transport = pkgs.writeText "sender-transport" (
mapLines (d: "@${d} relayservice") relayable_domains
);
mapFiles.sender_relay = pkgs.writeText "sender-relay" (
''
@shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt}
''
+ (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
);
mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
''
robot@vacu.store vacustore
''
+ config.services.postfix.virtual
);
# verbatim appended to main.cf
extraConfig = ''
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
virtual_alias_domains =
${lib.concatStringsSep ",\n " domains}
message_size_limit = ${toString mailSizeLimit}
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
header_checks = pcre:/etc/postfix/header_checks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
recipient_delimiter = +
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
#we should never use these transport methods unless thru transport map
# RFC3463:
@@ -127,8 +53,8 @@ in
# X.3.X = mail system failure
# X.3.5 = System incorrectly configured
# I would've never thought there'd be a standard way to specifically say "you found an error in my config"
local_transport = error:5.3.5 how did this even happen?? (e-local)
virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
local_transport = error:5.3.5 how did this even hapenn??
virtual_transport = error:5.3.5 how did this even happenn??
# X.7.1 = Delivery not authorized, message refused
relay_transport = error:5.7.1 relay is so very disabled
@@ -140,37 +66,13 @@ in
smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
# smtp_bind_address = 10.46.0.7
# inet_interfaces = all
# inet_protocols = ipv4
${lib.optionalString config.services.opendkim.enable (
assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
''
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
''
)}
${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
'')}
'';
masterConfig."relayservice" = {
command = "smtp";
type = "unix";
args = [
"-o"
"smtp_sasl_auth_enable=yes"
"-o"
"smtp_sasl_security_options=noanonymous"
"-o"
"smtp_tls_security_level=secure"
"-o"
"smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o"
"smtp_tls_wrappermode=no"
] ++ (if debug then [ "-v" ] else [ ]);
};
masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
submissionsOptions = {
smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -184,7 +86,7 @@ in
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/dovecot-auth";
message_size_limit = "100000000";
smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
smtpd_sender_login_maps = "hash:/etc/postfix/virtual";
smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
header_checks = "";
@@ -197,5 +99,6 @@ in
tls_preempt_cipherlist = "no";
};
};
}
}
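Review bot: The main.cf `extraConfig` on the new side sets no `message_size_limit`, so port-25 delivery falls back to Postfix's built-in default while `submissionsOptions` still sets `message_size_limit = "100000000"`; the inbound limit should be explicit and explained, e.g. `message_size_limit = 36700160` (35 MiB, the value the old text justified against Gmail's post-base64 attachment size). Which `local_transport`/`virtual_transport` pair is the new one cannot be read off the rendered page, but the pair reading `hapenn`/`happenn` has typos in text that ends up in DSNs; `error:5.3.5 how did this even happen?? (e-local)` is the clearer form. The hunks start at `@@ -49,15 +13,12 @@` and later inside a `let … in` and a `services.postfix = {` block whose openings are earlier in the file.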


@@ -1,32 +0,0 @@
{ lib, config, ... }:
let
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
# "netmask": "255.255.0.0",
# "gateway": "10.46.0.1"
# }
interface_conf = {
useDHCP = true;
ipv4.addresses = [
{
address = "10.46.0.7";
prefixLength = 24;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.46.0.1";
options.scope = "global";
options.src = "10.46.0.7";
options.metric = "1200";
}
];
};
in
{
networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
}


@@ -1,19 +1,16 @@
{ ... }:
{ config, ... }:
let
domains = [
"smtp.shelvacu.com"
"imap.shelvacu.com"
"mail.shelvacu.com"
"autoconfig.shelvacu.com"
"mail.dis8.net"
"liam.dis8.net"
];
domains = [
"smtp.shelvacu.com"
"imap.shelvacu.com"
"mail.shelvacu.com"
"autoconfig.shelvacu.com"
"mail.dis8.net"
"liam.dis8.net"
];
in
{
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.defaults.email = "shelvacu@gmail.com";
@@ -34,4 +31,4 @@ in
default = true;
};
};
}
}


@@ -1,18 +1,4 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib.strings)
concatStringsSep
splitString
match
replaceStrings
concatStrings
;
inherit (lib.lists) reverseList length elemAt;
{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
email_folders = [
"24nm-domain@shelvacu.com"
"agora@shelvacu.com"
@@ -21,7 +7,6 @@ let
"paxful@shelvacu.com"
"postgres-lists@shelvacu.com"
"cpapsupplies@shelvacu.com"
"jork@shelvacu.com"
"bob@dis8.net"
"fresh.avocado@dis8.net"
@@ -33,7 +18,7 @@ let
"jean-luc@jean-luc.org"
"mariceayukawa@jean-luc.org"
"snow@jean-luc.org"
"capt@in.jean-luc.org"
];
domain_folders = [
@@ -41,388 +26,48 @@ let
"shelvacu.com"
"jean-luc.org"
"in.jean-luc.org"
"mail.dis8.net"
"liam.dis8.net"
# no longer used:
"tulpaudcast.info"
"tulpae.info"
"xn--tulp-yoa.info"
];
valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
mk_domain_folder_name =
domain:
assert valid_ish_domain domain;
concatStringsSep "." (reverseList (splitString "." domain));
mk_email_folder_name =
email:
let
parts = splitString "@" email;
domain_part =
assert (length parts) == 2;
elemAt parts 1;
user_part =
assert (length parts) == 2;
elemAt parts 0;
domain_folder = mk_domain_folder_name domain_part;
folder_name = domain_folder + ".@" + user_part;
in
folder_name;
is_match = regex: s: (match regex s) != null;
is_not_match = regex: s: !(is_match regex s);
is_quoteable = s: (is_match "[ -~]*" s) && (is_not_match ("\\$" + "\\{") s);
sieve_quote_string_bare =
s:
assert is_quoteable s;
replaceStrings [ ''"'' "\\" ] [ ''\"'' "\\\\" ] s;
sieve_quote_string = s: ''"'' + (sieve_quote_string_bare s) + ''"'';
interp = ident: "$" + "{${ident}}";
dest = "envelope_to";
dest_domain = "envelope_to_domain";
set_envelope = ''
#set_envelope START
if header :index 1 :matches "X-Envelope-To" "*" {
set ${sieve_quote_string dest} "''${1}";
}
if header :index 1 :matches "X-Envelope-To" "*@*" {
set ${sieve_quote_string dest_domain} "''${2}";
}
#set_envelope END
'';
envelope_is = key: ''string :is "${interp dest}" ${sieve_quote_string key}'';
envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
email_filters = map (e: ''
elsif ${envelope_is e} { # item of email_filters
addheader "X-Vacu-Action" "email_filters fileinto ${sieve_quote_string_bare (mk_email_folder_name e)}";
fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
}
'') email_folders;
domain_filters = map (d: ''
elsif ${envelope_domain_is d} { # item of domain_filters
addheader "X-Vacu-Action" "domain_filters fileinto ${sieve_quote_string_bare (mk_domain_folder_name d)}";
fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
}
'') domain_folders;
set_from =
{
condition,
var,
default ? "-",
warn_if_unset ? false,
}:
mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
mk_email_folder_name = email: let
parts = splitString "@" email;
domain_part = assert (length parts) == 2; elemAt parts 1;
user_part = assert (length parts) == 2; elemAt parts 0;
domain_folder = mk_domain_folder_name domain_part;
folder_name = domain_folder + ".@" + user_part;
in folder_name;
is_quoteable = s: match "[ -~]*" s != null;
sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
email_filters = map (e:
''
# set_from { condition = ${sieve_quote_string condition}; var = ${sieve_quote_string var}; default = ${sieve_quote_string default}; warn_if_unset = ${toString warn_if_unset}; }
if ${condition} {
set ${sieve_quote_string var} "''${1}";
elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
}
else {
${lib.optionalString warn_if_unset ''
if ihave "vnd.dovecot.debug" {
debug_log "info: Could not set ${sieve_quote_string_bare var} from condition ${sieve_quote_string_bare condition}, setting to default(${sieve_quote_string_bare default})";
}
''}
set ${sieve_quote_string var} ${sieve_quote_string default};
''
) email_folders;
domain_filters = map (d:
''
elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
}
# set_from END
'';
set_var_from_environment =
item: var:
''
# set_var_from_environment
''
+ set_from {
condition = ''environment :matches ${sieve_quote_string item} "*"'';
inherit var;
};
) domain_folders;
sieve_text = ''
require [
"fileinto",
"mailbox",
"imap4flags",
"editheader",
"environment",
"variables",
"date",
"index",
"ihave"
];
# if ihave "vnd.dovecot.debug" {
# debug_log "debug log is available";
# if environment :matches "location" "*" {
# debug_log "environment ''${1}";
# }
# if environment :matches "phase" "*" {
# debug_log "phase ''${1}";
# }
# }
require ["fileinto", "mailbox"];
if allof(
ihave "imapsieve",
environment :matches "imap.user" "*",
environment :matches "location" "MS",
environment :matches "phase" "post"
) {
set "in_imap" "1";
} else {
set "in_imap" "0";
if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
discard;
}
if string "''${in_imap}" "1" {
if not allof(
environment :is "imap.cause" ["APPEND", "COPY", ""],
environment :is "imap.mailbox" ["MagicRefilter", ""]
) {
if ihave "vnd.dovecot.debug" {
debug_log "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right";
}
stop;
}
elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
fileinto :create "gmail";
}
${set_envelope}
${set_var_from_environment "location" "env_location"}
${set_var_from_environment "phase" "env_phase"}
${set_var_from_environment "imap.user" "env_imap_user"}
${set_var_from_environment "imap.email" "env_imap_email"}
${set_var_from_environment "imap.cause" "env_imap_cause"}
${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
${set_from {
condition = ''currentdate :matches "iso8601" "*"'';
var = "datetime";
}}
set "sieved_message" "at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ${interp dest}";
if ihave "vnd.dovecot.debug" {
debug_log "X-Vacu-Sieved: ''${sieved_message}";
}
if ihave "envelope" {
if envelope :all :matches "to" "*@*" {
set "userfor" "''${1}";
} else {
error "i dunno what to do, theres no envelope";
}
}
elsif string "''${in_imap}" "1" {
set "userfor" "''${env_imap_user}";
}
else {
error "dont have envelope or imapsieve, dunno what to do";
}
if string :is "''${userfor}" "shelvacu" {
addheader "X-Vacu-Sieved" "''${sieved_message}";
removeflag "auto-amazon-ignore";
if allof(
${envelope_is "amznbsns@shelvacu.com"},
header :matches "Subject" ["Your Amazon.com order has shipped*", "Your Amazon.com order of * has shipped!"]
) {
addheader "X-Vacu-Action" "amazon-ignore";
addflag "auto-amazon-ignore";
}
removeflag "auto-bandcamp-ignore";
if allof(
${envelope_is "bandcamp@shelvacu.com"},
header :matches "Subject" ["* just announced a listening party on Bandcamp", "New items from *", "Starting in *", "New from *"]
) {
addheader "X-Vacu-Action" "bandcamp-ignore";
addflag "auto-bandcamp-ignore";
}
removeflag "auto-ika-ignore";
if ${envelope_is "ika@dis8.net"} {
addheader "X-Vacu-Action" "ika-ignore";
addflag "auto-ika-ignore";
}
removeflag "bloomberg";
if ${envelope_is "bloomberg@shelvacu.com"} {
addheader "X-Vacu-Action" "flag-bloomberg";
addflag "bloomberg";
}
removeflag "money-stuff";
if allof (
${envelope_is "bloomberg@shelvacu.com"},
header :matches "From" "\"Matt Levine\" *"
) {
addheader "X-Vacu-Action" "flag-money-stuff";
addflag "money-stuff";
}
removeflag "git-uninsane";
removeflag "git";
if ${envelope_is "git-uninsane@shelvacu.com"} {
addheader "X-Vacu-Action" "flag-git-uninsane";
addflag "git-uninsane";
addheader "X-Vacu-Action" "flag-git";
addflag "git";
} elsif anyof (
exists "X-GitHub-Reason",
exists "X-GitLab-Project"
) {
addheader "X-Vacu-Action" "flag-git";
addflag "git";
}
removeflag "discourse";
if exists "X-Discourse-Post-Id" {
addheader "X-Vacu-Action" "flag-discourse";
addflag "discourse";
}
removeflag "agora";
if ${envelope_is "agora@shelvacu.com"} {
addheader "X-Vacu-Action" "flag-agora";
addflag "agora";
}
removeflag "postgres-list";
if header :matches "List-Id" "<*.lists.postgresql.org>" {
addheader "X-Vacu-Action" "flag-postgres-list";
addflag "postgres-list";
}
removeflag "gmail-fwd";
if ${envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com"} {
addheader "X-Vacu-Action" "gmail-fwd";
addflag "gmail-fwd";
}
removeflag "aliexpress";
if header :matches "From" [ "*<transaction@notice.aliexpress.com>", "*<aliexpress@notice.aliexpress.com>" ] {
addheader "X-Vacu-Action" "aliexpress";
addflag "aliexpress";
}
removeflag "secureaccesswa";
if header :is "From" "help@secureaccess.wa.gov" {
addheader "X-Vacu-Action" "secureaccesswa";
addflag "secureaccesswa";
}
removeflag "letsencrypt-mailing-list";
if ${envelope_is "lets-encrypt-mailing-list@shelvacu.com"} {
addheader "X-Vacu-Action" "letsencrypt-mailing-list";
addflag "letsencrypt-mailing-list";
}
removeflag "jmp-news";
if header :matches "List-Id" "*<jmp-news.soprani.ca>" {
addheader "X-Vacu-Action" "jmp-news";
addflag "jmp-news";
}
removeflag "ally-statement";
if allof(
${envelope_is "ally@shelvacu.com"},
header :is "Subject" "Your latest statement is ready to view."
) {
addheader "X-Vacu-Action" "ally-statement";
addflag "ally-statement";
}
removeflag "auto-marked-read";
if hasflag ["auto-amazon-ignore", "auto-bandcamp-ignore", "auto-ika-ignore", "ally-statement"] {
addheader "X-Vacu-Action" "auto-mark-read";
addflag "\\Seen";
addflag "auto-marked-read";
}
removeflag "spamish";
if allof (
anyof (
header :is "Precedence" "bulk",
exists "List-Unsubscribe",
exists "List-Unsubscribe-Post"
),
not hasflag "agora",
not hasflag "git",
not hasflag "money-stuff",
not hasflag "discourse",
not hasflag "postgres-list",
not hasflag "letsencrypt-mailing-list",
not hasflag "secureaccesswa",
not hasflag "jmp-news"
) {
addheader "X-Vacu-Action" "spamish";
addflag "spamish";
}
if ${envelope_is "brandcrowd@shelvacu.com"} {
discard;
}
elsif allof (
${envelope_domain_is "shelvacu.com"},
hasflag "spamish"
) {
addheader "X-Vacu-Action" "fileinto com.shelvacu.#spamish";
fileinto :create "com.shelvacu.#spamish";
}
elsif hasflag "gmail-fwd" {
addheader "X-Vacu-Action" "fileinto gmail";
fileinto :create "gmail";
}
elsif hasflag "money-stuff" {
addheader "X-Vacu-Action" "fileinto com.shelvacu.#money-stuff";
fileinto :create "com.shelvacu.#money-stuff";
}
elsif hasflag "aliexpress" {
addheader "X-Vacu-Action" "aliexpress fileinto";
fileinto :create "aliexpress";
}
${concatStrings email_filters}
${concatStrings domain_filters}
else {
keep;
}
}
# disable any sieve scripts that might want to run after this one
stop;
${concatStrings email_filters}
${concatStrings domain_filters}
'';
pigeonhole_pkg = pkgs.dovecot_pigeonhole;
in
{
imports = [
# Allow running a sieve filter when a message gets moved to another folder in imap
# see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
{
services.dovecot2 = {
sieve.plugins = [ "sieve_imapsieve" ];
mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
};
}
];
options.vacu.checkSieve = lib.mkOption {
readOnly = true;
default = pkgs.writeScriptBin "check-liam-sieve" ''
set -xev
${lib.escapeShellArgs [
(lib.getExe' pigeonhole_pkg "sieve-test")
"-c"
config.services.dovecot2.configFile
"-C" # force compilation
"-D" # enable sieve debugging
"-f"
"some-rando@example.com"
"-a"
"shelvacu@liam.dis8.net"
config.services.dovecot2.sieve.scripts.before
"/dev/null"
]}
'';
};
options.vacu.liam-sieve-script = lib.mkOption {
readOnly = true;
default = pkgs.writeText "mainsieve" sieve_text;
};
config = {
services.dovecot2.modules = [ pigeonhole_pkg ];
services.dovecot2.sieve = {
extensions = [
"fileinto"
"mailbox"
"editheader"
"vnd.dovecot.debug"
];
scripts.before = config.vacu.liam-sieve-script;
};
services.dovecot2.imapsieve.mailbox = [
{
name = "*";
causes = [
"APPEND"
"COPY"
"FLAG"
];
before = config.vacu.liam-sieve-script;
}
];
# services.dovecot2.mailboxes."magic-refilter".auto = "create";
};
}
in {
services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
}
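Review bot: The new-side tests `header :is "X-Envelope-To" …` (the `brandcrowd@shelvacu.com` → `discard`, the `gmailfwd-…` filing, and the generated `email_filters`/`domain_filters`) match any instance of that header, and `X-Envelope-To` is an ordinary header that an incoming message may already carry in addition to the copy Postfix prepends via `add_envelope_to`, so filing and discarding are decided by sender-supplied data rather than the envelope recipient. Assuming the Postfix PREPEND copy is the first instance, `require "index"` and `header :index 1 :is "X-Envelope-To" …` pins the test to it; alternatively `require "envelope"` and `envelope :all :is "to" …` reads the LMTP envelope directly and does not depend on header order. The `with lib.strings; with lib.lists;` at the top of the module also shadows names (`match`, `length`, `elemAt`) implicitly; an explicit `inherit (lib.strings) …;` / `inherit (lib.lists) …;` keeps the helpers' provenance visible. Sides are inferred from the `@@ -41,388 +26,48 @@` counts since the page lost the `+`/`-` markers.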


@@ -1,10 +1,17 @@
{ inputs, lib, config, ... }:
{
config,
...
}:
{
imports = [ ../common/sops-integrate.nix ];
imports = [
inputs.sops-nix.nixosModules.sops
];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.dovecot-passwd = {
restartUnits = [ "dovecot2.service" ];
};
@@ -13,9 +20,5 @@
restartUnits = [ "opendkim.service" ];
owner = config.services.opendkim.user;
};
sops.secrets.relay_creds = {
restartUnits = [ "postfix.service" ];
owner = config.services.postfix.user;
};
};
}
}
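Review bot: Postfix's relay credentials are left undeclared on the new side — the four `sops.secrets.relay_creds` lines are what the second hunk (`@@ -13,9 +20,5 @@`) removes, with nothing added in their place — so any remaining reference such as `config.sops.secrets.relay_creds.path` in the postfix module would fail at evaluation; that module is not in view here, so please confirm it was updated in the same change. In the first hunk `sops.secrets.dovecot-passwd` sets only `restartUnits`, which leaves the secret on sops-nix's default owner and mode (root-only, as far as I recall); a one-line comment such as `# default root-only mode is intentional: read as root by <consumer — confirm>` would make that deliberate rather than accidental. The `config = { … }` attrset opens in the first hunk and closes at the `};` just before the final brace.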


@@ -1,15 +1,15 @@
{ config, pkgs, ... }:
{
imports = [ ./hardware-config.nix ];
imports = [
../common-nixos-config.nix
./hardware-config.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
vacu.hostName = "lp0onfire"; # Define your hostname.
vacu.shortHostName = "lp0";
vacu.shell.color = "green";
vacu.systemKind = "server";
networking.hostName = "lp0onfire"; # Define your hostname.
# Set your time zone.
time.timeZone = "America/Los_Angeles";
@@ -37,6 +37,7 @@
pciutils
ncdu
nix-index
git
];
# This value determines the NixOS release from which the default
@@ -52,7 +53,7 @@
# system.autoUpgrade.enable = true;
# system.autoUpgrade.allowReboot = true;
# system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
nixpkgs.config.allowUnfree = true;
services.zerotierone = {
enable = true;
@@ -72,3 +73,4 @@
# internalInterfaces = [ "ztrf26rjvk" ];
# };
}


@@ -1,32 +1,27 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ lib, modulesPath, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
fsType = "ext4";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/36B4-78A2";
fsType = "vfat";
options = [ "nofail" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/36B4-78A2";
fsType = "vfat";
};
swapDevices = [ ];
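Review bot: The `fileSystems."/boot"` block that survives on the new side (if I read the collapsed sides right) mounts the ESP as vfat with no `options`, so `nofail` is lost compared with the other variant of the block in this hunk, and the partition gets vfat's default, world-accessible permissions. This host enables systemd-boot in its sibling configuration, and a world-accessible ESP is what `bootctl` warns about because the loader's random-seed file lives there; consider `options = [ "fmask=0077" "dmask=0077" "nofail" ];` — or at least the `fmask=0022`/`dmask=0022` pair the removed mmm hardware file further down in this diff uses — and record the choice in a comment. Since the header still states the file is generated by nixos-generate-config, a note above the edited block saying it is hand-maintained would stop a future regeneration from silently dropping the options again.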


@@ -1,23 +0,0 @@
{ inputs, ... }:
{
imports = [
../common/nixos.nix
inputs.nixos-apple-silicon.nixosModules.default
./hardware.nix
];
vacu.hostName = "mmm";
vacu.shell.color = "red";
vacu.verifySystem.enable = false;
vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
vacu.systemKind = "server";
# asahi recommends systemd-boot
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
hardware.asahi.peripheralFirmwareDirectory = ./firmware;
services.openssh.enable = true;
system.stateVersion = "24.05";
}

Binary file not shown.


@@ -1,69 +0,0 @@
{ lib, ... }:
let
btrfsopts = [
"noatime"
"compress=zstd"
];
in
{
boot.initrd.availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
"xhci_hcd"
"uas"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [ "subvol=root" ] ++ btrfsopts;
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/4e75b9ed-ac4f-48a2-b38c-c5026723171f";
# note: creation requires --new-key-file-size not --key-file-size
keyFileSize = 2048;
keyFile = "/dev/disk/by-partuuid/9d171b52-329e-4e21-9399-dcc66ff572cd";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4407-1EF3";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
fileSystems."/nix/store" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [ "subvol=nix-store" ] ++ btrfsopts;
};
fileSystems."/btrfs-root" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [
"subvol=/"
"noauto"
] ++ btrfsopts;
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}


@@ -1,19 +1,19 @@
{ lib, ... }:
{ config, lib, pkgs, inputs, ... }:
{
imports = [ ./flake-registry.nix ];
vacu.shell.color = "white";
vacu.systemKind = "server";
imports = [ ./common-config.nix ];
environment.packages = config.vacu.packageList;
environment.etc."resolv.conf".text = lib.mkForce ''
# nameserver 10.78.79.1
nameserver 10.78.79.1
nameserver 9.9.9.10
nameserver 149.112.112.10
options timeout:1 attempts:5
'';
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
# Backup etc files instead of failing to activate generation if a file already exists in /etc
environment.etcBackupExtension = ".bak";
@@ -24,13 +24,14 @@
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
environment.sessionVariables."PS1" = "\\w $ ";
# Set your time zone
time.timeZone = "America/Los_Angeles";
vacu.packages.yt-dlp.enable = true;
vacu.packages.radicle-node.enable = true;
#specific to the particular install; avoids impurity
#user.gid = 10287;
#user.uid = 10287;
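Review bot: The Quad9 addresses in the `resolv.conf` text, `9.9.9.10` and `149.112.112.10`, are Quad9's unsecured service — no DNSSEC validation and no threat-blocking list — while the validating variant is `9.9.9.9`/`149.112.112.112`; if the unsecured one is intended, a comment such as `# Quad9 *unsecured* endpoints on purpose (no DNSSEC/blocklist)` would keep a later reader from "fixing" it. The two `nameserver 10.78.79.1` lines, one commented out and one active, cannot be assigned to a side from this rendering; whichever survives, a short note on why a private-network resolver is listed ahead of the public ones would help. `nix.substituters` and `nix.trustedPublicKeys` take their values from `config.vacu.nix.*`, which is defined outside this hunk, so the trust decision for extra binary caches lives elsewhere — a pointer comment naming that module is worth adding. The file continues past the second hunk.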


@@ -1,9 +0,0 @@
# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
{ inputs, ... }:
{
nix.registry.nixpkgs.to = {
type = "path";
path = inputs.nixpkgs.outPath;
};
nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
}


@@ -1,33 +0,0 @@
{ ... }:
{
opts = {
smartindent = true;
expandtab = true;
shiftwidth = 2;
softtabstop = -1;
};
plugins.comment.enable = true;
plugins.vim-surround.enable = true;
plugins.lsp = {
enable = true;
# onAttach = builtins.readFile ./nixd-init.lua;
servers = {
bashls.enable = true;
jsonls.enable = true;
# nil-ls.enable = true;
nixd = {
enable = true;
};
pyright.enable = true;
ts_ls.enable = true;
lua_ls.enable = true;
rust_analyzer = {
enable = true;
installCargo = false;
installRustc = false;
};
html.enable = true;
yamlls.enable = true;
};
};
}


@@ -1,26 +0,0 @@
-- --@param client vim.lsp.Client
-- local function init_per_dir_nixd(client)
-- if client.workspace_folders == nil then
-- return
-- end
-- local path = client.workspace_folders[1].name
-- local command = client.config.cmd[1]
-- local name = string.gsub(command, "(.*/)(.*)", "%2")
-- local is_nixd = name == "nixd"
-- local is_nix_stuff = (path == '/home/shelvacu/dev/nix-stuff' or path == '/home/shelvacu/nix-stuff' or path == '/data/data/com.termux.nix/files/home/nix-stuff')
-- if is_nixd and is_nix_stuff then
-- local get_flake = "(builtins.getFlake \"" .. path .. "\")"
-- local set = client.config.settings
-- if not set.nixd then
-- set.nixd = {}
-- end
-- client.config.settings.nixd.options = {
-- nixos = { expr = get_flake .. ".nixosConfigurations.fw.options", },
-- -- ["home-manager"] = { expr = get_flake .. ".homeConfigurations.\"nix-on-droid\".options", },
-- ["nix-on-droid"] = { expr = get_flake .. ".nixOnDroidConfigurations.default.options", },
-- }
-- client.notify("workspace/didChangeConfiguration", { settings = client.config.settings, })
-- end
-- end
--
-- init_per_dir_nixd(client)


@@ -1,4 +0,0 @@
self: super: {
betterbird-128-unwrapped = self.callPackage ./package.nix { };
betterbird-128 = self.wrapThunderbird self.betterbird-128-unwrapped { };
}


@@ -1,148 +0,0 @@
{
lib,
thunderbird-128-unwrapped,
fetchFromGitHub,
fetchhg,
runCommandNoCC,
curl,
git,
libdbusmenu,
# options passed to the thunderbird builder, but with betterbird defaults
privacySupport ? true,
requireSigning ? false,
allowAddonSideload ? true,
}:
let
majorVersion = "128";
version = "${majorVersion}.8.0esr-bb23";
#from Betterbird/thunderbird-patches/blob/main/128/128.sh
stuff = {
MOZILLA_REPO = "https://hg.mozilla.org/releases/mozilla-esr128/";
MOZILLA_REV = "c685d5844a0e4f99ac535b6ffc641fbd07696c68";
COMM_REPO = "https://hg.mozilla.org/releases/comm-esr128/";
COMM_REV = "f8183c5232ec457f3c8b5be36c7891d933bbb457";
RUST_VER = "1.79.0";
MOZ = "-moz";
MOZU = "-moz";
};
betterbirdPatches = fetchFromGitHub {
name = "betterbird--thunderbird-patches";
owner = "Betterbird";
repo = "thunderbird-patches";
tag = version;
hash = "sha256-9UG1juN/vKHY3LRuryjMDdaFapd6y7ySu0Fn3GTeN2w=";
};
patchesFromThunderbird = runCommandNoCC "betterbird-patches-from-network" {
outputHashAlgo = "sha256";
outputHashMode = "recursive";
outputHash = "sha256-4OD7OckIA/qB0jI9dNk1Q6cTZZrKVufDNvPKSeEWYBY=";
} ''
set -xev
mkdir -p $out
fetchFromSeries() {
local seriesFile="$1"
shift
filteredSeries="$(mktemp)"
cat "$seriesFile" | grep " # " | grep -v "^#" | sed 's/ # / /' | sed 's:/rev/:/raw-rev/:' > "$filteredSeries"
while IFS=" " read -r filename url; do
${lib.getExe curl} -v -k "$url" --output "$out/$filename"
done < "$filteredSeries"
}
fetchFromSeries ${betterbirdPatches}/${majorVersion}/series${stuff.MOZU}
fetchFromSeries ${betterbirdPatches}/${majorVersion}/series
'';
mozilla_src = fetchhg {
name = "mozilla--mozilla";
url = stuff.MOZILLA_REPO;
rev = stuff.MOZILLA_REV;
hash = "sha256-5p5CY+luDsjwUCL6/wbzT7/0mQ4IJQKyXj3Ty4j+In4=";
};
comm_src = fetchhg {
name = "mozilla--comm";
url = stuff.COMM_REPO;
rev = stuff.COMM_REV;
hash = "sha256-WVRmlqd7+1Noq+I91cm334LIY5uxRUs/w8K48E57WKY=";
};
replacement_src = runCommandNoCC "combined-source-from-hg" { } ''
set -xev
cp -r ${mozilla_src} $out
chmod u+w $out
cp -r ${comm_src} $out/comm
chmod -R u+w $out
allBetterbirdPatches="$(mktemp -d)"
cp ${patchesFromThunderbird}/* "$allBetterbirdPatches"
cp ${betterbirdPatches}/${majorVersion}/branding/*.patch "$allBetterbirdPatches"
cp ${betterbirdPatches}/${majorVersion}/bugs/*.patch "$allBetterbirdPatches"
cp ${betterbirdPatches}/${majorVersion}/features/*.patch "$allBetterbirdPatches"
cp ${betterbirdPatches}/${majorVersion}/misc/*.patch "$allBetterbirdPatches"
applySeries() {
local seriesFile="$1"
shift
local onFolder="$1"
shift
local patches=()
local aaa="$(mktemp)"
cat "$seriesFile" | grep -v "^#" | sed 's/ \?#.*//' > "$aaa"
while IFS=" " read -r line; do
patches+=("$line")
done < "$aaa"
for patchName in "''${patches[@]}"; do
${lib.getExe git} apply --unsafe-paths --verbose --directory="$onFolder" -p1 "$allBetterbirdPatches/$patchName"
done
}
applySeries ${betterbirdPatches}/${majorVersion}/series${stuff.MOZU} $out
applySeries ${betterbirdPatches}/${majorVersion}/series $out/comm
'';
in
(thunderbird-128-unwrapped.override {
inherit privacySupport requireSigning allowAddonSideload;
}).overrideAttrs (old: rec {
pname = "betterbird";
inherit version;
name = "${pname}-${version}";
buildInputs = (old.buildInputs or []) ++ [ libdbusmenu ];
src = replacement_src;
configureFlags = (old.configureFlags or []) ++ [
# "--enable-application=comm/mail"
"--with-branding=comm/mail/branding/betterbird"
# "--disable-updater"
# "--disable-crashreporter"
# "--enable-tests"
# "--without-wasm-sandboxed-libraries"
# "--with-unsigned-addon-scopes=app,system"
# "--allow-addon-sideload"
# "--enable-default-toolkit=cairo-gtk3-wayland"
# "--enable-official-branding"
];
preConfigure = (old.preConfigure or "") + ''
# Disable enforcing that add-ons are signed.
export MOZ_REQUIRE_SIGNING=
export MOZ_REQUIRE_ADDON_SIGNING=0
# For NSS symbols
export MOZ_DEBUG_SYMBOLS=1
# Set the WM_CLASS referenced in the .desktop file.
export MOZ_APP_REMOTINGNAME=eu.betterbird.Betterbird
# Needed to enable breakpad in application.ini
# The preceding comment appears all over the Mozilla repos, however it is misleading.
# "Official" (server) builds, as opposed to local builds, should have nothing to do
# with "breakpad" (https://chromium.googlesource.com/breakpad/) crash reporting.
# In any case, we don't want a local build.
export MOZILLA_OFFICIAL=1
export MOZ_TELEMETRY_REPORTING= # No telemetry.
# Used for Linux to create small launcher executable for file browsers.
# See https://hg.mozilla.org/mozilla-central/rev/3cbbfc5127e4 for details.
export MOZ_NO_PIE_COMPAT=1
'';
passthru = (old.passthru or {}) // { inherit betterbirdPatches mozilla_src comm_src replacement_src patchesFromThunderbird; };
})
