shelvacu/nix-stuff
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: shelvacu:liam-relay
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod
...
pull from: shelvacu:restricted-inputs
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod

77 Commits
liam-relay ... restricted

Author SHA1 Message Date
Shelvacu
8b9e199a23 give all configurations a restricted set of inputs 2024-08-21 19:13:43 -07:00
Shelvacu
b7b281604b add git version info to all vacu builds 2024-08-21 17:08:41 -07:00
Shelvacu
6782539b4a slash timeouts in haproxy 2024-08-21 16:32:32 -07:00
Shelvacu
0637a617e8 fw: remove librenms 2024-08-18 18:11:09 -07:00
shelvacu
4fc5864466 make into-nix-cache auto-sudo 2024-08-18 18:03:17 -07:00
shelvacu
e6e0fe6e47 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-08-18 17:23:10 -07:00
Shelvacu
3e7bb2d2f8 compute-deck: add some modules to initrd, just in case 2024-08-18 16:08:55 -07:00
Shelvacu
c197b31a5f and fix compute-deck 2024-08-18 15:37:17 -07:00
Shelvacu
a1e4e2aa91 reorganize nix-on-droid config and set nixpkgs & vacu in flake registry 2024-08-18 15:30:39 -07:00
root
94d28b7f57 disable patches 2024-08-17 21:43:39 -07:00
root
03fc273124 stuff 2024-08-17 20:33:13 -07:00
root
8d9de94083 fix compute deck 2024-08-17 20:32:22 -07:00
Shelvacu
359be2b446 stuff 2024-08-17 15:49:54 -07:00
Shelvacu
9c8fdd958f wip home manager 2024-08-12 14:58:38 -07:00
Shelvacu
f248b0cb52 add root cert for vnopn router 2024-08-12 14:38:53 -07:00
Shelvacu
2740141b2b lets package a bunch of useless shit whaddya say 2024-08-12 14:20:40 -07:00
Shelvacu
7665e92138 add snmpb for some reason 2024-08-11 17:34:50 -07:00
root
0a4350f191 fix jl-stats 2024-08-11 11:55:40 -07:00
root
b0d9d1a987 add git-lfs 2024-08-06 11:11:40 -07:00
root
e5a12a1f17 wip jellyfin 2024-08-06 10:33:21 -07:00
root
9d8a096916 stuff 2024-08-04 16:26:35 -07:00
root
2f498e49c7 stuff 2024-07-29 17:29:28 -07:00
root
a351665606 stuff 2024-07-29 17:29:15 -07:00
Shelvacu
cd1865dbc5 update flake inputs 2024-07-27 23:29:45 -07:00
root
2458df3d17 add allWithBuildDeps to flake 2024-07-27 20:48:37 -07:00
Shelvacu
daaa70e148 stuff 2024-07-25 17:45:02 -07:00
Shelvacu
0d20e797ba stuff 2024-07-25 17:40:04 -07:00
Shelvacu
0354a47c12 mess with apex stuff some more 2024-07-21 18:49:17 -07:00
root
797ec7dd07 reorganize packages 2024-07-21 15:53:12 -07:00
root
09561eca09 add opencl stuff 2024-07-21 12:39:12 -07:00
Shelvacu
d5d28c940e stuff 2024-07-21 12:31:50 -07:00
Shelvacu
0d2d0688f7 try to integrate vacufuncs (didnt work) 2024-07-20 15:48:37 -07:00
Shelvacu
e8d2b3aa63 stuff 2024-07-20 15:48:37 -07:00
Shelvacu
7cab530d40 add inkscape and libreoffice 2024-07-17 18:10:24 -07:00
Shelvacu
c79ca06af3 add opencl support 2024-07-17 18:10:24 -07:00
Shelvacu
876dbb2dc9 add work laptop to known hosts 2024-07-16 13:08:06 -07:00
Shelvacu
3c77d14e9b workaround for too-small efi partitions :( 2024-07-15 01:02:33 -07:00
Shelvacu
546247a569 stuff 2024-07-15 00:29:54 -07:00
Shelvacu
e6ff9373dd add ostiary known host 2024-07-15 00:07:04 -07:00
Shelvacu
4d66f3d9a2 halfway add vacufuncs to nix-on-droid config 2024-07-14 23:31:36 -07:00
Shelvacu
86bf3807bc enable commands for nixos 2024-07-14 18:41:18 -07:00
Shelvacu
332f6aeb76 stuff 2024-07-13 11:01:49 -07:00
Shelvacu
4eeaa337b9 stuff 2024-07-11 15:55:27 -07:00
Shelvacu
22f6270a06 stuff 2024-07-11 15:53:56 -07:00
Shelvacu
18387da12a stuff 2024-07-11 15:53:17 -07:00
Shelvacu
3e8df621c7 stuff 2024-07-11 15:49:59 -07:00
Shelvacu
78ffdde588 move common into a folder 2024-07-11 13:59:23 -07:00
Shelvacu
16fc9d93ad stuff 2024-07-10 16:47:25 -07:00
Shelvacu
500ab33b1b mar is no longer working here 2024-07-10 13:47:34 -07:00
Shelvacu
7920bacadd stuff 2024-07-05 23:59:03 -07:00
Shelvacu
61149ff1dd stuff 2024-07-05 23:22:23 -07:00
Shelvacu
be44048523 stuff 2024-07-05 23:09:25 -07:00
Shelvacu
e9e0c87752 stuff 2024-07-05 23:07:39 -07:00
Shelvacu
ee29b1a997 stuff 2024-07-05 23:05:57 -07:00
Shelvacu
20b5803eb9 stuff 2024-07-05 23:04:48 -07:00
Shelvacu
d03709f9d2 stuff 2024-07-05 23:02:56 -07:00
Shelvacu
265c0abd68 stuff 2024-07-05 22:31:29 -07:00
Shelvacu
582ac9ec34 stuff 2024-07-05 22:30:00 -07:00
Shelvacu
7b554988b8 stuff 2024-07-05 22:29:05 -07:00
Shelvacu
4e333b948e stuff 2024-07-05 22:28:13 -07:00
Shelvacu
543f7dec34 stuff 2024-07-05 22:25:50 -07:00
Shelvacu
568bbc1d89 stuff 2024-07-05 22:22:38 -07:00
Shelvacu
8be73f95d0 stuff 2024-07-05 22:15:49 -07:00
Shelvacu
17b63089e6 move postgres data dir 2024-07-05 21:34:06 -07:00
Shelvacu
a4b195c389 stuff 2024-07-04 19:55:55 -07:00
root
d77d0d720a stuff 2024-07-04 15:10:22 -07:00
root
6807f5c960 agpl3 doesnt exist anymore?? 2024-07-04 15:07:17 -07:00
Shelvacu
7e6cf686bb stuff 2024-07-03 19:08:22 -07:00
Shelvacu
f37b6a4a46 stuff 2024-07-03 18:52:11 -07:00
Shelvacu
7211ffb30a stuff 2024-07-03 18:49:48 -07:00
Shelvacu
4ced20fb2d stuff 2024-07-03 18:35:12 -07:00
Shelvacu
f5af9886f5 stuff 2024-07-03 18:24:40 -07:00
Shelvacu
383b57bace stuff 2024-07-03 18:21:40 -07:00
Shelvacu
4eb20970b6 stuff 2024-07-03 18:08:05 -07:00
Shelvacu
0288181706 add migadu creds 2024-07-03 17:57:23 -07:00
shelvacu
0756e0d8bf stuff 2024-06-28 17:15:30 -07:00
shelvacu
691a54cbfc stuff 2024-06-28 16:36:24 -07:00
41 changed files with 1869 additions and 704 deletions
Expand all files Collapse all files

291
common-config.nix
View File

@@ -1,291 +0,0 @@
{ config, pkgs, lib, inputs, ... }: let
inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
inherit (builtins) attrValues;
cfg = config.vacu;
knownHosts = attrValues cfg.ssh.knownHosts;
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
packageNames = lib.splitString "\n" ''
nixos-rebuild
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
nmap
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
nix-index
git
pv
unzip
file
ripgrep
jq
units
tree
rclone
iputils
ssh-to-age
sops
inetutils
neovim
diffutils
findutils
utillinux
tzdata
hostname
man
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
termscp
usbutils
ruby
git'';
plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
nix-search-cli.package = inputs.nix-search-cli.packages.${pkgs.system}.default;
nix-search-cli.enable = lib.mkDefault true;
nix-inspect.package = inputs.nix-inspect.packages.${pkgs.system}.default;
nix-inspect.enable = lib.mkDefault true;
};
in {
imports = [ ./package-set.nix ];
options = {
vacu.ssh.authorizedKeys = mkOption {
type = types.listOf types.str;
};
vacu.ssh.config = mkOption {
type = types.lines;
};
# Straight copied from nixpkgs
# https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
vacu.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
certAuthority = mkOption {
type = types.bool;
default = false;
description = ''
This public key is an SSH certificate authority, rather than an
individual host's key.
'';
};
hostNames = mkOption {
type = types.listOf types.str;
default = [ name ] ++ config.extraHostNames;
defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
description = ''
A list of host names and/or IP numbers used for accessing
the host's ssh service. This list includes the name of the
containing `knownHosts` attribute by default
for convenience. If you wish to configure multiple host keys
for the same host use multiple `knownHosts`
entries with different attribute names and the same
`hostNames` list.
'';
};
extraHostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of additional host names and/or IP numbers used for
accessing the host's ssh service. This list is ignored if
`hostNames` is set explicitly.
'';
};
publicKey = mkOption {
default = null;
type = types.nullOr types.str;
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
description = ''
The public key data for the host. You can fetch a public key
from a running SSH server with the {command}`ssh-keyscan`
command. The public key should not include any host names, only
the key type and the key itself.
'';
};
publicKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
The path to the public key file for the host. The public
key file is read at build time and saved in the Nix store.
You can fetch a public key file from a running SSH server
with the {command}`ssh-keyscan` command. The content
of the file should follow the same format as described for
the `publicKey` option. Only a single key
is supported. If a host has multiple keys, use
{option}`programs.ssh.knownHostsFiles` instead.
'';
};
};
}));
description = ''
The set of system-wide known SSH hosts. To make simple setups more
convenient the name of an attribute in this set is used as a host name
for the entry. This behaviour can be disabled by setting
`hostNames` explicitly. You can use
`extraHostNames` to add additional host names without
disabling this default.
'';
example = literalExpression ''
{
myhost = {
extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
};
"myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
"myhost2.net/dsa" = {
hostNames = [ "myhost2.net" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
};
}
'';
};
vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
};
config = {
vacu.packages = packageOpts;
vacu.nix.extraSubstituters = [
"https://nixcache.shelvacu.com/"
"https://nix-community.cachix.org/"
];
vacu.nix.extraTrustedKeys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
];
assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
assertion = (data.publicKey == null && data.publicKeyFile != null) ||
(data.publicKey != null && data.publicKeyFile == null);
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
});
vacu.ssh.authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
];
vacu.ssh.config = ''
Host deckvacu
User deck
Host rsb
User user
HostName finaltask.xyz
Port 2222
Host awoo
HostName 45.142.157.71
Host trip
HostName trip.shelvacu.com
Port 6922
Host liam
HostName 178.128.79.152
Host pluto
HostName pluto.somevideogam.es
Host *
User shelvacu
GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
'';
vacu.ssh.knownHosts = {
#public hosts
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
#colin's stuff
"uninsane.org" = {
extraHostNames = [ "git.uninsane.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
};
"desko" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
};
#daymocker's stuff
"pluto" = {
extraHostNames = [ "74.208.184.137" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
};
#personal hosts
"zigbee-hub" = {
extraHostNames = [ "10.78.79.114" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
};
trip = {
extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
servacu = {
extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
extraHostNames = [ "45.142.157.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
};
deckvacu = {
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
devver = {
extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
};
fw = {
extraHostNames = [ "fw.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
};
};
};
}

37
common-packages.nix
View File

@@ -1,37 +0,0 @@
{ pkgs, inputs }: (with pkgs; [
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
nixos-rebuild
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
nmap
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
nix-index
git
pv
unzip
file
ripgrep
jq
units
tree
rclone
iputils
ssh-to-age
sops
inetutils
neovim
])

86
common/commands.nix Normal file
View File

@@ -0,0 +1,86 @@
{ config, lib, pkgs, ... }: let
inherit (lib) mkOption types;
cfg = builtins.attrValues config.vacu.shell.functions;
enabled = builtins.filter (o: o.enable) cfg;
writeShellFunction = name: text: pkgs.writeTextFile {
inherit name;
executable = false;
destination = "/share/vacufuncs/${name}";
text = ''
${text}
'';
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
};
in {
options = {
vacu.shell.functionsDir = mkOption {
type = types.path;
};
vacu.shell.interactiveLines = mkOption {
type = types.lines;
default = "";
};
vacu.shell.functions = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
name = mkOption {
type = types.str;
default = name;
readonly = true;
};
content = mkOption {
type = types.str;
default = "";
};
enable = mkOption {
type = types.bool;
default = config.content != "";
defaultText = ''${name}.content != ""'';
};
};
}));
};
};
config = {
_module.args.vaculib.writeShellFunction = writeShellFunction;
vacu.shell.interactiveLines = ''
if [[ $- == *i* ]] && [[ -f ${config.vacu.shell.functionsDir}/vacureload ]]; then
function __vacushell_load() { eval "$(cat ${config.vacu.shell.functionsDir}/vacureload)"; }
__vacushell_load
unset __vacushell_load
fi
'';
vacu.packages.vacureload.enable = true;
vacu.packages.vacureload.package = let
inherit (config.vacu.shell) functionsDir;
in writeShellFunction "vacureload" ''
declare -gA vacuShellFunctionsLoaded
if ! [[ -f ${functionsDir}/vacureload ]]; then
echo "vacureload: I think that's my cue to leave (${functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
unset -f $funcname
done
return
fi
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
if ! [[ -f ${functionsDir}/$funcname ]]; then
unset -f $funcname
fi
done
for fullPath in ${functionsDir}/*; do
local funcname="$(basename "$fullPath")"
local followedPath="$(readlink -f "$fullPath")"
if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
unset -f $funcname
eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
vacuShellFunctionsLoaded[$funcname]=$followedPath
fi
unset followedPath
unset funcname
done
'';
};
}

9
common/common-but-not.nix Normal file
View File

@@ -0,0 +1,9 @@
# todo: rename this module
# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
{ inputs, ... }:
{
nix.registry.vacu.to = {
type = "path";
path = inputs.self.outPath;
};
}

5
common/home.nix Normal file
View File

@@ -0,0 +1,5 @@
{ ... }: let
in {
imports = [ ./common-but-not.nix ];
}

228
common/module.nix Normal file
View File

@@ -0,0 +1,228 @@
{ config, pkgs, lib, inputs, ... }: let
inherit (lib) mkOption types;
inherit (inputs) self;
in {
imports = [ ./package-set.nix ./not-aliases.nix ./ssh.nix ];
options = {
vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
vacu.rootCAs = mkOption { type = types.listOf types.str; };
vacu.versionId = mkOption { type = types.str; readOnly = true; };
vacu.versionInfo = mkOption { readOnly = true; };
};
config = {
vacu.packages = with pkgs; [
home-manager
nixos-rebuild
which
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
nmap
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
nix-index
git
pv
unzip
file
ripgrep
jq
units
tree
rclone
iputils
ssh-to-age
sops
inetutils
neovim
diffutils
findutils
utillinux
tzdata
hostname
man
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
termscp
usbutils
ruby
psutils
killall
git
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
];
vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
vacu.versionInfo = {
id = config.vacu.versionId;
flakePath = self.outPath;
};
vacu.nix.extraSubstituters = [
"https://nixcache.shelvacu.com/"
"https://nix-community.cachix.org/"
"https://nix-on-droid.cachix.org/"
];
vacu.nix.extraTrustedKeys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
"nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU="
];
vacu.rootCAs = [
''
-----BEGIN CERTIFICATE-----
MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-----END CERTIFICATE-----
''
];
vacu.ssh.authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
];
vacu.ssh.config = ''
Host deckvacu
User deck
Host rsb
User user
HostName finaltask.xyz
Port 2222
Host awoo
HostName 45.142.157.71
Host trip
HostName trip.shelvacu.com
Port 6922
Host liam
HostName 178.128.79.152
Host pluto
HostName pluto.somevideogam.es
Host *
User shelvacu
GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
'';
vacu.ssh.knownHosts = {
#public hosts
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
#colin's stuff
"uninsane.org" = {
extraHostNames = [ "git.uninsane.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
};
"desko" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
};
#daymocker's stuff
"pluto" = {
extraHostNames = [ "74.208.184.137" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
};
#powerhouse hosts
"ostiary" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
};
"habitat" = { # previously known as zigbee-hub
extraHostNames = [ "10.78.79.114" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
};
"vnopn" = {
extraHostNames = [ "10.78.79.1" "vnopn.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
};
#work laptop
"tebbs-MBP" = {
extraHostNames = [ "10.244.10.3" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
};
#personal hosts
trip = {
extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
servacu = {
extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
extraHostNames = [ "45.142.157.71" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
};
deckvacu = {
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
devver = {
extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
};
fw = {
extraHostNames = [ "fw.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
};
};
};
}

16
common/nix-on-droid.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, ... }:
{
imports = [
./module.nix
./commands.nix
./common-but-not.nix
];
environment.packages = config.vacu.packageList;
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
environment.etc.profile.text = config.vacu.shell.interactiveLines;
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
}

16
common-nixos-config.nix → common/nixos.nix
View File

@@ -1,6 +1,6 @@
{ lib, pkgs, config, inputs, utils, ... }: { lib, pkgs, config, inputs, utils, ... }:
{ {
imports = [ ./common-config.nix ]; imports = [ ./module.nix ./commands.nix ./common-but-not.nix ];
options.vacu.underTest = lib.mkOption { options.vacu.underTest = lib.mkOption {
default = false; default = false;
type = lib.types.bool; type = lib.types.bool;
@@ -39,6 +39,12 @@
package = pkgs.xorg.xev; package = pkgs.xorg.xev;
}; };
environment.systemPackages = config.vacu.packageList; environment.systemPackages = config.vacu.packageList;
programs.git = {
enable = true;
lfs.enable = true;
};
system.nixos.tags = [ "vacu${config.vacu.versionId}" ];
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
time.timeZone = "America/Los_Angeles"; time.timeZone = "America/Los_Angeles";
@@ -64,6 +70,7 @@
screenrc = '' screenrc = ''
defscrollback 10000 defscrollback 10000
termcapinfo xterm* ti@:te@ termcapinfo xterm* ti@:te@
maptimeout 5
''; '';
} // (if config.system.nixos.release == "23.11" then {} else { enable = true; }); } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
@@ -81,5 +88,12 @@
programs.mosh.enable = lib.mkDefault true; programs.mosh.enable = lib.mkDefault true;
programs.ssh.extraConfig = config.vacu.ssh.config; programs.ssh.extraConfig = config.vacu.ssh.config;
security.pki.certificates = config.vacu.rootCAs;
# commands.nix
environment.pathsToLink = [ "/share/vacufuncs" ];
vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
}; };
} }

34
common/not-aliases.nix Normal file
View File

@@ -0,0 +1,34 @@
# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
{ pkgs, vaculib, ... }: let
inherit (pkgs) writeScriptBin;
inherit (vaculib) writeShellFunction;
in {
vacu.packages = [
(writeScriptBin "ms" ''
set -e
if [[ $# != 1 ]]; then
echo "wrong number of args" 1>&2
exit 1
fi
set -x
mosh -- $1 sudo screen -Rd
'')
(writeScriptBin "rmln" ''
set -eo pipefail
for arg in "$@"; do
if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
echo "$0: $arg is not a symlink" 1>&2
exit 1
fi
done
rm $@
'')
(writeShellFunction "nd" ''
declare -a args
args=("$@")
mkdir "''${args[@]}" && cd "''${args[-1]}"
'')
(writeShellFunction "td" ''pushd $(mktemp "$@")'')
];
}

40
common/package-set.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, pkgs, lib, ... }: let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
packagesSetType = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
enable = mkOption {
type = types.bool;
description = "Will this package be installed (included in environment.systemPackages)";
};
package = mkOption {
type = types.package;
default = pkgs.${name};
defaultText = "pkgs.${name}";
};
};
}));
packageListToSet = (from: let
keyvals = map (val:
if builtins.isString val then
{ name = val; value = { package = pkgs."${val}"; enable = lib.mkDefault true; }; }
else
{ name = val.name; value = { package = val; enable = lib.mkDefault true; }; }
) from;
in builtins.listToAttrs keyvals);
in {
options = {
vacu.packages = mkOption {
default = {};
type = types.coercedTo (types.listOf (types.either types.str types.package)) packageListToSet packagesSetType;
};
vacu.packageList = mkOption {
type = types.listOf types.package;
readOnly = true;
};
};
config.vacu.packageList = enabledPkgs;
}

116
common/ssh.nix Normal file
View File

@@ -0,0 +1,116 @@
{ pkgs, lib, config, ... }: let
inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
inherit (builtins) attrValues;
cfg = config.vacu;
knownHosts = attrValues cfg.ssh.knownHosts;
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
in {
options = {
vacu.ssh.knownHostsText = mkOption {
type = types.str;
readOnly = true;
default = knownHostsText;
};
vacu.ssh.authorizedKeys = mkOption {
type = types.listOf types.str;
};
vacu.ssh.config = mkOption {
type = types.lines;
};
# Straight copied from nixpkgs
# https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
vacu.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
certAuthority = mkOption {
type = types.bool;
default = false;
description = ''
This public key is an SSH certificate authority, rather than an
individual host's key.
'';
};
hostNames = mkOption {
type = types.listOf types.str;
default = [ name ] ++ config.extraHostNames;
defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
description = ''
A list of host names and/or IP numbers used for accessing
the host's ssh service. This list includes the name of the
containing `knownHosts` attribute by default
for convenience. If you wish to configure multiple host keys
for the same host use multiple `knownHosts`
entries with different attribute names and the same
`hostNames` list.
'';
};
extraHostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of additional host names and/or IP numbers used for
accessing the host's ssh service. This list is ignored if
`hostNames` is set explicitly.
'';
};
publicKey = mkOption {
default = null;
type = types.nullOr types.str;
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
description = ''
The public key data for the host. You can fetch a public key
from a running SSH server with the {command}`ssh-keyscan`
command. The public key should not include any host names, only
the key type and the key itself.
'';
};
publicKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
The path to the public key file for the host. The public
key file is read at build time and saved in the Nix store.
You can fetch a public key file from a running SSH server
with the {command}`ssh-keyscan` command. The content
of the file should follow the same format as described for
the `publicKey` option. Only a single key
is supported. If a host has multiple keys, use
{option}`programs.ssh.knownHostsFiles` instead.
'';
};
};
}));
description = ''
The set of system-wide known SSH hosts. To make simple setups more
convenient the name of an attribute in this set is used as a host name
for the entry. This behaviour can be disabled by setting
`hostNames` explicitly. You can use
`extraHostNames` to add additional host names without
disabling this default.
'';
example = literalExpression ''
{
myhost = {
extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
};
"myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
"myhost2.net/dsa" = {
hostNames = [ "myhost2.net" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
};
}
'';
};
config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
assertion = (data.publicKey == null && data.publicKeyFile != null) ||
(data.publicKey != null && data.publicKeyFile == null);
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
});
};
}

44
compute-deck/default.nix
View File

@@ -3,14 +3,14 @@
{ {
imports = [ imports = [
inputs.jovian.nixosModules.jovian inputs.jovian.nixosModules.jovian
inputs.disko.nixosModules.default # inputs.disko.nixosModules.default
inputs.homeManager.nixosModules.default inputs.home-manager.nixosModules.default
./hardware.nix ./hardware.nix
./partitioning.nix
./home.nix ./home.nix
./bluetooth.nix ./bluetooth.nix
./partitioning.nix
./padtype.nix ./padtype.nix
../common-nixos-config.nix ../common/nixos.nix
]; ];
system.nixos.tags = [ "host-${config.networking.hostName}" ]; system.nixos.tags = [ "host-${config.networking.hostName}" ];
@@ -55,22 +55,22 @@
rustup rustup
]; ];
boot.kernelPatches = [ # boot.kernelPatches = [
{ # {
name = "gadget"; # name = "gadget";
patch = null; # patch = null;
extraStructuredConfig = with lib.kernel; { # extraStructuredConfig = with lib.kernel; {
USB_ETH=module; # USB_ETH=module;
USB_GADGET=yes; # USB_GADGET=yes;
USB_LIBCOMPOSITE=yes; # USB_LIBCOMPOSITE=yes;
USB_CONFIGFS=yes; # USB_CONFIGFS=yes;
USB_DWC3=module; # USB_DWC3=module;
USB_DWC3_PCI=module; # USB_DWC3_PCI=module;
USB_DWC3_DUAL_ROLE=yes; # USB_DWC3_DUAL_ROLE=yes;
USB_DWC3_HOST=no; # USB_DWC3_HOST=no;
USB_DWC3_GADGET=no; # USB_DWC3_GADGET=no;
USB_ROLE_SWITCH=yes; # USB_ROLE_SWITCH=yes;
}; # };
} # }
]; # ];
} }

2
compute-deck/hardware.nix
View File

@@ -5,7 +5,7 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" "dwc3_pci" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];

3
compute-deck/partitioning.nix
View File

@@ -1,5 +1,6 @@
{ ... }: { inputs, ... }:
{ {
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.blarg = { disko.devices.disk.blarg = {
device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11"; device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
content = { content = {

4
devver/default.nix
View File

@@ -2,8 +2,8 @@
{ {
imports = [ imports = [
inputs.homeManager.nixosModules.default inputs.home-manager.nixosModules.default
../common-nixos-config.nix ../common/nixos.nix
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];

805
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

108
flake.nix
View File

@@ -2,39 +2,55 @@
description = "Config for triple-dezert server"; description = "Config for triple-dezert server";
inputs = { inputs = {
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
nixpkgs.url = "nixpkgs/nixos-24.05-small"; nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nix-inspect = { nix-inspect = {
url = "github:bluskript/nix-inspect"; url = "github:bluskript/nix-inspect";
#inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
};
nix-inspect-unstable = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
vscode-server-unstable = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
vscode-server = { vscode-server = {
url = "github:nix-community/nixos-vscode-server"; url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-on-droid = { nix-on-droid = {
url = "github:nix-community/nix-on-droid/release-23.05"; url = "github:nix-community/nix-on-droid";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
jovian = { jovian-unstable = { # there is no stable jovian :cry:
url = "github:Jovian-Experiments/Jovian-NixOS"; url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
disko = { disko-unstable = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
homeManager = { home-manager = {
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nix-search-cli-unstable = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
nix-search-cli = { nix-search-cli = {
url = "github:peterldowns/nix-search-cli"; url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
padtype = { padtype-unstable = {
url = "gitlab:shelvacu/padtype"; url = "gitlab:shelvacu/padtype";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
@@ -45,55 +61,80 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
most-winningest = {
url = "github:captain-jean-luc/most-winningest";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: { outputs = { self, nixpkgs, nix-on-droid, home-manager, ... }@inputs: let
defaultInputs = { inherit (inputs) self nix-search-cli nix-inspect; };
defaultArgs = { inputs = defaultInputs; };
in {
debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); }); debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem { nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./triple-dezert ]; modules = [ ./triple-dezert ];
specialArgs = { inherit inputs; }; specialArgs = { inputs = defaultInputs // { inherit (inputs) most-winningest; }; };
}; };
nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem { nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./compute-deck ]; modules = [ ./compute-deck ];
specialArgs = { inherit inputs; }; specialArgs = { inputs = {
jovian = inputs.jovian-unstable;
home-manager = inputs.home-manager-unstable;
vscode-server = inputs.vscode-server-unstable;
disko = inputs.disko-unstable;
padtype = inputs.padtype-unstable;
nix-search-cli = inputs.nix-search-cli-unstable;
nix-inspect = inputs.nix-inspect-unstable;
self = inputs.self;
}; };
}; };
nixosConfigurations.liam = nixpkgs.lib.nixosSystem { nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./liam ]; modules = [ ./liam ];
specialArgs = { inherit inputs; }; specialArgs = { inputs = defaultInputs // { inherit (inputs) sops-nix; }; };
}; };
nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem { nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./lp0 ]; modules = [ ./lp0 ];
specialArgs = { inherit inputs; }; specialArgs = defaultArgs;
}; };
nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem { nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./installer.nix ]; modules = [ ./installer.nix ];
specialArgs = { inherit inputs; }; specialArgs = defaultArgs;
}; };
nixosConfigurations.devver = nixpkgs.lib.nixosSystem { nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./devver ]; modules = [ ./devver ];
specialArgs = { inherit inputs; }; specialArgs = { inputs = defaultInputs // { inherit (inputs) home-manager; }; };
}; };
nixosConfigurations.fw = nixpkgs.lib.nixosSystem { nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./fw ]; modules = [ ./fw ];
specialArgs = { inherit inputs; }; specialArgs = { inputs = defaultInputs // { inherit (inputs) nixos-hardware; }; };
}; };
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration { nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ ./nix-on-droid.nix ]; modules = [ ./nix-on-droid ];
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = defaultArgs;
pkgs = import nixpkgs { system = "aarch64-linux"; };
};
homeConfigurations."nix-on-droid" = home-manager.lib.homeManagerConfiguration {
modules = [
./home/nix-on-droid.nix
{ _module.args.inputs = defaultInputs; }
];
pkgs = import nixpkgs { system = "aarch64-linux"; };
}; };
checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system: checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
@@ -103,27 +144,37 @@
node.pkgs = pkgs; node.pkgs = pkgs;
node.pkgsReadOnly = false; node.pkgsReadOnly = false;
node.specialArgs.selfPackages = self.packages.${system}; node.specialArgs.selfPackages = self.packages.${system};
node.specialArgs.inputs = inputs; #node.specialArgs.inputs = defaultInputs;
}; };
in in
{ {
liam = nixpkgs.lib.nixos.runTest { liam = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs; hostPkgs = pkgs;
imports = [ config ./tests/liam.nix ]; imports = [ config ./tests/liam.nix { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; } ];
}; };
trip = nixpkgs.lib.nixos.runTest { trip = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs; hostPkgs = pkgs;
imports = [ config ./tests/triple-dezert.nix ]; imports = [ config ./tests/triple-dezert.nix { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; } ];
}; };
} }
); );
nixosModules.common = import ./common-config.nix; nixosModules.common = import ./common/module.nix;
packages.x86_64-linux.snmpb = nixpkgs.legacyPackages.x86_64-linux.libsForQt5.callPackage ./packages/snmpb/package.nix {};
packages.x86_64-linux.snmp-mibs-downloader = nixpkgs.legacyPackages.x86_64-linux.callPackage ./packages/snmp-mibs-downloader.nix {};
packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; }; packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
packages.x86_64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys);
packages.aarch64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.aarch64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys);
qb = /* qb is "quick build" */ let qb = /* qb is "quick build" */ let
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel; toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; }; deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; };
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in rec { in rec {
# nix-on-droid is impure >:( # nix-on-droid is impure >:(
# nod = self.nixOnDroidConfigurations.default.activationPackage; # nod = self.nixOnDroidConfigurations.default.activationPackage;
@@ -138,12 +189,17 @@
shel-installer = toplevelOf "shel-installer"; shel-installer = toplevelOf "shel-installer";
iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage; iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
do = self.packages.x86_64-linux.digitalOceanImage; do = self.packages.x86_64-linux.digitalOceanImage;
snmpb = self.packages.x86_64-linux.snmpb;
check-triple-dezert = self.checks.x86_64-linux.trip.driver; check-triple-dezert = self.checks.x86_64-linux.trip.driver;
check-trip = check-triple-dezert; check-trip = check-triple-dezert;
check-liam = self.checks.x86_64-linux.liam.driver; check-liam = self.checks.x86_64-linux.liam.driver;
dc.priv = deterministicCerts.privKeyFile "test"; authorizedKeys = self.packages.x86_64-linux.authorizedKeys;
dc.cert = deterministicCerts.selfSigned "test" {}; authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
ak = authorizedKeys;
dc-priv = deterministicCerts.privKeyFile "test";
dc-cert = deterministicCerts.selfSigned "test" {};
}; };
all = let all = let
@@ -154,5 +210,7 @@
cd $out cd $out
${pkgs.lib.concatStringsSep "\n" symlinkCommands} ${pkgs.lib.concatStringsSep "\n" symlinkCommands}
''; '';
allWithBuildDeps = nixpkgs.legacyPackages.x86_64-linux.closureInfo { rootPaths = [ self.all.drvPath ]; };
}; };
} }

4
fw/android.nix Normal file
View File

@@ -0,0 +1,4 @@
{ pkgs, ... }: {
vacu.packages = pkgs.androidStudioPackages.stable.all;
users.users.shelvacu.extraGroups = [ "kvm" ];
}

40
fw/apex.nix
View File

@@ -4,11 +4,13 @@
# nixpkgs.overlays = [ ( final: prev: { # nixpkgs.overlays = [ ( final: prev: {
# libfido2 = prev.libfido2.override { withPcsclite = true; }; # libfido2 = prev.libfido2.override { withPcsclite = true; };
# } ) ]; # } ) ];
vacu.packages.libfido2.enable = true; vacu.packages = with pkgs; [
vacu.packages.pcsclite.enable = true; libfido2
vacu.packages.pcsc-tools.enable = true; pcsclite
vacu.packages.scmccid.enable = true; pcsc-tools
vacu.packages.opensc.enable = true; scmccid
opensc
];
services.pcscd.enable = true; services.pcscd.enable = true;
# conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
@@ -18,17 +20,17 @@
# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
# (PIN1 for authentication/decryption, PIN2 for signing). # (PIN1 for authentication/decryption, PIN2 for signing).
environment.etc."pkcs11/modules/opensc-pkcs11".text = '' # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
module: ${pkgs.opensc}/lib/opensc-pkcs11.so # module: ${pkgs.opensc}/lib/opensc-pkcs11.so
''; # '';
environment.etc."opensc.conf".text = '' # environment.etc."opensc.conf".text = ''
app default { # app default {
reader_driver pcsc { # reader_driver pcsc {
enable_pinpad = false; # enable_pinpad = false;
} # }
} # }
''; # '';
environment.systemPackages = [ environment.systemPackages = [
# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
@@ -47,5 +49,11 @@
]; ];
programs.firefox.enable = true; programs.firefox.enable = true;
programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so"; #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
# trying CTAP-bridge
services.udev.extraRules = ''
KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
'';
} }

59
fw/default.nix
View File

@@ -1,32 +1,47 @@
{ config, inputs, pkgs, lib, ... }: { { config, inputs, pkgs, lib, ... }: {
imports = [ imports = [
../common-nixos-config.nix ../common/nixos.nix
inputs.nixos-hardware.nixosModules.framework-16-7040-amd inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./apex.nix ./apex.nix
./android.nix
]; ];
#boot.loader.grub.configurationLimit = 5;
system.nixos.tags = [ "host-${config.networking.hostName}" ]; system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
# boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
services.fprintd.enable = false; #kinda broken
vacu.packages.bitwarden-desktop.enable = true; vacu.packages = with pkgs; [
vacu.packages.nheko.enable = true; bitwarden-desktop
vacu.packages.librewolf.enable = true; nheko
vacu.packages.brave.enable = true; librewolf
vacu.packages.thunderbird.enable = true; brave
vacu.packages.wl-clipboard.enable = true; thunderbird
vacu.packages.nextcloud-client.enable = true; wl-clipboard
vacu.packages.signal-desktop.enable = true; nextcloud-client
vacu.packages.fw-ectool.enable = true; signal-desktop
vacu.packages.framework-tool.enable = true; fw-ectool
vacu.packages.iio-sensor-proxy.enable = true; framework-tool
vacu.packages.power-profiles-daemon.enable = true; iio-sensor-proxy
vacu.packages.acpi.enable = true; power-profiles-daemon
vacu.packages.jellyfin-media-player.enable = true; acpi
vacu.packages.vlc.enable = true; jellyfin-media-player
vacu.packages.dmidecode.enable = true; vlc
vacu.packages.prismlauncher.enable = true; dmidecode
vacu.packages.ffmpeg_7-full.enable = true; prismlauncher
ffmpeg_7-full
wireshark
obsidian
dino
aircrack-ng
libreoffice-qt6-fresh
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
];
services.fwupd.enable = true; services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
@@ -88,6 +103,7 @@
hardware.opengl = { hardware.opengl = {
driSupport = true; driSupport = true;
driSupport32Bit = true; driSupport32Bit = true;
extraPackages = [ pkgs.rocmPackages.clr.icd pkgs.amdvlk ];
}; };
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
programs.steam = { programs.steam = {
@@ -104,4 +120,7 @@
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true; hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true; services.blueman.enable = true;
services.postgresql.enable = true; #for development
} }

7
home/nix-on-droid.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
imports = [ ../common/home.nix ];
home.stateVersion = "24.05";
home.homeDirectory = "/data/data/com.termux.nix/files/home";
home.username = "nix-on-droid";
}

2
installer.nix
View File

@@ -1,7 +1,7 @@
{ config, inputs, modulesPath, lib, ... }: { { config, inputs, modulesPath, lib, ... }: {
imports = [ imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
./common-nixos-config.nix ./common/nixos.nix
]; ];
# this is an installer image, created anew every time. There's no state we need to worry about messing up # this is an installer image, created anew every time. There's no state we need to worry about messing up
system.stateVersion = config.system.nixos.version; system.stateVersion = config.system.nixos.version;

5
liam/default.nix
View File

@@ -2,7 +2,7 @@
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/virtualisation/digital-ocean-config.nix") (modulesPath + "/virtualisation/digital-ocean-config.nix")
../common-nixos-config.nix ../common/nixos.nix
./nginx.nix ./nginx.nix
./sops.nix ./sops.nix
./dovecot.nix ./dovecot.nix
@@ -32,7 +32,8 @@
domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains); domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
relayhost = lib.options.mkOption { relayhost = lib.options.mkOption {
type = lib.types.str; type = lib.types.str;
default = "[smtp.migadu.com]:465"; # mailhop is duocircle
default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
}; };
reservedIpLocal = mkReadOnly "10.46.0.7"; reservedIpLocal = mkReadOnly "10.46.0.7";
}; };

8
liam/mail.nix
View File

@@ -16,14 +16,12 @@ in {
virtual = '' virtual = ''
julie@shelvacu.com julie julie@shelvacu.com julie
mom@shelvacu.com julie mom@shelvacu.com julie
mar@shelvacu.com mar
psv@shelvacu.com psv psv@shelvacu.com psv
'' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n" '' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
+ (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains); + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
transport = '' transport = ''
shelvacu@${fqdn} ${dovecot_transport} shelvacu@${fqdn} ${dovecot_transport}
mar@${fqdn} ${dovecot_transport}
julie@${fqdn} ${dovecot_transport} julie@${fqdn} ${dovecot_transport}
psv@${fqdn} ${dovecot_transport} psv@${fqdn} ${dovecot_transport}
backup@${fqdn} ${dovecot_transport} backup@${fqdn} ${dovecot_transport}
@@ -45,6 +43,7 @@ in {
# verbatim appended to main.cf # verbatim appended to main.cf
extraConfig = '' extraConfig = ''
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
virtual_alias_domains = virtual_alias_domains =
${lib.concatStringsSep ",\n " domains} ${lib.concatStringsSep ",\n " domains}
@@ -74,6 +73,9 @@ in {
# not actually 1024 bits, this applies to all DHE >= 1024 bits # not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path} smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
# smtp_bind_address = 10.46.0.7
# inet_interfaces = all
# inet_protocols = ipv4
${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); '' ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
smtpd_milters = unix:/run/opendkim/opendkim.sock smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock non_smtpd_milters = unix:/run/opendkim/opendkim.sock
@@ -88,7 +90,7 @@ in {
"-o" "smtp_sasl_security_options=noanonymous" "-o" "smtp_sasl_security_options=noanonymous"
"-o" "smtp_tls_security_level=secure" "-o" "smtp_tls_security_level=secure"
"-o" "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}" "-o" "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_wrappermode=no"
#"-o" "relayhost=${relayhost}" #"-o" "relayhost=${relayhost}"
] ++ (if debug then ["-v"] else []); ] ++ (if debug then ["-v"] else []);
}; };

2
lp0/default.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
../common-nixos-config.nix ../common/nixos.nix
./hardware-config.nix ./hardware-config.nix
]; ];

12
nix-on-droid.nix → nix-on-droid/default.nix
View File

@@ -1,19 +1,19 @@
{ config, lib, pkgs, inputs, ... }: { config, lib, pkgs, inputs, ... }:
{ {
imports = [ ./common-config.nix ]; imports = [
environment.packages = config.vacu.packageList; ../common/nix-on-droid.nix
./flake-registry.nix
];
environment.etc."resolv.conf".text = lib.mkForce '' environment.etc."resolv.conf".text = lib.mkForce ''
nameserver 10.78.79.1 # nameserver 10.78.79.1
nameserver 9.9.9.10 nameserver 9.9.9.10
nameserver 149.112.112.10 nameserver 149.112.112.10
options timeout:1 attempts:5 options timeout:1 attempts:5
''; '';
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
# Backup etc files instead of failing to activate generation if a file already exists in /etc # Backup etc files instead of failing to activate generation if a file already exists in /etc
environment.etcBackupExtension = ".bak"; environment.etcBackupExtension = ".bak";
@@ -24,8 +24,6 @@
nix.extraOptions = '' nix.extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
environment.sessionVariables."PS1" = "\\w $ "; environment.sessionVariables."PS1" = "\\w $ ";

9
nix-on-droid/flake-registry.nix Normal file
View File

@@ -0,0 +1,9 @@
# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
{ inputs, ... }:
{
nix.registry.nixpkgs.to = {
type = "path";
path = inputs.nixpkgs.outPath;
};
nix.nixPath = [ "nxipkgs=flake:nixpkgs" ];
}

32
package-set.nix
View File

@@ -1,32 +0,0 @@
{ config, pkgs, lib, ... }: let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
in {
options = {
vacu.packages = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = true;
description = "Will this package be installed (included in environment.systemPackages)";
};
package = mkOption {
type = types.package;
default = pkgs.${name};
defaultText = "pkgs.${name}";
};
};
}));
};
vacu.packageList = mkOption {
type = types.listOf types.package;
readOnly = true;
};
};
config.vacu.packageList = enabledPkgs;
}

104
packages/snmp-mibs-downloader.nix Normal file
View File

@@ -0,0 +1,104 @@
{
bash,
coreutils,
gzip,
gnutar,
unzip,
wget,
gnupatch,
fetchFromGitLab,
fetchurl,
#libsmi,
#resholve,
stdenv,
writeText,
lib,
}@args:
stdenv.mkDerivation (self: let
# this script depends on an old version of libsmi's smistrip
libsmi = stdenv.mkDerivation rec {
pname = "libsmi";
version = "0.4.8";
src = fetchurl {
url = "https://www.ibr.cs.tu-bs.de/projects/libsmi/download/${pname}-${version}.tar.gz";
hash = "sha256-8EilJw9BvIiww7Co/nDKTXFqRrUxoOyqqHxGL0nXSEk=";
};
env.NIX_CFLAGS_COMPILE = "-std=gnu90";
#env.CFLAGS="-Wno-error";
#env.NIX_DEBUG="7";
hardeningDisable = [ "format" ];
meta = with lib; {
description = "A Library to Access SMI MIB Information";
homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
license = licenses.free;
platforms = lib.platforms.linux ++ lib.platforms.darwin;
};
};
in rec {
pname = "snmp-mibs-downloader";
version = "1.6";
src = fetchFromGitLab {
domain = "salsa.debian.org";
owner = "debian";
repo = "${pname}";
rev = "debian/${version}";
hash = "sha256-W2VW3EJWmHwlqMoL12dFcfkYmAADLOtUWCydcL5qUKc=";
};
# installPhase = ''
# install -Dm755 download-mibs $out/bin
# install -Dm644 *.conf *list $out/etc/snmp-mips-downloader
# cp mibrfcs/* $out/share/snmp/mibs-downloader/mibrfcs
# cp mibiana/* $out/share/snmp/mibs-downloader/mibiana
# gzip -9 $out/share/snmp/mibs-downloader/*/*
# '';
postPatch = ''
substituteInPlace download-mibs \
--replace-fail SMISTRIP=/usr/bin/smistrip "" \
--replace-fail CONFDIR=/etc/snmp-mibs-downloader "BASEDIR=/var/lib/mibs; AUTOLOAD='rfc ianarfc iana'" \
--replace-fail '. $CONFDIR/snmp-mibs-downloader.conf' ""
'';
preInstall = ''
mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
'';
installFlags = [ "INSTALL=install" "DESTDIR=$(out)" ];
postInstall = ''
mv $out/usr/* $out
rmdir $out/usr
substituteInPlace $out/etc/snmp-mibs-downloader/* \
--replace-quiet 'DIR=/usr/share/snmp/mibs-downloader' 'DIR='$out'/share/snmp/mibs-downloader'
mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
cat <<EOF > $out/bin/download-mibs
#!${bash}/bin/bash
PATH=${lib.escapeShellArg (lib.concatStringsSep ":" (lib.flip map [ coreutils gzip gnutar unzip wget gnupatch ] (p: "${p}/bin")))}
SMISTRIP=${libsmi}/bin/smistrip
CONFDIR=$out/etc/snmp-mibs-downloader
source $out/bin/.download-mibs-unwrapped
EOF
chmod u+x $out/bin/download-mibs
'';
env.NIX_DEBUG="7";
# solutions.default = {
# scripts = [ "bin/download-mibs" ];
# interpreter = "${bash}/bin/bash";
# inputs = [ coreutils gzip gnutar unzip wget gnupatch ];
# keep = {
# "$archive_fetcher" = true;
# source = [ "$CONFDIR/$i.conf" ];
# "${wget}/bin/wget" = true;
# };
# fix = { "$SMISTRIP" = [ "${libsmi}/bin/smistrip" ]; };
# };
meta = {
mainProgram = "download-mibs";
};
})

124
packages/snmpb/package.nix Normal file
View File

@@ -0,0 +1,124 @@
{
fetchgit,
lib,
libsmi,
libtomcrypt,
qmake,
qtbase,
qwt,
stdenv,
wrapQtAppsHook,
breakpointHook,
}@args:
stdenv.mkDerivation (finalAttrs: let
# ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
libsmi = finalAttrs.passthru.libsmi;
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
in {
pname = "snmpb";
version = "0.9pre1";
# __structuredAttrs = true;
passthru = {
proFile = "${finalAttrs.pname}.pro";
makeFile = "makefile.${finalAttrs.pname}";
smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
libsmi = args.libsmi.overrideAttrs (final: prev: {
#preConfigure = (prev.preConfigure or "") + "\n" + ''
# appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
#'';
configureFlags = (prev.configureFlags or []) ++ ["--with-pathseparator=;" "--with-smipath=${finalAttrs.passthru.smipath}"];
env.NIX_DEBUG="2";
pname = prev.pname + "-for-snmpb";
});
libsmi-data = stdenv.mkDerivation {
name = "libsmi-snmpb-data";
phases = "unpackPhase installPhase";
src = libsmi.src;
installPhase = ''
mkdir -p $out/share/snmpb/{mibs,pibs}
shopt -s globstar
for foo in mibs pibs; do
for node in $foo/**/*; do
[[ -f $node ]] && install -m444 $node $out/share/snmpb/$foo/
done
done
rm $out/share/snmpb/*/Makefile*
'';
};
};
src = fetchgit {
url = "https://git.code.sf.net/p/snmpb/code";
rev = "a092855bfd201778f87be578b91aeb062726e329";
hash = "sha256-nlS1pqv2ERZGkk0SJ8ByXqBHHho1GTSq/oxrXL2tytM=";
};
patches = [ ./unvendor.patch ];
buildInputs = [
qwt
qtbase
libtomcrypt
libsmi
];
nativeBuildInputs = [
wrapQtAppsHook
qmake
breakpointHook
];
#setSourceRoot = "sourceRoot=$(echo */app)";
#NIX_DEBUG="7";
#installFlags = "INSTALL_PREFIX=$(out) NO_ROOT=1";
installPhase = ''
popd
install -Dm 555 -s app/snmpb $out/bin/snmpb
#mkdir -p $out/share/snmpb/{mibs,pibs}
#for foo in mibs pibs; do
# for file in ${libsmi}/share/$foo/*; do
# ln -s $file $out/share/snmpb/$foo/
# done
#done
install -Dm 444 app/snmpb.desktop $out/share/applications
install -Dm 444 app/snmpb.xml $out/share/mime/packages
install -Dm 444 app/images/snmpb.png $out/share/icons/hicolor/128x128/apps
install -Dm 444 app/images/snmpb.png $out/share/pixmaps
install -Dm 444 app/images/snmpb.svg $out/share/icons/hicolor/scalable/apps
'';
postPatch = ''
rm -rf libsmi libtomcrypt qwt #ensures un-vendoring worked correctly
#smipath_parts=(${libsmi}/share/{mibs,pibs}/*)
#smipath=$(IFS=";" ; echo "''${smipath_parts[*]}")
substituteInPlace app/preferences.cpp --subst-var smipath
substituteInPlace app/*.pro \
--subst-var libs \
--subst-var include
pushd app
'';
env = {
include = "${qwt.dev}/include ${libsmi}/include ${libtomcrypt}/include";
libs = "${qwt}/lib/libqwt.so ${libsmi}/lib/libsmi.so ${libtomcrypt}/lib/libtomcrypt.so -lqwt -lsmi -ltomcrypt";
inherit (finalAttrs.passthru) smipath;
};
preConfigure = ''
qmakeFlags+=( "${finalAttrs.passthru.proFile}" "-o" "${finalAttrs.passthru.makeFile}" )
'';
makefile = finalAttrs.passthru.makeFile;
meta = {
description = "GUI SNMP browser and MIB editor wrtten with Qt";
};
})

61
packages/snmpb/unvendor.patch Normal file
View File

@@ -0,0 +1,61 @@
diff --git a/app/preferences.cpp b/app/preferences.cpp
index 29fa8c8..98e842f 100644
--- a/app/preferences.cpp
+++ b/app/preferences.cpp
@@ -22,13 +22,6 @@
#include <qfileinfo.h>
#include <qtextstream.h>
-// For DEFAULT_SMIPATH
-#ifdef WIN32
-#include "../libsmi/win/config.h"
-#else
-#include "../libsmi/config.h"
-#endif
-
#include "mibmodule.h"
#include "preferences.h"
@@ -288,7 +281,7 @@ void Preferences::MibPathRefresh()
void Preferences::MibPathReset()
{
// "Reset to default" for MIB paths
- QStringList defaultpaths = QString(DEFAULT_SMIPATH).split(SMI_PATH_SEPARATOR);
+ QStringList defaultpaths = QString("@smipath@").split(SMI_PATH_SEPARATOR);
QSettings settings;
settings.beginWriteArray("mibpaths");
diff --git a/app/snmpb.h b/app/snmpb.h
index 63f0d6e..c1da1b8 100644
--- a/app/snmpb.h
+++ b/app/snmpb.h
@@ -20,6 +20,7 @@
#ifndef SNMPB_H
#define SNMPB_H
+#include <qwt_text.h>
#include "ui_mainw.h"
#define SNMPB_VERSION_STRING "1.0"
diff --git a/app/snmpb.pro b/app/snmpb.pro
index b6ee631..a5ff14a 100644
--- a/app/snmpb.pro
+++ b/app/snmpb.pro
@@ -83,14 +83,9 @@ FORMS += \
INCLUDEPATH += \
../snmp++/include \
../snmp++/ \
- ../libtomcrypt/src/headers \
- ../libsmi/lib \
- ../qwt/src
-LIBS += \
- -L../libtomcrypt \
- -L../libsmi/lib/.libs \
- -L../qwt/lib \
- -lsmi -ltomcrypt -lqwt
+ @include@
+
+LIBS += @libs@
RESOURCES = snmpb.qrc

7
secrets/liam/main.yaml
View File

@@ -1,6 +1,7 @@
dovecot-passwd: ENC[AES256_GCM,data:K54kOi2MB37Jra6ce+yDrVqFlie3+mJnVWD/A6c6d3nGV5fLi2ppn9Gkevuzz490QKNpZDbRa3CSnOHLrID5zJ2JTlOnXGAIPOd2XQZSZdW+lcnfKk2WjffRHkFoQIdKnKDqh8x0i+Ymrpy1TBg3USAAilvYliLHQDjd1djj0kFsxRScQyCc9F3YGM11X1pRNX2R7YyKKNxQVcTkCRxWdh8hs/o8aybpy7EeAHZoJyI+vywRKJK1FYLhX+tj3dTqLVsvpT1OePQJRVdrSifpGVP9uHoYZRVMrhb2nyCXjuJ/k3pHbHhKXt+Gnhh+2/cvvKApFE0YJoyqg6wey1GcmIw7tnE7dRfO/HGkDgHwzLQVPcdb2fdQs/C+AeJhtHAVMowYWroiEylMMqsv5QmAdDmFJjXRqhW7Zh/uaKOTZLa/xMUEf0/59pP8PWXvTrRB77c+EAcM+b804bvsa/cUly/vz+8AcWhCrZJIbmmbkToP3NGy4K3bbD7y4A6I01svSBlOXQGOF6D6QLK6snZ6ox4ZrdqClCzhSfZYSu4ZGtzr323Z,iv:JAvVAHK6OwutD2gph6rHlBxdaPh4OjL7Kr82kVz9dh0=,tag:+3HCNdV0+wbhNpYVPGAaaw==,type:str] dovecot-passwd: ENC[AES256_GCM,data:pcj7T1AKqZfMBGiHiihW0WxVKzAiy6xsGGlOhOV4IeHPEn+SXNoQjTQQVhZoNxYsENptH54SgWwlMETCcQrQzq6prrktlT3iZCnwlwvzaNRXrMe1mk/WT+OiTpaQ0PWGfrhVkQXj4bxWKCRc2i3NJxm1AtYfE0nNL/1dUk9rzwYTH6zjiQFYmZHbwzjtxiE3YbZCwYnpNR3Ql08S4kNf5TtsecFtTY1VOPFRycjEfIIIUbVLUM06DZ5savKVNRdgaVMUuXyPoOxy65YbkwZ9vkoBleRShY0v6FOgG1YLmQmr7f8QtiHlFbA0NJ0vUkg8bgSTsw27jC/JQU0qTSNVrMHgzfApw6GUQgGTYZK24tFCVNBJ3sxvTbuVOcShy01yJA==,iv:5gTo8ySgq//ZaY88F7AcAa2CEe2hXR415EqqSsYIbF8=,tag:DOf4yEXW5kzYAL89KQOAdQ==,type:str]
dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str] dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str]
dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str] dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str]
relay_creds: ENC[AES256_GCM,data:yWG53NaiA2s5aUudZWecDS1+fOURTHd0D0rNxZ9Tud9TsTO2F/6+5i3vRz/4qP4FoBexEVoW5Xhkqo8o8OaGOpZHh/Nla7TJTnaSCgJw9QPfFoRNiE9f46LytXYThiCGBdy3Z3gtNmSX5BQk1zNI1TiHBFG4IYfauq7e6jJ4Bp/9z3LRknDITdlLjzAPjIO5kUG95IrQQCl3SeAjS+LwxPFRuV1+zWNdOXJLmSeWv1JcAcyhkwutMhQYRGMaS09bbXp29N8DX3lsAK9pYZLr5F3gXwOrZN7nG4+K0KOqfMI4UcLpIOlCPdj9XjgAYcWC+LL5bA0W53e7je3IDVebevDheKPowKK/A6le2TfqXKfhOVi4qXaEsjOBIJzLylOqXoAb1ZCM3nTHCC3M/r3/il+6RnFgISOCHezTiEYM,iv:0kAJzoV/HEIRuEAxzWAaQqwlzWlBSwklipWquF9WeoY=,tag:SCQOQCXm6kmLSYhkT6dubQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -115,8 +116,8 @@ sops:
TjhQY0VoNU91Zi96VzZGaitsWHptT0UKZ3Vx/iqilkHrFkAbaSeJZNmSOzXvMDX6 TjhQY0VoNU91Zi96VzZGaitsWHptT0UKZ3Vx/iqilkHrFkAbaSeJZNmSOzXvMDX6
HhcXrrq+sVjnq0XhOqWVY72h8Hp3d0JWA9VOxNQRyM9hdVENXur8YA== HhcXrrq+sVjnq0XhOqWVY72h8Hp3d0JWA9VOxNQRyM9hdVENXur8YA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-03T23:02:46Z" lastmodified: "2024-07-10T20:44:49Z"
mac: ENC[AES256_GCM,data:SlmS0pn+nA2goHKojWRcz7VJJCoUXgunkP9jlZzh/BdeH9Jo1h1J4XRlejEKzD9Zi63EHlfPzsQXIrBO7CnxHDST+9roZc+24Yb552PKjF6aiMVTR+iRiYmHvSGCExvdHU9U2GWvF9WUmdtDan33TkmtvHlO9on9FG/iF/4sDG4=,iv:CY7xoR0lvRI40iudbtY1VZNem+37s5GCoEshLGa9y4U=,tag:1jzH2fQvl1QCsdjtSo2MzA==,type:str] mac: ENC[AES256_GCM,data:tSTKCP7HUUCSCrbeiLutPghjfbL9TsxuCmbARUqwQBH8pyeOsyFHyPCqmqjCDSu2ha0QTldNGM9baiIQa/05DV5KNmFfVuoWy6dd4/3L5yNd3FPkzR2SvBua1g09YZpC1G2IaGrOcqBEOY9baILeBGgXfxRtcpMVAR2C3bOqJyQ=,iv:4phBdZ/4u5DAbUn4Z7pdrJym+iG9oxZSsIPZqoDEqco=,tag:RJn0416yl+0FV9bTu5tA5w==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

26
tests/liam.nix
View File

@@ -20,7 +20,7 @@
testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret; testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
sopsTestSecrets = { sopsTestSecrets = {
"dovecot-passwd" = (lib.concatStringsSep "\n" (map (name: "${name}:{plain}${name}::::::") [ "shelvacu" "julie" "mar" ])) + "\nbackup:::::::"; "dovecot-passwd" = (lib.concatStringsSep "\n" (map (name: "${name}:{plain}${name}::::::") [ "shelvacu" "julie" ])) + "\nbackup:::::::";
dkim_key = '' dkim_key = ''
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB
@@ -39,7 +39,7 @@
hCvgabgr0wsi1y0= hCvgabgr0wsi1y0=
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
''; '';
relay_creds = "[${relayDomain}]:465 ${relayUser}:${relayPass}"; relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
}; };
sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (builtins.toJSON sopsTestSecrets); sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (builtins.toJSON sopsTestSecrets);
sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" {} '' sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" {} ''
@@ -98,12 +98,12 @@ in {
MP_DATABASE = "${dir}/mailpit.db"; MP_DATABASE = "${dir}/mailpit.db";
MP_SMTP_TLS_CERT = relayCert.certificatePath; MP_SMTP_TLS_CERT = relayCert.certificatePath;
MP_SMTP_TLS_KEY = relayCert.privateKeyPath; MP_SMTP_TLS_KEY = relayCert.privateKeyPath;
MP_SMTP_REQUIRE_TLS = "true"; MP_SMTP_REQUIRE_STARTTLS = "true";
MP_SMTP_BIND_ADDR = "0.0.0.0:465"; MP_SMTP_BIND_ADDR = "0.0.0.0:587";
MP_SMTP_AUTH_FILE = "${relayPassFile}"; MP_SMTP_AUTH_FILE = "${relayPassFile}";
MP_UI_BIND_ADDR = "0.0.0.0:8025"; MP_UI_BIND_ADDR = "0.0.0.0:8025";
}; };
serviceConfig.ExecStart = "${mailpit}/bin/mailpit --smtp-require-tls"; serviceConfig.ExecStart = "${mailpit}/bin/mailpit";
# serviceConfig.Restart = "always"; # serviceConfig.Restart = "always";
serviceConfig.User = config.users.users.mailpit.name; serviceConfig.User = config.users.users.mailpit.name;
serviceConfig.Group = config.users.groups.mailpit.name; serviceConfig.Group = config.users.groups.mailpit.name;
@@ -121,7 +121,7 @@ in {
systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ]; systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ];
systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ]; systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ];
vacu.secretsFolder = "${sopsTestSecretsFolder}"; vacu.secretsFolder = "${sopsTestSecretsFolder}";
vacu.liam.relayhost = "[${relayDomain}]:465"; vacu.liam.relayhost = "[badhost.blarg]:587 [${relayDomain}]:587";
system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey"; system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
system.activationScripts.setupSecrets.deps = [ "sopsHack" ]; system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
sops.age.keyFile = "/run/secretKey"; sops.age.keyFile = "/run/secretKey";
@@ -177,17 +177,15 @@ in {
--submission --mailfrom me@shelvacu.com --rcptto foo@example.com --username shelvacu --expect-mailpit-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025 --submission --mailfrom me@shelvacu.com --rcptto foo@example.com --username shelvacu --expect-mailpit-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
--submission --mailfrom me@dis8.net --rcptto foo@example.com --username shelvacu --expect-mailpit-not-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025 --submission --mailfrom me@dis8.net --rcptto foo@example.com --username shelvacu --expect-mailpit-not-received --mailpit-url http://${nodes.relay.networking.primaryIPAddress}:8025
# mar's emails should NOT get sieve'd like mine # julie's emails should NOT get sieve'd like mine
--rcptto mar@shelvacu.com --username mar --imap-dir INBOX --rcptto julie@shelvacu.com --username julie --imap-dir INBOX
--rcptto mar+stuff@shelvacu.com --username mar --imap-dir INBOX --rcptto julie+stuff@shelvacu.com --username julie --imap-dir INBOX
# test the sieve script is working # test the sieve script is working
--mailfrom whoever@example.com --rcptto sievetest@shelvacu.com --username shelvacu --imap-dir com.shelvacu --mailfrom whoever@example.com --rcptto sievetest@shelvacu.com --username shelvacu --imap-dir com.shelvacu
--rcptto shelvacu@shelvacu.com --username shelvacu --smtp-starttls --rcptto shelvacu@shelvacu.com --username shelvacu --smtp-starttls
--rcptto mar@shelvacu.com --username mar
--rcptto mar+stuff@shelvacu.com --username mar
--rcptto shelvacu@shelvacu.com --username shelvacu --rcptto shelvacu@shelvacu.com --username shelvacu
--rcptto julie@shelvacu.com --username julie --rcptto julie@shelvacu.com --username julie
--rcptto foobar@shelvacu.com --username shelvacu --rcptto foobar@shelvacu.com --username shelvacu
@@ -204,10 +202,6 @@ in {
--submission --expect-recipient-refused --mailfrom julie@shelvacu.com --username shelvacu --submission --expect-recipient-refused --mailfrom julie@shelvacu.com --username shelvacu
--submission --expect-recipient-refused --mailfrom fubar@theviolincase.com --username shelvacu --submission --expect-recipient-refused --mailfrom fubar@theviolincase.com --username shelvacu
--submission --expect-recipient-refused --mailfrom fubar@vacu.store --username julie --submission --expect-recipient-refused --mailfrom fubar@vacu.store --username julie
--submission --expect-recipient-refused --mailfrom shelvacu@shelvacu.com --username mar
--submission --expect-recipient-refused --mailfrom me@shelvacu.com --username mar
--submission --expect-recipient-refused --mailfrom shelvacu+foo@shelvacu.com --username mar
--submission --expect-recipient-refused --mailfrom me+foo@shelvacu.com --username mar
--submission --mailfrom shelvacu@shelvacu.com --rcptto foo@example.com --username shelvacu --password shelvacu --expect-sent --submission --mailfrom shelvacu@shelvacu.com --rcptto foo@example.com --username shelvacu --password shelvacu --expect-sent
--submission --mailfrom shelvacu@shelvacu.com --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent --submission --mailfrom shelvacu@shelvacu.com --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent
@@ -215,8 +209,6 @@ in {
--submission --mailfrom foo@vacu.store --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent --submission --mailfrom foo@vacu.store --rcptto foo@example.com --username shelvacu@shelvacu.com --password shelvacu --expect-sent
--submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie --password julie --expect-sent --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie --password julie --expect-sent
--submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie@shelvacu.com --password julie --expect-sent --submission --mailfrom foo@violingifts.com --rcptto foo@example.com --username julie@shelvacu.com --password julie --expect-sent
--submission --mailfrom mar@shelvacu.com --rcptto foo@example.com --username mar --password mar --expect-sent
--submission --mailfrom mar+stuff@shelvacu.com --rcptto foo@example.com --username mar --password mar --expect-sent
""" """
for check in checks.split("\n"): for check in checks.split("\n"):

6
triple-dezert/database.nix
View File

@@ -53,10 +53,10 @@ in
services.postgresql = rec { services.postgresql = rec {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
dataDir = "/trip/pg/data/${package.psqlSchema}"; dataDir = "/var/postgres/data/${package.psqlSchema}";
enableJIT = true; enableJIT = true;
initdbArgs = [ initdbArgs = [
"--waldir=/trip/pg/wal/${package.psqlSchema}" "--waldir=/var/postgres/wal/${package.psqlSchema}"
]; ];
ensureUsers = [ ensureUsers = [
{ {
@@ -76,4 +76,4 @@ in
systemd.services.postgresql.postStart = "\n#START stuff from database.nix\n" + (concatMapStringsSep "\n" (d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' '') databases) + "\n#END stuff from database.nix\n"; systemd.services.postgresql.postStart = "\n#START stuff from database.nix\n" + (concatMapStringsSep "\n" (d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' '') databases) + "\n#END stuff from database.nix\n";
}; };
} }

19
triple-dezert/default.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, inputs, lib, ... }: { { config, pkgs, inputs, lib, ... }: {
imports = imports =
[ [
../common-nixos-config.nix ../common/nixos.nix
./hardware-configuration.nix ./hardware-configuration.nix
./awootrip.nix ./awootrip.nix
./frontproxy.nix ./frontproxy.nix
@@ -15,12 +15,16 @@
#./vms.nix #./vms.nix
./networking.nix ./networking.nix
./devver-host.nix ./devver-host.nix
./emily.nix
./jellyfin.nix
]; ];
system.nixos.tags = [ "host-${config.networking.hostName}" ]; system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
#todo: increase boot partition size
boot.loader.systemd-boot.configurationLimit = 10;
# The first thing to complain was redis in the vacustore container: # The first thing to complain was redis in the vacustore container:
# #
# WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect. # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
@@ -34,14 +38,23 @@
services.xserver.enable = false; services.xserver.enable = false;
environment.systemPackages = with pkgs; [ vacu.packages = with pkgs; [
zfs zfs
smartmontools smartmontools
openvpn openvpn
nvme-cli nvme-cli
tshark tshark
postgresql_16 config.services.postgresql.package
(pkgs.writeScriptBin "into-nix-cache" ''
if [[ $UID -ne 0 ]]; then exec sudo $0 "$@";fi
${pkgs.nix}/bin/nix copy \
--no-update-lock-file \
--no-write-lock-file \
--to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' \
"$@"
'')
]; ];
hardware.opengl.extraPackages = [ pkgs.intel-compute-runtime pkgs.ocl-icd ];
services.openssh = { services.openssh = {
enable = true; enable = true;

43
triple-dezert/emily.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, ... }: let
sshPort = 32767;
container = config.containers.emily;
in {
networking.firewall.allowedTCPPorts = [ sshPort ];
networking.nat.forwardPorts = [{
destination = container.localAddress;
proto = "tcp";
sourcePort = sshPort;
}];
containers.emily = {
privateNetwork = true;
hostAddress = "192.168.100.20";
localAddress = "192.168.100.21";
autoStart = true;
ephemeral = false;
bindMounts."/emdata" = {
hostPath = "/trip/ncdata/data/melamona/files";
isReadOnly = false;
};
config = { config, ... }: {
system.stateVersion = "24.05";
services.openssh.enable = true;
services.openssh.ports = [ sshPort ];
services.openssh.openFirewall = true;
users.groups.emily.gid = 999;
users.users.emily = {
isNormalUser = true;
isSystemUser = false;
hashedPassword = "$y$j9T$gP2phgJ9iSH.tWROn/T2C1$dwifP4R4SY4Fyd6W4vZ7tMDFhZB7Cfji9QvporeKUXB";
group = "emily";
};
users.mutableUsers = false;
users.allowNoPasswordLogin = true;
};
};
}

2
triple-dezert/frontproxy.nix
View File

@@ -10,6 +10,7 @@ let
"vacu.store" "vacu.store"
"jean-luc.org" "jean-luc.org"
"pwrhs.win" "pwrhs.win"
"jf.finaltask.xyz"
]; ];
in { in {
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@@ -71,6 +72,7 @@ in {
"${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ]; "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
"${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ]; "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
"${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ]; "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
"${outer_config.containers.jellyfin.localAddress}" = [ "jellyfin" ];
}; };
}; };
}; };

24
triple-dezert/haproxy-config.cfg
View File

@@ -13,8 +13,8 @@ global
defaults defaults
# https://world.hey.com/goekesmi/haproxy-chrome-tcp-preconnect-and-error-408-a-post-preserved-from-the-past-2497d1f7 # https://world.hey.com/goekesmi/haproxy-chrome-tcp-preconnect-and-error-408-a-post-preserved-from-the-past-2497d1f7
timeout server 302s timeout server 3s
timeout client 302s timeout client 3s
timeout connect 10s timeout connect 10s
option http-ignore-probes option http-ignore-probes
@@ -25,7 +25,7 @@ defaults
frontend main frontend main
bind :80 bind :80
bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem crt /certs/jf.finaltask.xyz/full.pem
mode http mode http
@@ -36,12 +36,13 @@ frontend main
# Check whether the client is attempting domain fronting. # Check whether the client is attempting domain fronting.
acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0 acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0
acl host_vacustore var(req.host) -m str "vacu.store"
# acl host_auth var(req.host) -m str "auth.shelvacu.com" # acl host_auth var(req.host) -m str "auth.shelvacu.com"
acl host_cache var(req.host) -m str "nixcache.shelvacu.com" acl host_vacustore var(req.host) -m str "vacu.store"
acl host_stats_jl var(req.host) -m str "stats.jean-luc.org" acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org" acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win" acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win"
acl host_jellyfin var(req.host) -m str "jf.finaltask.xyz"
http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc } http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
@@ -64,6 +65,7 @@ frontend main
http-request allow if host_stats_jl http-request allow if host_stats_jl
http-request allow if host_tulpaudcast_jl http-request allow if host_tulpaudcast_jl
http-request allow if host_habitat_pwrhs http-request allow if host_habitat_pwrhs
http-request allow if host_jellyfin
http-request return status 404 string "not found" content-type text/plain http-request return status 404 string "not found" content-type text/plain
use_backend vacustore if host_vacustore use_backend vacustore if host_vacustore
@@ -72,6 +74,7 @@ frontend main
use_backend jl_stats if host_stats_jl use_backend jl_stats if host_stats_jl
use_backend static_stuff if host_tulpaudcast_jl use_backend static_stuff if host_tulpaudcast_jl
use_backend habitat if host_habitat_pwrhs use_backend habitat if host_habitat_pwrhs
use_backend jellyfin if host_jellyfin
backend vacustore backend vacustore
mode http mode http
@@ -83,6 +86,11 @@ backend kani
option forwardfor option forwardfor
server main kani:8443 check maxconn 500 ssl verify none ssl-reuse server main kani:8443 check maxconn 500 ssl verify none ssl-reuse
backend jellyfin
mode http
option forwardfor
server main jellyfin:8096 check maxconn 100 proto h1
# backend keycloak # backend keycloak
# mode http # mode http
# option forwardfor # option forwardfor

42
triple-dezert/jellyfin.nix Normal file
View File

@@ -0,0 +1,42 @@
{ config, pkgs, ... }: let
name = "jellyfin";
contain = config.containers.${name};
in {
systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
mode = "0755";
};
containers.${name} = {
privateNetwork = true;
hostAddress = "192.168.100.22";
localAddress = "192.168.100.23";
autoStart = true;
ephemeral = true;
restartIfChanged = true;
bindMounts."/${name}" = {
hostPath = "/trip/${name}";
isReadOnly = false;
};
config = { pkgs, ... }: {
system.stateVersion = "24.05";
networking.useHostResolvConf = false;
networking.nameservers = [ "10.78.79.1" ];
networking.firewall.enable = false;
services.jellyfin = {
enable = true;
dataDir = "/${name}";
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
};
};
}

31
triple-dezert/jl-stats.nix
View File

@@ -2,29 +2,8 @@
let let
name = "jl-stats"; name = "jl-stats";
contain = config.containers.${name}; contain = config.containers.${name};
most-winningest = pkgs.callPackage ({ pg = config.services.postgresql.package;
rustPlatform, most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override { postgresql = pg; };
fetchFromGitHub,
pkg-config,
openssl,
postgresql,
}: rustPlatform.buildRustPackage rec {
pname = "most-winningest";
version = "69.420";
nativeBuildInputs = [ pkg-config ];
buildInputs = [ openssl postgresql ];
src = fetchFromGitHub {
owner = "captain-jean-luc";
repo = pname;
rev = "d203ae1b8dd450b281bc1b4bb2ae7518a5665352";
hash = "sha256-RDVIu4zU4BvsJ1Ek7SwlpvA7H48TlPTzTCvUk+9hZ74=";
};
cargoHash = "sha256-5Wbx/RBqtDmJUKdLXttryMuJfpkUJwRGTFYP3UFEPT0=";
}) {};
in { in {
vacu.databases.${name}.authByIp = contain.localAddress; vacu.databases.${name}.authByIp = contain.localAddress;
@@ -86,6 +65,10 @@ in {
timerConfig.OnBootSec = "5m"; timerConfig.OnBootSec = "5m";
timerConfig.OnUnitInactiveSec = "1h"; timerConfig.OnUnitInactiveSec = "1h";
}; };
environment.systemPackages = [
pg #provides psql binary, helpful for debugging
];
}; };
}; };
} }

60
triple-dezert/vacustore.nix
View File

@@ -31,8 +31,6 @@
networking.useHostResolvConf = lib.mkForce false; networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true; services.resolved.enable = true;
systemd.services.nextcloud-setup.after = [ "network-online.target" ];
services.nginx.virtualHosts."vacu.store".extraConfig = '' services.nginx.virtualHosts."vacu.store".extraConfig = ''
client_body_timeout 5m; client_body_timeout 5m;
''; '';
@@ -41,69 +39,69 @@
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud28; package = pkgs.nextcloud29;
configureRedis = true; configureRedis = true;
hostName = "vacu.store"; hostName = "vacu.store";
datadir = "/ncdata"; datadir = "/ncdata";
logLevel = 1;
https = true; https = true;
maxUploadSize = "1000G"; maxUploadSize = "1000G";
database.createLocally = false; database.createLocally = false;
extraApps = { extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts; inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
appointments = pkgs.fetchNextcloudApp { # appointments = pkgs.fetchNextcloudApp {
appName = "appointments"; # appName = "appointments";
url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz"; # url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";
sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg="; # sha256 = "sha256-LKxTF6yF7n6t34KzRRRqsf1doqS7DaKPmqscmNmtzAg=";
appVersion = "2.1.4"; # appVersion = "2.1.4";
license = "agpl3"; # license = "gpl3";
}; # };
gpoddersync = pkgs.fetchNextcloudApp { gpoddersync = pkgs.fetchNextcloudApp {
appName = "gpoddersync"; appName = "gpoddersync";
url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.8.2/gpoddersync.tar.gz"; url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.9.0/gpoddersync.tar.gz";
sha256 = "sha256-eeBvRZUDVIaym0ngfPD2d7aY3SI/7lPWkrYPnqSh5Kw="; sha256 = "sha256-wLiM8kv+HinOoAebarQ9MwuxqUpVeF0zS2RVYpAoYMI=";
appVersion = "3.8.2"; appVersion = "3.9.0";
license = "agpl3"; license = "gpl3";
}; };
webapppassword = pkgs.fetchNextcloudApp { webapppassword = pkgs.fetchNextcloudApp {
appName = "webapppassword"; appName = "webapppassword";
url = "https://github.com/digital-blueprint/webapppassword/releases/download/v23.12.0/webapppassword.tar.gz"; url = "https://github.com/digital-blueprint/webapppassword/releases/download/v24.6.0/webapppassword.tar.gz";
sha256 = "sha256-nQUHEm+cvTmRS2ECZK4lk7YAd+2gUYTFcu44A967kY4="; sha256 = "sha256-x9uARo/VtkFLabif2/GZhs4cG6qmhAJs93dzhFFmhB0=";
appVersion = "23.12.0"; appVersion = "24.6.0";
license = "agpl3"; license = "gpl3";
}; };
# oidc_login = pkgs.fetchNextcloudApp { # oidc_login = pkgs.fetchNextcloudApp {
# appName = "oidc_login"; # appName = "oidc_login";
# url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz"; # url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
# sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI="; # sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
# appVersion = "3.0.2"; # appVersion = "3.0.2";
# license = "agpl3"; # license = "gpl3";
# };
# sociallogin = pkgs.fetchNextcloudApp {
# appName = "sociallogin";
# url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
# sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
# appVersion = "5.6.3";
# license = "gpl3";
# }; # };
sociallogin = pkgs.fetchNextcloudApp {
appName = "sociallogin";
url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.6.3/release.tar.gz";
sha256 = "sha256-XHHD87InU9P5uq9zCJnFliHhWh5tpSpSnMMOfNgJKRw=";
appVersion = "5.6.3";
license = "agpl3";
};
}; };
phpOptions."opcache.interned_strings_buffer" = "32"; phpOptions."opcache.interned_strings_buffer" = "32";
config = { config = {
trustedProxies = [ outer_config.containers.vacustore.hostAddress ];
adminpassFile = "/etc/admin_password"; adminpassFile = "/etc/admin_password";
dbtype = "pgsql"; dbtype = "pgsql";
dbuser = "ncadmin"; dbuser = "ncadmin";
dbhost = outer_config.containers.vacustore.hostAddress; dbhost = outer_config.containers.vacustore.hostAddress;
dbname = "nextcloud"; dbname = "nextcloud";
dbtableprefix = "oc_"; dbtableprefix = "oc_";
overwriteProtocol = "https";
defaultPhoneRegion = "US";
}; };
extraOptions = { settings = {
loglevel = 1;
default_phone_region = "US";
overwriteprotocol = "https";
trusted_proxies = [ outer_config.containers.vacustore.hostAddress ];
allow_user_to_change_display_name = false; allow_user_to_change_display_name = false;
lost_password_link = "disabled"; lost_password_link = "disabled";
oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/"; oidc_login_provider_url = "https://id.shelvacu.com/oauth2/openid/vacustore/";