shelvacu/nix-stuff
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: shelvacu:master
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod
..
compare: shelvacu:wip-commands
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod

4 Commits
master ... wip-comman

Author SHA1 Message Date
Shelvacu
3d478c8d37 wip commands 2024-06-22 17:03:25 -07:00
Shelvacu
e052a165ec wip commands 2024-06-22 17:00:44 -07:00
Shelvacu
5a9e975723 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-06-22 16:50:31 -07:00
Shelvacu
91d9098ae2 remove (unnecssary) common-packages 2024-06-22 16:49:44 -07:00
313 changed files with 2622 additions and 21133 deletions
Expand all files Collapse all files

6
.gitignore vendored
View File

@@ -1,6 +1,2 @@
result /result
result-*
/.generated
.nixos-test-history .nixos-test-history
/packages/vacu-history/target/
/packages/altcaps/target/

26
.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
shel_keys: &shel_keys
- &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
- &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
- &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
- &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
machine_host_keys:
- &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
- &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
- &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
creation_rules:
- path_regex: secrets/[^/]+$
key_groups:
- age: *shel_keys
- path_regex: ^secrets/liam/
key_groups:
- age:
- *pixel-termux
- *t460s
- *pixel-nix
- *compute-deck-user
- *liam
- path_regex: ^tests/test_secrets/
key_groups:
- age:
- *test_key

44
README.md
View File

@@ -1,31 +1,13 @@
more just notes for now more just notes for now
--- deploy:
deploy: ```sh
nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
```sh ```
nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
``` build flake on remote machine, including eval:
--- ```sh
git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
build flake on remote machine, including eval: ```
```sh
git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
```
---
search for string in closure
```sh
rg search_str $(nix path-info --recursive ./result)
```
or
```sh
rg search_str $(nix path-info --recursive .#qb.trip)
```

42
archive.nix
View File

@@ -1,42 +0,0 @@
{
self,
lib,
pkgs,
...
}:
let
ignoreList = [
"iso"
"host-pxe-installer"
"host-pxe-installer-aarch64"
"pxe-initrd"
];
# We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
isoContentsStr = lib.concatStringsSep "\n" (
map (
c: "${c.source} => ${c.target}"
) self.nixosConfigurations.shel-installer-iso.config.isoImage.contents
);
isoContents = pkgs.writeText "iso-contents" isoContentsStr;
pxeConfig = self.nixosConfigurations.shel-installer-pxe.config;
pxeContents = pkgs.linkFarm "pxe-initrd-contents" {
inherit (pxeConfig.boot.initrd) compressor;
inherit (pxeConfig.system.build) initialRamdisk;
storeContents = pkgs.linkFarmFromDrvs "store-contents" pxeConfig.netboot.storeContents;
};
extraBuilds = { inherit isoContents pxeContents; };
buildListWithout = builtins.filter (v: !builtins.elem v ignoreList) (
builtins.attrNames self.buildList
);
allBuilds = self.buildList // extraBuilds;
in
rec {
archiveList = map (name: {
inherit name;
broken = builtins.elem name self.brokenBuilds;
impure = builtins.elem name self.impureBuilds;
}) (buildListWithout ++ builtins.attrNames extraBuilds);
drvs = allBuilds;
buildDepsDrvs = builtins.mapAttrs (_: v: pkgs.closureInfo { rootPaths = [ v.drvPath ]; }) drvs;
}

30
check-eval.sh
View File

@@ -1,30 +0,0 @@
#!/usr/bin/env bash
source shellvaculib.bash
svl_exact_args $# 0
svl_assert_probably_in_script_dir
declare -a nix_eval=(
nix eval
--show-trace
)
declare -a hosts=(
triple-dezert
compute-deck
liam
lp0
#skip shel-installer-*
fw
legtop
mmm
prophecy
)
set -x
"${nix_eval[@]}" --impure ".#.nixOnDroidConfigurations.default.activationPackage"
for host in "${hosts[@]}"; do
"${nix_eval[@]}" ".#.nixosConfigurations.${host}.config.system.build.toplevel"
done

31
common/acmeDependencies.nix
View File

@@ -1,31 +0,0 @@
{
config,
lib,
utils,
vacuModuleType,
...
}:
let
for-systemd-services = lib.concatMapAttrs (cert: units: {
"acme-selfsigned-${cert}" = {
wantedBy = units;
before = units;
};
}) config.vacu.acmeCertDependencies;
for-security-acme-certs = lib.concatMapAttrs (cert: units: {
${cert}.reloadServices = units;
}) config.vacu.acmeCertDependencies;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.acmeCertDependencies = lib.mkOption {
default = { };
example = ''
vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
'';
type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
};
config = {
systemd.services = for-systemd-services;
security.acme.certs = for-security-acme-certs;
};
}

51
common/assertions.nix
View File

@@ -1,51 +0,0 @@
{
lib,
vacuModuleType,
config,
...
}:
let
inherit (lib) mkOption types filter;
fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
triggeredWarnings = map (x: x.message) (
filter (x: !x.assertion && !x.fatal) config.vacu.assertions
);
withAsserts =
x:
if fatalAssertions != [ ] then
throw ''
Failed assertions:
${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}''
else
lib.showWarnings triggeredWarnings x;
adapter = {
config = {
assertions = map (x: { inherit (x) assertion message; }) (
filter (x: x.fatal) config.vacu.assertions
);
warnings = triggeredWarnings;
};
};
in
{
imports = lib.optional (vacuModuleType != "plain") adapter;
options.vacu.assertions = mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options.assertion = mkOption { type = types.bool; };
options.message = mkOption { type = types.str; };
options.fatal = mkOption {
type = types.bool;
default = true;
};
}
);
};
options.vacu.withAsserts = mkOption {
readOnly = true;
default = withAsserts;
};
}

29
common/checks.nix
View File

@@ -1,29 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib) types;
in
{
options.vacu.checks = lib.mkOption {
type = types.attrsOf types.package;
default = { };
};
options.vacu.textChecks = lib.mkOption {
type = types.attrsOf types.lines;
default = { };
};
config.vacu.checks = lib.mapAttrs (
name: lines:
pkgs.runCommand "vacu-textChecks-${name}" { } ''
(
set -xev
${lines}
touch "$out"
)
''
) config.vacu.textChecks;
}

17
common/common-but-not.nix
View File

@@ -1,17 +0,0 @@
# todo: rename this module
# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
{
inputs,
vacuModuleType,
config,
lib,
...
}:
lib.optionalAttrs (vacuModuleType != "plain") {
nix.registry = lib.mkIf (!config.vacu.isMinimal) {
vacu.to = {
type = "path";
path = inputs.self.outPath;
};
};
}

125
common/default.nix
View File

@@ -1,125 +0,0 @@
{
config,
lib,
inputs,
vacuModuleType,
vacuModules,
...
}:
let
inherit (lib) mkOption types;
inherit (inputs) self;
expectedModuleTypes = [
"nixos"
"nix-on-droid"
"plain"
];
anyRev = attrs: toString (attrs.rev or attrs.dirtyRev or "unk");
anyShortRev = attrs: toString (attrs.shortRev or attrs.dirtyShortRev or "unk");
in
if !builtins.elem vacuModuleType expectedModuleTypes then
builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
else
{
imports = [
vacuModules.packageSet
vacuModules.systemKind
../dns
./acmeDependencies.nix
./assertions.nix
./checks.nix
./common-but-not.nix
./git.nix
./hosts.nix
./hpn.nix
./lix.nix
./minimal-nixos.nix
./nixos.nix
./nixos-rebuild.nix
./nixvim.nix
./nix.nix
./nix-on-droid.nix
./packages.nix
./remapCapsLock.nix
./shell
./sops.nix
./sourceTree.nix
./staticNames.nix
./units-config.nix
./units-impl.nix
./verify-system
./thunderbird.nix
];
options = {
vacu.rootCAs = mkOption { type = types.listOf types.str; };
vacu.versionId = mkOption {
type = types.str;
readOnly = true;
};
vacu.versionInfo = mkOption { readOnly = true; };
vacu.hostName = mkOption {
type = types.nullOr types.str;
default = null;
};
vacu.shortHostName = mkOption {
type = types.nullOr types.str;
default = config.vacu.hostName;
defaultText = "{option}`vacu.hostName`";
};
vacu.vnopnCA = mkOption {
readOnly = true;
type = types.str;
};
};
config = {
vacu.versionId = "${anyShortRev self}-${self.lastModifiedDate or "unk"}";
vacu.versionInfo =
{
rev = anyRev self;
inherit (self) lastModified lastModifiedDate;
inherit (config.vacu) versionId;
inherit vacuModuleType;
inputRevs = lib.mapAttrs (_: v: anyRev v) inputs;
}
// lib.optionalAttrs (!config.vacu.isMinimal) {
flakePath = self.outPath;
inherit inputs;
};
vacu.nix.caches.vacu = {
url = "https://nixcache.shelvacu.com/";
keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
};
vacu.nix.caches.nix-community = {
url = "https://nix-community.cachix.org/";
keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
enable = false;
};
vacu.nix.caches.nix-on-droid = {
url = "https://nix-on-droid.cachix.org/";
keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
enable = false;
};
vacu.nix.caches.nixos = {
url = "https://cache.nixos.org/";
keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
};
vacu.vnopnCA = ''
-----BEGIN CERTIFICATE-----
MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-----END CERTIFICATE-----
'';
vacu.rootCAs = [ config.vacu.vnopnCA ];
vacu.ssh.authorizedKeys = import inputs.vacu-keys;
};
}

5
common/desktopApps.nix
View File

@@ -1,5 +0,0 @@
{ lib, vacuModuleType, ... }:
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.desktopApps = lib.mkEnableOption "asdf";
#todo
}

58
common/git.nix
View File

@@ -1,58 +0,0 @@
{ lib, config, vacuModules, ... }:
{
imports = [ vacuModules.git ];
vacu.git.enable = lib.mkDefault config.vacu.isDev;
vacu.git.config = {
init.defaultBranch = "master";
pull.rebase = false;
user.name = "Shelvacu";
user.email = "git@shelvacu.com";
author.name = "Shelvacu";
author.email = "git@shelvacu.com";
committer.name = "Shelvacu on ${config.vacu.hostName}";
committer.email = "git@shelvacu.com";
user.useConfigOnly = true;
checkout.workers = 0;
# "We *could* use atomic writes, but those are slowwwwww! Are you sure?????" - git, still living in the 90s
# Yes git, I'm sure
core.fsync = "all";
diff.mnemonicPrefix = true;
gc.reflogExpire = "never";
gc.reflogExpireUnreachable = "never";
url."https://github.com/".insteadOf = [
"hgh:"
"github-http:"
"github-https:"
];
url."git@github.com:".insteadOf = [
"sgh:"
"gh:"
"github-ssh:"
];
url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
url."https://gitlab.com/".insteadOf = [
"hgl:"
"gitlab-http:"
"gitlab-https:"
];
url."git@gitlab.com:".insteadOf = [
"sgl:"
"gl:"
"gitlab-ssh:"
];
url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
url."https://git.uninsane.org/".insteadOf = [
"hu:"
"uninsane-http:"
"uninsane-https:"
];
url."git@git.uninsane.org:".insteadOf = [
"u:"
"su:"
"uninsane-ssh"
];
url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
};
}

4
common/home.nix
View File

@@ -1,4 +0,0 @@
{ ... }:
{
imports = [ ./common-but-not.nix ];
}

155
common/hosts.nix
View File

@@ -1,155 +0,0 @@
{ lib, vacuModules, ... }:
{
imports = [
vacuModules.knownHosts
vacuModules.ssh
];
vacu.hosts = {
#public hosts
"github.com".sshKeys =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".sshKeys =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
"git.sr.ht".sshKeys =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
"sdf.org" = {
sshHostname = "tty.sdf.org";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
};
"rsn" = {
altNames = [
"rsyncnet"
"rsync.net"
];
sshUsername = "fm2382";
sshHostname = "fm2382.rsync.net";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdUkGe6kKn5ssz4WRZKjcws0InbQqZayenzk9obmP1z";
};
#colin's stuff
"servo" = {
altNames = [
"git.uninsane.org"
"uninsane.org"
];
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
};
"desko" = {
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
};
#daymocker's stuff
"pluto" = {
sshHostname = "pluto.somevideogam.es";
primaryIp = "74.208.184.137";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
};
#powerhouse hosts
"ostiary" = {
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
};
"habitat" = {
# previously known as zigbee-hub
primaryIp = "10.78.79.114";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
};
"vnopn" = {
primaryIp = "10.78.79.1";
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
};
#personal hosts
triple-dezert = {
altNames = [
"trip"
"trip.shelvacu.com"
"triple-dezert.shelvacu.com"
];
sshAliases = [ "trip" ];
primaryIp = "172.83.159.53";
altIps = [ "10.78.79.237" ];
isLan = true;
sshPort = 6922;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
prophecy = {
altNames = [
"prop"
"prop.shelvacu.com"
"prophecy.shelvacu.com"
];
sshAliases = [ "prop" ];
primaryIp = "205.201.63.13";
altIps = [ "10.78.79.22" ];
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPmy1+1CL6mLbp0IfRTLwsVdjKmw5u0kbQqHin8oXMq";
};
servacu = {
altNames = [
"mail.dis8.net"
"servacu.shelvacu.com"
];
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
altNames = [
"rsb"
"finaltask.xyz"
];
sshAliases = [ "rsb" ];
primaryIp = "45.87.250.193";
sshPort = 2222;
sshUsername = "user";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
altIps = [
"10.4.5.218"
"10.244.46.71"
];
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
primaryIp = "45.142.157.71";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
};
deckvacu = {
sshUsername = "deck";
sshKeys = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
altNames = [ "liam.dis8.net" ];
primaryIp = "178.128.79.152";
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
fw = {
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
};
legtop = {
altNames = [ "lt" ];
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
};
mmm = {
primaryIp = "10.78.79.11";
isLan = true;
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
};
solis = {
altNames = [ "solis.dis8.net" ];
primaryIp = "89.213.174.171";
# altIps = [ "2a0f:9400:7e11:cd44:0000:0000:0000:0001" ];
sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhFKmRMfk+4Xx96Jwt6S9/ikC0cm4ukeO8hjpZDj+9n";
};
};
}

15
common/hpn.nix
View File

@@ -1,15 +0,0 @@
{
config,
lib,
vacuModuleType,
...
}:
{
# options.vacu.ssh-hpn.enable = lib.mkEnableOption "openssh hpn";
}
// lib.optionalAttrs (vacuModuleType == "nixos") {
# config.nixpkgs.overlays = [ (old: new: {
# openssh-without-hpn = old.openssh;
# openssh = if config.vacu.ssh-hpn.enable then new.openssh_hpn else new.openssh-without-hpn;
# }) ];
}

7
common/lix.nix
View File

@@ -1,7 +0,0 @@
{ vacuModuleType, ... }:
if vacuModuleType == "nixos" then
{
# imports = [ inputs.lix-module.nixosModules.default ];
}
else
{ }

53
common/minimal-nixos.nix
View File

@@ -1,53 +0,0 @@
{
config,
pkgs,
lib,
vacuModuleType,
inputs,
...
}:
let
inherit (lib) mkIf mkDefault;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
config = mkIf config.vacu.isMinimal {
programs.git.lfs.enable = false;
programs.git.package = pkgs.gitMinimal;
nix.registry.nixpkgs.to = lib.mkForce {
type = "github";
owner = "NixOS";
repo = "nixpkgs";
rev = inputs.nixpkgs.rev;
};
# mostly copied from nixos's /profiles/minimal.nix
documentation.enable = mkDefault false;
documentation.doc.enable = mkDefault false;
documentation.info.enable = mkDefault false;
documentation.man.enable = mkDefault false;
documentation.nixos.enable = mkDefault false;
# Perl is a default package.
environment.defaultPackages = mkDefault [ ];
environment.stub-ld.enable = false;
# The lessopen package pulls in Perl.
programs.less.lessopen = mkDefault null;
programs.command-not-found.enable = mkDefault false;
services.logrotate.enable = mkDefault false;
services.udisks2.enable = mkDefault false;
xdg.autostart.enable = mkDefault false;
xdg.icons.enable = mkDefault false;
xdg.mime.enable = mkDefault false;
xdg.sounds.enable = mkDefault false;
};
}

4
common/nix-command-extensions/default.nix
View File

@@ -1,4 +0,0 @@
{ ... }:
{
}

71
common/nix-command-extensions/nix.sh
View File

@@ -1,71 +0,0 @@
#!/bin/bash
# replaceme START
declare -A cache_to_url
cache_to_url["foo"]="https://example.com/some-nix-cache"
declare -a caches_to_use=("foo")
declare nixCmd="foo"
# replaceme END
declare -a preArgs
declare -a passThruArgs
cache_name=""
function valid_cache_name() {
cache_name="$1"
if [[ $cache_name == -* ]]; then
echo "invalid cache name" >&2
exit 1
fi
}
while [[ -n $1 ]]; do
arg="$1"
shift
case "$arg" in
"--without-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use=("${caches_to_use[@]/$cache_name/}")
;;
"--with-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use+=("$cache_name")
;;
"--only-cache")
cache_name="$1"
shift
valid_cache_name "$cache_name"
caches_to_use=("$cache_name")
;;
"--on-trip")
if [[ $HOSTNAME == "triple-dezert" ]]; then
echo "Warn: skipping --on-trip: already on trip" >&2
else
passThruArgs+=("--builders" "ssh://trip x86_64-linux,aarch64-linux" "--max-jobs" "0" "--option" "builders-use-substitutes" "true")
fi
;;
"--")
passThruArgs+=("$arg" "$@")
break
;;
*)
passThruArgs+=("$arg")
;;
esac
done
declare -a substituters
for c in "${caches_to_use[@]}"; do
url="${cache_to_url["$c"]}"
substituters+=("$url")
done
substituters_together="${substituters[*]}"
preArgs+=("--option" "substituters" "$substituters_together")
exec "$nixCmd" "${preArgs[@]}" "${passThruArgs[@]}"

20
common/nix-on-droid.nix
View File

@@ -1,20 +0,0 @@
{
config,
lib,
vacuModuleType,
...
}:
let
inherit (lib) mkDefault;
in
lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
environment.etc.profile.text = config.vacu.shell.interactiveLines;
environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
vacu.hostName = mkDefault "nix-on-droid";
vacu.shortHostName = mkDefault "nod";
}

34
common/nix.nix
View File

@@ -1,34 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkOption types;
caches = builtins.attrValues config.vacu.nix.caches;
enabledCaches = builtins.filter (c: c.enable) caches;
in
{
options = {
vacu.nix.caches = mkOption {
type = types.attrsOf (
types.submodule (
{ ... }:
{
options = {
url = mkOption { type = types.str; };
keys = mkOption {
type = types.listOf types.str;
default = [ ];
};
enable = mkOption {
default = true;
type = types.bool;
};
};
}
)
);
};
vacu.nix.substituterUrls = mkOption { readOnly = true; };
vacu.nix.trustedKeys = mkOption { readOnly = true; };
};
config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
}

23
common/nixos-rebuild.nix
View File

@@ -1,23 +0,0 @@
{
pkgs,
config,
lib,
vacuModuleType,
...
}:
let
nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package; };
in
lib.optionalAttrs (vacuModuleType == "nixos") {
system.build.nixos-rebuild = lib.mkForce (
pkgs.runCommandLocal "nixos-rebuild-wrapped"
{
nativeBuildInputs = [ pkgs.makeShellWrapper ];
meta.mainProgram = "nixos-rebuild";
}
''
mkdir -p "$out"/bin
makeShellWrapper ${lib.getExe nixos-rebuild} "$out"/bin/nixos-rebuild --add-flags "--use-remote-sudo --use-substitutes"
''
);
}

91
common/nixos.nix
View File

@@ -1,91 +0,0 @@
{
lib,
pkgs,
config,
vacuModuleType,
...
}:
lib.optionalAttrs (vacuModuleType == "nixos") {
imports = [ ../nixos-modules ];
options.vacu.underTest = lib.mkOption {
default = false;
type = lib.types.bool;
};
config = {
programs.mosh.enable = true;
console = {
keyMap = lib.mkDefault "us";
};
networking = lib.mkIf (config.vacu.hostName != null) { inherit (config.vacu) hostName; };
vacu.packages."xorg-xev" = {
enable = config.services.xserver.enable;
package = pkgs.xorg.xev;
};
programs.nix-ld.enable = true;
system.nixos.tags = [
"vacu${config.vacu.versionId}"
config.vacu.hostName
];
environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
environment.etc."chromium" = lib.mkIf config.vacu.isGui {
source = "/run/current-system/sw/etc/chromium";
};
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
time.timeZone = "America/Los_Angeles";
users.users.shelvacu = lib.mkIf (!config.vacu.isContainer) {
openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
isNormalUser = true;
extraGroups = [ "wheel" ];
};
services.openssh = {
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
};
nix.settings.trusted-users = lib.mkIf (!config.vacu.isContainer) [ "shelvacu" ];
security.sudo.wheelNeedsPassword = lib.mkDefault false;
programs.screen = {
enable = true;
screenrc = ''
defscrollback 10000
termcapinfo xterm* ti@:te@
maptimeout 5
'';
};
programs.tmux = lib.mkIf (!config.vacu.isContainer) {
enable = true;
extraConfig = "setw mouse";
clock24 = true;
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
substituters = lib.mkForce config.vacu.nix.substituterUrls;
extra-substituters = lib.mkForce [ ];
trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
extra-trusted-public-keys = lib.mkForce [ ];
};
security.pki.certificates = config.vacu.rootCAs;
# commands.nix
environment.pathsToLink = [
"/share/vacufuncs"
"/etc/chromium"
];
programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
programs.bash.promptInit = lib.mkForce "";
systemd.services.nix-daemon.serviceConfig.Nice = "10";
};
}

31
common/nixvim.nix
View File

@@ -1,31 +0,0 @@
{
pkgs,
config,
inputs,
lib,
...
}:
let
inherit (lib) mkOption types;
nixvim-name = if config.vacu.nixvim.minimal then "nixvim-minimal" else "nixvim";
in
{
options = {
vacu.nixvim.minimal = mkOption {
type = types.bool;
default = config.vacu.isMinimal;
};
vacu.nixvimPkg = mkOption {
type = types.package;
readOnly = true;
};
};
config = {
vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.${nixvim-name};
vacu.shell.functions = lib.mkIf (!config.vacu.isMinimal) {
nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
nvim = ''nvim-nixvim "$@"'';
};
};
}

265
common/packages.nix
View File

@@ -1,265 +0,0 @@
{
pkgs,
config,
lib,
vacuModuleType,
...
}:
let
enableFfmpeg = !config.vacu.isMinimal;
enableFfmpegFull = enableFfmpeg && config.vacu.isGui;
enableFfmpegHeadless = enableFfmpeg && !config.vacu.isGui;
winePkgs = pkgs.wineWow64Packages;
in
{
vacu.packages = lib.mkMerge [
{
borgbackup.enable = config.vacu.isDev && (pkgs.system != "aarch64-linux"); # borgbackup build is borken on aarch64
ffmpeg-vacu-full = {
enable = enableFfmpegFull;
package = pkgs.ffmpeg-full;
overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
};
ffmpeg-vacu-headless = {
enable = enableFfmpegHeadless;
package = pkgs.ffmpeg-headless;
overrides.libbluray = config.vacu.packages.libbluray-all.finalPackage;
};
libbluray-all = {
package = pkgs.libbluray;
overrides = {
withJava = true;
withAACS = true;
withBDplus = true;
};
};
inkscape-all = {
package = pkgs.inkscape-with-extensions;
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
overrides.inkscapeExtensions = null;
};
p7zip-unfree = {
package = pkgs.p7zip;
overrides.enableUnfree = true;
};
ruby.package = lib.mkOverride 900 pkgs.ruby_3_4;
wine.package = winePkgs.waylandFull;
wine-fonts.package = winePkgs.fonts;
vacu-units.package = config.vacu.units.finalPackage;
}
(lib.mkIf config.vacu.isGui
# just do all the matrix clients, surely one of them will work enough
''
cinny-desktop
element-call
element-desktop
fluffychat
fractal
gomuks
gomuks-web
# hydrogen has no -desktop version
iamb
kazv
matrix-commander
matrix-commander-rs
matrix-dl
mm
neosay
nheko
pinecone
# quaternion # build is borked
''
)
(lib.mkIf config.vacu.isGui
# pkgs for systems with a desktop GUI
''
acpi
anki
audacity
arduino-ide
bitwarden-desktop
brave
dino
filezilla
gamemode
gnome-maps
gparted
ghidra
gimp
haruna
iio-sensor-proxy
inkscape-all
jellyfin-media-player
josm
kdePackages.elisa
kdePackages.kdenlive
libreoffice-qt6-fresh
# librewolf
linphone
merkaartor
nextcloud-client
obsidian
openscad
openshot-qt
orca-slicer
OSCAR
prismlauncher
shotcut
signal-desktop
svp
# thunderbird #managed thru vacu.programs.thunderbird
tremotesf
ungoogled-chromium
vlc
wayland-utils
wev
wine
wine-fonts
wireshark
wl-clipboard
''
)
# pkgs for development-ish
(lib.mkIf config.vacu.isDev ''
cargo
clippy
gnumake
man-pages
patchelf
python3
ruby
rustc
rust-script
shellcheck
stdenv.cc
'')
(lib.mkIf (!config.vacu.isMinimal)
# big pkgs for non-minimal systems
''
aircrack-ng
android-tools
bitwarden-cli
dmidecode
fido2-manage
flac
hdparm
home-manager
imagemagickBig
kanidm_1_6
libsmi
man
mdadm
megatools
mercurial #aka hg
minicom
mkvtoolnix-cli
# neovim => see common/nixvim.nix
net-snmp
nix-index
nix-inspect
nix-search-cli
nix-tree
nmap
nvme-cli
proxmark3
rclone
ripgrep-all
smartmontools
tcpdump
termscp
tshark
vrb
yt-dlp
''
)
# pkgs included everywhere
''
_7zip
altcaps
ddrescue
dig
dnsutils
ethtool
file
# git is handled by common/git.nix
gnutls
gptfdisk
hostname
htop
inetutils
iperf3
iputils
jq
jujutsu
killall
libossp_uuid # provides `uuid` binary
linuxquota
lshw
lsof
mosh
nano
ncdu
netcat-openbsd
nixos-rebuild
openssl
# p7zip-unfree
pciutils
progress
psutils
pv
ripgrep
rsync
screen
# sed => gnused
shellvaculib
# sops => should use `nr vacu#sops` instead
sshfs
ssh-to-age
# tar => gnutar
tmux
tree
tzdata
# units => vacu-units
unzip
usbutils
vacu-units
vim
wget
zip
''
# packages that are in [`requiredPackages`][1] in nixos, but maybe not included in nix-on-droid
# [1]: https://github.com/NixOS/nixpkgs/blob/26d499fc9f1d567283d5d56fcf367edd815dba1d/nixos/modules/config/system-path.nix#L11
(lib.optionalAttrs (vacuModuleType == "nix-on-droid") ''
#stdenv.cc.libc shouldn't be needed right?
acl
attr
bashInteractive
bzip2
cpio
curl
diffutils
findutils
gawk
getent
getconf
gnugrep
gnupatch
gnused
gnutar
gzip
less
libcap
mkpasswd
ncurses
#netcat is replaced by netcat-openbsd
openssh
procps
su
time
util-linux
which
xz
zstd
'')
];
}

36
common/remapCapsLock.nix
View File

@@ -1,36 +0,0 @@
{
pkgs,
lib,
config,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.enableCapsLockRemap = mkOption {
type = types.bool;
default = config.vacu.isGui;
defaultText = "{option}`vacu.isGui`";
};
config = lib.mkIf config.vacu.enableCapsLockRemap {
# https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
services.interception-tools =
let
itools = pkgs.interception-tools;
itools-caps = pkgs.interception-tools-plugins.caps2esc;
in
{
enable = true;
plugins = [ itools-caps ];
# requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
udevmonConfig = pkgs.lib.mkDefault ''
- JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
'';
};
};
}

29
common/shell/container-aliases.nix
View File

@@ -1,29 +0,0 @@
{
pkgs,
lib,
config,
vaculib,
...
}:
let
inherit (vaculib) script;
in
{
options.vacu.shell.containerAliases = lib.mkEnableOption "container aliases";
config = lib.mkIf config.vacu.shell.containerAliases {
vacu.packages = [
(script "ncrun" ''
svl_min_args $# 2
svl_auto_sudo
container="$1"
shift
exec ${lib.getExe pkgs.nixos-container} run "$container" -- "$@"
'')
(script "ncrl" ''
svl_exact_args $# 1
svl_auto_sudo
exec ${lib.getExe pkgs.nixos-container} root-login "$1"
'')
];
};
}

192
common/shell/default.nix
View File

@@ -1,192 +0,0 @@
{
config,
lib,
pkgs,
vaculib,
...
}:
let
inherit (lib) mkOption types;
cfg = config.vacu.shell;
writeShellFunction =
name: text:
pkgs.writeTextFile {
inherit name;
executable = false;
destination = "/share/vacufuncs/${name}";
text = ''
${text}
'';
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
};
functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
wrappedBashPkg = vaculib.makeWrapper {
original = pkgs.bash;
new = "vacuinit-bash";
prepend_flags = [
"--init-file"
vacuInitFile
];
};
wrappedBash = lib.getExe wrappedBashPkg;
in
{
imports = [
./not-aliases.nix
./ps1.nix
./container-aliases.nix
./vacuhistory.nix
./qcd.nix
];
options = {
vacu.shell.functionsDir = mkOption {
type = types.path;
default = "/run/current-system/sw/share/vacufuncs";
};
vacu.shell.interactiveLines = mkOption {
type = types.lines;
readOnly = true;
};
vacu.shell.wrappedBash = mkOption { readOnly = true; };
vacu.shell.idempotentShellLines = mkOption {
type = types.lines;
default = "";
};
vacu.shell.color = mkOption {
type = types.enum (builtins.attrNames vaculib.shellColors);
default = "white";
};
vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
};
config.vacu = {
shell.interactiveLines = ''
if [[ $- == *i* ]]; then
SHELLVACULIB_COMPAT=1 source ${lib.escapeShellArg pkgs.shellvaculib.file}
if [[ -f ${cfg.functionsDir}/vacureload ]]; then
function __vacushell_load() { eval "$(<${cfg.functionsDir}/vacureload)"; }
__vacushell_load
unset __vacushell_load
fi
fi
'';
shell.wrappedBash = wrappedBash;
shell.idempotentShellLines = lib.mkBefore ''
PROMPT_COMMAND=()
PS0=""
'';
shell.functions = {
"vacureload" = ''
declare -gA vacuShellFunctionsLoaded
if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
unset -f $funcname
done
return
fi
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
unset -f $funcname
fi
done
for fullPath in ${cfg.functionsDir}/*; do
local funcname="$(basename "$fullPath")"
local followedPath="$(readlink -f "$fullPath")"
if [[ "''${vacuShellFunctionsLoaded[$funcname]-}" != "$followedPath" ]]; then
unset -f $funcname
eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(<'$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
vacuShellFunctionsLoaded[$funcname]=$followedPath
fi
unset followedPath
unset funcname
done
__run_idempotents
# your idempotent shell lines are idempotent, right?
__run_idempotents
'';
"__run_idempotents" = cfg.idempotentShellLines;
vhich = ''
if [[ $# != 1 ]]; then
echo "expected exactly one arg" 1>&2
return 1
fi
declare query="$1"
declare quote='`'"$query'"
declare kind="$(type -t -- "$query")"
if [[ "$kind" == "" ]]; then
echo "could not find any command $quote" 1>&2
return 1
fi
echo "$quote is a $kind"
case "$kind" in
"alias")
alias "$query"
return 0
;;
"keyword")
echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
return 0
;;
"function")
if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
echo "$quote is a vacufunc"
path="''${vacuShellFunctionsLoaded[$query]}"
# continue to below
else
declare -f "$query"
return 0
fi
;;
"builtin")
echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
return 0
;;
"file")
path="$(type -p "$query")"
# continue to below
;;
*)
echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
return 1
esac
echo "path:"
while [[ -L "$path" ]]; do
declare dest="$(readlink -- "$path")"
echo " $path is a symlink to $dest"
if [[ "$dest" != /* ]]; then
dest="$(dirname -- "$path")/$dest"
fi
path="$dest"
done
echo " $path"
if ! [[ -e "$path" ]]; then
echo "$path does not exist!"
return 1
fi
if ! [[ -x "$path" ]]; then
echo "$path is not executable!"
return 1
fi
canon="$(readlink -f -- "$path")"
if [[ "$path" != "$canon" ]]; then
echo " $path canonicalizes to $canon"
path="$canon"
fi
magic_parse="$(file --brief --mime -- "$path")"
echo "magic: $magic_parse"
case "$magic_parse" in
'text/x-shellscript;'* | 'text/plain;'*)
echo "initial contents:"
echo
head --lines=10 "$path" | head --bytes=2000
echo "..."
;;
esac
'';
};
packages = functionPackages;
};
}

226
common/shell/not-aliases.nix
View File

@@ -1,226 +0,0 @@
# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
{
pkgs,
lib,
config,
vaculib,
...
}:
let
inherit (vaculib) script;
simple =
name: args:
let
binContents = ''
#!${lib.getExe pkgs.bash}
exec ${lib.escapeShellArgs args} "$@"'';
funcContents = ''
declare aliasName=${lib.escapeShellArg name}
declare -a replacementWords=(${lib.escapeShellArgs args})
declare replacementStr
declare oldIFS="$IFS"
IFS=' '
replacementStr="''${replacementWords[*]}"
IFS="$oldIFS"
COMP_LINE="''${COMP_LINE/#$aliasName/$replacementStr}"
COMP_POINT=$(( COMP_POINT + ''${#replacementStr} - ''${#aliasName} ))
COMP_CWORD=$(( COMP_CWORD + ''${#replacementWords[@]} - 1 ))
COMP_WORDS=("''${replacementWords[@]}" "''${COMP_WORDS[@]:1}")
_comp_command_offset 0
'';
in
pkgs.runCommandLocal "vacu-notalias-simple-${name}"
{
pname = name;
meta.mainProgram = name;
}
''
mkdir -p "$out"/bin
printf '%s' ${lib.escapeShellArg binContents} > "$out"/bin/${name}
chmod a+x "$out"/bin/${name}
out_base="$(basename -- "$out")"
LC_ALL=C
completion_function_name="_completion_''${out_base//[^a-zA-Z0-9_]/_}"
completion_file="$out"/share/bash-completion/completions/${name}
mkdir -p "$(dirname -- "$completion_file")"
printf '%s() {\n%s\n}\n' "$completion_function_name" ${lib.escapeShellArg funcContents} > "$completion_file"
printf 'complete -F %s %s\n' "$completion_function_name" ${lib.escapeShellArg name} >> "$completion_file"
'';
ms_text = with_sudo: ''
svl_minmax_args $# 1 2
host="$1"
session_name="''${2:-main}"
set -x
mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
'';
systemctl = "${pkgs.systemd}/bin/systemctl";
journalctl = "${pkgs.systemd}/bin/journalctl";
in
{
imports = [ { vacu.packages.copy-altcaps.enable = config.vacu.isGui; } ];
vacu.packages = [
(script "ms" (ms_text false))
(script "mss" (ms_text true))
(script "msl" ''
svl_exact_args $# 1
host="$1"
echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
'')
(script "rmln" ''
svl_min_args $# 1
for arg in "$@"; do
if [[ "$arg" != -* ]] && [[ ! -L "$arg" ]]; then
svl_die "$arg is not a symlink"
fi
done
rm "$@"
'')
(script "copy-altcaps" ''
result="$(altcaps "$@")"
printf '%s' "$result" | wl-copy
echo "Copied to clipboard: $result"
'')
(script "nr" ''
# nix run nixpkgs#<thing> -- <args>
svl_min_args $# 1
installable="$1"
shift
if [[ "$installable" != *'#'* ]]; then
installable="nixpkgs#$installable"
fi
nix run "$installable" -- "$@"
'')
(script "nb" ''
# nix build nixpkgs#<thing> <args>
svl_min_args $# 1
installable="$1"
shift
if [[ "$installable" != *'#'* ]]; then
installable="nixpkgs#$installable"
fi
nix build "$installable" "$@"
'')
(script "ns" ''
# nix shell nixpkgs#<thing>
svl_min_args $# 1
new_args=( )
for arg in "$@"; do
if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
arg="nixpkgs#$arg"
fi
new_args+=("$arg")
done
nix shell "''${new_args[@]}"
'')
(script "nixview" ''
svl_min_args $# 1
view_cmd="$1"
shift
d="$(mktemp -d --suffix=vacu-nixview)"
l="$d/out"
nix build --out-link "$l" "$@"
"$view_cmd" "$l"
rm -r "$d"
'')
(simple "nixcat" [
"nixview"
"cat"
])
(simple "nixless" [
"nixview"
"less"
])
(simple "sc" [ systemctl ])
(simple "scs" [
systemctl
"status"
"--lines=20"
"--full"
])
(simple "scc" [
systemctl
"cat"
])
(simple "scr" [
systemctl
"restart"
])
(simple "jc" [
journalctl
"--pager-end"
])
(simple "jcu" [
journalctl
"--pager-end"
"-u"
])
(simple "gs" [
"git"
"status"
])
(script "list-auto-roots" ''
auto_roots="/nix/var/nix/gcroots/auto"
svl_exact_args $# 0
echo "List of auto-added nix gcroots, excluding system profiles:"
echo
for fn in "$auto_roots/"*; do
if ! [[ -L "$fn" ]]; then
die "fn is not a symlink!?: $fn"
fi
pointed="$(readlink -v -- "$fn")"
if ! [[ -e "$pointed" ]]; then
continue
fi
if [[ "$pointed" == /nix/var/nix/profiles/system-* ]]; then
continue
fi
printf '%s\n' "$pointed"
done
'')
];
vacu.shell.functions = {
nd = ''
svl_min_args $# 1
declare -a args=("$@")
lastarg="''${args[-1]}"
if [[ "$lastarg" == "-"* ]]; then
echo "nd: last argument must be the directory" 1>&2
return 1
fi
for arg in "''${args[@]::''${#args[@]}-1}"; do
if [[ "$arg" != "-"* ]]; then
echo "nd: last argument must be the directory" 1>&2
return 1
fi
done
mkdir "''${args[@]}" && cd "''${args[-1]}"
'';
nt = ''pushd "$(mktemp -d "$@")"'';
};
vacu.textChecks."vacu-shell-functions-nd" = ''
source ${lib.escapeShellArg pkgs.shellvaculib.file}
function nd() {
${config.vacu.shell.functions.nd}
}
start=/tmp/test-place
mkdir -p $start
cd $start
nd a
[[ "$PWD" == "$start/a" ]]
cd $start
nd -p b/c
[[ "$PWD" == "$start/b/c" ]]
'';
vacu.textChecks."vacu-shell-functions-nt" = ''
source ${lib.escapeShellArg pkgs.shellvaculib.file}
function nt() {
${config.vacu.shell.functions.nt}
}
start=$PWD
nt
[[ "$PWD" != "$start" ]]
popd
[[ "$PWD" == "$start" ]]
'';
}

57
common/shell/ps1.nix
View File

@@ -1,57 +0,0 @@
{
config,
lib,
vaculib,
vacuModuleType,
...
}:
let
cfg = config.vacu.shell;
# https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
colors = vaculib.shellColors;
# TODO: reset_without_clear doesn't fully work
# thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
# https://man.archlinux.org/man/bash.1#PROMPTING
# \[ and \] begins and ends "a sequence of non-printing characters"
set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
set_inverted_color = colornum: ''\[\e[1;37;${toString (colornum + 10)}m\]'';
reset_color = ''\[\e[0m\]'';
colornum = colors.${cfg.color};
root_text = root: lib.optionalString root "ROOT@";
final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
hostName = if vacuModuleType == "plain" then ''\h'' else config.vacu.shortHostName;
default_ps1 =
root:
""
+ ''\n''
# + ''\[${reset_without_clear}\]''
+ (set_color colornum)
+ "${root_text root}${hostName}:\\w"
+ " "
+ ''$(vacu_shell_show_return_code)''
+ ''\n''
+ (set_color colornum)
+ (final root)
+ reset_color
+ " ";
in
{
vacu.shell.idempotentShellLines = ''
function vacu_shell_show_return_code() {
local ret=$?
local color=${toString colors.green}
if [[ "$ret" != 0 ]]; then
color=${toString colors.red}
fi
printf '\e[1;%dm' $color
printf "%d" "$ret"
return "$ret"
}
if [[ $EUID == 0 ]]; then
PS1=${lib.escapeShellArg (default_ps1 true)}
else
PS1=${lib.escapeShellArg (default_ps1 false)}
fi
'';
}

50
common/shell/qcd.nix
View File

@@ -1,50 +0,0 @@
{
lib,
config,
vacuModuleType,
vaculib,
...
}:
let
inherit (lib) mkOption types;
home =
if vacuModuleType == "nix-on-droid" then
"/data/data/com.termux.nix/files/home"
else
"/home/shelvacu";
in
{
options.vacu.qcd = mkOption {
default = { };
type = types.attrsOf types.path;
};
config.vacu.shell.functions.qcd = ''
svl_exact_args $# 1
declare the_arg="$1"
declare base="''${the_arg%%/*}"
declare rest="''${the_arg:''${#base}}"
declare path
if false; then :
${lib.pipe config.vacu.qcd [
(lib.mapAttrsToList (
alias: path:
''elif [[ $base == ${lib.escapeShellArg alias} ]]; then path=${lib.escapeShellArg path}''
))
(lib.concatStringsSep "\n")
]}
fi
if ! [[ -v path ]]; then
svl_eprintln "unrecognized alias $base"
return 1
fi
cd -- "$path$rest"
'';
config.vacu.qcd = {
ns = "${home}/dev/nix-stuff";
np = "${home}/dev/nixpkgs";
dev = "${home}/dev";
};
}

11
common/shell/tweaks.nix
View File

@@ -1,11 +0,0 @@
{ ... }:
{
config.vacu.shell.idempotentShellLines = ''
if [[ $- == *i* ]]; then
# don't overwrite files by default when using > redirection
set -o noclobber
# disable ! history expansion
set +o histexpand
fi
'';
}

15
common/shell/vacuhistory.nix
View File

@@ -1,15 +0,0 @@
{ pkgs, ... }:
{
config.vacu = {
shell.idempotentShellLines = ''
if [[ -z "''${VACU_HISTORY_SESSION_ID-}" ]]; then
VACU_HISTORY_SESSION_ID="$(${pkgs.libossp_uuid}/bin/uuid)"
fi
VACU_HISTORY_DB_PATH="$HOME/vacu-shell-history.sqlite"
function vacu_history_record() {
LC_ALL=C HISTTIMEFORMAT='%S|%M|%H|%d|%m|%Y|%w|%j|%z|' history 1 | VACU_HISTORY_SESSION_ID="$VACU_HISTORY_SESSION_ID" VACU_HISTORY_DB_PATH="$VACU_HISTORY_DB_PATH" ${pkgs.vacu-history}/bin/vacu-history
}
PS0='$(vacu_history_record >/dev/null)'"$PS0"
'';
};
}

82
common/sops.nix
View File

@@ -1,82 +0,0 @@
{
lib,
pkgs,
config,
vaculib,
...
}:
let
ssh-to-age = lib.getExe pkgs.ssh-to-age;
sshToAge =
sshPubText:
vaculib.outputOf {
name = "age-from-ssh.txt";
cmd = ''printf '%s' ${lib.escapeShellArg sshPubText} | ${ssh-to-age} > "$out"'';
};
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
userKeysAge = map sshToAge userKeys;
agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = vaculib.outputOf {
name = "test-age-public-key.txt";
cmd = ''printf '%s' ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y > "$out"'';
};
sopsConfig = {
creation_rules = [
{
path_regex = "/secrets/misc/[^/]+$";
key_groups = singleGroup userKeysAge;
}
{
path_regex = "/secrets/hosts/liam\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "liam");
}
{
path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
}
{
path_regex = "/secrets/hosts/prophecy\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
}
{
path_regex = "/secrets/hosts/solis\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "solis");
}
{
path_regex = "/secrets/radicle-private\\.key$";
key_groups = singleGroup (userKeysAge ++ agesOf "fw");
}
{
path_regex = "/secrets/garage-rpc\\.key$";
key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert" ++ agesOf "prophecy" ++ agesOf "solis");
}
{
path_regex = "/tests/triple-dezert/test_secrets/";
key_groups = singleGroup [ testAgePublic ];
}
];
};
sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
wrappedSops = vaculib.makeWrapper {
original = lib.getExe pkgs.sops;
new = "vacu-nix-stuff-sops";
add_flags = [
"--config"
sopsConfigFile
];
run = lib.singleton ''
set -e
age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
export SOPS_AGE_KEY
printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
# declare -p SOPS_AGE_KEY
'';
};
in
{
options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
}

26
common/sourceTree.nix
View File

@@ -1,26 +0,0 @@
{
inputs,
pkgs,
lib,
config,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
in
{
options.vacu.sourceTree = mkOption {
readOnly = true;
type = types.package;
};
config =
{
vacu.sourceTree = pkgs.linkFarm "simple-inputs-tree" inputs;
}
// (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
environment.etc = lib.optionalAttrs (!config.vacu.isMinimal) {
"vacu/sources".source = "${config.vacu.sourceTree}";
};
});
}

89
common/staticNames.nix
View File

@@ -1,89 +0,0 @@
{
lib,
vacuModuleType,
config,
...
}:
let
inherit (lib) mkOption types;
domainPartRegex = "[[:alnum:]]([[:alnum:]-]{0,61}[[:alnum:]])?";
domainRegex = ''^${domainPartRegex}(\.${domainPartRegex})*$'';
domainType = types.strMatching domainRegex;
hostsLines = lib.pipe config.vacu.staticNames [
(lib.mapAttrsToList (k: v: [ k ] ++ v))
(lib.filter (v: (builtins.length v) > 1))
(map (lib.concatStringsSep " "))
(lib.concatStringsSep "\n")
];
ip4Seg = ''[0-9]{1,3}'';
ip4Regex = lib.concatStringsSep ''\.'' [
ip4Seg
ip4Seg
ip4Seg
ip4Seg
];
ip6Regex = ''[0-9a-fA-F:]+'';
ipRegex = ''(${ip4Regex})|(${ip6Regex})'';
in
{
imports =
[
{
vacu.assertions = map (ip: {
assertion = (builtins.match ipRegex ip) != null;
message = ''config.vacu.staticNames: attr name "${ip}" is invalid'';
}) (builtins.attrNames config.vacu.staticNames);
}
]
++ lib.optional (vacuModuleType == "nixos") { networking.hosts = config.vacu.staticNames; }
++ lib.optional (vacuModuleType == "nix-on-droid") {
environment.etc.hosts.text = ''
127.0.0.1 localhost
::1 localhost
${hostsLines}
'';
};
options.vacu.staticNames = mkOption {
type = types.attrsOf (types.listOf domainType);
default = { };
};
config.vacu.staticNames = {
"205.201.63.13" = [
"prop"
"prophecy"
"prophecy.shelvacu-static"
];
"10.78.79.22" = [ "prophecy.t2d.lan.shelvacu-static" ];
"178.128.79.152" = [
"liam"
"liam.shelvacu-static"
];
"172.83.159.53" = [
"trip"
"triple-dezert"
"triple-dezert.shelvacu-static"
];
"10.78.79.237" = [ "triple-dezert.t2d.lan.shelvacu-static" ];
"205.201.63.12" = [
"servo"
"uninsane-servo.shelvacu-static"
];
"10.78.79.1" = [
"vnopn"
"vnopn.shelvacu-static"
"vnopn.t2d.lan.shelvacu-static"
];
"10.78.79.11" = [
"mmm"
"mmm.shelvacu-static"
"mmm.t2d.lan.shelvacu-static"
];
"10.78.79.69" = [
"oeto"
"oeto.shelvacu-static"
"oeto.t2d.lan.shelvacu-static"
];
};
}

100
common/thunderbird.nix
View File

@@ -1,100 +0,0 @@
{
lib,
config,
vacuModuleType,
vaculib,
...
}:
let
inherit (lib) mkOption types;
vacustoreCalUUID = "dd9a924e-57d9-4ea1-b7ec-22d1f0ff3d51";
vacustoreCalConfig = {
"cache.enabled" = true;
calendar-main-in-composite = true;
color = "#33d17a";
disabled = false;
"imip.identity.key" = "id1"; #what is this
name = "Personal";
readOnly = false;
type = "caldav";
uri = "https://vacu.store/remote.php/dav/calendars/shelvacu/personal/";
username = "shelvacu";
};
in
{
options.vacu.programs.thunderbird = {
enable = mkOption {
default = false;
type = types.bool;
};
};
config = lib.optionalAttrs (vacuModuleType == "nixos") (lib.mkIf config.vacu.programs.thunderbird.enable {
programs.thunderbird = {
enable = true;
policies = {
DisableTelemetry = true;
DNSOverHTTPS.Enabled = false;
ExtensionSettings = {
#*cloud - FileLink for Nextcloud and ownCloud
"cloud@johannes-endres.de".installation_mode = "normal_installed";
#NTFNTF: Notify on This Folder Not That Folder
"ntfntf@dan-sullivan.co.uk".installation_mode = "normal_installed";
};
SSLVersionMin = "tls1.3";
SearchEngines.Remove = [
"Amazon.com"
"Bing"
"DuckDuckGo"
"Google"
"Wikipedia (en)"
];
};
preferences = {
"accessibility.typeaheadfind.flashBar" = 0; #what is this
"app.donation.eoy.version.viewed" = -1; #dunno if this actually works
"browser.search.region" = "US";
"calendar.alarms.playsound" = false;
"calendar.alarms.show" = false;
"calendar.ui.version" = 3;
"intl.date_time.pattern_override.date_full" = "MMMM d, yyyy G z";
"intl.date_time.pattern_override.date_short" = "yyyy-MM-dd";
"intl.date_time.pattern_override.time_medium" = "HH:mm:ss z";
"intl.date_time.pattern_override.time_short" = "HH:mm";
# "ldap_2.servers.Contacts.carddav.url" = "https://vacu.store/remote.php/dav/addressbooks/users/shelvacu/contacts/";
# "ldap_2.servers.Contacts.carddav.username" = "shelvacu";
# "ldap_2.servers.Contacts.description" = "vacu.store Contacts";
# "ldap_2.servers.Contacts.dirType" = 102; #no idea what this does
"mail.account.account1.identities" = "id1,id2,id3";
"mail.account.account1.server" = "server1";
"mail.compose.other.header" = "X-Shelvacu-Custom-Header";
"mail.compose.warned_about_customize_from" = true;
"mail.identity.id1.fullName" = "Shelvacu";
"mail.identity.id1.useremail" = "shelvacu@shelvacu.com";
"mail.identity.id1.catchAll" = true;
"mail.server.server1.hostname" = "imap.shelvacu.com";
"mail.server.server1.login_at_startup" = true;
"mail.server.server1.name" = "shelvacu@shelvacu.com";
"mail.server.server1.port" = 993;
"mail.server.server1.type" = "imap";
"mail.server.server1.socketType" = 3; #TLS (as opposed to plaintext or STARTTLS)
"mail.server.server1.userName" = "shelvacu";
"mail.shell.checkDefaultClient" = false;
"mail.showCondensedAddresses" = false;
"mail.smtp.defaultserver" = "smtp1";
"mail.smtpserver.smtp1.authMethod" = 3;
"mail.smtpserver.smtp1.hostname" = "smtp.shelvacu.com";
"mail.smtpserver.smtp1.port" = 465;
"mail.smtpserver.smtp1.try_ssl" = 3;
"mail.smtpserver.smtp1.type" = "smtp";
"mail.smtpserver.smtp1.username" = "shelvacu";
"mail.startup.enabledMailCheckOnce" = true;
"mail.threadpane.listview" = 1;
"mailnews.customHeaders" = "X-Vacu-Action";
"mailnews.default_sort_type" = 27;
"mailnews.mark_message_read.auto" = false;
"mailnews.start_page.enabled" = false;
# "searchintegration.enable" = false;
} // vaculib.mapAttrNames (n: "calendar.registry.${vacustoreCalUUID}.${n}") vacustoreCalConfig;
};
});
}

35
common/units-config.nix
View File

@@ -1,35 +0,0 @@
{
vacu.units.extraUnits = {
b = "bit";
B = "byte";
kibi- = "1024";
Ki- = "kibi";
mebi- = "1024 kibi";
Mi- = "mebi";
gibi- = "1024 mebi";
Gi- = "gibi";
tebi- = "1024 gibi";
Ti- = "tebi";
pebi- = "1024 tebi";
Pi- = "pebi";
baud = "bit/s";
kbps = "kilobit/s";
kibps = "kibibit/s";
mbps = "megabit/s";
mibps = "mebibit/s";
gbps = "gigabit/s";
gibps = "gibibit/s";
tbps = "terabit/s";
tibps = "tebibit/s";
pbps = "petabit/s";
pibps = "pebibit/s";
month = "year/12";
mo = "month";
usd = "USD";
dollar = "USD";
cent = "0.01 USD";
"$" = "USD";
BTC = "bitcoin";
};
}

127
common/units-impl.nix
View File

@@ -1,127 +0,0 @@
{
config,
lib,
pkgs,
vaculib,
...
}:
let
inherit (lib) mkOption types;
unitNameRegex =
let
# Unit names cannot begin or end with an underscore (_), a comma (,) or a decimal point (.). Names must not contain any of the operator characters +, -, *, /, |, ^, ;, ~, the comment character #, or parentheses. To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (-; U+2212), and en dash (; U+2013) are converted to the operator -; the multiplication sign (×; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator *; the division sign (‘÷’; U+00F7) is converted to the operator /; and the fraction slash (U+2044) is converted to the operator |; accordingly, none of these characters can appear in unit names.
disallowedAnywhere =
"+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
disallowedMiddle = "-" + disallowedAnywhere;
disallowedAtEnd = "23456789_,." + disallowedAnywhere;
disallowedAtBegin = "-01" + disallowedAtEnd;
anyExcept = chars: "[^${lib.escapeRegex chars}]";
singleChar = anyExcept disallowedAtBegin;
multiChar = "${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}";
numberSuffix = regex: "${regex}_[0-9\\.,]+";
fullRegex = "${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}";
in
fullRegex;
unitsAttrsType = types.addCheck (types.attrsOf types.str) (
attrs: builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
);
unitsDir = pkgs.stdenvNoCC.mkDerivation {
name = "vacu-units-files";
src = pkgs.units.src;
phases = [
"unpackPhase"
"installPhase"
];
installPhase = ''
mkdir -p "$out"
cp {definitions,elements}.units "$out"
ln -s ${../units/currency.units} "$out"/currency.units
ln -s ${../units/cpi.units} "$out"/cpi.units
printf '%s' ${lib.escapeShellArg config.vacu.units.lines} > "$out"/vacu.units
'';
};
in
{
options.vacu.units = {
originalPackage = mkOption {
type = types.package;
default = pkgs.units.override { enableCurrenciesUpdater = false; };
defaultText = "pkgs.units.override { ... }";
};
finalPackage = mkOption {
type = types.package;
readOnly = true;
};
check = mkOption {
type = types.package;
readOnly = true;
};
generatedConfigDir = mkOption {
readOnly = true;
type = types.package;
};
generatedConfigFile = mkOption {
readOnly = true;
type = types.pathInStore;
};
lines = mkOption {
default = "";
type = types.lines;
};
extraUnits = mkOption {
type = unitsAttrsType;
default = { };
};
};
config = lib.mkMerge [
{
vacu.units = {
finalPackage = vaculib.makeWrapper {
original = config.vacu.units.originalPackage;
new = "units";
prepend_flags = [
"--file"
config.vacu.units.generatedConfigFile
];
};
generatedConfigDir = unitsDir;
generatedConfigFile = "${unitsDir}/vacu.units";
lines = lib.mkOrder 750 ''
# default units file, includes elements.units, currency.units, cpi.units
!include definitions.units
'';
};
vacu.textChecks.units-config = ''
# `units --check` returns success (exit code 0) regardless of success >:(
# example output:
# $ result/bin/units --check
# Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14
# Consumer price index data from US BLS, 2024-02-18
# 7247 units, 125 prefixes, 134 nonlinear units
#
output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
printf '%s' "$output"
filteredLines="$(printf '%s' "$output" \
| grep -v '^\s*$' \
| grep -v 'Currency exchange rates from' \
| grep -v 'Consumer price index data from' \
| grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
)"
if [[ -n "$filteredLines" ]]; then
exit 1
fi
touch "$out"
'';
}
{
vacu.units.lines = lib.concatStringsSep "\n" (
lib.mapAttrsToList (name: value: "+${name} ${value}") config.vacu.units.extraUnits
);
}
];
}

63
common/verify-system/default.nix
View File

@@ -1,63 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib) mkOption mkEnableOption types;
cfg = config.vacu.verifySystem;
in
{
imports = [ ./nixos.nix ];
options.vacu.verifySystem = {
enable = (mkEnableOption "verify system is what is expected") // {
default = false;
};
verifiers = mkOption {
default = { };
type = types.attrsOf (
types.submodule (
{ name, config, ... }:
{
options = {
enable = mkEnableOption "Enable system ident check ${name}";
name = mkOption {
type = types.str;
default = name;
};
script = mkOption {
type = types.lines;
default = "## system ident check ${config.name}";
defaultText = lib.literalText ''## system ident check ${name}'';
};
};
}
)
);
};
verifyAllScript =
let
verifiers = (builtins.attrValues cfg.verifiers);
enabled = builtins.filter (s: s.enable) verifiers;
files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
script = ''
## vacu verify-system
for f in ${lib.concatStringsSep " " files}; do
echo "verifying system with $f"
if ! source $f; then
echo "ERR: $f failed" >&2
return 1
fi
done
'';
scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
in
mkOption {
readOnly = true;
default = scriptFile;
defaultText = "vacu-verify-system-all.sh package";
};
};
}

69
common/verify-system/nixos.nix
View File

@@ -1,69 +0,0 @@
{
lib,
config,
pkgs,
vacuModuleType,
...
}:
let
inherit (lib) mkOption types;
in
lib.optionalAttrs (vacuModuleType == "nixos") {
options.vacu.verifySystem.expectedMac = mkOption {
# lowercase only
type = types.nullOr (types.strMatching "[a-f0-9]{2}(:[a-f0-9]{2}){5}");
default = null;
};
config = lib.mkIf config.vacu.verifySystem.enable {
# system.activationScripts."00-verify-system" = {
# text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
# supportsDryActivation = true;
# };
system.extraSystemBuilderCmds = ''
mv "$out"/bin/switch-to-configuration "$out"/bin/.switch-to-configuration-unverified
echo '#!${pkgs.bash}/bin/bash
(
PATH="${pkgs.coreutils}/bin"
if ! source ${config.vacu.verifySystem.verifyAllScript}; then
exit $?
fi
)
' > "$out"/bin/switch-to-configuration
echo "exec $out/bin/.switch-to-configuration-unverified" '"$@"' >> "$out"/bin/switch-to-configuration
${pkgs.coreutils}/bin/chmod a+x "$out"/bin/switch-to-configuration
'';
vacu.verifySystem.verifiers = {
hostname = {
enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
script = ''
expected=${lib.escapeShellArg config.networking.hostName}
actual="$(</proc/sys/kernel/hostname)"
if [[ "$expected" != "$actual" ]]; then
echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
return 1
fi
'';
};
expectedMac = {
enable = config.vacu.verifySystem.expectedMac != null;
script = ''
declare expected=${lib.escapeShellArg (lib.toUpper config.vacu.verifySystem.expectedMac)}
declare -a actualMacs
mapfile -d"" -t actualMacs < <(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten[]' --raw-output0)
for ifMac in "''${actualMacs[@]}"; do
if [[ "$ifMac" == "$expected" ]]; then
# all is well
return 0
fi
done
echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
echo " Found MAC addresses: ''${actualMacs[*]}" >&2
return 1
'';
};
};
};
}

6
compute-deck/bluetooth.nix Normal file
View File

@@ -0,0 +1,6 @@
{ ... }: {
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
}

76
compute-deck/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ config, pkgs, lib, jovian, inputs, ... }:
{
imports = [
inputs.jovian.nixosModules.jovian
inputs.disko.nixosModules.default
inputs.homeManager.nixosModules.default
./hardware.nix
./partitioning.nix
./home.nix
./bluetooth.nix
./padtype.nix
../common-nixos-config.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = false;
boot.loader.efi.efiSysMountPoint = "/boot/EFI";
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.grub.efiInstallAsRemovable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "compute-deck";
networking.hostId = "e595d9b0";
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
system.stateVersion = "23.11";
jovian.devices.steamdeck.enable = true;
networking.networkmanager.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.openssh.enable = true;
environment.systemPackages = with pkgs; [
audacity
librewolf
jupiter-hw-support
steamdeck-firmware
steamdeck-bios-fwupd
cargo
clippy
rust-analyzer
rustc
rustfmt
rustup
];
boot.kernelPatches = [
{
name = "gadget";
patch = null;
extraStructuredConfig = with lib.kernel; {
USB_ETH=module;
USB_GADGET=yes;
USB_LIBCOMPOSITE=yes;
USB_CONFIGFS=yes;
USB_DWC3=module;
USB_DWC3_PCI=module;
USB_DWC3_DUAL_ROLE=yes;
USB_DWC3_HOST=no;
USB_DWC3_GADGET=no;
USB_ROLE_SWITCH=yes;
};
}
];
}

62
compute-deck/hardware.nix Normal file
View File

@@ -0,0 +1,62 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
/*
fileSystems."/" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=boot" ];
};
*/
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fsType = "ext4";
};
fileSystems."/boot/EFI" =
{ device = "/dev/disk/by-uuid/C268-79C8";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

13
hosts/compute-deck/home.nix → compute-deck/home.nix
View File

@@ -1,7 +1,18 @@
{ ... }: { inputs, ... }:
{ {
home-manager.users.shelvacu = { home-manager.users.shelvacu = {
# these make vscode-remote work
imports = [
inputs.vscode-server.homeModules.default
];
services.vscode-server.enable = true;
home.stateVersion = "23.11"; home.stateVersion = "23.11";
programs.git = {
enable = true;
userName = "Shelvacu";
userEmail = "git@shelvacu.com";
};
programs.librewolf = { programs.librewolf = {
enable = true; enable = true;

16
hosts/compute-deck/padtype.nix → compute-deck/padtype.nix
View File

@@ -1,22 +1,12 @@
{ inputs, ... }: { inputs, ... }: let
let
padtype-pkg = inputs.padtype.packages."x86_64-linux".default; padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
in in {
{
environment.systemPackages = [ padtype-pkg ]; environment.systemPackages = [ padtype-pkg ];
systemd.services."padtype" = { systemd.services."padtype" = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = "${padtype-pkg}/bin/padtype"; script = "${padtype-pkg}/bin/padtype";
}; };
boot.initrd.preLVMCommands = "${padtype-pkg}/bin/padtype &"; boot.initrd.preLVMCommands = "${padtype-pkg}/bin/padtype &";
boot.initrd.kernelModules = [
"uhid"
"i2c_hid_acpi"
"usbhid"
"mac_hid"
"evdev"
"uinput"
];
} }

26
hosts/compute-deck/partitioning.nix → compute-deck/partitioning.nix
View File

@@ -1,6 +1,5 @@
{ inputs, ... }: { ... }:
{ {
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.blarg = { disko.devices.disk.blarg = {
device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11"; device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
content = { content = {
@@ -14,29 +13,20 @@
subvolumes = { subvolumes = {
"/root" = { "/root" = {
mountpoint = "/"; mountpoint = "/";
mountOptions = [ mountOptions = [ "compress=zstd" "noatime" ];
"compress=zstd"
"noatime"
];
}; };
"/home" = { "/home" = {
mountpoint = "/home"; mountpoint = "/home";
mountOptions = [ mountOptions = [ "compress=zstd" "noatime" ];
"compress=zstd"
"noatime"
];
}; };
"/nix" = { "/nix" = {
mountpoint = "/nix"; mountpoint = "/nix";
mountOptions = [ mountOptions = [ "compress=zstd" "noatime" ];
"compress=zstd"
"noatime"
];
}; };
# "/swap" = { # "/swap" = {
# mountpoint = "/.swapvol"; # mountpoint = "/.swapvol";
# swap.swapfile.size = "20M"; # swap.swapfile.size = "20M";
# }; # };
}; };
}; };
}; };

2
dcd
View File

@@ -1,3 +1,3 @@
#!/bin/sh #!/bin/sh
git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@" git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@

29
default.nix
View File

@@ -1,29 +0,0 @@
{
system ? builtins.currentSystem,
}:
let
flakeCompat = (import
(
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
nodeName = lock.nodes.root.inputs.flake-compat;
in
fetchTarball {
url = lock.nodes.${nodeName}.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.${nodeName}.locked.rev}.tar.gz";
sha256 = lock.nodes.${nodeName}.locked.narHash;
}
)
{
inherit system;
src = ./.;
}
);
flake = flakeCompat.outputs;
overlays = import ./overlays;
pkgs = import flake.inputs.nixpkgs {
inherit system overlays;
};
in
pkgs // {
nixpkgs-update = { ... }@args: import "${flake.inputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = overlays; } // args);
}

88
deterministic-certs.nix
View File

@@ -1,88 +0,0 @@
{
nixpkgs ? import <nixpkgs>,
}:
let
pkgs = nixpkgs;
lib = nixpkgs.lib;
defaultCertTemplate = {
serial = 1;
activation_date = "1970-01-01 00:00:00 UTC";
expiration_date = "2500-01-01 00:00:00 UTC";
};
keyValToConfigLines = (
key: value:
if (builtins.isString value) || (builtins.isPath value) then
''${key} = "${value}"''
else if builtins.isInt value then
"${key} = ${builtins.toString value}"
else if builtins.isList value then
map (innerValue: keyValToConfigLines key innerValue)
else if builtins.isBool value then
(if value then "${key}" else "# no ${key}")
else
throw "don't know how to handle ${builtins.typeOf value}"
);
mkTemplateConfig =
config:
lib.concatStringsSep "\n" (
lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
);
privKeyFile =
name:
let
keySizeBits = 256;
keySizeHex = builtins.toString (keySizeBits / 4);
in
pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
seed=$(printf '%s' ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
${pkgs.gnutls}/bin/certtool --generate-privkey --outfile="$out" --key-type=rsa --sec-param=high --seed=$seed
'';
generateCert =
{
name,
config,
args,
preCommands ? "",
}:
let
deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
mkdir -p "$out"
cd "$out"
ln -s ${privKeyFile name} privkey.pem
ln -s ${
pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
} template.cfg
${preCommands}
${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
'';
in
deriv
// {
privateKeyPath = "${deriv}/privkey.pem";
certificatePath = "${deriv}/cert.pem";
};
in
{
inherit privKeyFile;
selfSigned =
name: config:
generateCert {
inherit name config;
args = [ "--generate-self-signed" ];
};
caSigned =
name: ca: config:
generateCert {
inherit name config;
preCommands = ''
ln -s ${ca.privateKeyPath} ca-privkey.pem
ln -s ${ca.certificatePath} ca-cert.pem
'';
args = [
"--generate-certificate"
"--load-ca-certificate=ca-cert.pem"
"--load-ca-privkey=ca-privkey.pem"
];
};
}

57
devver/default.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
imports = [
inputs.homeManager.nixosModules.default
../common-nixos-config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
boot.extraModulePackages = [ ];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
networking.hostName = "devver";
boot.loader.external.enable = true;
boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
set -xev
mkdir -p /boot
cp $1/kernel /boot/kernel
cp $1/initrd /boot/initrd
cp $1/kernel-params /boot/kernel-params
sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
'';
users.users.root.shell = pkgs.bashInteractive;
fileSystems."/boot" = {
fsType = "9p";
device = "boot";
options = [
"trans=virtio"
"access=any"
"version=9p2000.L"
"posixacl"
"cache=mmap"
"nofail"
"noauto"
];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
fsType = "ext4";
};
#boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.openssh.enable = true;
vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
system.stateVersion = "23.11";
}

2
dliam
View File

@@ -1,3 +1,3 @@
#!/bin/sh #!/bin/sh
git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@" git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@

3
dmmm
View File

@@ -1,3 +0,0 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"

137
dns/default.nix
View File

@@ -1,137 +0,0 @@
{
dns,
lib,
vaculib,
config,
...
}:
let
inherit (lib) mkOption types singleton;
inherit (dns.lib.combinators)
ns
ttl
spf
mx
;
inherit (config.vacu) hosts;
cloudnsNameServers = [
"pns51.cloudns.net."
"pns52.cloudns.net."
"pns53.cloudns.net."
"pns54.cloudns.net."
];
cloudnsSoa = (
ttl (60 * 60) {
nameServer = lib.head cloudnsNameServers;
adminEmail = "support@cloudns.net";
serial = 1970010101; # cloudns takes care of updating the serial
refresh = 7200;
retry = 1800;
expire = 1209600;
minimum = 3600;
}
);
dkimKeyLiam = {
name = "2024-03-liam";
content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
};
dmarc = lib.pipe [
# see https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
"v=DMARC1"
"p=reject" # policy = reject all mail that fails DKIM or SPF
# no need for sp=, policy applies to subdomains by default
"adkim=s" # match dkim domains strictly (foo.shelvacu.com != shelvacu.com)
"aspf=s" # match spf domains strictly
"fo=1" # failure reporting: report a failure if any of dkim or spf fails
"rua=mailto:dmarc-rua@shelvacu.com!25m"
"ruf=mailto:dmarc-ruf@shelvacu.com!25m"
] [
(map (s: s + ";"))
(lib.concatStringsSep " ")
];
vacuZoneExtModule = { config, ... }: {
imports = [ vacuDomainExtModule ];
options.vacu.cloudns = mkOption {
default = true;
type = types.bool;
};
config = lib.mkIf config.vacu.cloudns {
SOA = cloudnsSoa;
NS = map (server: ttl (60 * 60) (ns server)) cloudnsNameServers;
TTL = lib.mkDefault 300;
};
};
vacuDomainExtModule = { config, ... }: {
options.vacu = {
liamMail = mkOption {
default = false;
type = types.bool;
};
_ancestorHasDMARC = mkOption {
type = types.bool;
default = false;
internal = true;
};
};
options.subdomains = mkOption {
type = types.attrsOf (types.submodule [
{
config.vacu._ancestorHasDMARC = config.vacu.liamMail || config.vacu._ancestorHasDMARC;
}
vacuDomainExtModule
]);
};
config = lib.mkMerge [
(lib.mkIf config.vacu.liamMail {
MX = singleton (mx.mx 0 "liam.dis8.net.");
TXT = singleton (
spf.strict [
"mx"
"include:outbound.mailhop.org"
"include:_spf.mailersend.net"
"a:relay.dynu.com"
]
);
subdomains."${dkimKeyLiam.name}._domainkey".TXT = singleton dkimKeyLiam.content;
})
(lib.mkIf (config.vacu.liamMail && !config.vacu._ancestorHasDMARC) {
subdomains._dmarc.TXT = singleton dmarc;
})
];
};
# vacuZone = lib.mkMerge [
# dns.lib.types.zone
# (types.submodule vacuZoneExtModule)
# ];
in
{
imports = [
./jean-luc.org.nix
./pwrhs.win.nix
./shelvacu.miras.pet.nix
./for.miras.pet.nix
./shelvacu.com.nix
./dis8.net.nix
./sv.mt.nix
({ dns, ... }: {
options.vacu.dns = mkOption {
default = { };
type = types.attrsOf dns.lib.types.zone;
};
})
];
options.vacu.dns = mkOption {
type = types.attrsOf (types.submodule vacuZoneExtModule);
};
options.vacu.dnsData = vaculib.mkOutOptions rec {
tripPublicV4 = hosts.triple-dezert.primaryIp;
propPublicV4 = hosts.prophecy.primaryIp;
digitalOcean = {
reservedV4 = "138.197.233.105";
liamPublicV4 = "178.128.79.152";
mailPublicV4 = "167.99.161.174";
};
doV4 = digitalOcean.reservedV4;
awooV4 = hosts.awoo.primaryIp;
};
}

28
dns/dis8.net.nix
View File

@@ -1,28 +0,0 @@
{
lib,
config,
...
}:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
inherit (config.vacu.dnsData.digitalOcean) liamPublicV4 mailPublicV4 reservedV4;
in
{
vacu.dns."dis8.net" = { ... }: {
vacu.liamMail = true;
A = singleton mailPublicV4;
subdomains = {
do-a.A = singleton reservedV4;
liam.A = singleton reservedV4;
mail.A = singleton liamPublicV4;
auwwth = {
subdomains.ns.A = singleton dnsData.awooV4;
NS = singleton "ns.auwwth.dis8.net.";
};
solis.A = singleton config.vacu.hosts.solis.primaryIp;
"_acme-challenge".CNAME = singleton "a55a31f9-74ac-44fc-bf97-c8c9f2498d3a.auth.dis8.net.";
};
};
}

26
dns/for.miras.pet.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."for.miras.pet" =
{ ... }:
{
subdomains = {
"git".A = singleton dnsData.tripPublicV4;
"auth".A = singleton dnsData.tripPublicV4;
"wisdom".A = singleton dnsData.tripPublicV4;
"chat" =
{ ... }:
{
config.vacu.liamMail = true;
config.A = singleton dnsData.tripPublicV4;
config.subdomains."duo-1745490301302-14f65157._domainkey".TXT =
singleton "v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA/94Rh5eMPsKwGGolkleY1Rhh2Q6H22bfdGVu0lXpoHP1K7JxloWu/Ice2vVN/udztmPY+BK1x+5qubcGZKpPt1bC9amsXnyTXfKIMGD2CNd0tnaO54hmMOfv+lTA9YjF0X93tcQP3yUxJgJ9yPZcalFl/bBAqv4/lUVLYFeIVQIDAQAB";
};
"gabriel-dropout".A = singleton dnsData.tripPublicV4;
"_acme-challenge".CNAME = singleton "199b8aa4-bc9f-4f43-88bf-3f613f62b663.auwwth.dis8.net.";
};
};
}

24
dns/jean-luc.org.nix
View File

@@ -1,24 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
main_ips = singleton dnsData.tripPublicV4;
in
{
vacu.dns."jean-luc.org" =
{ ... }:
{
vacu.liamMail = true;
A = main_ips;
NS = lib.mkAfter [ "ns2.afraid.org." ]; # note: appends to NS records from modules.cloudns
subdomains = {
"in".vacu.liamMail = true;
"*".A = main_ips;
"_acme-challenge".CNAME = singleton "8cc7a174-c4a6-40f5-9fff-dfb271c5ce0b.auwwth.dis8.net.";
"stats".A = main_ips;
"tdi-readings".CNAME = singleton "d20l6bh1gp7s8.cloudfront.net.";
"_a908498ee692a9729bf12e161ae1887d.tdi-readings".CNAME =
singleton "_1f055e4fc0f439e67304a33945d09002.hkvuiqjoua.acm-validations.aws.";
};
};
}

14
dns/pwrhs.win.nix
View File

@@ -1,14 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."pwrhs.win" =
{ ... }:
{
A = singleton dnsData.tripPublicV4;
subdomains.habitat.A = singleton dnsData.tripPublicV4;
subdomains._acme-challenge.CNAME = singleton "73697955-1c51-48ba-ba1e-b3398850f59f.auwwth.dis8.net.";
};
}

100
dns/shelvacu.com.nix
View File

@@ -1,100 +0,0 @@
{
config,
lib,
vaculib,
...
}:
let
s = v: [ v ];
inherit (config.vacu) dnsData;
trip_ips = s dnsData.tripPublicV4;
prop_ips = s dnsData.propPublicV4;
solis_ips = s config.vacu.hosts.solis.primaryIp;
mail_thing = s "178.128.79.152";
# which domains to allow dmarc reports.
# ex: _dmarc.dis8.net TXT has "rua=rua-reports@shelvacu.com", reports will only be sent if shelvacu.com allows them
# allow all domains configured in this repo, and one level of subdomain (ideally all but thats hard, this should be good enough)
allow_report_domains = lib.pipe config.vacu.dns [
lib.attrNames
(list: list ++ [ "theviolincase.com" "violingifts.com" ])
(lib.concatMap (domain: [domain "*.${domain}"]))
];
in
{
vacu.dns."shelvacu.com" =
{ ... }:
{
vacu.liamMail = true;
A = trip_ips;
CAA = [
{
issuerCritical = true;
tag = "issue";
value = "letsencrypt.org";
}
{
issuerCritical = true;
tag = "issue";
value = "sectigo.com";
}
{
issuerCritical = true;
tag = "issuewild";
value = "letsencrypt.org";
}
{
issuerCritical = false;
tag = "iodef";
value = "mailto:caa-violation@shelvacu.com";
}
];
subdomains = {
_acme-challenge.CNAME = s "5cb20bf7-5203-417f-b729-fa3a3ad3b775.auwwth.dis8.net.";
_atproto.TXT = s "did=did:plc:oqenurzqeji6ulii3myxls64";
"_report._dmarc".subdomains = vaculib.mapNamesToAttrsConst { TXT = s "v=DMARC1"; } allow_report_domains;
actual.A = prop_ips;
admin-garage-trip.A = trip_ips;
auth.A = trip_ips;
autoconfig.A = mail_thing;
awoo.A = s "45.142.157.71";
dav.A = trip_ips;
dav-experiment.A = prop_ips;
ft.subdomains = {
"*".A = s "45.87.250.193";
_acme-challenge.CNAME = s "17aa43aa-9295-4522-8cf2-b94ba537753d.auth.acme-dns.io.";
};
# hzo3bcydh5khtpeio6zrzb7kwcwiccnh.subdomains._domainkey.CNAME = s "hzo3bcydh5khtpeio6zrzb7kwcwiccnh.dkim.amazonses.com.";
id.A = trip_ips;
imap.A = mail_thing;
jobs.A = trip_ips;
llm.A = trip_ips;
mail.A = mail_thing;
# mlsend2.subdomains._domainkey.CNAME = s "mlsend2._domainkey.mailersend.net.";
mumble.A = prop_ips;
nixcache.A = trip_ips;
ns1.CNAME = s "pns51.cloudns.net.";
ns2.CNAME = s "pns52.cloudns.net.";
ns3.CNAME = s "pns53.cloudns.net.";
ns4.CNAME = s "pns54.cloudns.net.";
prop.CNAME = s "prophecy";
prophecy.A = prop_ips;
prophecy.subdomains.garage.subdomains = {
s3.A = prop_ips;
admin.A = prop_ips;
};
rad.A = trip_ips;
s3-garage-trip.A = trip_ips;
servacu.A = s "167.99.161.174";
smtp.A = mail_thing;
sol.CNAME = s "solis";
solis.A = solis_ips;
solis.subdomains.garage.subdomains = {
s3.A = solis_ips;
admin.A = solis_ips;
};
trip.A = trip_ips;
vaultwarden.A = trip_ips;
www.A = trip_ips;
};
};
}

15
dns/shelvacu.miras.pet.nix
View File

@@ -1,15 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."shelvacu.miras.pet" =
{ ... }:
{
vacu.liamMail = true;
A = singleton dnsData.tripPublicV4;
subdomains."_acme-challenge".CNAME =
singleton "65e44f64-3c65-46f6-b15f-4ad6363b21eb.auwwth.dis8.net.";
};
}

24
dns/sv.mt.nix
View File

@@ -1,24 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) singleton;
inherit (config.vacu) dnsData;
in
{
vacu.dns."sv.mt" =
{ ... }:
{
vacu.liamMail = true;
A = singleton dnsData.propPublicV4;
subdomains.www.A = singleton dnsData.propPublicV4;
subdomains.thisthirdlevelisownedbyshelandwasnotmadeavailabletoemily = {
NS = [
"thisns1isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
"thisns2isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
"thisns3isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
"thisns4isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
"thisns5isonlyusedbyshelandisnotusedforthirdlevelregistrationfor.emilygeil.com."
];
# TXT = singleton "ha5d5dc3ca7b34574bc60929e3910ba8a";
};
};
}

3
dprop
View File

@@ -1,3 +0,0 @@
#!/bin/sh
git add . && nixos-rebuild --flake .#prophecy --build-host prop --target-host prop --use-remote-sudo "$@"

2
dtrip
View File

@@ -1,3 +1,3 @@
#!/bin/sh #!/bin/sh
git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@" git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@

1086
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

558
flake.nix
View File

@@ -1,497 +1,141 @@
{ {
description = "Configs for shelvacu's nix things"; description = "Config for triple-dezert server";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-25.05-small"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small"; nixpkgs.url = "nixpkgs/nixos-23.11-small";
nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
disko = { nix-inspect = {
url = "git+https://git.uninsane.org/shelvacu/disko.git"; url = "github:bluskript/nix-inspect";
#inputs.nixpkgs.follows = "nixpkgs";
};
vscode-server = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
disko-unstable = { nix-on-droid = {
url = "git+https://git.uninsane.org/shelvacu/disko.git"; url = "github:nix-community/nix-on-droid/release-23.05";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
dns = {
url = "github:nix-community/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
flake-compat.url = "github:edolstra/flake-compat";
flake-utils.url = "github:numtide/flake-utils";
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
home-manager-unstable = { jovian = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
impermanence.url = "github:nix-community/impermanence";
jovian-unstable = {
# there is no stable jovian :cry:
url = "github:Jovian-Experiments/Jovian-NixOS"; url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
most-winningest = { disko = {
url = "github:captain-jean-luc/most-winningest"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nixos-hardware.url = "github:nixos/nixos-hardware";
nixos-apple-silicon-unstable = {
url = "github:tpwrules/nixos-apple-silicon";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
nixvim = { homeManager = {
url = "github:nix-community/nixvim/nixos-25.05"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
nixvim-unstable = {
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
nix-colors = { nix-search-cli = {
url = "github:Misterio77/nix-colors"; url = "github:peterldowns/nix-search-cli";
};
nix-on-droid = {
url = "github:nix-community/nix-on-droid";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
}; };
padtype-unstable = { padtype = {
url = "git+https://git.uninsane.org/shelvacu/padtype.git"; url = "gitlab:shelvacu/padtype";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
tf2-nix = { microvm = {
url = "gitlab:shelvacu-forks/tf2-nix/with-my-patches"; url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
vacu-keys = {
url = "git+https://git.uninsane.org/shelvacu/keys.nix.git";
flake = false;
};
}; };
outputs = outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
{ debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
self, nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
nixpkgs, system = "x86_64-linux";
nix-on-droid, modules = [ ./triple-dezert ];
... specialArgs = { inherit inputs; };
}@allInputs: };
let
x86 = "x86_64-linux";
arm = "aarch64-linux";
lib = import "${nixpkgs}/lib";
overlays = import ./overlays;
vacuModules = import ./modules;
mkVaculib = { pkgs }: import ./vaculib { inherit pkgs; nix-colors-lib = allInputs.nix-colors.lib; };
vaculib = mkVaculib { inherit pkgs; };
defaultSuffixedInputNames = [
"nixvim"
"nixpkgs"
];
defaultInputs = { inherit (allInputs) self vacu-keys; };
mkInputs =
{
unstable ? false,
inp ? [ ],
}:
let
suffix = if unstable then "-unstable" else "";
inputNames = inp ++ defaultSuffixedInputNames;
thisInputsA = vaculib.mapNamesToAttrs (name: allInputs.${name + suffix}) inputNames;
in
if inp == "all" then allInputs else thisInputsA // defaultInputs;
mkPkgs =
arg:
let
argAttrAll = if builtins.isString arg then { system = arg; } else arg;
unstable = argAttrAll.unstable or false;
whichpkgs = if unstable then allInputs.nixpkgs-unstable else allInputs.nixpkgs;
argAttr = lib.removeAttrs argAttrAll [ "unstable" ];
config = {
allowUnfree = true;
# the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
# presumably needed by nheko
permittedInsecurePackages = [
"olm-3.2.16"
"fluffychat-linux-1.27.0"
];
} // (argAttr.config or { });
in
import whichpkgs (
argAttr // { inherit config; } // { overlays = (argAttr.overlays or [ ]) ++ overlays; }
);
mkCommon =
{
unstable ? false,
inp ? [ ],
system ? x86,
vacuModuleType,
}:
let
pkgsStable = mkPkgs { unstable = false; inherit system; };
pkgsUnstable = mkPkgs { unstable = true; inherit system; };
pkgs = if unstable then pkgsUnstable else pkgsStable;
inputs = mkInputs { inherit unstable inp; };
vaculib = mkVaculib { inherit pkgs; };
in
{
inherit pkgs pkgsStable pkgsUnstable inputs vaculib;
specialArgs = {
inherit inputs vacuModules vacuModuleType vaculib pkgsStable pkgsUnstable;
inherit (allInputs) dns;
};
};
mkPlain =
{
unstable ? false,
system ? x86,
}@args:
let
common = mkCommon (args // {
vacuModuleType = "plain";
inp = "all";
});
inner = lib.evalModules {
modules = [
./common
{ vacu.systemKind = "server"; }
];
specialArgs = common.specialArgs // {
inherit (common) pkgs;
inherit (common.pkgs) lib;
};
};
in
inner.config.vacu.withAsserts inner;
pkgs = mkPkgs x86;
mkNixosConfig =
{
unstable ? false,
module,
system ? "x86_64-linux",
inp ? [ ],
}:
let
common = mkCommon { inherit unstable inp system; vacuModuleType = "nixos"; };
in
allInputs.nixpkgs.lib.nixosSystem {
inherit (common) specialArgs;
inherit system;
modules = [
{ nixpkgs.pkgs = common.pkgs; }
./common
module
];
};
in
{
debug.isoDeriv = (
import "${allInputs.nixpkgs}/nixos/release-small.nix" {
nixpkgs = ({ revCount = 0; } // allInputs.nixpkgs);
}
);
lib = { nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
inherit system = "x86_64-linux";
mkPlain modules = [ ./compute-deck ];
mkPkgs specialArgs = { inherit inputs; };
mkInputs };
mkNixosConfig
vaculib
;
};
nixosConfigurations = { nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
triple-dezert = mkNixosConfig { system = "x86_64-linux";
module = ./hosts/triple-dezert; modules = [ ./liam ];
inp = [ specialArgs = { inherit inputs; };
"most-winningest" };
"sops-nix"
];
};
compute-deck = mkNixosConfig {
module = ./hosts/compute-deck;
inp = [
"jovian"
"home-manager"
"disko"
"padtype"
];
unstable = true;
};
liam = mkNixosConfig {
module = ./hosts/liam;
inp = [ "sops-nix" ];
};
lp0 = mkNixosConfig { module = ./hosts/lp0; };
shel-installer-iso = mkNixosConfig { module = ./hosts/installer/iso.nix; };
shel-installer-pxe = mkNixosConfig { module = ./hosts/installer/pxe.nix; };
fw = mkNixosConfig {
module = ./hosts/fw;
inp = [
"nixos-hardware"
"sops-nix"
"tf2-nix"
];
};
legtop = mkNixosConfig {
module = ./hosts/legtop;
inp = [ "nixos-hardware" ];
};
mmm = mkNixosConfig {
module = ./hosts/mmm;
inp = [ "nixos-apple-silicon" ];
system = "aarch64-linux";
unstable = true;
};
prophecy = mkNixosConfig {
module = ./hosts/prophecy;
system = "x86_64-linux";
inp = [
"impermanence"
"sops-nix"
"disko"
];
};
solis = mkNixosConfig {
module = ./hosts/solis;
system = "x86_64-linux";
inp = [
"disko"
"impermanence"
"sops-nix"
];
};
};
nixOnDroidConfigurations.default = nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
let system = "x86_64-linux";
common = mkCommon { system = arm; vacuModuleType = "nix-on-droid"; }; modules = [ ./lp0 ];
in specialArgs = { inherit inputs; };
nix-on-droid.lib.nixOnDroidConfiguration { };
modules = [
./common nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
./hosts/nix-on-droid system = "x86_64-linux";
]; modules = [ ./installer.nix ];
extraSpecialArgs = common.specialArgs; specialArgs = { inherit inputs; };
inherit (common) pkgs; };
};
checks = nixpkgs.lib.genAttrs [ x86 ] ( nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
system: system = "x86_64-linux";
let modules = [ ./devver ];
common = mkCommon { inherit system; vacuModuleType = "nixos"; }; specialArgs = { inherit inputs; };
inherit (common) pkgs; };
plain = mkPlain { inherit system; };
commonTestModule = {
hostPkgs = pkgs;
_module.args.inputs = { inherit (allInputs) self; };
node.pkgs = pkgs;
node.pkgsReadOnly = true;
node.specialArgs = (lib.removeAttrs common.specialArgs [ "inputs" ]) // { selfPackages = self.packages.${system}; };
};
mkTest =
name:
nixpkgs.lib.nixos.runTest {
imports = [
commonTestModule
./tests/${name}
{ node.specialArgs.inputs = self.nixosConfigurations.${name}._module.specialArgs.inputs; }
];
};
checksFromConfig = plain.config.vacu.checks;
in
assert !(checksFromConfig ? liam) && !(checksFromConfig ? trip);
checksFromConfig
// {
liam = mkTest "liam";
triple-dezert = mkTest "triple-dezert";
}
);
buildList = nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
let system = "x86_64-linux";
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel; modules = [ ./fw ];
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; }; specialArgs = { inherit inputs; };
renamedAarchPackages = lib.mapAttrs' ( };
name: value: lib.nameValuePair (name + "-aarch64") value
) self.packages.aarch64-linux;
packages = self.packages.x86_64-linux // renamedAarchPackages;
pxe-build = self.nixosConfigurations.shel-installer-pxe.config.system.build;
in
{
fw = toplevelOf "fw";
triple-dezert = toplevelOf "triple-dezert";
compute-deck = toplevelOf "compute-deck";
liam = toplevelOf "liam";
lp0 = toplevelOf "lp0";
legtop = toplevelOf "legtop";
mmm = toplevelOf "mmm";
shel-installer-iso = toplevelOf "shel-installer-iso";
shel-installer-pxe = toplevelOf "shel-installer-pxe";
prophecy = toplevelOf "prophecy";
iso = self.nixosConfigurations.shel-installer-iso.config.system.build.isoImage;
pxe-toplevel = toplevelOf "shel-installer-pxe";
pxe-kernel = pxe-build.kernel;
pxe-initrd = pxe-build.netbootRamdisk;
check-triple-dezert = self.checks.x86_64-linux.triple-dezert.driver;
check-liam = self.checks.x86_64-linux.liam.driver;
liam-sieve = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage; nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ ./nix-on-droid.nix ];
extraSpecialArgs = { inherit inputs; };
};
nod-bootstrap-x86_64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64; diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
nod-bootstrap-aarch64 = allInputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
dc-priv = deterministicCerts.privKeyFile "test"; checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
dc-cert = deterministicCerts.selfSigned "test" { };
inherit (allInputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
m1n1
uboot-asahi
installer-bootstrap
;
installer-bootstrap-cross =
allInputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
}
// packages;
qb = self.buildList // {
trip = self.buildList.triple-dezert;
cd = self.buildList.compute-deck;
lt = self.buildList.legtop;
prop = self.buildList.prophecy;
check-trip = self.buildList.check-triple-dezert;
nod = self.buildList.nix-on-droid;
ak = self.buildList.authorizedKeys;
my-sops = self.buildList.wrappedSops;
};
brokenBuilds = [
"sm64coopdx-aarch64"
"installer-bootstrap"
];
impureBuilds = [
"nix-on-droid"
"nod"
"nod-bootstrap-x86_64"
"nod-bootstrap-aarch64"
];
archival = import ./archive.nix { inherit self pkgs lib; };
}
// (allInputs.flake-utils.lib.eachDefaultSystem (
system:
let let
mkNixvim = pkgs = nixpkgs.legacyPackages.${system};
{ unstable, minimal }: config = {
let node.pkgs = pkgs;
common = mkCommon { inherit unstable system; vacuModuleType = "nixvim"; }; node.pkgsReadOnly = false;
nixvim-input = if unstable then allInputs.nixvim-unstable else allInputs.nixvim; node.specialArgs.selfPackages = self.packages.${system};
in node.specialArgs.inputs = inputs;
nixvim-input.legacyPackages.${system}.makeNixvimWithModule { };
module = {
imports = [ ./nixvim ];
};
extraSpecialArgs = common.specialArgs // { inherit minimal; };
};
common = mkCommon { unstable = true; inherit system; vacuModuleType = "plain"; };
inherit (common) pkgs pkgsStable pkgsUnstable;
plain = mkPlain { unstable = true; inherit system; };
treefmtEval = allInputs.treefmt-nix.lib.evalModule pkgsUnstable ./treefmt.nix;
formatter = treefmtEval.config.build.wrapper;
vacuPackagePaths = import ./packages;
vacuPackages = builtins.intersectAttrs vacuPackagePaths pkgsStable;
in in
{ {
inherit formatter; liam = nixpkgs.lib.nixos.runTest {
inherit (common) vaculib; hostPkgs = pkgs;
apps.sops = { imports = [ config ./tests/liam.nix ];
type = "app";
program = lib.getExe self.packages.${system}.wrappedSops;
}; };
vacuConfig = plain.config; trip = nixpkgs.lib.nixos.runTest {
inherit vacuPackages; hostPkgs = pkgs;
legacyPackages = { imports = [ config ./tests/triple-dezert.nix ];
unstable = pkgsUnstable;
stable = pkgsStable;
nixpkgs-update = { ... }@args: import "${allInputs.nixpkgs}/maintainers/scripts/update.nix" ({ include-overlays = [ (import ./overlays/newPackages.nix) ]; } // args);
}; };
packages = rec { # trip_haproxy_config = let
archive = pkgsStable.callPackage ./scripts/archive { }; # hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
authorizedKeys = pkgsStable.writeText "authorizedKeys" ( # in pkgs.stdenvNoCC.mkDerivation {
lib.concatStringsSep "\n" ( # name = "trip-haproxy-config-check";
lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys # script = ''
) # mkdir -p certs/shelvacu.com/
); # touch certs/shelvacu.com/full.pem
dns = import ./scripts/dns { # ${hacfg.package}/bin/haproxy \
inherit pkgs lib; # -f ${pkgs.writeText "haproxy-config" hacfg.config} \
inputs = allInputs; # -c \
inherit (plain) config; # -dW \
}; # -dD \
inherit formatter; # -C $PWD
generated = pkgsStable.linkFarm "generated" { # '';
nixpkgs = "${allInputs.nixpkgs}"; # };
"liam-test/hints.py" = pkgs.writeText "hints.py" (
import ./typesForTest.nix {
name = "liam";
inherit (pkgsStable) lib;
inherit self;
inherit (allInputs) nixpkgs;
}
);
"dns/python-env" = builtins.dirOf (builtins.dirOf dns.interpreter);
"mailtest/python-env" = builtins.dirOf (
builtins.dirOf self.checks.x86_64-linux.liam.nodes.checker.vacu.mailtest.smtp.interpreter
);
};
host-pxe-installer = pkgs.callPackage ./host-pxe-installer.nix {
nixosInstaller = self.nixosConfigurations.shel-installer-pxe;
};
liam-sieve-script = self.nixosConfigurations.liam.config.vacu.liam-sieve-script;
nixvim = mkNixvim {
unstable = false;
minimal = false;
};
nixvim-unstable = mkNixvim {
unstable = true;
minimal = false;
};
nixvim-minimal = mkNixvim {
unstable = false;
minimal = true;
};
nixvim-unstable-minimal = mkNixvim {
unstable = true;
minimal = true;
};
# optionsDocNixOnDroid = (pkgs.nixosOptionsDoc {
# inherit (self.nixOnDroidConfigurations.default) options;
# }).optionsCommonMark;
openterface-qt-eudev = vacuPackages.openterface-qt.override { useSystemd = false; };
openterface-qt-systemd = vacuPackages.openterface-qt.override { useSystemd = true; };
sopsConfig = plain.config.vacu.sopsConfigFile;
sourceTree = plain.config.vacu.sourceTree;
units = plain.config.vacu.units.finalPackage;
update-git-keys = pkgsStable.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; inputs = allInputs; };
vnopnCA = pkgsStable.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
wrappedSops = plain.config.vacu.wrappedSops;
} // vacuPackages;
} }
)); );
nixosModules.common = import ./common-config.nix;
packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
};
} }

94
fw/default.nix Normal file
View File

@@ -0,0 +1,94 @@
{ config, inputs, pkgs, lib, ... }: {
imports = [
../common-nixos-config.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
vacu.packages.bitwarden-desktop.enable = true;
vacu.packages.nheko.enable = true;
vacu.packages.librewolf.enable = true;
vacu.packages.brave.enable = true;
vacu.packages.thunderbird.enable = true;
vacu.packages.wl-clipboard.enable = true;
vacu.packages.nextcloud-client.enable = true;
vacu.packages.signal-desktop.enable = true;
vacu.packages.fw-ectool.enable = true;
vacu.packages.framework-tool.enable = true;
vacu.packages.iio-sensor-proxy.enable = true;
vacu.packages.power-profiles-daemon.enable = true;
vacu.packages.acpi.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.memtest86.enable = true;
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
networking.hostName = "fw"; # Define your hostname.
networking.hostId = "c6e309d5";
boot.zfs.extraPools = [ "fw" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
systemd.services.zfs-mount.enable = false;
services.openssh.enable = true;
system.stateVersion = "23.11"; # Did you read the comment?
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "fw/root";
fsType = "zfs";
};
fileSystems."/boot0" =
{ device = "/dev/disk/by-label/BOOT0";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot1" =
{ device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
hardware.cpu.amd.updateMicrocode = true;
hardware.enableAllFirmware = true;
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
};
programs.nix-ld.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
}

10
generic-digitalocean-nixos.nix Normal file
View File

@@ -0,0 +1,10 @@
{ inputs, system ? "x86_64-linux" }:
let
pkgs = inputs.nixpkgs.legacyPackages.${system};
config = { config, ... }: {
imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
system.stateVersion = config.system.nixos.release;
};
in
(pkgs.nixos config).digitalOceanImage

7
home/nix-on-droid.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
imports = [ ../common/home.nix ];
home.stateVersion = "24.05";
home.homeDirectory = "/data/data/com.termux.nix/files/home";
home.username = "nix-on-droid";
}

7
hosts/compute-deck/bluetooth.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
}

74
hosts/compute-deck/default.nix
View File

@@ -1,74 +0,0 @@
{ pkgs, inputs, ... }:
{
imports = [
inputs.jovian.nixosModules.jovian
# inputs.disko.nixosModules.default
inputs.home-manager.nixosModules.default
./hardware.nix
./home.nix
./bluetooth.nix
./partitioning.nix
./padtype.nix
];
boot.loader = {
systemd-boot.enable = false;
efi = {
efiSysMountPoint = "/boot/EFI";
canTouchEfiVariables = false;
};
grub = {
efiSupport = true;
device = "nodev";
efiInstallAsRemovable = true;
};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
vacu.hostName = "compute-deck";
vacu.shortHostName = "cd";
vacu.shell.color = "blue";
vacu.systemKind = "desktop";
networking.hostId = "e595d9b0";
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
system.stateVersion = "23.11";
jovian.devices.steamdeck.enable = true;
networking.networkmanager.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
services.openssh.enable = true;
vacu.packages = ''
jupiter-hw-support
steamdeck-firmware
steamdeck-bios-fwupd
'';
# boot.kernelPatches = [
# {
# name = "gadget";
# patch = null;
# extraStructuredConfig = with lib.kernel; {
# USB_ETH=module;
# USB_GADGET=yes;
# USB_LIBCOMPOSITE=yes;
# USB_CONFIGFS=yes;
# USB_DWC3=module;
# USB_DWC3_PCI=module;
# USB_DWC3_DUAL_ROLE=yes;
# USB_DWC3_HOST=no;
# USB_DWC3_GADGET=no;
# USB_ROLE_SWITCH=yes;
# };
# }
# ];
}

72
hosts/compute-deck/hardware.nix
View File

@@ -1,72 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"sdhci_pci"
"dwc3_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
/*
fileSystems."/" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
options = [ "subvol=boot" ];
};
*/
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/boot/EFI" = {
device = "/dev/disk/by-uuid/C268-79C8";
fsType = "vfat";
options = [ "nofail" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

5
hosts/fw/android.nix
View File

@@ -1,5 +0,0 @@
{ pkgs, ... }:
{
vacu.packages = pkgs.androidStudioPackages.stable.all;
users.users.shelvacu.extraGroups = [ "kvm" ];
}

76
hosts/fw/apex.nix
View File

@@ -1,76 +0,0 @@
# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
{
pkgs,
lib,
config,
...
}:
let
# to match package used in config.services.pcscd, unfortunately not exposed like usual
pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
in
{
# apparently this is already enabled??
# nixpkgs.overlays = [ ( final: prev: {
# libfido2 = prev.libfido2.override { withPcsclite = true; };
# } ) ];
vacu.packages = lib.mkMerge [
''
libfido2
pcsc-tools
scmccid
opensc
pcsclite
''
{ pcsclite.package = pcsclite-pkg; }
];
services.pcscd.enable = true;
# conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
boot.blacklistedKernelModules = [
"pn533_usb"
"pn533"
"nfc"
];
# bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
# (PIN1 for authentication/decryption, PIN2 for signing).
# environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
# module: ${pkgs.opensc}/lib/opensc-pkcs11.so
# '';
# environment.etc."opensc.conf".text = ''
# app default {
# reader_driver pcsc {
# enable_pinpad = false;
# }
# }
# '';
environment.systemPackages = [
# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
# security devices, so they can be used for TLS client auth.
# Each user needs to run this themselves, it does not work on a system level
# due to a bug in Chromium:
#
# https://bugs.chromium.org/p/chromium/issues/detail?id=16387
(pkgs.writeShellScriptBin "setup-browser-eid" ''
NSSDB="''${HOME}/.pki/nssdb"
mkdir -p ''${NSSDB}
${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
'')
];
# programs.firefox.enable = true;
# programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
# trying CTAP-bridge
services.udev.extraRules = ''
KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE="0666", TAG+="uaccess"
KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE="0666", TAG+="uaccess"
'';
}

158
hosts/fw/default.nix
View File

@@ -1,158 +0,0 @@
{ inputs, pkgs, lib, vacuModules, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
"${inputs.self}/tf2"
vacuModules.sops
./apex.nix
./android.nix
./thunderbolt.nix
./fwupd.nix
./zfs.nix
./virtualbox.nix
./radicle.nix
./tpm-fido.nix
./podman.nix
./waydroid.nix
];
boot.supportedFilesystems = [ "bcachefs" ];
vacu.hostName = "fw";
vacu.shell.color = "magenta";
vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
vacu.systemKind = "laptop";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# standard kernel: waydroid works
# lqx kernel: games run with less stutters
boot.kernelPackages = pkgs.linuxKernel.packages.linux_lqx;
# boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_15;
networking.networkmanager.enable = true;
services.irqbalance.enable = true;
# boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
services.fprintd.enable = false; # kinda broken
users.users.shelvacu.extraGroups = [ "dialout" ];
programs.steam.extraCompatPackages = [ pkgs.proton-ge-bin ];
vacu.packages = ''
android-studio
framework-tool
fw-ectool
headsetcontrol
openterface-qt
intiface-central
osu-lazer
mumble
obs-studio
'';
services.power-profiles-daemon.enable = true;
networking.firewall.enable = false;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
services.printing.enable = true;
programs.system-config-printer.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.memtest86.enable = true;
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
networking.hostId = "c6e309d5";
services.openssh.enable = true;
system.stateVersion = "23.11"; # Did you read the comment?
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"usbhid"
"sd_mod"
];
#boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
#boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "fw/root";
fsType = "zfs";
};
fileSystems."/cache" = {
device = "fw/cache";
fsType = "zfs";
};
fileSystems."/home/shelvacu/cache" = {
device = "/cache/shelvacu";
options = [ "bind" ];
};
fileSystems."/boot0" = {
device = "/dev/disk/by-label/BOOT0";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
fileSystems."/boot1" = {
device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
hardware.cpu.amd.updateMicrocode = true;
hardware.enableAllFirmware = true;
hardware.graphics = {
extraPackages = [
pkgs.rocmPackages.clr.icd
pkgs.amdvlk
];
};
programs.nix-ld.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.postgresql.enable = true; # for development
vacu.programs.thunderbird.enable = true;
}

8
hosts/fw/fwupd.nix
View File

@@ -1,8 +0,0 @@
{ config, lib, ... }:
{
vacu.packages = [ config.services.fwupd.package ];
services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
#update: it didn't work, I dunno why. Leaving this here anyways
services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
}

13
hosts/fw/podman.nix
View File

@@ -1,13 +0,0 @@
{ ... }:
{
virtualisation.containers.enable = true;
virtualisation.podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
users.users.shelvacu.extraGroups = [ "podman" ];
}

20
hosts/fw/radicle.nix
View File

@@ -1,20 +0,0 @@
{ config, ... }:
{
sops.secrets.radicle-key = {
sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
};
# services.radicle = {
# enable = true;
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
# privateKeyFile = config.sops.secrets.radicle-key.path;
# settings = {
# node.alias = "shelvacu-fw";
# seedingPolicy.default = "block";
# };
# };
vacu.packages.radicle-node = {
enable = true;
package = config.services.radicle.package;
};
}

13
hosts/fw/thunderbolt.nix
View File

@@ -1,13 +0,0 @@
{ lib, config, ... }:
{
services.hardware.bolt.enable = true;
vacu.packages = lib.mkMerge [
''
thunderbolt
bolt
kdePackages.plasma-thunderbolt
''
{ bolt.package = config.services.hardware.bolt.package; }
];
}

14
hosts/fw/tpm-fido.nix
View File

@@ -1,14 +0,0 @@
{ config, ... }:
{
vacu.packages = [ "tpm-fido" ];
users.groups.uhid = { };
users.users.shelvacu.extraGroups = [
config.security.tpm2.tssGroup
config.users.groups.uhid.name
];
security.tpm2.enable = true;
security.tpm2.applyUdevRules = true;
services.udev.extraRules = ''
KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="${config.users.groups.uhid.name}", MODE="0660"
'';
}

8
hosts/fw/virtualbox.nix
View File

@@ -1,8 +0,0 @@
{ ... }:
{
virtualisation.virtualbox.host = {
enable = true;
enableExtensionPack = true;
};
users.extraGroups.vboxusers.members = [ "shelvacu" ];
}

5
hosts/fw/waydroid.nix
View File

@@ -1,5 +0,0 @@
{ ... }:
{
boot.kernelParams = [ "psi=1" ];
virtualisation.waydroid.enable = true;
}

7
hosts/fw/zfs.nix
View File

@@ -1,7 +0,0 @@
{ pkgs, ... }:
{
boot.zfs.extraPools = [ "fw" ];
systemd.services.zfs-mount.enable = false;
# see also fileSystems."/"
}

30
hosts/installer/common/default.nix
View File

@@ -1,30 +0,0 @@
{ config, lib, ... }:
{
# this is an installer image, created anew every time. There's no state we need to worry about messing up
system.stateVersion = config.system.nixos.release;
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
vacu.hostName = "vacuInstaller";
vacu.shell.color = "red";
vacu.systemKind = "minimal";
vacu.packages = ''
acpi
iio-sensor-proxy
aircrack-ng
# bitwarden-cli # 800MB closure size!
borgbackup
dmidecode
home-manager
man
mercurial
nix-index
nix-inspect
nix-search-cli
nmap
nvme-cli
rclone
smartmontools
tcpdump
termscp
'';
}

8
hosts/installer/iso.nix
View File

@@ -1,8 +0,0 @@
{ modulesPath, ... }:
{
imports = [
./common
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
];
isoImage.isoBaseName = "nixos-shel-installer";
}

7
hosts/installer/pxe.nix
View File

@@ -1,7 +0,0 @@
{ modulesPath, ... }:
{
imports = [
./common
"${modulesPath}/installer/netboot/netboot-minimal.nix"
];
}

7
hosts/legtop/bluetooth.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
# services.blueman.enable = true;
}

47
hosts/legtop/default.nix
View File

@@ -1,47 +0,0 @@
{ pkgs, inputs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.gpd-micropc
./hardware.nix
./bluetooth.nix
];
vacu.hostName = "legtop";
vacu.shortHostName = "lt";
vacu.shell.color = "blue";
vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
vacu.systemKind = "laptop";
system.stateVersion = "24.05";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.power-profiles-daemon.enable = true;
networking.networkmanager.enable = true;
services.openssh.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
hardware.enableAllFirmware = true;
services.fwupd.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
programs.steam.enable = true;
boot.kernelPackages = pkgs.linuxPackages_lqx;
}

33
hosts/legtop/hardware.nix
View File

@@ -1,33 +0,0 @@
{ ... }:
{
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
fsType = "ext4";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4C47-D9A3";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}

156
hosts/liam/backup.nix
View File

@@ -1,156 +0,0 @@
{
config,
vaculib,
pkgs,
lib,
...
}:
let
inherit (lib) mkOption;
cfg = config.vacu.liam.backup;
commonServiceConfig = {
Type = "oneshot";
StateDirectory = "auto-borg";
CacheDirectory = "auto-borg";
ReadOnlyPaths = cfg.paths ++ [ cfg.keyPath ];
User = cfg.user;
Group = cfg.user;
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
# PrivateUsers = true;
ProcSubset = "pid";
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
};
in
{
options.vacu.liam.backup = {
user = mkOption { default = "autoborger"; };
rsyncUser = mkOption { default = "fm2382"; };
rsyncHost = mkOption {
default = "${cfg.rsyncUser}.rsync.net";
defaultText = "(output)";
};
repo = mkOption {
default = "${cfg.rsyncUser}@${cfg.rsyncHost}:borg-repos/liam-backup";
defaultText = "(output)";
};
package = mkOption {
default = pkgs.borgbackup;
defaultText = "pkgs.borgbackup";
};
cmd = mkOption {
default = lib.getExe cfg.package;
defaultText = "lib.getExe cfg.package";
};
paths = mkOption {
default = [
"/var/lib/mail"
"/var/lib/dovecot"
"/var/log"
];
};
keyPath = mkOption {
default = config.sops.secrets.liam-borg-key.path;
defaultText = "TODO";
};
};
config = {
vacu.assertions = lib.singleton {
assertion =
(lib.versionAtLeast cfg.package.version "1.4.0")
&& !(lib.versionAtLeast cfg.package.version "1.5.0");
message = "Only for version 1.4.x";
fatal = true;
};
sops.secrets.liam-borg-key = {
owner = cfg.user;
};
# systemd.tmpfiles.settings."10-auto-borg" = lib.genAttrs cfg.paths (_:
# {
# # A+ = append to ACLs recursively
# "A+" = {
# argument = "u:${cfg.user}:r-x";
# };
# }
# );
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.user;
home = "/var/lib/auto-borg";
};
users.groups.${cfg.user} = { };
systemd.services.auto-borg-gen-key = {
script = ''
set -euo pipefail
${lib.optionalString config.vacu.underTest "${pkgs.openssh}/bin/ssh -oBatchMode=yes -oStrictHostKeyChecking=accept-new ${cfg.rsyncHost} || true"}
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$STATE_DIRECTORY"/id_ed25519 -N ""
'';
serviceConfig = commonServiceConfig;
};
systemd.services.auto-borg = {
script = ''
set -euo pipefail
# makes a date like 2025-04-15_21-24-29_UTC
dashed_date="$(date -u '+%F_%H-%M-%S_%Z')"
archive_name="liam-auto-backup--$dashed_date"
export BORG_PASSPHRASE="$(cat ${lib.escapeShellArg cfg.keyPath})"
export BORG_REMOTE_PATH="borg14"
export BORG_RSH="ssh -i $STATE_DIRECTORY/id_ed25519"
export BORG_REPO=${lib.escapeShellArg cfg.repo}
export BORG_CACHE_DIR="$CACHE_DIRECTORY/borg"
export BORG_CONFIG_DIR="$STATE_DIRECTORY/borg"
cmd=(
${lib.escapeShellArg cfg.cmd}
create
--show-rc
--verbose
--show-version
--stats
--atime
"::$archive_name"
${lib.escapeShellArgs cfg.paths}
)
"''${cmd[@]}"
'';
serviceConfig = commonServiceConfig;
};
systemd.timers.auto-borg = {
enable = !config.vacu.underTest;
wantedBy = [ "timers.target" ];
# run every day at a random time between 3am and 4am, los angeles time
timerConfig = {
OnCalendar = "*-*-* 03:00:00 America/Los_Angeles";
RandomizedDelaySec = 3600;
};
};
};
}

74
hosts/liam/default.nix
View File

@@ -1,74 +0,0 @@
{
modulesPath,
config,
vaculib,
...
}:
let
inherit (vaculib) mkOutOption;
in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/virtualisation/digital-ocean-config.nix")
./nginx.nix
./sops.nix
./dovecot.nix
./mail.nix
./dkim.nix
./sieve.nix
./network.nix
./backup.nix
];
options = {
vacu.liam = {
shel_domains = mkOutOption [
"shelvacu.com"
"dis8.net"
"mail.dis8.net"
"jean-luc.org"
"in.jean-luc.org"
"vacu.store"
"shelvacu.miras.pet"
"chat.for.miras.pet"
"sv.mt"
];
julie_domains = mkOutOption [
"violingifts.com"
"theviolincase.com"
"shop.theviolincase.com"
];
domains = mkOutOption (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
relayhosts = {
allDomains = (mkOutOption "[outbound.mailhop.org]:587") // {
readOnly = false;
};
shelvacuAlt = (mkOutOption "[relay.dynu.com]:587") // {
readOnly = false;
};
};
reservedIpLocal = mkOutOption "10.46.0.7";
};
};
config = {
vacu.hostName = "liam";
vacu.shell.color = "cyan";
networking.domain = "dis8.net";
vacu.systemKind = "minimal";
hardware.enableAllFirmware = false;
hardware.enableRedistributableFirmware = false;
# networking.interfaces."ens3".useDHCP = false;
services.openssh.enable = true;
virtualisation.digitalOcean.setSshKeys = false;
users.users.root.openssh.authorizedKeys.keys =
config.users.users.shelvacu.openssh.authorizedKeys.keys;
system.stateVersion = "23.11";
};
}

208
hosts/liam/mail.nix
View File

@@ -1,208 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (config.vacu.liam)
shel_domains
julie_domains
domains
relayhosts
;
mapLines = f: lis: lib.concatStringsSep "\n" (map f lis);
debug = false;
fqdn = config.networking.fqdn;
relayable_domains = [
"shelvacu.com"
"vacu.store"
"chat.for.miras.pet"
];
dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
reject_spam_sources = [
"reject-spam-test@example.com"
"buyerservice@made-in-china.com"
"upgrade-plans@asuswebstorage.com"
"info@rfidlabel.com"
"made-in-china.com"
"*.made-in-china.com"
"hotels.com"
"*.hotels.com"
];
banned_ips = [
"45.192.103.243/32"
"165.154.207.0/24"
"165.154.226.0/24"
"210.242.134.0/26"
"137.220.198.0/24"
"122.96.0.0/15"
];
# must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
mailSizeLimit = 35 * 1024 * 1024;
in
{
networking.firewall.allowedTCPPorts = [
25
465
];
vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
services.postfix = {
enable = true;
hostname = fqdn;
# this goes into virtual_alias_maps
# "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
virtual =
''
julie@shelvacu.com julie
mom@shelvacu.com julie
psv@shelvacu.com psv
''
+ (mapLines (d: "@${d} shelvacu") shel_domains)
+ "\n"
+ (mapLines (d: "@${d} julie") julie_domains);
transport = ''
shelvacu@${fqdn} ${dovecot_transport}
julie@${fqdn} ${dovecot_transport}
psv@${fqdn} ${dovecot_transport}
backup@${fqdn} ${dovecot_transport}
'';
sslKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
sslCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
postmasterAlias = "shelvacu";
rootAlias = "shelvacu";
enableSubmission = false;
enableSubmissions = true;
mapFiles.header_checks = pkgs.writeText "header-checks" (
''
/./ INFO checker headers
''
+ (mapLines (
d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
) domains)
);
mapFiles.sender_access = pkgs.writeText "sender-access" (
mapLines (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
);
mapFiles.banned_ips = pkgs.writeText "banned-ips" (mapLines (ip: "${ip} REJECT spam") banned_ips);
# hack to get postfix to add a X-Original-To header
mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
# mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
mapFiles.sender_transport = pkgs.writeText "sender-transport" (
mapLines (d: "@${d} relayservice") relayable_domains
);
mapFiles.sender_relay = pkgs.writeText "sender-relay" (
''
@shelvacu.com ${relayhosts.allDomains} ${relayhosts.shelvacuAlt}
''
+ (mapLines (d: "@${d} ${relayhosts.allDomains}") relayable_domains)
);
mapFiles.extra_login_maps = pkgs.writeText "extra-login-maps" (
''
robot@vacu.store vacustore
zulip-notify@chat.for.miras.pet miracult-zulip
idrac-62pn9z1@shelvacu.com idrac-62pn9z1
''
+ config.services.postfix.virtual
);
# verbatim appended to main.cf
extraConfig = ''
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
virtual_alias_domains =
${lib.concatStringsSep ",\n " domains}
message_size_limit = ${toString mailSizeLimit}
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
header_checks = pcre:/etc/postfix/header_checks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
recipient_delimiter = +
#we should never use these transport methods unless thru transport map
# RFC3463:
# 5.X.X = permanent error
# X.3.X = mail system failure
# X.3.5 = System incorrectly configured
# I would've never thought there'd be a standard way to specifically say "you found an error in my config"
local_transport = error:5.3.5 how did this even happen?? (e-local)
virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
# X.7.1 = Delivery not authorized, message refused
relay_transport = error:5.7.1 relay is so very disabled
lmtp_destination_recipient_limit = 1
always_bcc = backup@${fqdn}
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
# smtp_bind_address = 10.46.0.7
# inet_interfaces = all
# inet_protocols = ipv4
${lib.optionalString config.services.opendkim.enable (
assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
''
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
''
)}
'';
masterConfig."relayservice" = {
command = "smtp";
type = "unix";
args = [
"-o"
"smtp_sasl_auth_enable=yes"
"-o"
"smtp_sasl_security_options=noanonymous"
"-o"
"smtp_tls_security_level=secure"
"-o"
"smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o"
"smtp_tls_wrappermode=no"
] ++ (if debug then [ "-v" ] else [ ]);
};
masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
submissionsOptions = {
smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes";
smtpd_tls_auth_only = "yes";
smtpd_reject_unlisted_recipient = "no";
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
milter_macro_daemon_name = "ORIGINATING";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/dovecot-auth";
message_size_limit = "100000000";
smtpd_sender_login_maps = "hash:/etc/postfix/extra_login_maps";
smtpd_sender_restrictions = "reject_authenticated_sender_login_mismatch";
header_checks = "";
# mozilla intermediate config
smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium";
tls_medium_cipherlist = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
tls_preempt_cipherlist = "no";
};
};
}

32
hosts/liam/network.nix
View File

@@ -1,32 +0,0 @@
{ lib, config, ... }:
let
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
# "netmask": "255.255.0.0",
# "gateway": "10.46.0.1"
# }
interface_conf = {
useDHCP = true;
ipv4.addresses = [
{
address = "10.46.0.7";
prefixLength = 24;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.46.0.1";
options.scope = "global";
options.src = "10.46.0.7";
options.metric = "1200";
}
];
};
in
{
networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
}

21
hosts/liam/notes.txt
View File

@@ -1,21 +0,0 @@
I think I can sort my email into these categories:
- A Top priority: should be a notification
- personal emails
- here is a code to login (except ms, ugh)
- B Normal priority: should be reviewed regularly, at least once every couple days
- (some) purchase receipts
- your credit card was used for <amount>
- money stuff
- patreons
- C Low priority: should be skimmed occaisionally to make sure nothing got caught that shouldn't have
- C1 good emails:
- your statement is available to view
-
- C2 spam
- D Shit-tier: never reviewed, except if I'm missing an email I was otherwise expecting
- unsolicited job offers
- anything definitely spam
- M Mailing lists
searches should generally search A,B,C but not D or M

964
hosts/liam/sieve.nix
View File

@@ -1,964 +0,0 @@
{
pkgs,
lib,
config,
vaculib,
...
}:
let
inherit (builtins)
isString
isList
length
head
all
isInt
isAttrs
isFloat
isBool
;
inherit (lib)
concatStrings
concatStringsSep
splitString
match
replaceStrings
reverseList
elemAt
mapAttrsToList
;
mapConcat = f: xs: concatStrings (map f xs);
mapConcatSep =
sep: f: xs:
concatStringsSep sep (map f xs);
mapConcatLines = f: xs: mapConcatSep "\n" f xs;
isListWhere = xs: f: (isList xs) && (all f xs);
stringOrList = val: (isString val) || ((isListWhere val isString) && (length val) > 0);
listify = val: if isList val then val else [ val ];
is_match = regex: s: (match regex s) != null;
is_not_match = regex: s: !(is_match regex s);
only_printable_ascii = s: is_match "[ -~\r\n]*" s;
has_vars = s: lib.hasInfix ("$" + "{") s;
sieve_raw_escape_string =
s:
if !only_printable_ascii s then
builtins.trace s throw "s failed only_printable_ascii check"
else
replaceStrings [ ''"'' ''\'' "\n" "\r" ] [ ''\"'' ''\\'' ''\n'' ''\r'' ] s;
sieve_encode_string =
{
allow_vars,
for_debug_comment,
with_quotes,
}:
s:
assert isString s;
assert allow_vars || for_debug_comment || (!has_vars s);
let
a = sieve_raw_escape_string s;
b = if for_debug_comment then replaceStrings [ ''*/'' ] [ ''*\/'' ] a else a;
res = if with_quotes then ''"${b}"'' else b;
in
res;
sieve_quote_string = sieve_encode_string {
allow_vars = false;
for_debug_comment = false;
with_quotes = true;
};
sieve_quote_string_with_interp = sieve_encode_string {
allow_vars = true;
for_debug_comment = false;
with_quotes = true;
};
is_valid_long_ident = is_match "[a-z_][a-z0-9_]*";
is_number_ident = is_match "[0-9]*";
is_valid_ident = s: (is_valid_long_ident s) || (is_number_ident s);
interp =
ident:
assert isString ident;
assert is_valid_ident ident;
"$" + "{${ident}}";
dest = "envelope_to";
dest_domain = "envelope_to_domain";
set_envelope = ''
#set_envelope START
if header :index 1 :matches "X-Envelope-To" "*" {
set ${sieve_quote_string dest} "''${1}";
}
if header :index 1 :matches "X-Envelope-To" "*@*" {
set ${sieve_quote_string dest_domain} "''${2}";
}
#set_envelope END
'';
envelope_is =
key:
assert stringOrList key;
''string :is "${interp dest}" ${sieve_encode key}'';
envelope_matches =
key:
assert stringOrList key;
''string :matches "${interp dest}" ${sieve_encode key}'';
envelope_domain_is = key: ''string :is "${interp dest_domain}" ${sieve_quote_string key}'';
sieve_encode_list =
xs:
assert isListWhere xs isString;
"[ ${mapConcatSep ", " sieve_encode xs} ]";
sieve_encode =
val:
if isString val then
sieve_quote_string val
else if isList val then
sieve_encode_list val
else
assert "dunno what to do with this";
null;
sieve_debug_list = xs: "[ ${mapConcat (s: (sieve_debug s) + " ") xs}]";
sieve_debug_attrs =
attrs:
let
toPairStr = name: val: "${sieve_debug name} = ${sieve_debug val}; ";
pairStrs = mapAttrsToList toPairStr attrs;
pairsStr = concatStrings pairStrs;
in
"{ ${pairsStr}}";
sieve_debug =
val:
if isString val then
sieve_encode_string {
allow_vars = true;
for_debug_comment = true;
with_quotes = true;
} val
else if (isInt val) || (isFloat val) then
toString val
else if (isBool val) then
(if val then "true" else "false")
else if isNull val then
"null"
else if isList val then
sieve_debug_list val
else if isAttrs val then
sieve_debug_attrs val
else
assert "dunno what to do with this";
null;
is_flagish =
flag_name:
let
# escape_all = map lib.escapeRegex;
# all from https://datatracker.ietf.org/doc/html/rfc9051#name-formal-syntax
# resp-specials = escape_all [ "]" ];
# DQUOTE = ''"'';
# quoted-specials = escape_all [ DQUOTE "\\" ];
# list-wildcards = escape_all [ "%" "*" ];
# CTL = something; # 0x00 thru 0x1F, and 0x7F
# SP = escape_all [ " " ];
# atom-specials = (escape_all [ "(" ")" "{" ]) ++ [ SP CTL list-wildcards quoted-specials resp-specials ];
# " " 0x20 !allowed
# "!" 0x21 ok
# "\"" 0x22 !allowed
# "#" 0x23 ok
# "$" 0x24 ok
# "%" 0x25 !allowed
# "&" 0x26 ok
# "'" 0x27 ok
# "(" 0x28 !allowed
# ")" 0x29 !allowed
# "*" 0x2a !allowed
# "+" 0x2b ok
# ...
# "Z" 0x5a ok
# "[" 0x5b !allowed
# "\\" 0x5c !allowed
# "]" 0x5d ok
# "^" 0x5e ok
# ...
# "z" 0x7a ok
# "{" 0x7b !allowed
# "|" 0x7c ok
# "}" 0x7d ok
# "~" 0x7e ok
# DEL 0x7f !allowed
# ATOM-CHAR = something; # "any CHAR except atom-specials"
ATOM-CHAR = ''[]!#$&'+-Z^-z|}~]'';
atom = "${ATOM-CHAR}+";
flag-keyword = ''\$MDNSent|\$Forwarded|\$Junk|\$NotJunk|\$Phishing|(${atom})'';
flag-extension = ''\\(${atom})'';
flag = ''\\Answered|\\Flagged|\\Deleted|\\Seen|\\Draft|(${flag-keyword})|(${flag-extension})'';
in
(isString flag_name) && ((builtins.match flag flag_name) != null);
known_flags = rec {
seen = ''\Seen'';
read = seen;
};
pure_flags_impl =
flags: conditions:
assert isListWhere flags isString;
assert isListWhere conditions isString;
assert (length flags) > 0;
assert (length conditions) > 0;
let
argAttrs = { inherit flags conditions; };
firstFlag = head flags;
combined_condition = if (length conditions) == 1 then head conditions else (allof conditions);
in
''
# pure_flags ${sieve_debug argAttrs};
removeflag ${sieve_quote_string firstFlag};
if ${combined_condition} {
${record_action "pure_flags ${concatStringsSep " " flags}"}
${concatStringsSep "\n" (map (flag: ''addflag ${sieve_quote_string flag};'') flags)}
}
# pure_flags end
'';
pure_flags =
flags: conditions:
assert stringOrList flags;
assert stringOrList conditions;
pure_flags_impl (listify flags) (listify conditions);
exists_impl =
headers:
assert isListWhere headers isString;
if headers == [ ] then
"/* exists START: called with empty array */ false /* exists END */"
else
"/* exists START */ exists ${sieve_encode_list headers} /* exists END */";
exists =
headers:
assert stringOrList headers;
exists_impl (listify headers);
header_generic =
match_kind: header_s: match_es:
assert stringOrList header_s;
assert stringOrList match_es;
''/* header_generic START */ header ${match_kind} ${sieve_encode header_s} ${sieve_encode match_es} /* header_generic END */'';
header_matches = header_generic ":matches";
header_is = header_generic ":is";
subject_generic = match_kind: match_es: header_generic match_kind "Subject" match_es;
subject_matches = subject_generic ":matches";
subject_is = subject_generic ":is";
environment_generic =
match_kind: environment_name_s: match_es:
assert stringOrList environment_name_s;
assert stringOrList match_es;
"environment ${match_kind} ${sieve_encode environment_name_s} ${sieve_encode match_es}";
environment_matches = environment_generic ":matches";
environment_is = environment_generic ":is";
from_is =
addr_list:
assert stringOrList addr_list;
''/* from_is START */ address :is :all "From" ${sieve_encode addr_list} /* from_is END */'';
from_matches =
addr_list:
assert stringOrList addr_list;
''/* from_is START */ address :matches :all "From" ${sieve_encode addr_list} /* from_is END */'';
var_is =
var_name: rhs:
assert isString var_name;
assert stringOrList rhs;
''string :is "''${${var_name}}" ${sieve_encode rhs}'';
var_is_true = var_name: var_is var_name "1";
var_is_false = var_name: not (var_is_true var_name);
has_flag =
flag_name:
assert isString flag_name;
assert is_flagish flag_name; # no spaces allowed in flag names
''hasflag :is ${sieve_encode flag_name}'';
set_with_interp =
var_name: new_val:
assert isString var_name;
assert is_valid_ident var_name;
assert isString new_val;
"set ${sieve_encode var_name} ${sieve_quote_string_with_interp new_val};";
set =
var_name: new_val:
assert isString var_name;
assert is_valid_ident var_name;
assert isString new_val;
"set ${sieve_encode var_name} ${sieve_encode new_val};";
set_bool_var =
var_name: bool_val:
assert isBool bool_val;
set var_name (if bool_val then "1" else "0");
over_test_list =
name: test_list:
assert isListWhere test_list isString;
''
${name}(
${concatStringsSep ",\n" test_list}
)
'';
anyof = over_test_list "anyof";
allof = over_test_list "allof";
not = test: "not ${test}";
record_action =
action_desc:
assert isString action_desc;
''addheader "X-Vacu-Action" ${sieve_encode action_desc};'';
fileinto =
folder:
assert isString folder;
''
${record_action "fileinto ${folder}"}
fileinto :create ${sieve_encode folder};
'';
ihave =
extension_name_s:
assert stringOrList extension_name_s;
"ihave ${sieve_encode extension_name_s}";
# email_filters = map (e: ''
# elsif ${envelope_is e} { # item of email_filters
# ${record_action "email_filters fileinto ${mk_email_folder_name e}"}
# fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
# }
# '') email_folders;
# domain_filters = map (d: ''
# elsif ${envelope_domain_is d} { # item of domain_filters
# ${record_action "domain_filters fileinto ${mk_domain_folder_name d}"}
# fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
# }
# '') domain_folders;
set_from =
{
condition,
var,
default ? "-",
warn_if_unset ? false,
}@args:
''
# set_from ${sieve_debug args}
if ${condition} {
${set_with_interp var (interp "1")}
}
else {
${lib.optionalString warn_if_unset (
maybe_debug "info: Could not set ${var} from condition ${condition}, setting to default(${default})"
)}
${set var default}
}
# set_from END
'';
set_var_from_environment =
item: var:
''
# set_var_from_environment
''
+ set_from {
condition = ''environment :matches ${sieve_quote_string item} "*"'';
inherit var;
};
maybe_debug = msg: ''
if ${ihave "vnd.dovecot.debug"} {
debug_log ${sieve_quote_string_with_interp msg};
}
'';
# trimmed down from https://pages.ebay.com/securitycenter/security_researchers_eligible_domains.html
ebay_domains = vaculib.listOfLines { } ''
ebay.com
ebay.co.uk
ebay.com.au
ebay.de
ebay.ca
ebay.fr
ebay.it
ebay.es
ebay.at
ebay.ch
ebay.com.hk
ebay.com.sg
ebay.com.my
ebay.in
ebay.ph
ebay.ie
ebay.pl
ebay.be
ebay.nl
ebay.cn
ebay.com.tw
ebay.co.jp
ebaythailand.co.th
'';
sieve_text = ''
require [
"fileinto",
"mailbox",
"imap4flags",
"editheader",
"environment",
"variables",
"date",
"index",
"ihave"
];
if ${
allof [
(ihave "imapsieve")
(environment_matches "imap.user" "*")
(environment_matches "location" "MS")
(environment_matches "phase" "post")
]
} {
${set_bool_var "in_imap" true}
} else {
${set_bool_var "in_imap" false}
}
if ${var_is_true "in_imap"} {
if ${
not (allof [
(environment_is "imap.cause" [
"APPEND"
"COPY"
""
])
(environment_is "imap.mailbox" [
"MagicRefilter"
""
])
])
} {
${maybe_debug "NOT doing anything cuz imap.cause and/or imap.mailbox isn't right"}
stop;
}
}
${set_envelope}
${set_var_from_environment "location" "env_location"}
${set_var_from_environment "phase" "env_phase"}
${set_var_from_environment "imap.user" "env_imap_user"}
${set_var_from_environment "imap.email" "env_imap_email"}
${set_var_from_environment "imap.cause" "env_imap_cause"}
${set_var_from_environment "imap.mailbox" "env_imap_mailbox"}
${set_var_from_environment "imap.changedflags" "env_imap_changedflags"}
${set_from {
condition = ''currentdate :matches "iso8601" "*"'';
var = "datetime";
}}
${set_with_interp "sieved_message" ''at ''${datetime} by ${config.vacu.versionId} loc ''${env_location} phase ''${env_phase} user ''${env_imap_user} email ''${env_imap_email} cause ''${env_imap_cause} mailbox ''${env_imap_mailbox} changedflags ''${env_imap_changedflags} envelope ''${dest}''}
${maybe_debug ''X-Vacu-Sieved: ''${sieved_message}''}
if ${ihave "envelope"} {
if envelope :all :matches "to" "*@*" {
${set_with_interp "userfor" (interp "1")}
} else {
error "i dunno what to do, theres no envelope";
}
}
elsif ${var_is_true "in_imap"} {
${set_with_interp "userfor" (interp "env_imap_user")}
}
else {
error "dont have envelope or imapsieve, dunno what to do";
}
if ${var_is "userfor" "shelvacu"} {
addheader "X-Vacu-Sieved" "''${sieved_message}";
removeflag "not-spamish";
removeflag "orders";
removeflag "banking";
removeflag "banking-statements";
removeflag "banking-transactions";
removeflag "A";
removeflag "B";
removeflag "B.subscriptions";
removeflag "C";
removeflag "D";
${pure_flags [ "wells-fargo" "banking" ] (envelope_is "wf-primary@shelvacu.com")}
${pure_flags
[ "wells-fargo-transactions" "banking-transactions" "B" ]
[
(has_flag "wells-fargo")
(subject_matches [
"You just got paid!"
"Wells Fargo card purchase exceeded preset amount"
"You made a payment"
"You made a credit card purchase of *"
"Your card wasn't present for a purchase"
"Account update"
"You've earned cash back from My Wells Fargo Deals"
"Confirmation of your Wells Fargo Rewards redemption"
"You sent money with Zelle(R)"
])
]
}
${pure_flags
[ "wells-fargo-statements" "banking-statements" "C" ]
[
(has_flag "wells-fargo")
(subject_matches [
"Your statement for credit card account *"
"Your statement for account *"
])
]
}
${pure_flags
[ "wells-fargo-action-required" "A" ]
[
# wf is actually careful about saying action required
(has_flag "wells-fargo")
(subject_matches "Action Required: *")
]
}
${pure_flags
[ "wells-fargo-misc" "A" ]
[
(has_flag "wells-fargo")
(not (has_flag "wells-fargo-transactions"))
(not (has_flag "wells-fargo-statements"))
(not (has_flag "wells-fargo-action-required"))
]
}
${pure_flags [ "chase" "banking" ] (envelope_is "chase@shelvacu.com")}
${pure_flags
[ "chase-transactions" "banking-transactions" "B" ]
[
(has_flag "chase")
(subject_matches [
"Your * payment is scheduled"
"You made a * transaction with *"
"Your * transaction with *"
"Chase security alert: You signed in with a new device"
])
]
}
${pure_flags
[ "chase-statements" "banking-statements" "C" ]
[
(has_flag "chase")
(subject_matches [
"Your credit card statement is available"
])
]
}
${pure_flags
[ "chase-spam" "D" ]
[
(has_flag "chase")
(anyof [
(header_is "From" "Chase Credit Journey <no.reply.alerts@chase.com>")
(subject_is [
"Review your recent activity"
"Good news: You may qualify for a credit line increase!"
"Your Chase card is available to use with Paze - Activate now!"
])
])
]
}
${pure_flags [ "experian" ] (envelope_is "fbyjemby@shelvacu.com")}
${pure_flags
[ "experian-spam" "D" ]
[
(has_flag "experian")
(subject_matches [
"*, your FICO* Score has been updated"
"Your monthly account statement is here, *"
])
]
}
${pure_flags
[ "paypal" "banking" ]
[
# can't go purely on envelope, because paypal loves to give my email to every merchant I interact with
(envelope_is "paypal@shelvacu.com")
(from_matches [
"*@paypal.com"
"*@*.paypal.com"
])
]
}
${pure_flags
[ "paypal-transactions" "banking-transactions" "B" ]
[
(has_flag "paypal")
(subject_matches [
"Receipt for your payment to *"
"*: $* USD"
"*: $* CAD"
"*: kr * SEK"
"You authorized a payment to *"
"You sent an automatic payment to *"
"Review your new automatic payment setup for *"
"You have a refund from *"
])
]
}
${pure_flags
[ "paypal-statements" "banking-statements" "C" ]
[
(has_flag "paypal")
(subject_matches [
"*, your * account statement is available."
])
]
}
${pure_flags [ "usps-id" ] (envelope_is "usps-id@shelvacu.com")}
${pure_flags
[ "usps-expected-delivery" "C" ]
[
(has_flag "usps-id")
(subject_matches "USPS* Expected Delivery *")
]
}
${pure_flags
[ "amazon-ignore" "C" ]
[
(envelope_is "amznbsns@shelvacu.com")
(subject_matches [
"Your Amazon.com order has shipped*"
"Your Amazon.com order of * has shipped!"
])
]
}
${pure_flags
[ "bandcamp-ignore" "C" ]
[
(envelope_is "bandcamp@shelvacu.com")
(subject_matches [
"* just announced a listening party on Bandcamp"
"New items from *"
"Starting in *"
"New from *"
])
]
}
${pure_flags
[ "bandcamp-not-ignore" "B.subscriptions" ]
[
(envelope_is "bandcamp@shelvacu.com")
''not hasflag "bandcamp-ignore"''
]
}
${pure_flags [ "ika-ignore" "D" ] (envelope_is "ika@dis8.net")}
${pure_flags
[ "ally-statement" "C" ]
[
(envelope_is "ally@shelvacu.com")
(subject_is "Your latest statement is ready to view.")
]
}
${pure_flags "bloomberg" (envelope_is "bloomberg@shelvacu.com")}
${pure_flags
[ "money-stuff" "not-spamish" ]
[
(envelope_is "bloomberg@shelvacu.com")
''header :matches "From" "\"Matt Levine\" *"''
]
}
${pure_flags
[ "money-stuff-podcast" "D" known_flags.read ]
[
(has_flag "money-stuff")
(subject_matches "Money Stuff: The Podcast:*")
]
}
${pure_flags
[ "money-stuff-not-podcast" "B.subscriptions" ]
[
(has_flag "money-stuff")
(not (has_flag "money-stuff-podcast"))
]
}
${pure_flags [ "git" "not-spamish" "B" ] (exists [
"X-GitHub-Reason"
"X-GitLab-Project"
])}
${pure_flags [ "git-uninsane" "git" "not-spamish" "B" ] (envelope_is "git-uninsane@shelvacu.com")}
${pure_flags [ "github" "git" "not-spamish" "B" ] (header_matches "List-Id" "*<*.github.com>")}
${pure_flags [ "mailing-list-by-envelope" "not-spamish" "B" ] (
envelope_matches "*-ml@shelvacu.com"
)}
${pure_flags [ "discourse" "not-spamish" "B" ] (exists "X-Discourse-Post-Id")}
${pure_flags [ "agora" "not-spamish" ] (envelope_is "agora@shelvacu.com")}
${pure_flags [ "postgres-list" "not-spamish" ] (
header_matches "List-Id" "<*.lists.postgresql.org>"
)}
${pure_flags [ "secureaccesswa" "not-spamish" "A" ] (from_is "help@secureaccess.wa.gov")}
${pure_flags [ "letsencrypt-mailing-list" "not-spamish" "B" ] (
envelope_is "lets-encrypt-mailing-list@shelvacu.com"
)}
${pure_flags [ "jmp-news" "not-spamish" "B" ] (header_matches "List-Id" "*<jmp-news.soprani.ca>")}
${pure_flags
[ "tf2wiki" "not-spamish" "B" ]
[
(envelope_is "tf2wiki@shelvacu.com")
(from_is "noreply@wiki.teamfortress.com")
]
}
${pure_flags "gmail-fwd" (envelope_is "gmailfwd-fc2e10bec8b2@shelvacu.com")}
${pure_flags [ "ebay" "orders" ] (envelope_is "ebay@shelvacu.com")}
${pure_flags
[ "ebay-delivered" "B" ]
[
(has_flag "ebay")
(subject_matches [
"*ORDER DELIVERED: *"
])
]
}
${pure_flags
[ "ebay-message" "B" ]
[
(has_flag "ebay")
(from_matches (map (domain: "*@members.${domain}") ebay_domains))
]
}
${pure_flags
[ "ebay-offer" "B" ]
[
(has_flag "ebay")
(subject_matches [
"You have an offer from the seller, *"
"You saw it at *, but the seller is now offering *"
])
]
}
${pure_flags
[ "ebay-order-update" "C" ]
[
(has_flag "ebay")
(subject_matches [
"Out for delivery: *"
"*DELIVERY UPDATE: *"
"*Order update: *"
"EARLY DELIVERY UPDATE: *"
"Important information regarding your Global Shipping Program transaction *" # ebay: "important information! your order is being shipped." why did you say this was ""important""???
"Your package is now with *"
"*Order confirmed: *"
"Your order is confirmed"
"Your order is in!"
"*An update on your order"
])
]
}
${pure_flags
[ "ebay-bid-ongoing-notification" "C" ]
[
(has_flag "ebay")
(subject_matches [
"Michael, your bid for * is winning"
"* just got a new bid."
])
]
}
${pure_flags
[ "ebay-feedback" "D" ]
[
(has_flag "ebay")
(subject_matches "Please provide feedback for your eBay items")
]
}
${pure_flags [ "royal-mail" "orders" ] (from_is "no-reply@royalmail.com")}
${pure_flags
[ "royal-mail-delivered" "B" ]
[
(has_flag "royal-mail")
(subject_matches "Your Royal Mail parcel has been delivered")
]
}
${pure_flags
[ "royal-mail-on-the-way" "D" ]
[
(has_flag "royal-mail")
(subject_matches "Your Royal Mail parcel is on its way")
]
}
${pure_flags [ "aliexpress" "orders" ] (from_is [
"transaction@notice.aliexpress.com"
"aliexpress@notice.aliexpress.com"
])}
${pure_flags
[ "aliexpress-delivered" "B" ]
[
(has_flag "aliexpress")
(from_is "transaction@notice.aliexpress.com")
(subject_matches "Order * has been signed for")
]
}
${pure_flags
[ "aliexpress" "orders" "C" ]
[
(has_flag "aliexpress")
(not (has_flag "aliexpress-delivered"))
]
}
${pure_flags [ "brandcrowd" "D" ] (envelope_is "brandcrowd@shelvacu.com")}
${pure_flags [ "cpapsupplies" "D" ] (envelope_is "cpapsupplies@shelvacu.com")}
${pure_flags [ "genshin" "D" ] (envelope_is "genshin@shelvacu.com")}
${pure_flags [ "jork" "B" ] (envelope_is "jork@shelvacu.com")}
${pure_flags [ "patreon" "not-spamish" ] (envelope_is "patreon@shelvacu.com")}
${pure_flags
[ "patreon-post" "B.subscriptions" ]
[
(has_flag "patreon")
(header_is "X-Mailgun-Tag" "template_newsletterpostcontrol")
]
}
${pure_flags
[ "patreon-free-member-digest" "D" ]
[
(has_flag "patreon")
(header_is "X-Mailgun-Tag" "template_freememberdigest")
]
}
${pure_flags
[ "patreon-other" "B" ]
[
(has_flag "patreon")
(not (has_flag "patreon-post"))
(not (has_flag "patreon-free-member-digest"))
]
}
${pure_flags [ "subscribestar-update" "B.subscriptions" ] [
(envelope_is "subscribestar@shelvacu.com")
(subject_matches "New post from * on SubscribeStar.com")
]}
${pure_flags [ "rsb" "B" ] (from_is "support@rapidseedbox.com")}
${pure_flags [ "fresh-avocado-dis8" "D" ] (envelope_is "fresh.avocado@dis8.net")}
${pure_flags [ "discord" "A" ] (envelope_matches "discord@*")}
${pure_flags [ "za-sa" "D" ] (from_matches [
"*@*.sa.com"
"*@*.za.com"
])}
${pure_flags [ "localdomain" "D" ] (from_matches [
"*@*.local"
"*@*.localdomain"
])}
${pure_flags [ "helium" "D" ] (envelope_is "creepyface@dis8.net")}
${pure_flags [ "sharkmood" "C" ] (envelope_is "sharkmood@dis8.net")}
${pure_flags [ "im-not-district-158" "D" ] (envelope_is [
"khamar.anderson@dis8.net"
"pbooth@dis8.net"
"sgaylor@dis8.net"
])}
${pure_flags [ "next-level-burger" "D" ] (header_matches "From" "*Next Level Burger*")}
${pure_flags [ "lyft" "D" ] (envelope_is "lyft@shelvacu.com")}
${pure_flags [ "coursera" "D" ] (from_matches "*.*.coursera.org")}
${pure_flags [ "taskrabbit" "D" ] (envelope_is "taskrabbit@shelvacu.com")}
${pure_flags [ "subscribestar_code" "A" ] (allof [
(envelope_is "subscribestar@shelvacu.com")
(subject_is "Your authentication code")
])}
${pure_flags "itch-io" (from_is "postmaster@itch.io")}
${pure_flags
[ "itch-io-update" "B.subscriptions" ]
[
(has_flag "itch-io")
(subject_matches "[itch.io] * update *")
]
}
${pure_flags
[ "lowering-the-bar" "B.subscriptions" ]
[
(envelope_is "ltb@shelvacu.com")
]
}
${pure_flags [ "hotels-com" "D" ] (from_matches [
"hotels.com"
"*.hotels.com"
])}
${pure_flags
[ "spamish-by-headers" "C" ]
[
(anyof [
(header_is "Precedence" "bulk")
(exists "List-Unsubscribe")
(exists "List-Unsubscribe-Post")
])
(not (has_flag "not-spamish"))
]
}
if hasflag "agora" {
${fileinto "M.agora"}
} elsif hasflag "postgres-list" {
${fileinto "M.postgres"}
} elsif hasflag "D" {
${fileinto "D"}
} elsif hasflag "C" {
${fileinto "C"}
} elsif hasflag "A" {
${fileinto "A"}
} elsif hasflag "B.subscriptions" {
${fileinto "B.subscriptions"}
} else {
${fileinto "B"}
}
}
# disable any sieve scripts that might want to run after this one
stop;
'';
pigeonhole_pkg = pkgs.dovecot_pigeonhole;
in
{
imports = [
# Allow running a sieve filter when a message gets moved to another folder in imap
# see https://doc.dovecot.org/2.3/configuration_manual/sieve/plugins/imapsieve/
{
services.dovecot2 = {
sieve.plugins = [ "sieve_imapsieve" ];
mailPlugins.perProtocol.imap.enable = [ "imap_sieve" ];
};
}
];
options.vacu.checkSieve = lib.mkOption {
readOnly = true;
default = pkgs.writeScriptBin "check-liam-sieve" ''
set -xev
${lib.escapeShellArgs [
(lib.getExe' pigeonhole_pkg "sieve-test")
"-c"
config.services.dovecot2.configFile
"-C" # force compilation
"-D" # enable sieve debugging
"-f"
"some-rando@example.com"
"-a"
"shelvacu@liam.dis8.net"
config.services.dovecot2.sieve.scripts.before
"/dev/null"
]}
'';
defaultText = "check-liam-sieve package";
};
options.vacu.liam-sieve-script = lib.mkOption {
readOnly = true;
default = pkgs.writeText "mainsieve" sieve_text;
defaultText = "mainsieve text package";
};
config = {
vacu.packages = [ pigeonhole_pkg ];
services.dovecot2.sieve = {
extensions = [
"fileinto"
"mailbox"
"editheader"
"vnd.dovecot.debug"
];
scripts.before = config.vacu.liam-sieve-script;
};
services.dovecot2.imapsieve.mailbox = [
{
name = "*";
causes = [
"APPEND"
"COPY"
"FLAG"
];
before = config.vacu.liam-sieve-script;
}
];
# services.dovecot2.mailboxes."magic-refilter".auto = "create";
};
}

23
hosts/liam/sops.nix
View File

@@ -1,23 +0,0 @@
{
config,
vacuModules,
...
}:
{
imports = [ vacuModules.sops ];
config.sops = {
secrets.dovecot-passwd = {
restartUnits = [ "dovecot2.service" ];
};
secrets.dkim_key = {
name = "dkimkeys/2024-03-liam.private";
restartUnits = [ "opendkim.service" ];
owner = config.services.opendkim.user;
};
secrets.relay_creds = {
restartUnits = [ "postfix.service" ];
owner = config.services.postfix.user;
};
};
}

22
hosts/mmm/default.nix
View File

@@ -1,22 +0,0 @@
{ inputs, ... }:
{
imports = [
inputs.nixos-apple-silicon.nixosModules.default
./hardware.nix
];
vacu.hostName = "mmm";
vacu.shell.color = "red";
vacu.verifySystem.enable = false;
vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
vacu.systemKind = "server";
# asahi recommends systemd-boot
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
hardware.asahi.peripheralFirmwareDirectory = ./firmware;
services.openssh.enable = true;
system.stateVersion = "24.05";
}

BIN
hosts/mmm/firmware/all_firmware.tar.gz
View File

Binary file not shown.

BIN
hosts/mmm/firmware/kernelcache.release.mac13g
View File

Binary file not shown.

69
hosts/mmm/hardware.nix
View File

@@ -1,69 +0,0 @@
{ lib, ... }:
let
btrfsopts = [
"noatime"
"compress=zstd"
];
in
{
boot.initrd.availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
"xhci_hcd"
"uas"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [ "subvol=root" ] ++ btrfsopts;
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/4e75b9ed-ac4f-48a2-b38c-c5026723171f";
# note: creation requires --new-key-file-size not --key-file-size
keyFileSize = 2048;
keyFile = "/dev/disk/by-partuuid/9d171b52-329e-4e21-9399-dcc66ff572cd";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4407-1EF3";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"nofail"
];
};
fileSystems."/nix/store" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [ "subvol=nix-store" ] ++ btrfsopts;
};
fileSystems."/btrfs-root" = {
device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
fsType = "btrfs";
options = [
"subvol=/"
"noauto"
] ++ btrfsopts;
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

44
hosts/nix-on-droid/default.nix
View File

@@ -1,44 +0,0 @@
{ lib, ... }:
{
imports = [ ./flake-registry.nix ];
vacu.shell.color = "white";
vacu.systemKind = "server";
environment.etc."resolv.conf".text = lib.mkForce ''
# nameserver 10.78.79.1
nameserver 9.9.9.10
nameserver 149.112.112.10
options timeout:1 attempts:5
'';
# Backup etc files instead of failing to activate generation if a file already exists in /etc
environment.etcBackupExtension = ".bak";
# Read the changelog before changing this value
system.stateVersion = "23.05";
# Set up nix for flakes
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# Set your time zone
time.timeZone = "America/Los_Angeles";
android-integration = {
am.enable = true;
termux-open.enable = true;
termux-open-url.enable = true;
termux-reload-settings.enable = true;
termux-setup-storage.enable = true;
termux-wake-lock.enable = true;
termux-wake-unlock.enable = true;
xdg-open.enable = true;
};
vacu.packages.jujutsu.enable = false; # build is borked on aarch64-linux
vacu.packages.gnupg.enable = true;
}

Some files were not shown because too many files have changed in this diff Show More