65 Commits

Author SHA1 Message Date
Shelvacu
135354ea65 wip 2024-09-18 11:17:59 -07:00
Shelvacu
2ff3cbe417 cleanup 2024-09-18 11:17:15 -07:00
Shelvacu
6c2e19d398 stuff 2024-09-18 10:35:46 -07:00
Shelvacu
eda2b3085d fix coopdx 2024-09-17 20:07:26 -07:00
Shelvacu
608c4899ec audio 2024-09-17 18:56:52 -07:00
Shelvacu
b54e90049b default verify expectedMac only 2024-09-17 17:23:07 -07:00
Shelvacu
046252da60 add legtop 2024-09-17 17:07:47 -07:00
Shelvacu
d587f2ae84 stuff 2024-09-17 15:48:53 -07:00
Shelvacu
9935f280c0 fix alias 2024-09-17 15:48:26 -07:00
shelvacu
5e62f70951 stuff 2024-09-15 15:48:27 -07:00
shelvacu
c99528ad0a fix minimal for nod 2024-09-15 15:37:47 -07:00
shelvacu
063869e616 stuff 2024-09-15 15:09:38 -07:00
Shelvacu
d365fe304a stuff 2024-09-15 15:03:23 -07:00
Shelvacu
0bce429ad0 stuff 2024-09-15 15:01:28 -07:00
Shelvacu
bb1c2bbbb8 stuff 2024-09-15 14:20:40 -07:00
Shelvacu
b17125ebaf stuff 2024-09-15 14:19:10 -07:00
Shelvacu
7ca34cf82c updaaaaaate 2024-09-14 19:50:12 -07:00
Shelvacu
bfda13b128 massively shrink liam closure size 2024-09-14 14:40:20 -07:00
shelvacu
04d47744d7 screw snmp 2024-09-14 12:45:28 -07:00
Shelvacu
64c031ed71 waydroid 2024-09-14 11:39:35 -07:00
shelvacu
53141d7be7 mark broken sm64coopdx build 2024-09-14 11:00:01 -07:00
Shelvacu
4a2ad61a8b fmt 2024-09-14 10:47:22 -07:00
Shelvacu
12827583f2 stuff 2024-09-14 10:45:23 -07:00
Shelvacu
e6b5c98bcd nixos-rebuild --use-remote-sudo no more 2024-09-14 10:35:42 -07:00
shelvacu
014961aef8 stuff 2024-09-14 00:51:55 -07:00
Shelvacu
ccba74fb9c stuff 2024-09-13 21:30:56 -07:00
Shelvacu
6bb5486180 i dont care about """"unfree"""" 2024-09-13 21:29:33 -07:00
Shelvacu
9dc0718386 reorganize shell functions 2024-09-13 20:48:59 -07:00
Shelvacu
27bd4077cf fmt run 2024-09-13 20:24:23 -07:00
Shelvacu
54abbe179a stuff 2024-09-13 20:20:18 -07:00
Shelvacu
76036a25b2 stuff 2024-09-13 20:19:56 -07:00
Shelvacu
8b062011ad nixvim 2024-09-13 20:18:24 -07:00
Shelvacu
cfb2b44b77 stuff 2024-09-13 19:42:33 -07:00
shelvacu
332d43e768 stuff 2024-09-13 18:04:15 -07:00
Shelvacu
1f8bd06367 allWithBuildDeps -> archive, try to avoid builing iso every time 2024-09-13 17:52:32 -07:00
shelvacu
c7921cb8ed reorg fwupd 2024-09-13 16:35:18 -07:00
shelvacu
74180f9a41 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-09-13 13:43:25 -07:00
Shelvacu
d80f4b3a02 all da tunderbolt 2024-09-13 13:13:42 -07:00
Shelvacu
4c4c4dc675 more thunderbolt 2024-09-12 20:20:21 -07:00
Shelvacu
46dea07a6f add thunderbolt management pkg 2024-09-12 20:12:58 -07:00
Shelvacu
3e1f3b4c97 verify against permaddrs as well 2024-09-12 16:03:21 -07:00
Shelvacu
56fdf9c128 add pixel 9 pro nix-on-droid key 2024-09-12 15:52:48 -07:00
Shelvacu
a459afdad2 verify system, no more oopsies hopefully 2024-09-11 09:32:57 -07:00
Shelvacu
94e08bc6fe wip 2024-09-10 23:46:16 -07:00
Shelvacu
def7296ec7 formatter run 2024-09-10 20:05:01 -07:00
shelvacu
82819646b1 nix flake update + yeet devver 2024-09-09 20:30:09 -07:00
shelvacu
c31446e3cb coopdx: put baserom in the right spot 2024-09-07 17:28:17 -07:00
Shelvacu
b707e6ae8d add sm64coopdx 2024-09-05 15:10:25 -07:00
Shelvacu
420a2d8d02 aaaaaaa 2024-09-04 23:37:53 -07:00
Shelvacu
0c546acefd nixvim initial 2024-09-04 15:59:08 -07:00
Shelvacu
1b13226c50 F O R M A T 2024-09-03 04:29:32 -07:00
Shelvacu
4876654145 fix initial ps1 2024-09-02 22:57:11 -07:00
shelvacu
9ed4e80418 add bootstrap 2024-09-02 22:44:09 -07:00
shelvacu
46ec04a967 update flake inputs 2024-09-02 02:44:28 -07:00
Shelvacu
311fbb0904 Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff 2024-09-02 02:24:35 -07:00
Shelvacu
6453c4cdf0 give all the machines different color shells. yay! 2024-09-02 01:50:35 -07:00
Shelvacu
1a74b58b44 stuff 2024-09-01 10:30:31 -07:00
Shelvacu
4f256663ae reorg 2024-08-29 19:35:53 -07:00
shelvacu
4c6df8c5e5 unify some inputs 2024-08-29 09:18:43 -07:00
shelvacu
7312aab991 update flake 2024-08-28 23:11:43 -07:00
shelvacu
c56a26ff6d all is now all all 2024-08-28 22:43:46 -07:00
Shelvacu
88af0f1e93 add curl 2024-08-28 17:17:27 -07:00
Shelvacu
1b3aa80fe9 Merge branch 'restricted-inputs' 2024-08-28 17:15:01 -07:00
shelvacu
fccda582ef gimp 2024-08-23 10:49:20 -07:00
Shelvacu
addf748d1f wip 2024-08-21 17:11:38 -07:00
78 changed files with 3651 additions and 2012 deletions


@@ -34,6 +34,21 @@ creation_rules:
- *j
- *k
- *liam
- path_regex: ^secrets/triple-dezert/
key_groups:
- age:
- *a
- *b
- *c
- *d
- *e
- *f
- *g
- *h
- *i
- *j
- *k
- *trip
- path_regex: ^tests/test_secrets/
key_groups:
- age:


@@ -1,13 +1,31 @@
more just notes for now
---
deploy:
```sh
nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
```
---
build flake on remote machine, including eval:
```sh
git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
```
---
search for string in closure
```sh
rg search_str $(nix path-info --recursive ./result)
```
or
```sh
rg search_str $(nix path-info --recursive .#qb.trip)
```


@@ -1,86 +0,0 @@
{ config, lib, pkgs, ... }: let
inherit (lib) mkOption types;
cfg = builtins.attrValues config.vacu.shell.functions;
enabled = builtins.filter (o: o.enable) cfg;
writeShellFunction = name: text: pkgs.writeTextFile {
inherit name;
executable = false;
destination = "/share/vacufuncs/${name}";
text = ''
${text}
'';
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
};
in {
options = {
vacu.shell.functionsDir = mkOption {
type = types.path;
};
vacu.shell.interactiveLines = mkOption {
type = types.lines;
default = "";
};
vacu.shell.functions = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
name = mkOption {
type = types.str;
default = name;
readonly = true;
};
content = mkOption {
type = types.str;
default = "";
};
enable = mkOption {
type = types.bool;
default = config.content != "";
defaultText = ''${name}.content != ""'';
};
};
}));
};
};
config = {
_module.args.vaculib.writeShellFunction = writeShellFunction;
vacu.shell.interactiveLines = ''
if [[ $- == *i* ]] && [[ -f ${config.vacu.shell.functionsDir}/vacureload ]]; then
function __vacushell_load() { eval "$(cat ${config.vacu.shell.functionsDir}/vacureload)"; }
__vacushell_load
unset __vacushell_load
fi
'';
vacu.packages.vacureload.enable = true;
vacu.packages.vacureload.package = let
inherit (config.vacu.shell) functionsDir;
in writeShellFunction "vacureload" ''
declare -gA vacuShellFunctionsLoaded
if ! [[ -f ${functionsDir}/vacureload ]]; then
echo "vacureload: I think that's my cue to leave (${functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
unset -f $funcname
done
return
fi
for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
if ! [[ -f ${functionsDir}/$funcname ]]; then
unset -f $funcname
fi
done
for fullPath in ${functionsDir}/*; do
local funcname="$(basename "$fullPath")"
local followedPath="$(readlink -f "$fullPath")"
if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
unset -f $funcname
eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
vacuShellFunctionsLoaded[$funcname]=$followedPath
fi
unset followedPath
unset funcname
done
'';
};
}


@@ -0,0 +1,79 @@
{
pkgs,
config,
inputs,
lib,
...
}: lib.mkMerge [
(lib.mkIf (!config.vacu.minimal) {
vacu.packages =
(with pkgs; [
home-manager
nix-index
rclone
termscp
man
neovim
nmap
ruby
])
++ [
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
];
}) {
vacu.packages =
with pkgs; [
nixos-rebuild
which
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
pv
unzip
file
ripgrep
jq
units
tree
iputils
ssh-to-age
sops
inetutils
diffutils
findutils
utillinux
tzdata
hostname
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
usbutils
psutils
killall
git
curl
];
}
]
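Review bot: `unzip` is listed twice in the always-installed set (once right after `pv`, again after `zip`), and `utillinux` is the legacy alias of `util-linux`, which stops evaluating on a nixpkgs with `allowAliases = false`; drop the duplicate and write `util-linux`. Because `vacu.packages` coerces this list into an attribute set keyed by name, the duplicate is harmless at evaluation time but misleading to read. The enclosing `lib.mkMerge` expression is complete within the hunk.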


@@ -1,5 +1,7 @@
{ ... }: let
{ ... }:
let
in {
in
{
imports = [ ./common-but-not.nix ];
}

common/minimal-nixos.nix Normal file

@@ -0,0 +1,45 @@
{
config,
pkgs,
lib,
...
}: let
inherit (lib) mkIf mkDefault;
in
{
config = mkIf config.vacu.minimal {
programs.git.lfs.enable = false;
programs.git.package = pkgs.gitMinimal;
# mostly copied from nixos's /profiles/minimal.nix
environment.noXlibs = mkDefault true;
documentation.enable = mkDefault false;
documentation.doc.enable = mkDefault false;
documentation.info.enable = mkDefault false;
documentation.man.enable = mkDefault false;
documentation.nixos.enable = mkDefault false;
# Perl is a default package.
environment.defaultPackages = mkDefault [ ];
environment.stub-ld.enable = false;
# The lessopen package pulls in Perl.
programs.less.lessopen = mkDefault null;
programs.command-not-found.enable = mkDefault false;
services.logrotate.enable = mkDefault false;
services.udisks2.enable = mkDefault false;
xdg.autostart.enable = mkDefault false;
xdg.icons.enable = mkDefault false;
xdg.mime.enable = mkDefault false;
xdg.sounds.enable = mkDefault false;
};
}


@@ -1,93 +1,63 @@
{ config, pkgs, lib, inputs, ... }: let
{
config,
pkgs,
lib,
inputs,
...
}:
let
inherit (lib) mkOption types;
inherit (inputs) self;
in {
imports = [ ./package-set.nix ./not-aliases.nix ./ssh.nix ];
in
{
imports = [
./package-set.nix
./shell
./nixvim.nix
./ssh.nix
./nix.nix
./verify-system
./defaultPackages.nix
];
options = {
vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
vacu.rootCAs = mkOption { type = types.listOf types.str; };
vacu.versionId = mkOption { type = types.str; readOnly = true; };
vacu.versionId = mkOption {
type = types.str;
readOnly = true;
};
vacu.versionInfo = mkOption { readOnly = true; };
vacu.hostName = mkOption { type = types.str; };
vacu.shortHostName = mkOption {
type = types.str;
default = config.vacu.hostName;
};
vacu.nixvimPkg = mkOption { readOnly = true; };
vacu.minimal = lib.mkEnableOption "minimal system";
};
config = {
vacu.packages = with pkgs; [
home-manager
nixos-rebuild
which
nano
vim
wget
screen
tmux
lsof
htop
mosh
dnsutils
iperf3
nmap
rsync
ethtool
sshfs
ddrescue
pciutils
ncdu
nix-index
git
pv
unzip
file
ripgrep
jq
units
tree
rclone
iputils
ssh-to-age
sops
inetutils
neovim
diffutils
findutils
utillinux
tzdata
hostname
man
gnugrep
gnused
gnutar
bzip2
gzip
xz
zip
unzip
openssh
dig
bash
termscp
usbutils
ruby
psutils
killall
git
inputs.nix-search-cli.packages.${pkgs.system}.default
inputs.nix-inspect.packages.${pkgs.system}.default
];
vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
vacu.versionInfo = {
id = config.vacu.versionId;
id = self.rev or self.dirtyRev;
flakePath = self.outPath;
inherit inputs;
} // (if config.nixpkgs ? flake then { nixpkgs = config.nixpkgs.flake.source; } else {});
vacu.nix.caches.nixcache-shelvacu = {
url = "https://nixcache.shelvacu.com/";
keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
};
vacu.nix.caches.nix-community = {
url = "https://nix-community.cachix.org/";
keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
};
vacu.nix.caches.nix-on-droid = {
url = "https://nix-on-droid.cachix.org/";
keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
};
vacu.nix.caches.nixos = {
url = "https://cache.nixos.org/";
keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
};
vacu.nix.extraSubstituters = [
"https://nixcache.shelvacu.com/"
"https://nix-community.cachix.org/"
"https://nix-on-droid.cachix.org/"
];
vacu.nix.extraTrustedKeys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
"nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU="
];
vacu.rootCAs = [
''
-----BEGIN CERTIFICATE-----
@@ -113,9 +83,9 @@ in {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC" # pixel9pro nix-on-droid
];
vacu.ssh.config = ''
Host deckvacu
@@ -169,12 +139,16 @@ in {
"ostiary" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
};
"habitat" = { # previously known as zigbee-hub
"habitat" = {
# previously known as zigbee-hub
extraHostNames = [ "10.78.79.114" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
};
"vnopn" = {
extraHostNames = [ "10.78.79.1" "vnopn.t2d.lan" ];
extraHostNames = [
"10.78.79.1"
"vnopn.t2d.lan"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
};
@@ -186,22 +160,36 @@ in {
#personal hosts
trip = {
extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
extraHostNames = [
"triple-dezert"
"trip.shelvacu.com"
"[trip.shelvacu.com]:6922"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
};
servacu = {
extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
extraHostNames = [
"mail.dis8.net"
"servacu.shelvacu.com"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
};
finaltask = {
extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
extraHostNames = [
"rsb"
"finaltask.xyz"
"[finaltask.xyz]:2222"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
};
compute-deck = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
};
"2esrever" = {
extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
extraHostNames = [
"10.4.5.218"
"10.244.46.71"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
};
awoo = {
@@ -212,13 +200,12 @@ in {
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
};
liam = {
extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
extraHostNames = [
"liam.dis8.net"
"178.128.79.152"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
};
devver = {
extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
};
fw = {
extraHostNames = [ "fw.t2d.lan" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";


@@ -1,16 +1,21 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (lib) mkDefault;
in
{
imports = [
./module.nix
./commands.nix
./common-but-not.nix
];
environment.packages = config.vacu.packageList;
environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
nix.substituters = config.vacu.nix.extraSubstituters;
nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
environment.etc.profile.text = config.vacu.shell.interactiveLines;
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
vacu.hostName = mkDefault "nix-on-droid";
vacu.shortHostName = mkDefault "nod";
}

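--- /dev/null
+++ b/common/nix.nix
@@ -0,0 +1,36 @@
+{ lib, config, ... }:
+let
+inherit (lib) mkOption types;
+caches = builtins.attrValues config.vacu.nix.caches;
+enabledCaches = builtins.filter (c: c.enable) caches;
+in
+{
+options = {
+vacu.nix.caches = mkOption {
+type = types.attrsOf (
+types.submodule (
+{ name, ... }:
+{
+options = {
+url = mkOption { type = types.str; };
+keys = mkOption {
+type = types.listOf types.str;
+default = [ ];
+};
+enable = mkOption {
+default = true;
+type = types.bool;
+};
+};
+}
+)
+);
+};
+vacu.nix.substituterUrls = mkOption { readOnly = true; };
+vacu.nix.trustedKeys = mkOption { readOnly = true; };
+vacu.nix.plainOptions = mkOption { };
+};
+config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
+config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
+config.vacu.nix.plainOptions.allowUnfree = true;
+}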
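Review bot: `keys` defaults to `[ ]`, so a cache entry that forgets its key is still emitted into `substituterUrls` while contributing nothing to `trustedKeys`; Nix then rejects every path from that cache as unsigned, which is safe but confusing to debug. Requiring a key turns that mistake into an evaluation error: `keys = mkOption { type = types.nonEmptyListOf types.str; };` — unless an unsigned cache is genuinely intended, in which case a `description` saying so would help. `substituterUrls` and `trustedKeys` are declared without a `type`; `type = types.listOf types.str;` on both documents the shape that the consumers elsewhere in this commit feed straight into `nix.settings` with `lib.mkForce`.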

common/nixos-rebuild.nix Normal file

@@ -0,0 +1,33 @@
{
pkgs,
config,
lib,
...
}:
let
nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
in
{
options.vacu.alwaysUseRemoteSudo =
(lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
// {
default = true;
};
config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
system.build.nixos-rebuild = lib.mkForce (
pkgs.runCommandLocal "nixos-rebuild-wrapped"
{
nativeBuildInputs = [ pkgs.makeShellWrapper ];
meta.mainProgram = "nixos-rebuild";
}
''
runHook preInstall
mkdir -p $out/bin
makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
runHook postInstall
''
);
};
}
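Review bot: The option description `always deploy to this machine with --use-remote-sudo` describes the opposite direction from what the module does: `system.build.nixos-rebuild` is, as far as I can tell, the `nixos-rebuild` program installed on this host, so the wrapper adds `--use-remote-sudo` to every deployment run *from* this machine towards whatever `--target-host` is given, and a plain local `nixos-rebuild switch` receives the flag too (where it appears to be inert). Suggest `lib.mkEnableOption "adding --use-remote-sudo to every nixos-rebuild invocation made from this machine"` plus a comment above `system.build.nixos-rebuild` noting that the override replaces the binary that ends up in the system path. That comment should also state that the flag only changes how the remote side runs commands (via sudo after ssh as the calling user) and grants nothing by itself.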


@@ -1,49 +1,64 @@
{ lib, pkgs, config, inputs, utils, ... }:
{
imports = [ ./module.nix ./commands.nix ./common-but-not.nix ];
lib,
pkgs,
config,
utils,
...
}:
{
imports = [
./module.nix
./common-but-not.nix
./verify-system/nixos.nix
./nixos-rebuild.nix
./minimal-nixos.nix
];
options.vacu.underTest = lib.mkOption {
default = false;
type = lib.types.bool;
};
options.vacu.acmeCertDependencies = lib.mkOption {
default = {};
default = { };
example = ''
vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
'';
type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
};
config = let
for-systemd-services = lib.concatMapAttrs
(cert: units:
{
config =
let
for-systemd-services = lib.concatMapAttrs (cert: units: {
"acme-selfsigned-${cert}" = {
wantedBy = units;
before = units;
};
}
)
config.vacu.acmeCertDependencies;
for-security-acme-certs = lib.concatMapAttrs
(cert: units:
{
}) config.vacu.acmeCertDependencies;
for-security-acme-certs = lib.concatMapAttrs (cert: units: {
${cert}.reloadServices = units;
}
)
config.vacu.acmeCertDependencies;
in {
}) config.vacu.acmeCertDependencies;
in
{
# the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
# presumably needed by nheko
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
console = {
keyMap = lib.mkDefault "us";
};
networking.hostName = config.vacu.hostName;
vacu.packages."xorg-xev" = {
enable = config.services.xserver.enable;
package = pkgs.xorg.xev;
};
environment.systemPackages = config.vacu.packageList;
programs.git = {
programs.git = lib.mkDefault {
enable = true;
lfs.enable = true;
};
system.nixos.tags = [ "vacu${config.vacu.versionId}" ];
programs.nix-ld.enable = true;
system.nixos.tags = [
"vacu${config.vacu.versionId}"
config.vacu.hostName
];
environment.etc."vacu.json".text = builtins.toJSON config.vacu.versionInfo;
i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
@@ -72,16 +87,21 @@
termcapinfo xterm* ti@:te@
maptimeout 5
'';
} // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
} // (if config.system.nixos.release == "23.11" then { } else { enable = true; });
programs.tmux.enable = true;
programs.tmux.extraConfig = "setw mouse";
programs.tmux.clock24 = true;
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
substituters = config.vacu.nix.extraSubstituters;
trusted-public-keys = config.vacu.nix.extraTrustedKeys;
experimental-features = [
"nix-command"
"flakes"
];
substituters = lib.mkForce config.vacu.nix.substituterUrls;
extra-substituters = lib.mkForce [ ];
trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
extra-trusted-public-keys = lib.mkForce [ ];
};
nixpkgs.config.allowUnfree = lib.mkDefault true;
@@ -95,5 +115,6 @@
environment.pathsToLink = [ "/share/vacufuncs" ];
vacu.shell.functionsDir = "/run/current-system/sw/share/vacufuncs";
programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
programs.bash.promptInit = lib.mkForce "";
};
}
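Review bot: `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];` sits in the shared config block, so every host importing this module accepts that olm build whether or not it installs nheko; the rendered hunk does not show whether the line is new here, but either way it belongs in the host configuration(s) that actually pull in nheko, with the comment naming what depends on it instead of dismissing the warning. `programs.nix-ld.enable = true;` is likewise switched on unconditionally, including on systems that set `vacu.minimal`; `programs.nix-ld.enable = lib.mkIf (!config.vacu.minimal) true;` would match how the rest of the minimal profile is gated. The `nix.settings` block that forces `substituters`/`trusted-public-keys` and empties the `extra-*` variants makes the cache list the single source of trust, which is the intended effect; a one-line comment there saying that caches must be added through `vacu.nix.caches` would stop someone from re-adding `extra-substituters` and wondering why it is ignored.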

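--- /dev/null
+++ b/common/nixvim.nix
@@ -0,0 +1,15 @@
+{
+pkgs,
+config,
+inputs,
+lib,
+...
+}:
+{
+vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
+vacu.shell.functions = lib.mkIf (!config.vacu.minimal) {
+nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
+nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
+nvim = ''nvim-nixvim "$@"'';
+};
+}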


@@ -1,9 +1,21 @@
{ config, pkgs, lib, ... }: let
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkOption types;
pkgOptions = builtins.attrValues config.vacu.packages;
enabledOptions = builtins.filter (o: o.enable) pkgOptions;
enabledPkgs = builtins.map (o: o.package) enabledOptions;
packagesSetType = types.attrsOf (types.submodule ({ name, config, options, ... }: {
packagesSetType = types.attrsOf (
types.submodule (
{
name,
...
}:
{
options = {
enable = mkOption {
type = types.bool;
@@ -15,20 +27,42 @@
defaultText = "pkgs.${name}";
};
};
}));
packageListToSet = (from: let
keyvals = map (val:
}
)
);
packageListToSet = (
from:
let
keyvals = map (
val:
if builtins.isString val then
{ name = val; value = { package = pkgs."${val}"; enable = lib.mkDefault true; }; }
{
name = val;
value = {
package = pkgs."${val}";
enable = lib.mkDefault true;
};
}
else
{ name = val.name; value = { package = val; enable = lib.mkDefault true; }; }
{
name = val.pname or val.name;
value = {
package = lib.mkDefault val;
enable = lib.mkDefault true;
};
}
) from;
in builtins.listToAttrs keyvals);
in {
in
builtins.listToAttrs keyvals
);
in
{
options = {
vacu.packages = mkOption {
default = {};
type = types.coercedTo (types.listOf (types.either types.str types.package)) packageListToSet packagesSetType;
default = { };
type = types.coercedTo (types.listOf (
types.either types.str types.package
)) packageListToSet packagesSetType;
};
vacu.packageList = mkOption {
type = types.listOf types.package;
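Review bot: `name = val.pname or val.name;` keys a derivation by its `pname`, while the string branch above keys by the attribute path as written; the two only coincide when the nixpkgs attribute name equals the package's pname, so the same package listed as a string in one module and as a derivation in another can land under two different keys instead of merging into one. A comment on the `val.pname or val.name` line stating that the key is the pname for derivations and the literal string otherwise would make this visible, and `package = lib.mkDefault val;` deserves a note that it exists so a submodule-style definition of the same key can override the package. `packageListToSet` is complete within the hunk, but the `vacu.packageList` option it feeds continues past it.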

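--- /dev/null
+++ b/common/shell/default.nix
@@ -0,0 +1,95 @@
+{
+config,
+lib,
+pkgs,
+vaculib,
+...
+}:
+let
+inherit (lib) mkOption types;
+cfg = config.vacu.shell;
+writeShellFunction =
+name: text:
+pkgs.writeTextFile {
+inherit name;
+executable = false;
+destination = "/share/vacufuncs/${name}";
+text = ''
+${text}
+'';
+checkPhase = ''
+${pkgs.stdenv.shellDryRun} "$target"
+'';
+};
+functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
+in
+{
+imports = [
+./not-aliases.nix
+./ps1.nix
+];
+options = {
+vacu.shell.functionsDir = mkOption { type = types.path; };
+vacu.shell.interactiveLines = mkOption {
+type = types.lines;
+default = "";
+};
+vacu.shell.idempotentShellLines = mkOption {
+type = types.lines;
+default = "";
+};
+vacu.shell.color = mkOption { type = types.enum (builtins.attrNames vaculib.shellColors); };
+vacu.shell.functions = mkOption { type = types.attrsOf types.str; };
+};
+config = {
+_module.args.vaculib = {
+# https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+shellColors = {
+black = 30;
+red = 31;
+green = 32;
+yellow = 33;
+blue = 34;
+magenta = 35;
+cyan = 36;
+white = 37;
+};
+};
+vacu.shell.interactiveLines = ''
+if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
+function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
+__vacushell_load
+unset __vacushell_load
+fi
+'';
+vacu.shell.functions."vacureload" = ''
+declare -gA vacuShellFunctionsLoaded
+if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
+echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
+for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+unset -f $funcname
+done
+return
+fi
+for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
+if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
+unset -f $funcname
+fi
+done
+for fullPath in ${cfg.functionsDir}/*; do
+local funcname="$(basename "$fullPath")"
+local followedPath="$(readlink -f "$fullPath")"
+if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
+unset -f $funcname
+eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
+vacuShellFunctionsLoaded[$funcname]=$followedPath
+fi
+unset followedPath
+unset funcname
+done
+__set_idempotents
+'';
+vacu.shell.functions."__set_idempotents" = cfg.idempotentShellLines;
+vacu.packages = functionPackages;
+};
+}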
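Review bot: `vacu.shell.color` is declared without a `default`, so every system importing this module must set it or evaluation fails with an undefined-option error as soon as `ps1.nix` reads `colors.${cfg.color}`; that looks intentional (each machine gets its own colour) and deserves `description = "Prompt colour for this host; must be set per host.";` so the failure is self-explanatory. The `vaculib` module argument is read inside `options` (`builtins.attrNames vaculib.shellColors`) and provided by this same module under `_module.args.vaculib`; that works because module arguments resolve lazily, but, if I recall the module system correctly, `_module.args` entries do not merge, so a second module defining `_module.args.vaculib` (as the deleted module did for `writeShellFunction`) fails at evaluation. A one-line comment above `_module.args.vaculib` saying it must remain the single definition would save the next editor that surprise.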


@@ -1,10 +1,20 @@
# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
{ pkgs, vaculib, ... }: let
{ pkgs, ... }:
let
inherit (pkgs) writeScriptBin;
inherit (vaculib) writeShellFunction;
in {
in
{
vacu.packages = [
(writeScriptBin "ms" ''
set -e
if [[ $# != 1 ]]; then
echo "wrong number of args" 1>&2
exit 1
fi
set -x
mosh -- $1 screen -Rd
'')
(writeScriptBin "mss" ''
set -e
if [[ $# != 1 ]]; then
echo "wrong number of args" 1>&2
@@ -21,14 +31,15 @@ in {
exit 1
fi
done
rm $@
rm "$@"
'')
(writeShellFunction "nd" ''
];
vacu.shell.functions = {
nd = ''
declare -a args
args=("$@")
mkdir "''${args[@]}" && cd "''${args[-1]}"
'')
(writeShellFunction "td" ''pushd $(mktemp "$@")'')
];
'';
nt = ''pushd $(mktemp -d "$@")'';
};
}
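Review bot: `nt = ''pushd $(mktemp -d "$@")'';` leaves the command substitution unquoted, so a `TMPDIR` containing whitespace word-splits before `pushd` sees it; the quoting this hunk just applied to `rm "$@"` belongs here too: `nt = ''pushd "$(mktemp -d "$@")"'';`. The `mss` script whose closing lines open this hunk starts outside it.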

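--- /dev/null
+++ b/common/shell/ps1.nix
@@ -0,0 +1,36 @@
+{
+config,
+lib,
+vaculib,
+...
+}:
+let
+cfg = config.vacu.shell;
+# https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+colors = vaculib.shellColors;
+# https://man.archlinux.org/man/bash.1#PROMPTING
+# \[ and \] begins and ends "a sequence of non-printing characters"
+set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
+set_inverted_color = colornum: ''\[\e[1;37;${toString (colornum + 10)}m\]'';
+reset_color = ''\[\e[0m\]'';
+colornum = colors.${cfg.color};
+root_text = root: lib.optionalString root "ROOT@";
+final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
+default_ps1 =
+root:
+''\n''
++ (set_color colornum)
++ ''${root_text root}${config.vacu.shortHostName}:\w''
++ (final root)
++ reset_color
++ " ";
+in
+{
+vacu.shell.idempotentShellLines = ''
+if [ $UID = 0 ]; then
+export PS1=${lib.escapeShellArg (default_ps1 true)}
+else
+export PS1=${lib.escapeShellArg (default_ps1 false)}
+fi
+'';
+}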


@@ -1,31 +1,57 @@
{ pkgs, lib, config, ... }: let
inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
{
pkgs,
lib,
config,
...
}:
let
inherit (lib)
mkOption
types
flip
concatMapStringsSep
optionalString
concatStringsSep
readFile
mapAttrsToList
literalExpression
;
inherit (builtins) attrValues;
cfg = config.vacu;
knownHosts = attrValues cfg.ssh.knownHosts;
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
knownHostsText =
(flip (concatMapStringsSep "\n") knownHosts (
h:
assert h.hostNames != [ ];
optionalString h.certAuthority "@cert-authority "
+ concatStringsSep "," h.hostNames
+ " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
in {
))
+ "\n";
in
{
options = {
vacu.ssh.knownHostsText = mkOption {
type = types.str;
readOnly = true;
default = knownHostsText;
};
vacu.ssh.authorizedKeys = mkOption {
type = types.listOf types.str;
};
vacu.ssh.config = mkOption {
type = types.lines;
};
vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
vacu.ssh.config = mkOption { type = types.lines; };
# Straight copied from nixpkgs
# https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
vacu.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
default = { };
type = types.attrsOf (
types.submodule (
{
name,
config,
options,
...
}:
{
options = {
certAuthority = mkOption {
type = types.bool;
@@ -51,7 +77,7 @@ in {
};
extraHostNames = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
description = ''
A list of additional host names and/or IP numbers used for
accessing the host's ssh service. This list is ignored if
@@ -84,7 +110,9 @@ in {
'';
};
};
}));
}
)
);
description = ''
The set of system-wide known SSH hosts. To make simple setups more
convenient the name of an attribute in this set is used as a host name
@@ -107,10 +135,13 @@ in {
}
'';
};
config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (name: data: {
assertion = (data.publicKey == null && data.publicKeyFile != null) ||
(data.publicKey != null && data.publicKeyFile == null);
config.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
name: data: {
assertion =
(data.publicKey == null && data.publicKeyFile != null)
|| (data.publicKey != null && data.publicKeyFile == null);
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
});
}
);
};
}


@@ -0,0 +1,60 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib) mkOption mkEnableOption types;
cfg = config.vacu.verifySystem;
in
{
options.vacu.verifySystem = {
enable = (mkEnableOption "verify system is what is expected") // {
default = true;
};
verifiers = mkOption {
default = { };
type = types.attrsOf (
types.submodule (
{ name, config, ... }:
{
options = {
enable = mkEnableOption "Enable system ident check ${name}";
name = mkOption {
type = types.str;
default = name;
};
script = mkOption {
type = types.lines;
default = "## system ident check ${config.name}";
};
};
}
)
);
};
verifyAllScript =
let
verifiers = (builtins.attrValues cfg.verifiers);
enabled = builtins.filter (s: s.enable) verifiers;
files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
script = ''
## vacu verify-system
for f in ${lib.concatStringsSep " " files}; do
echo "verifying system with $f"
if ! source $f; then
echo "ERR: $f failed" >&2
return 1
fi
done
'';
scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
in
mkOption {
readOnly = true;
default = scriptFile;
};
};
}
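Review bot: `mkEnableOption "Enable system ident check ${name}"` yields the description `Whether to enable Enable system ident check …`, because `mkEnableOption` already prefixes `Whether to enable`; `enable = mkEnableOption "system ident check ${name}";` reads correctly. `verifyAllScript` is an undocumented read-only option whose contract matters to its callers: it is meant to be `source`d, runs the enabled verifiers in attribute-name order (`builtins.attrValues` sorts by key) and stops with `return 1` at the first failing one — a `description` stating those three facts would help anyone wiring it into another entry point. `source $f` can become `source "$f"` for consistency with the quoting elsewhere, even though store paths carry no whitespace.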


@@ -0,0 +1,65 @@
{
lib,
config,
pkgs,
...
}:
let
inherit (lib) mkOption types;
in
{
options.vacu.verifySystem.expectedMac = mkOption {
type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
default = null;
};
config = lib.mkIf config.vacu.verifySystem.enable {
# system.activationScripts."00-verify-system" = {
# text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
# supportsDryActivation = true;
# };
system.extraSystemBuilderCmds = ''
mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
cat <<EOF > $out/bin/switch-to-configuration
#!${pkgs.bash}/bin/bash
oldpath="$PATH"
export PATH="${pkgs.coreutils}/bin"
if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
export PATH="$oldpath"
exec $out/bin/.switch-to-configuration-unverified "\$@"
EOF
${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
'';
vacu.verifySystem.verifiers = {
hostname = {
enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
script = ''
expected=${config.networking.hostName}
actual=$(cat /proc/sys/kernel/hostname)
if [[ "$expected" != "$actual" ]]; then
echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
return 1
fi
'';
};
expectedMac = {
enable = config.vacu.verifySystem.expectedMac != null;
script = ''
expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
for ifMac in "''${actual[@]}"; do
if [[ "$ifMac" == "$expected" ]]; then
# all is well
return 0
fi
done
echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
echo " Found MAC addresses: ''${actual[*]}" >&2
return 1
'';
};
};
};
}
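Review bot: The hostname fallback at `enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null` never turns on, because function application binds tighter than `==` in Nix, so this compares the `mkDefault` wrapper attrset with `null` and yields a plain `false`; with no `expectedMac` set, no verifier is enabled and the wrapper waves every deploy through. If the intent is to fall back to the hostname check, it should read `enable = lib.mkDefault (config.vacu.verifySystem.expectedMac == null);`. Two more problems sit in the generated wrapper: `exit \$?` after `if ! source …` exits with status 0 (inside the `then` branch `$?` is the status of the negated condition), so a failed check aborts the switch but reports success to nixos-rebuild — use `exit 1`; and the unescaped `oldpath="$PATH"` is expanded by the builder, so the wrapper restores the build sandbox's PATH instead of the caller's — it needs `oldpath="\$PATH"`. Note also that this is a deploy-to-the-wrong-box safety net rather than a security control: both the hostname and the MAC list are read from the target itself, so a host that wants to be accepted can present whatever values the check expects.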


@@ -1,6 +1,7 @@
{ ... }: {
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.blueman.enable = true;
}


@@ -1,4 +1,11 @@
{ config, pkgs, lib, jovian, inputs, ... }:
{
config,
pkgs,
lib,
jovian,
inputs,
...
}:
{
imports = [
@@ -12,7 +19,6 @@
./padtype.nix
../common/nixos.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = false;
boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -23,7 +29,9 @@
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "compute-deck";
vacu.hostName = "compute-deck";
vacu.shortHostName = "cd";
vacu.shell.color = "blue";
networking.hostId = "e595d9b0";
boot.supportedFilesystems = [ "zfs" ];
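Review bot: `vacu.hostName = "compute-deck";` restates the literal already given to `networking.hostName` two lines above, so the two can silently drift on a later edit, and the new hostname verifier only compares `networking.hostName` against the running machine, so a stale `vacu.hostName` would not be caught by it. If `vacu.hostName` is meant to mirror the system hostname (its definition is not visible here), derive one from the other, e.g. `vacu.hostName = config.networking.hostName;`. The rest of both hunks is reformatting.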


@@ -1,16 +1,26 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" "dwc3_pci" ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"sdhci_pci"
"dwc3_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
/*
/*
fileSystems."/" =
{ device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
fsType = "btrfs";
@@ -34,16 +44,15 @@
fsType = "btrfs";
options = [ "subvol=boot" ];
};
*/
*/
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
fsType = "ext4";
};
fileSystems."/boot/EFI" =
{ device = "/dev/disk/by-uuid/C268-79C8";
fileSystems."/boot/EFI" = {
device = "/dev/disk/by-uuid/C268-79C8";
fsType = "vfat";
};


@@ -2,9 +2,7 @@
{
home-manager.users.shelvacu = {
# these make vscode-remote work
imports = [
inputs.vscode-server.homeModules.default
];
imports = [ inputs.vscode-server.homeModules.default ];
services.vscode-server.enable = true;
home.stateVersion = "23.11";


@@ -1,6 +1,8 @@
{ inputs, ... }: let
{ inputs, ... }:
let
padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
in {
in
{
environment.systemPackages = [ padtype-pkg ];
systemd.services."padtype" = {


@@ -14,20 +14,29 @@
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
mountOptions = [
"compress=zstd"
"noatime"
];
};
# "/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "20M";
# };
# "/swap" = {
# mountpoint = "/.swapvol";
# swap.swapfile.size = "20M";
# };
};
};
};

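--- /dev/null
+++ b/coopdx.nix
@@ -0,0 +1,104 @@
+{
+callPackage,
+fetchFromGitHub,
+autoPatchelfHook,
+zlib,
+curl,
+libcxx,
+stdenvNoCC,
+nixpkgs ? <nixpkgs>,
+writeTextFile,
+lib,
+bash,
+enableTextureFix ? true,
+enableDiscord ? false,
+}:
+let
+libc_hack = writeTextFile {
+name = "libc-hack";
+# https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
+text = ''
+#include <unistd.h>
+#include <string.h>
+#include <pthread.h>
+'';
+destination = "/include/libc.h";
+};
+target = stdenvNoCC.targetPlatform;
+bits =
+if target.is64bit then
+"64"
+else if target.is32bit then
+"32"
+else
+throw "unspported bits";
+pname = "sm64coopdx";
+version = "1.0.3";
+region = "us"; # dx removed support for other regions
+in
+(callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix" {
+inherit pname version region;
+src = fetchFromGitHub {
+owner = "coop-deluxe";
+repo = pname;
+rev = "v${version}";
+hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
+};
+extraNativeBuildInputs = [ autoPatchelfHook ];
+extraBuildInputs = [
+zlib
+curl
+libcxx
+libc_hack
+];
+# Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
+compileFlags = [
+"BREW_PREFIX=/not-exist"
+"TARGET_ARCH=generic"
+"TARGET_BITS=${bits}"
+"DISCORD_SDK=${if enableDiscord then "1" else "0"}"
+"TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
+];
+extraMeta = {
+mainProgram = pname;
+homepage = "https://sm64coopdx.com/";
+description = "Super Mario 64 online co-op mod, forked from sm64ex";
+};
+}).overrideAttrs
+{
+installPhase =
+let
+sharedLib = target.extensions.sharedLibrary;
+in
+''
+runHook preInstall
+local built=$PWD/build/${region}_pc
+share=$out/share/${pname}
+mkdir -p $share
+cp $built/${pname} $share/${pname}-unwrapped
+cp -r $built/{dynos,lang,mods,palettes} $share
+cp ./baserom.*.z64 $share
+${lib.optionalString enableDiscord ''
+cp $built/libdiscord_game_sdk${sharedLib} $share
+''}
+mkdir -p $out/bin
+(
+echo '#!${bash}/bin/bash'
+echo "cd $out/share/${pname}"
+echo 'exec ./${pname}-unwrapped "$@"'
+) > $out/bin/${pname}
+chmod a+x $out/bin/${pname}
+runHook postInstall
+'';
+}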
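Review bot: `nixpkgs ? <nixpkgs>` makes `callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix"` read the sm64ex builder from whatever nixpkgs happens to be on the evaluator's NIX_PATH, so unless every caller passes `nixpkgs` explicitly the build recipe is unpinned and can differ from the flake-locked nixpkgs used for everything else (and `<nixpkgs>` fails outright under pure evaluation). nixpkgs exposes its own checked-out tree as `pkgs.path`, which callPackage can fill in by name, so I would replace the argument with `path,` and import `"${path}/pkgs/games/sm64ex/generic.nix"`. Separately, with `enableDiscord` the install phase ships `libdiscord_game_sdk` straight out of the fetched source checkout; that is a prebuilt binary whose only provenance here is the repository hash, and a comment on the `cp $built/libdiscord_game_sdk…` line saying so would help the next reader decide whether to enable it.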


@@ -1,4 +1,7 @@
{ nixpkgs ? import <nixpkgs> }: let
{
nixpkgs ? import <nixpkgs>,
}:
let
pkgs = nixpkgs;
lib = nixpkgs.lib;
defaultCertTemplate = {
@@ -6,41 +9,76 @@
activation_date = "1970-01-01 00:00:00 UTC";
expiration_date = "2500-01-01 00:00:00 UTC";
};
keyValToConfigLines = (key: value:
if (builtins.isString value) || (builtins.isPath value) then "${key} = \"${value}\"" else
if builtins.isInt value then "${key} = ${builtins.toString value}" else
if builtins.isList value then map (innerValue: keyValToConfigLines key innerValue) else
if builtins.isBool value then (if value then "${key}" else "# no ${key}") else
keyValToConfigLines = (
key: value:
if (builtins.isString value) || (builtins.isPath value) then
"${key} = \"${value}\""
else if builtins.isInt value then
"${key} = ${builtins.toString value}"
else if builtins.isList value then
map (innerValue: keyValToConfigLines key innerValue)
else if builtins.isBool value then
(if value then "${key}" else "# no ${key}")
else
throw "don't know how to handle ${builtins.typeOf value}"
);
mkTemplateConfig = config: lib.concatStringsSep "\n" (lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config));
mkTemplateConfig =
config:
lib.concatStringsSep "\n" (
lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
);
certCfg = pkgs.writeText "deterministic-cert.cfg" ''
serial = 1
activation_date = "1970-01-01 00:00:00 UTC"
expiration_date = "2500-01-01 00:00:00 UTC"
'';
privKeyFile = name: let
privKeyFile =
name:
let
keySizeBits = 256;
keySizeHex = builtins.toString (keySizeBits / 4);
in pkgs.runCommand "deterministic-privkey-${name}.pem" {} ''
in
pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
'';
generateCert = { name, config, args, preCommands ? "" }: let
deriv = pkgs.runCommand "deterministic-cert-${name}" {} ''
generateCert =
{
name,
config,
args,
preCommands ? "",
}:
let
deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
mkdir -p $out
cd $out
ln -s ${privKeyFile name} privkey.pem
ln -s ${pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))} template.cfg
ln -s ${
pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
} template.cfg
${preCommands}
${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
'';
in deriv // { privateKeyPath = "${deriv}/privkey.pem"; certificatePath = "${deriv}/cert.pem"; };
in
deriv
// {
privateKeyPath = "${deriv}/privkey.pem";
certificatePath = "${deriv}/cert.pem";
};
in {
in
{
inherit privKeyFile;
selfSigned = name: config: generateCert { inherit name config; args = [ "--generate-self-signed" ]; };
caSigned = name: ca: config: generateCert {
selfSigned =
name: config:
generateCert {
inherit name config;
args = [ "--generate-self-signed" ];
};
caSigned =
name: ca: config:
generateCert {
inherit name config;
preCommands = ''
ln -s ${ca.privateKeyPath} ca-privkey.pem
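Review bot: The list branch of `keyValToConfigLines` is still broken on the new side: `map (innerValue: keyValToConfigLines key innerValue)` is never applied to `value`, so a list-valued template key produces a partially applied function and `concatStringsSep` in `mkTemplateConfig` fails on it; it should be `map (innerValue: keyValToConfigLines key innerValue) value`. Separately, `privKeyFile` seeds `certtool --generate-privkey` with the hex of the cert name zero-padded to 256 bits, so every private key produced here is fully reproducible by anyone who knows the name, and the PEM additionally lands in the world-readable Nix store; that is presumably the point of a "deterministic" fixture helper, but nothing in the file says so. I would put `# NOTE: keys are derived from the name alone and are NOT secret; test fixtures only.` above `privKeyFile`. The `caSigned` definition continues past the end of the hunk.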


@@ -1,57 +0,0 @@
{ config, pkgs, lib, inputs, modulesPath, ... }:
{
imports = [
inputs.home-manager.nixosModules.default
../common/nixos.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
boot.extraModulePackages = [ ];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
networking.hostName = "devver";
boot.loader.external.enable = true;
boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
set -xev
mkdir -p /boot
cp $1/kernel /boot/kernel
cp $1/initrd /boot/initrd
cp $1/kernel-params /boot/kernel-params
sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
'';
users.users.root.shell = pkgs.bashInteractive;
fileSystems."/boot" = {
fsType = "9p";
device = "boot";
options = [
"trans=virtio"
"access=any"
"version=9p2000.L"
"posixacl"
"cache=mmap"
"nofail"
"noauto"
];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
fsType = "ext4";
};
#boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.openssh.enable = true;
vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
system.stateVersion = "23.11";
}

647
flake.lock generated

@@ -34,6 +34,48 @@
"type": "github"
}
},
"devshell": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"owner": "numtide",
"repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"devshell_2": {
"inputs": {
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"owner": "numtide",
"repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko-unstable": {
"inputs": {
"nixpkgs": [
@@ -41,11 +83,11 @@
]
},
"locked": {
"lastModified": 1723685519,
"narHash": "sha256-GkXQIoZmW2zCPp1YFtAYGg/xHNyFH/Mgm79lcs81rq0=",
"lastModified": 1726325969,
"narHash": "sha256-Mlw7009cdFry9OHpS6jy294lXhb+gcRa0iS2hYhkC6s=",
"owner": "nix-community",
"repo": "disko",
"rev": "276a0d055a720691912c6a34abb724e395c8e38a",
"rev": "3632080c41d7a657995807689a08ef6c4bcb2c72",
"type": "github"
},
"original": {
@@ -102,28 +144,6 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"microvm",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1722580276,
"narHash": "sha256-VaNcSh7n8OaFW/DJsR6Fm23V+EGpSei0DyF71RKB+90=",
"owner": "nix-community",
"repo": "fenix",
"rev": "286f371b3cfeaa5c856c8e6dfb893018e86cc947",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@@ -156,6 +176,92 @@
"type": "github"
}
},
"flake-compat_3": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_5": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725234343,
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@@ -192,69 +298,104 @@
"type": "github"
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1676283394,
"narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1676283394,
"narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"git-hooks": {
"inputs": {
"systems": "systems_3"
"flake-compat": "flake-compat_4",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"lastModified": 1724857454,
"narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"flake-utils_6": {
"git-hooks_2": {
"inputs": {
"systems": "systems_4"
"flake-compat": [
"nixvim-unstable",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"lastModified": 1725513492,
"narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "7570de7b9b504cfe92025dd1be797bf546f66528",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixvim",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nixvim-unstable",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
@@ -315,11 +456,11 @@
]
},
"locked": {
"lastModified": 1720042825,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"lastModified": 1725703823,
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
"type": "github"
},
"original": {
@@ -336,11 +477,11 @@
]
},
"locked": {
"lastModified": 1723399884,
"narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
"lastModified": 1726357542,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "086f619dd991a4d355c07837448244029fc2d9ab",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
"type": "github"
},
"original": {
@@ -352,16 +493,38 @@
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nix-on-droid",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709445365,
"narHash": "sha256-DVv6nd9FQBbMWbOmhq0KVqmlc3y3FMSYl49UXmMcO+0=",
"lastModified": 1720042825,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "4de84265d7ec7634a69ba75028696d74de9a44a7",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726308872,
"narHash": "sha256-d4vwO5N4RsLnCY7k5tY9xbdYDWQsY3RDMeUoIa4ms2A=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6c1a461a444e6ccb3f3e42bb627b510c3a722a57",
"type": "github"
},
"original": {
@@ -378,11 +541,11 @@
]
},
"locked": {
"lastModified": 1723916191,
"narHash": "sha256-wbkh2Tyo1dUwY+35OtF2117u1QqdVAlvDx4vgaW/InU=",
"lastModified": 1726115155,
"narHash": "sha256-VDylz5VX4JD4/TZv6xUJDwuvNdgLRGoOpue1dlZGdIQ=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "dcc9afeea9d086cde9731ca90362c7bda62db6d0",
"rev": "02cf60ce20b6034fc0459e5116cec7016aaff6e4",
"type": "github"
},
"original": {
@@ -391,29 +554,6 @@
"type": "github"
}
},
"microvm": {
"inputs": {
"fenix": "fenix",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1723470968,
"narHash": "sha256-W76xLG4thxkENM3MOoXWYqKPrgk1WgUWzTixUyuw/co=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "69e8ac63a7a4d40bb65e73af41ba60df2eba0419",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"mk-naked-shell": {
"flake": false,
"locked": {
@@ -448,7 +588,9 @@
},
"most-winningest": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
@@ -521,6 +663,48 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725189302,
"narHash": "sha256-IhXok/kwQqtusPsoguQLCHA+h6gKvgdCrkhIaN+kByA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "7c4b53a7d9f3a3df902b3fddf2ae245ef20ebcda",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-darwin_2": {
"inputs": {
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726188813,
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-formatter-pack": {
"inputs": {
"nixpkgs": [
@@ -615,7 +799,9 @@
},
"nix-on-droid": {
"inputs": {
"home-manager": "home-manager_2",
"home-manager": [
"home-manager"
],
"nix-formatter-pack": "nix-formatter-pack",
"nixpkgs": [
"nixpkgs"
@@ -625,11 +811,11 @@
"nmd": "nmd"
},
"locked": {
"lastModified": 1721670745,
"narHash": "sha256-rjTQ14dqQ90EaHQy4g/mGylrJ1aZJYc3wCXc4A3GHJg=",
"lastModified": 1725658585,
"narHash": "sha256-P29z4Gt89n5ps1U7+qmIrj0BuRXGZQSIaOe2+tsPgfw=",
"owner": "nix-community",
"repo": "nix-on-droid",
"rev": "248cc0806120fac9214f503dee0eaf0f47740dd0",
"rev": "5d88ff2519e4952f8d22472b52c531bb5f1635fc",
"type": "github"
},
"original": {
@@ -641,7 +827,9 @@
"nix-search-cli": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"flake-utils": [
"flake-utils"
],
"gomod2nix": "gomod2nix",
"nixpkgs": [
"nixpkgs"
@@ -664,7 +852,9 @@
"nix-search-cli-unstable": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4",
"flake-utils": [
"flake-utils"
],
"gomod2nix": "gomod2nix_2",
"nixpkgs": [
"nixpkgs-unstable"
@@ -686,11 +876,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1723310128,
"narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
"lastModified": 1725885300,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
"type": "github"
},
"original": {
@@ -701,11 +891,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1723920526,
"narHash": "sha256-USs6A60raDKZ/8BEpqja1XjZIsRzADX+NtWKH6wIxIw=",
"lastModified": 1726341164,
"narHash": "sha256-2RdFaah7wwLKlJ5DO/BBNQOpZW/nfRYGLoPrDGfKAcE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1cbd3d585263dc620c483e138d352a39b9f0e3ec",
"rev": "10b0c212b6bd2b8155f7cdf03e5018dbd50c7cb6",
"type": "github"
},
"original": {
@@ -748,11 +938,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"lastModified": 1725762081,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github"
},
"original": {
@@ -764,11 +954,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1723637854,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"lastModified": 1726062873,
"narHash": "sha256-IiA3jfbR7K/B5+9byVi9BZGWTD4VSbWe8VLpp9B/iYk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"rev": "4f807e8940284ad7925ebd0a0993d2a1791acb2f",
"type": "github"
},
"original": {
@@ -777,6 +967,62 @@
"type": "indirect"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1725350106,
"narHash": "sha256-TaMMlI2KPJ3wCyxJk6AShOLhNuTeabHCnvYRkLBlEFs=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "0f2c31e6a57a83ed4e6fa3adc76749620231055d",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "nixos-24.05",
"repo": "nixvim",
"type": "github"
}
},
"nixvim-unstable": {
"inputs": {
"devshell": "devshell_2",
"flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_2",
"git-hooks": "git-hooks_2",
"home-manager": "home-manager_3",
"nix-darwin": "nix-darwin_2",
"nixpkgs": [
"nixpkgs-unstable"
],
"nuschtosSearch": "nuschtosSearch",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1726359833,
"narHash": "sha256-JyGswMj/u+AtrHHuI5ISADw9SpGLvThbNkEPwUbNnFk=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "61be7a6eed7b6e70db9731cdf32d6a3e163cee73",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixvim",
"type": "github"
}
},
"nmd": {
"inputs": {
"nixpkgs": [
@@ -815,6 +1061,28 @@
"type": "gitlab"
}
},
"nuschtosSearch": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726208959,
"narHash": "sha256-Bq2YtXyHhDpBrqDlJysQgbhvauyiYTQXt7d6xxZdRck=",
"owner": "NuschtOS",
"repo": "search",
"rev": "4267d5c5b51591a9553eefbd12172da050ee3433",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"repo": "search",
"type": "github"
}
},
"padtype-unstable": {
"inputs": {
"nixpkgs": [
@@ -1006,10 +1274,10 @@
"root": {
"inputs": {
"disko-unstable": "disko-unstable",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"jovian-unstable": "jovian-unstable",
"microvm": "microvm",
"most-winningest": "most-winningest",
"nix-inspect": "nix-inspect",
"nix-inspect-unstable": "nix-inspect-unstable",
@@ -1019,29 +1287,14 @@
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim",
"nixvim-unstable": "nixvim-unstable",
"padtype-unstable": "padtype-unstable",
"sops-nix": "sops-nix",
"vscode-server": "vscode-server",
"vscode-server-unstable": "vscode-server-unstable"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1722521768,
"narHash": "sha256-FvJ4FaMy1kJbZ3Iw1RyvuiUAsbHJXoU2HwylzaFzj1o=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "f149dc5029d8406fae8b2c541603bcac06e30deb",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"flake": false,
"locked": {
@@ -1146,11 +1399,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1723501126,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"lastModified": 1726218807,
"narHash": "sha256-z7CoWbSOtsOz8TmRKDnobURkKfv6nPZCo3ayolNuQGc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"rev": "f30b1bac192e2dc252107ac8a59a03ad25e1b96e",
"type": "github"
},
"original": {
@@ -1159,22 +1412,6 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1720264467,
"narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=",
"ref": "refs/heads/main",
"rev": "fb59d42542049f586c84b0f8bb86ff3be338e9d3",
"revCount": 674,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -1205,36 +1442,6 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
@@ -1257,6 +1464,48 @@
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1724833132,
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixvim-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725271838,
"narHash": "sha256-VcqxWT0O/gMaeWTTjf1r4MOyG49NaNxW4GHTO3xuThE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9fb342d14b69aefdf46187f6bb80a4a0d97007cd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt_2": {
"inputs": {
"nixpkgs": [
@@ -1281,7 +1530,9 @@
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
@@ -1302,7 +1553,9 @@
},
"vscode-server-unstable": {
"inputs": {
"flake-utils": "flake-utils_6",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs-unstable"
]

245
flake.nix

@@ -3,7 +3,18 @@
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small";
# nixpkgs.url = "github:nixos/nixpkgs/be0ec1a45fe1a6f6534c451b935724ab48405f26";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixvim = {
url = "github:nix-community/nixvim/nixos-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
nixvim-unstable = {
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nix-inspect = {
url = "github:bluskript/nix-inspect";
inputs.nixpkgs.follows = "nixpkgs";
@@ -15,16 +26,20 @@
vscode-server-unstable = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.flake-utils.follows = "flake-utils";
};
vscode-server = {
url = "github:nix-community/nixos-vscode-server";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nix-on-droid = {
url = "github:nix-community/nix-on-droid";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
jovian-unstable = { # there is no stable jovian :cry:
jovian-unstable = {
# there is no stable jovian :cry:
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
@@ -43,10 +58,12 @@
nix-search-cli-unstable = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.flake-utils.follows = "flake-utils";
};
nix-search-cli = {
url = "github:peterldowns/nix-search-cli";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
padtype-unstable = {
url = "gitlab:shelvacu/padtype";
@@ -56,32 +73,61 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-hardware.url = "github:nixos/nixos-hardware";
most-winningest = {
url = "github:captain-jean-luc/most-winningest";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs = { self, nixpkgs, nix-on-droid, home-manager, ... }@inputs: let
defaultInputs = { inherit (inputs) self nix-search-cli nix-inspect; };
defaultArgs = { inputs = defaultInputs; };
in {
debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
outputs =
{
self,
nixpkgs,
nix-on-droid,
home-manager,
...
}@inputs:
let
lib = import "${nixpkgs}/lib";
pkgs = import nixpkgs {
system = "x86_64-linux";
config.allowUnfree = true;
};
defaultInputs = {
inherit (inputs)
self
nix-search-cli
nix-inspect
nixvim
;
};
defaultArgs = {
inputs = defaultInputs;
};
in
{
debug.isoDeriv = (
import "${inputs.nixpkgs}/nixos/release-small.nix" {
nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
}
);
nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./triple-dezert ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) most-winningest; }; };
specialArgs = {
inputs = defaultInputs // {
inherit (inputs) most-winningest sops;
};
};
};
nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./compute-deck ];
specialArgs = { inputs = {
specialArgs = {
inputs = {
jovian = inputs.jovian-unstable;
home-manager = inputs.home-manager-unstable;
vscode-server = inputs.vscode-server-unstable;
@@ -89,14 +135,20 @@
padtype = inputs.padtype-unstable;
nix-search-cli = inputs.nix-search-cli-unstable;
nix-inspect = inputs.nix-inspect-unstable;
nixvim = inputs.nixvim-unstable;
self = inputs.self;
}; };
};
};
};
nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./liam ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) sops-nix; }; };
specialArgs = {
inputs = defaultInputs // {
inherit (inputs) sops-nix;
};
};
};
nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
@@ -111,21 +163,33 @@
specialArgs = defaultArgs;
};
nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./devver ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) home-manager; }; };
};
nixosConfigurations.fw = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./fw ];
specialArgs = { inputs = defaultInputs // { inherit (inputs) nixos-hardware; }; };
specialArgs = {
inputs = defaultInputs // {
inherit (inputs) nixos-hardware;
};
};
};
nixosConfigurations.legtop = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./legtop ];
specialArgs = {
inputs = defaultInputs // {
inherit (inputs) nixos-hardware;
};
};
};
nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ ./nix-on-droid ];
extraSpecialArgs = defaultArgs;
extraSpecialArgs = {
inputs = defaultInputs // {
inherit (inputs) nixpkgs;
};
};
pkgs = import nixpkgs { system = "aarch64-linux"; };
};
@@ -137,47 +201,48 @@
pkgs = import nixpkgs { system = "aarch64-linux"; };
};
checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
pkgs = import nixpkgs { inherit system; };
config = {
node.pkgs = pkgs;
node.pkgsReadOnly = false;
node.specialArgs.selfPackages = self.packages.${system};
#node.specialArgs.inputs = defaultInputs;
};
in
{
liam = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/liam.nix { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; } ];
imports = [
config
./tests/liam.nix
{ node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
];
};
trip = nixpkgs.lib.nixos.runTest {
hostPkgs = pkgs;
imports = [ config ./tests/triple-dezert.nix { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; } ];
imports = [
config
./tests/triple-dezert.nix
{ node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
];
};
}
);
nixosModules.common = import ./common/module.nix;
packages.x86_64-linux.snmpb = nixpkgs.legacyPackages.x86_64-linux.libsForQt5.callPackage ./packages/snmpb/package.nix {};
packages.x86_64-linux.snmp-mibs-downloader = nixpkgs.legacyPackages.x86_64-linux.callPackage ./packages/snmp-mibs-downloader.nix {};
packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
packages.x86_64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys);
packages.aarch64-linux.authorizedKeys = let
pkgs = nixpkgs.legacyPackages.aarch64-linux;
in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys);
qb = /* qb is "quick build" */ let
qb = # qb is "quick build"
let
toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; };
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in rec {
# nix-on-droid is impure >:(
# nod = self.nixOnDroidConfigurations.default.activationPackage;
deterministicCerts = import ./deterministic-certs.nix { nixpkgs = pkgs; };
renamedAarchPackages = lib.mapAttrs' (
name: value: lib.nameValuePair (name + "-aarch64") value
) self.packages.aarch64-linux;
packages = self.packages.x86_64-linux // renamedAarchPackages;
in
rec {
fw = toplevelOf "fw";
triple-dezert = toplevelOf "triple-dezert";
trip = triple-dezert;
@@ -185,32 +250,98 @@
cd = compute-deck;
liam = toplevelOf "liam";
lp0 = toplevelOf "lp0";
devver = toplevelOf "devver";
legtop = toplevelOf "legtop";
lt = legtop;
shel-installer = toplevelOf "shel-installer";
iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
do = self.packages.x86_64-linux.digitalOceanImage;
snmpb = self.packages.x86_64-linux.snmpb;
check-triple-dezert = self.checks.x86_64-linux.trip.driver;
check-trip = check-triple-dezert;
check-liam = self.checks.x86_64-linux.liam.driver;
authorizedKeys = self.packages.x86_64-linux.authorizedKeys;
authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
ak = authorizedKeys;
nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
nod = nix-on-droid;
nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
dc-priv = deterministicCerts.privKeyFile "test";
dc-cert = deterministicCerts.selfSigned "test" {};
};
dc-cert = deterministicCerts.selfSigned "test" { };
all = let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
symlinkCommands = pkgs.lib.mapAttrsToList (name: pkg: "ln -s ${pkg} ${name}") self.qb;
in pkgs.runCommand "nix-stuff-all" {} ''
sm64 = packages.sm64coopdx;
ak = packages.authorizedKeys;
}
// packages;
brokenBuilds = [ "sm64coopdx-aarch64" ];
all =
pkgs.runCommand "nix-stuff-all"
{
__structuredAttrs = true;
links = removeAttrs self.qb self.brokenBuilds;
}
''
mkdir $out
cd $out
${pkgs.lib.concatStringsSep "\n" symlinkCommands}
eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
'';
allWithBuildDeps = nixpkgs.legacyPackages.x86_64-linux.closureInfo { rootPaths = [ self.all.drvPath ]; };
allPure = self.all.overrideAttrs (prev: {
links = removeAttrs prev.links [
"nix-on-droid"
"nod"
"nod-bootstrap-x86_64"
"nod-bootstrap-aarch64"
];
});
archive =
let
# We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
allButImgs = self.all.overrideAttrs (prev: {
links = removeAttrs prev.links [ "iso" ];
});
isoContents = lib.concatStringsSep "\n" (
map (
c: "${c.source} => ${c.target}"
) self.nixosConfigurations.shel-installer.config.isoImage.contents
);
isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
info = pkgs.closureInfo { rootPaths = [ allButImgs.drvPath ]; };
in
allButImgs.overrideAttrs (prev: {
links = prev.links // {
iso-contents = isoContentsPkg;
build-deps = info;
};
});
}
// (inputs.flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
in
{
formatter = pkgs.nixfmt-rfc-style;
packages = {
sm64coopdx = pkgs.callPackage ./coopdx.nix { inherit nixpkgs; };
# snmpb = pkgs.libsForQt5.callPackage ./packages/snmpb/package.nix { };
# snmp-mibs-downloader = pkgs.callPackage ./packages/snmp-mibs-downloader.nix { };
authorizedKeys = pkgs.writeText "authorizedKeys" (
lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys
);
nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
extraSpecialArgs = {
inputs = { };
};
module = {
imports = [ ./nixvim ];
};
};
};
}
));
}
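Review bot: The `all` builder line `eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"` assembles shell commands by bare string concatenation and hard-codes the build directory as `/build`, which only holds for the sandboxed Linux case. With `__structuredAttrs = true` Nix exports the JSON location as `$NIX_ATTRS_JSON_FILE` (on recent Nix; `$NIX_BUILD_TOP/.attrs.json` otherwise), and jq's `@sh` filter quotes each argument: `eval "$(${pkgs.jq}/bin/jq -r '.links | to_entries[] | "ln -s \(.value | @sh) \(.key | @sh)"' "$NIX_ATTRS_JSON_FILE")"`. Today the keys are attribute names from `self.qb` and the values are store paths, so this is hardening against a future odd key rather than a live bug, but `eval` on unquoted data is the kind of line that deserves a comment explaining why it is safe.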


@@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
vacu.packages = pkgs.androidStudioPackages.stable.all;
users.users.shelvacu.extraGroups = [ "kvm" ];
}


@@ -1,20 +1,30 @@
# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
{ pkgs, ... }: {
{ pkgs, config, ... }:
let
# to match package used in config.services.pcscd, unfortunately not exposed like usual
pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
in
{
# apparently this is already enabled??
# nixpkgs.overlays = [ ( final: prev: {
# libfido2 = prev.libfido2.override { withPcsclite = true; };
# } ) ];
vacu.packages = with pkgs; [
vacu.packages =
(with pkgs; [
libfido2
pcsclite
pcsc-tools
scmccid
opensc
];
])
++ [ pcsclite-pkg ];
services.pcscd.enable = true;
# conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
boot.blacklistedKernelModules = [ "pn533_usb" "pn533" "nfc" ];
boot.blacklistedKernelModules = [
"pn533_usb"
"pn533"
"nfc"
];
# bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
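Review bot: `pcsclite` is still listed inside the `with pkgs; [ ... ]` list while `pcsclite-pkg` is appended with `++ [ pcsclite-pkg ]`, so when `security.polkit.enable` is true the profile contains both `pkgs.pcsclite` and `pkgs.pcscliteWithPolkit`, which defeats the stated goal of matching the package pcscd uses and can leave duplicate binaries in the environment. Drop `pcsclite` from the inner list and keep only the appended `pcsclite-pkg`. The comment on `pcsclite-pkg` could also say where the selection logic is copied from so it can be re-checked when nixpkgs changes, e.g. `# mirrors the package choice in the pcscd NixOS module; re-check on nixpkgs bumps` — I can't confirm that module's exact condition from this page.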


@@ -1,19 +1,33 @@
{ config, inputs, pkgs, lib, ... }: {
{
config,
inputs,
pkgs,
...
}:
{
imports = [
../common/nixos.nix
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./apex.nix
./android.nix
./thunderbolt.nix
./fwupd.nix
./zfs.nix
#./experiment.nix
];
#boot.loader.grub.configurationLimit = 5;
system.nixos.tags = [ "host-${config.networking.hostName}" ];
vacu.hostName = "fw"; # Define your hostname.
vacu.shell.color = "magenta";
vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
# boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
services.fprintd.enable = false; #kinda broken
services.fprintd.enable = false; # kinda broken
vacu.packages = with pkgs; [
vacu.packages =
(with pkgs; [
bitwarden-desktop
nheko
librewolf
@@ -37,16 +51,17 @@
dino
aircrack-ng
libreoffice-qt6-fresh
gimp
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
];
android-tools
ghidra
])
++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
#update: it didn't work, I dunno why. Leaving this here anyways
services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
networking.firewall.enable = false;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
@@ -68,34 +83,43 @@
}
];
networking.hostName = "fw"; # Define your hostname.
networking.hostId = "c6e309d5";
boot.zfs.extraPools = [ "fw" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
systemd.services.zfs-mount.enable = false;
services.openssh.enable = true;
system.stateVersion = "23.11"; # Did you read the comment?
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"usbhid"
"sd_mod"
];
#boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
#boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "fw/root";
fileSystems."/" = {
device = "fw/root";
fsType = "zfs";
};
fileSystems."/boot0" =
{ device = "/dev/disk/by-label/BOOT0";
fileSystems."/boot0" = {
device = "/dev/disk/by-label/BOOT0";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/boot1" =
{ device = "/dev/disk/by-label/BOOT1";
fileSystems."/boot1" = {
device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
options = [
"fmask=0022"
"dmask=0022"
];
};
hardware.cpu.amd.updateMicrocode = true;
@@ -103,7 +127,10 @@
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
extraPackages = [ pkgs.rocmPackages.clr.icd pkgs.amdvlk ];
extraPackages = [
pkgs.rocmPackages.clr.icd
pkgs.amdvlk
];
};
programs.nix-ld.enable = true;
programs.steam = {
@@ -121,6 +148,7 @@
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
services.postgresql.enable = true; #for development
}
services.postgresql.enable = true; # for development
virtualisation.waydroid.enable = true;
}
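Review bot: `++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ]` keys on `pkgs.system`, which nixpkgs treats as a legacy alias; `pkgs.stdenv.hostPlatform.system` is the supported spelling and keeps the lookup correct when the host platform is set explicitly. The `with pkgs; [ ... ]` desktop list here is copied nearly verbatim into `legtop/default.nix` in the same commit, so a shared module contributing to `vacu.packages` (say `common/desktop.nix`) would keep the two hosts from drifting. The `services.fwupd` and `boot.zfs`/`boot.kernelPackages` lines shown in the middle hunks look like they moved to `fw/fwupd.nix` and `fw/zfs.nix`; since `lib` was removed from the module arguments, they must indeed be gone from this file or `lib.mkForce` would fail to evaluate.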

38
fw/experiment.nix Normal file

@@ -0,0 +1,38 @@
{
pkgs,
config,
lib,
...
}: let
version = "6.10.4";
hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
customKernel = pkgs.linux_6_10.override {
inherit version;
src = pkgs.fetchurl {
url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
inherit hash;
};
modDirVersion = lib.versions.pad 3 version;
};
customKernelPackages = pkgs.linuxPackagesFor customKernel;
in {
system.nixos.tags = ["EXPERIMENT" "kernel-${config.boot.kernelPackages.kernel.version}"];
boot.kernelPackages = lib.mkForce customKernelPackages;
# boot.zfs.extraPools = lib.mkForce [];
# fileSystems."/".fsType = lib.mkForce "ext4";
vacu.packages.sm64coopdx.enable = false;
vacu.verifySystem.expectedMac = lib.mkForce null;
}
# good:
# Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep 8 05:54:49 UTC 2024 x86_64 GNU/Linux
# Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
# linux-6.9.12
# 6.10.4 (maybe?? sus)
# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
# bad:
# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan 1 00:00:00 UTC 1980 x86_64 GNU/Linux
# linux linux-6.10.10
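Review bot: `pkgs.linux_6_10.override { inherit version; src = ...; modDirVersion = ...; }` most likely does not change the kernel that gets built: `linux_6_10` comes from nixpkgs' `mainline.nix`, which computes `version`, `src` and `modDirVersion` itself and only passes an `argsOverride` attribute through to `buildLinux`, which would explain the trailing comment that a build meant to be 6.10.4 booted as 6.10.10. Wrapping the three attributes in `argsOverride`, as the NixOS manual's kernel-customisation example does, makes the override take effect. Separately, `vacu.verifySystem.expectedMac = lib.mkForce null;` silently switches off whatever identity check that option guards; a comment such as `# disables the MAC identity check for this experimental build; never import this on a deployed system` keeps the trade-off visible.
```nix
customKernel = pkgs.linux_6_10.override {
  # mainline.nix derives version/src on its own; only argsOverride reaches buildLinux
  argsOverride = {
    inherit version;
    src = pkgs.fetchurl {
      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
      inherit hash;
    };
    modDirVersion = lib.versions.pad 3 version;
  };
};
# … unchanged: customKernelPackages, module body …
```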

8
fw/fwupd.nix Normal file

@@ -0,0 +1,8 @@
{ config, lib, ... }:
{
vacu.packages = [ config.services.fwupd.package ];
services.fwupd.enable = true;
#fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
#update: it didn't work, I dunno why. Leaving this here anyways
services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
}
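Review bot: `services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";` keeps the `mkForce` it needed when it lived in `fw/default.nix`; now that the setting has its own module the force only hides a conflicting definition elsewhere instead of surfacing it as an evaluation error, so a plain assignment (or `lib.mkDefault` if other modules are meant to win) is preferable. The two comments above it record that the setting did not fix the ESP confusion but not what fwupd actually reported; replacing them with a TODO that names the observed error, or which of `/boot0`/`/boot1` fwupd ends up using, would give the next reader something to act on.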

10
fw/thunderbolt.nix Normal file

@@ -0,0 +1,10 @@
{ pkgs, config, ... }:
{
services.hardware.bolt.enable = true;
vacu.packages = [
pkgs.thunderbolt
config.services.hardware.bolt.package
pkgs.kdePackages.plasma-thunderbolt
];
}
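Review bot: `services.hardware.bolt.enable = true;` installs the authorization daemon, but bolt only gates hot-plugged Thunderbolt devices when the controller's firmware security level is `user` or `secure`; at level `none` every device is authorized before bolt sees it, so the daemon enforces nothing. A comment recording the level this machine is set to, checked with `boltctl domains`, would tell a reader whether DMA from an unknown dock is actually being refused, e.g. `# bolt only enforces when the firmware TB security level is user/secure; verify with boltctl domains`. I can't tell the configured level from this page.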

21
fw/zfs.nix Normal file

@@ -0,0 +1,21 @@
{
config,
pkgs,
lib,
...
}: let
# latestCompatibleLinuxPackages = lib.pipe pkgs.linuxKernel.packages [
# builtins.attrValues
# (builtins.filter (kPkgs: (builtins.tryEval kPkgs).success && kPkgs ? kernel && kPkgs.kernel.pname == "linux" && kernelCompatible kPkgs.kernel))
# (builtins.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)))
# lib.last
# ];
in
{
boot.zfs.extraPools = [ "fw" ];
# config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_10;
systemd.services.zfs-mount.enable = false;
# see also fileSystems."/"
}
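Review bot: `config` and `lib` are taken as module arguments and an empty `let … in` is kept only to hold the commented-out `latestCompatibleLinuxPackages` sketch, so the file carries dead scaffolding; drop the unused arguments and the `let`, and move the sketch to the commit message if it is worth keeping. The pin `boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_10;` also wants a maintenance note, because the host stops building the day nixpkgs removes that series and, as far as I recall, the ZFS module marking itself broken on unsupported kernels is the only thing that catches a mismatch, e.g. `# pinned series: bump by hand when 6.10 leaves nixpkgs or zfs drops support for it`.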


@@ -1,10 +0,0 @@
{ inputs, system ? "x86_64-linux" }:
let
pkgs = inputs.nixpkgs.legacyPackages.${system};
config = { config, ... }: {
imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
system.stateVersion = config.system.nixos.release;
};
in
(pkgs.nixos config).digitalOceanImage


@@ -1,4 +1,11 @@
{ config, inputs, modulesPath, lib, ... }: {
{
config,
inputs,
modulesPath,
lib,
...
}:
{
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
./common/nixos.nix
@@ -7,6 +14,8 @@
system.stateVersion = config.system.nixos.version;
isoImage.isoBaseName = "nixos-shel-installer";
services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
vacu.hostName = "vacuInstaller";
vacu.shell.color = "red";
# boot.kernelPatches = [{
# name = "foo";
# patch = null;

7
legtop/bluetooth.nix Normal file

@@ -0,0 +1,7 @@
{ ... }:
{
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
}

76
legtop/default.nix Normal file

@@ -0,0 +1,76 @@
{
pkgs,
inputs,
...
}: {
imports = [
../common/nixos.nix
inputs.nixos-hardware.nixosModules.gpd-micropc
./hardware.nix
./bluetooth.nix
];
vacu.hostName = "legtop";
vacu.shortHostName = "lt";
vacu.shell.color = "blue";
vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
system.stateVersion = "24.05";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.networkmanager.enable = true;
vacu.packages =
(with pkgs; [
bitwarden-desktop
nheko
librewolf
brave
thunderbird
wl-clipboard
nextcloud-client
signal-desktop
iio-sensor-proxy
power-profiles-daemon
acpi
jellyfin-media-player
vlc
dmidecode
prismlauncher
ffmpeg_7-full
wireshark
obsidian
dino
aircrack-ng
libreoffice-qt6-fresh
gimp
# null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
(inkscape-with-extensions.override { inkscapeExtensions = null; })
libsmi
net-snmp
android-tools
ghidra
])
++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
services.openssh.enable = true;
services.xserver.enable = true;
services.displayManager.sddm.enable = true;
services.desktopManager.plasma6.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "nodev";
hardware.cpu.intel.updateMicrocode = true;
hardware.enableAllFirmware = true;
services.fwupd.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
}
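Review bot: `wireshark` is installed as a plain entry in `vacu.packages`, so packet capture on this laptop will only work when the whole GUI runs as root; `programs.wireshark.enable = true;` with `programs.wireshark.package = pkgs.wireshark;` installs dumpcap with capture capabilities limited to the `wireshark` group, and adding the login user to that group (the user appears to be `shelvacu`, going by `fw/android.nix`) lets Wireshark run unprivileged. `hardware.cpu.intel.updateMicrocode = true;` is set here and again in `legtop/hardware.nix`; keep one copy. The desktop package list is a near copy of the one in `fw/default.nix`, so a shared module would stop the two hosts from drifting.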

25
legtop/hardware.nix Normal file

@@ -0,0 +1,25 @@
{
...
}:
{
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
fsType = "ext4";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4C47-D9A3";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}


@@ -1,4 +1,10 @@
{ modulesPath, config, lib, ... }: {
{
modulesPath,
config,
lib,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/virtualisation/digital-ocean-config.nix")
@@ -12,9 +18,16 @@
./network.nix
];
options = let
mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
in {
options =
let
mkReadOnly =
val:
lib.options.mkOption {
default = val;
readOnly = true;
};
in
{
vacu.liam = {
shel_domains = mkReadOnly [
"shelvacu.com"
@@ -40,16 +53,21 @@
};
config = {
system.nixos.tags = [ "host-${config.networking.hostName}" ];
networking.hostName = "liam";
vacu.hostName = "liam";
vacu.shell.color = "cyan";
networking.domain = "dis8.net";
vacu.minimal = true;
hardware.enableAllFirmware = false;
hardware.enableRedistributableFirmware = false;
# networking.interfaces."ens3".useDHCP = false;
services.openssh.enable = true;
virtualisation.digitalOcean.setSshKeys = false;
users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
users.users.root.openssh.authorizedKeys.keys =
config.users.users.shelvacu.openssh.authorizedKeys.keys;
system.stateVersion = "23.11";
};


@@ -1,7 +1,13 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (config.vacu.liam) domains;
in {
inherit (config.vacu.liam) domains;
in
{
services.opendkim = {
enable = true;
keyPath = "/run/secrets/dkimkeys";


@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
{
networking.firewall.allowedTCPPorts = [ 993 ];
systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -17,7 +22,11 @@
sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
enablePAM = false;
protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
protocols = lib.mkForce [
"imap"
"lmtp"
"sieve"
];
modules = [ pkgs.dovecot_pigeonhole ];
mailUser = "vmail";
mailGroup = "vmail";


@@ -1,10 +1,25 @@
{ config, lib, pkgs, ... }: let
inherit (config.vacu.liam) shel_domains julie_domains domains relayhost;
{
config,
lib,
pkgs,
...
}:
let
inherit (config.vacu.liam)
shel_domains
julie_domains
domains
relayhost
;
debug = false;
fqdn = config.networking.fqdn;
dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
in {
networking.firewall.allowedTCPPorts = [ 25 465 ];
in
{
networking.firewall.allowedTCPPorts = [
25
465
];
vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
services.postfix = {
@@ -13,11 +28,14 @@ in {
# this goes into virtual_alias_maps
# "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
virtual = ''
virtual =
''
julie@shelvacu.com julie
mom@shelvacu.com julie
psv@shelvacu.com psv
'' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
''
+ (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains)
+ "\n"
+ (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
transport = ''
@@ -33,8 +51,15 @@ in {
rootAlias = "shelvacu";
enableSubmission = false;
enableSubmissions = true;
mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
mapFiles.header_checks = pkgs.writeText "header-checks" (
"/./ INFO checker headers\n"
+ (lib.concatMapStringsSep "\n" (
d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
) domains)
);
mapFiles.sender_access = pkgs.writeText "sender-access" (
lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains
);
# hack to get postfix to add a X-Original-To header
mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
@@ -76,28 +101,36 @@ in {
# smtp_bind_address = 10.46.0.7
# inet_interfaces = all
# inet_protocols = ipv4
${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
${lib.optionalString config.services.opendkim.enable (
assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
''
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
'')}
''
)}
'';
masterConfig."relayservice" = {
command = "smtp";
type = "unix";
args = [
"-o" "smtp_sasl_auth_enable=yes"
"-o" "smtp_sasl_security_options=noanonymous"
"-o" "smtp_tls_security_level=secure"
"-o" "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o" "smtp_tls_wrappermode=no"
"-o"
"smtp_sasl_auth_enable=yes"
"-o"
"smtp_sasl_security_options=noanonymous"
"-o"
"smtp_tls_security_level=secure"
"-o"
"smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
"-o"
"smtp_tls_wrappermode=no"
#"-o" "relayhost=${relayhost}"
] ++ (if debug then ["-v"] else []);
] ++ (if debug then [ "-v" ] else [ ]);
};
masterConfig.qmgr = lib.mkIf debug { args = ["-v"]; };
masterConfig.cleanup = lib.mkIf debug { args = ["-v"]; };
masterConfig.smtpd = lib.mkIf debug { args = ["-v"]; };
masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
submissionsOptions = {
smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -124,6 +157,5 @@ in {
tls_preempt_cipherlist = "no";
};
};
}


@@ -1,4 +1,5 @@
{ lib, config, ... }: let
{ lib, config, ... }:
let
# from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
# {
# "ip_address": "10.46.0.7",
@@ -7,20 +8,25 @@
# }
interface_conf = {
useDHCP = true;
ipv4.addresses = [{
ipv4.addresses = [
{
address = "10.46.0.7";
prefixLength = 24;
}];
ipv4.routes = [{
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.46.0.1";
options.scope = "global";
options.src = "10.46.0.7";
options.metric = "1200";
}];
}
];
};
in {
in
{
networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
networking.interfaces."eth0" = lib.mkIf ( config.vacu.underTest) interface_conf;
networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
}


@@ -1,16 +1,19 @@
{ config, ... }:
let
domains = [
domains = [
"smtp.shelvacu.com"
"imap.shelvacu.com"
"mail.shelvacu.com"
"autoconfig.shelvacu.com"
"mail.dis8.net"
"liam.dis8.net"
];
];
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
security.acme.acceptTerms = true;
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.defaults.email = "shelvacu@gmail.com";


@@ -1,4 +1,12 @@
{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
{
config,
pkgs,
lib,
...
}:
with lib.strings;
with lib.lists;
let
email_folders = [
"24nm-domain@shelvacu.com"
"agora@shelvacu.com"
@@ -32,30 +40,51 @@
"xn--tulp-yoa.info"
];
valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
mk_email_folder_name = email: let
mk_domain_folder_name =
domain:
assert valid_ish_domain domain;
concatStringsSep "." (reverseList (splitString "." domain));
mk_email_folder_name =
email:
let
parts = splitString "@" email;
domain_part = assert (length parts) == 2; elemAt parts 1;
user_part = assert (length parts) == 2; elemAt parts 0;
domain_part =
assert (length parts) == 2;
elemAt parts 1;
user_part =
assert (length parts) == 2;
elemAt parts 0;
domain_folder = mk_domain_folder_name domain_part;
folder_name = domain_folder + ".@" + user_part;
in folder_name;
in
folder_name;
is_quoteable = s: match "[ -~]*" s != null;
sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
email_filters = map (e:
''
sieve_quote_string =
s:
assert is_quoteable s;
"\""
+ (replaceStrings
[
"\""
"\\"
]
[
"\\\""
"\\\\"
]
s
)
+ "\"";
email_filters = map (e: ''
elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
}
''
) email_folders;
domain_filters = map (d:
''
'') email_folders;
domain_filters = map (d: ''
elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
}
''
) domain_folders;
'') domain_folders;
sieve_text = ''
require ["fileinto", "mailbox"];
@@ -70,7 +99,11 @@
${concatStrings domain_filters}
}
'';
in {
services.dovecot2.sieve.extensions = [ "fileinto" "mailbox" ];
in
{
services.dovecot2.sieve.extensions = [
"fileinto"
"mailbox"
];
services.dovecot2.sieve.scripts.before = pkgs.writeText "blargsieve" sieve_text;
}


@@ -1,8 +1,11 @@
{ inputs, lib, config, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;


@@ -9,7 +9,9 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "lp0onfire"; # Define your hostname.
vacu.hostName = "lp0onfire"; # Define your hostname.
vacu.shortHostName = "lp0";
vacu.shell.color = "green";
# Set your time zone.
time.timeZone = "America/Los_Angeles";
@@ -73,4 +75,3 @@
# internalInterfaces = [ "ztrf26rjvk" ];
# };
}


@@ -1,25 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
fileSystems."/" = {
device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/36B4-78A2";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/36B4-78A2";
fsType = "vfat";
};


@@ -1,4 +1,10 @@
{ config, lib, pkgs, inputs, ... }:
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [
@@ -6,6 +12,8 @@
./flake-registry.nix
];
vacu.shell.color = "white";
environment.etc."resolv.conf".text = lib.mkForce ''
# nameserver 10.78.79.1
nameserver 9.9.9.10
@@ -25,7 +33,7 @@
experimental-features = nix-command flakes
'';
environment.sessionVariables."PS1" = "\\w $ ";
#environment.sessionVariables."PS1" = "\\w $ ";
# Set your time zone
time.timeZone = "America/Los_Angeles";


@@ -5,5 +5,5 @@
type = "path";
path = inputs.nixpkgs.outPath;
};
nix.nixPath = [ "nxipkgs=flake:nixpkgs" ];
nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
}

35
nixvim/default.nix Normal file

@@ -0,0 +1,35 @@
{ ... }:
let
in
{
opts = {
smartindent = true;
expandtab = true;
shiftwidth = 2;
softtabstop = -1;
};
plugins.comment.enable = true;
plugins.surround.enable = true;
plugins.lsp = {
enable = true;
onAttach = builtins.readFile ./nixd-init.lua;
servers = {
bashls.enable = true;
jsonls.enable = true;
# nil-ls.enable = true;
nixd = {
enable = true;
};
pyright.enable = true;
tsserver.enable = true;
lua-ls.enable = true;
rust-analyzer = {
enable = true;
installCargo = false;
installRustc = false;
};
html.enable = true;
yamlls.enable = true;
};
};
}
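Review bot: The `let` `in` at the top binds nothing and `{ ... }:` takes no arguments, so the module can start directly at the attribute set; empty scaffolding tends to collect unrelated bindings later. `onAttach = builtins.readFile ./nixd-init.lua;` presumably runs that Lua for every LSP client nixvim attaches, not just nixd, and the script's own name check is what keeps it a no-op elsewhere; a comment here saves the reader the round trip, e.g. `# runs on every server attach; the script itself returns early unless the client is nixd`.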

22
nixvim/nixd-init.lua Normal file

@@ -0,0 +1,22 @@
--@param client vim.lsp.Client
local function init_per_dir_nixd(client)
if client.workspace_folders == nil then
return
end
local path = client.workspace_folders[1].name
local command = client.config.cmd[1]
local name = string.gsub(command, "(.*/)(.*)", "%2")
local is_nixd = name == "nixd"
local is_nix_stuff = (path == '/home/shelvacu/dev/nix-stuff' or path == '/home/shelvacu/nix-stuff' or path == '/data/data/com.termux.nix/files/home/nix-stuff')
if is_nixd and is_nix_stuff then
local get_flake = "(builtins.getFlake \"" .. path .. "\")"
client.config.settings["nixd"].options = {
nixos = { expr = get_flake .. ".nixosConfigurations.fw.options", },
["home-manager"] = { expr = get_flake .. ".homeConfigurations.\"nix-on-droid\".options", },
["nix-on-droid"] = { expr = get_flake .. ".nixOnDroidConfigurations.default.options", },
}
client.notify("workspace/didChangeConfiguration", { settings = client.config.settings, })
end
end
init_per_dir_nixd(client)
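Review bot: `client.config.settings["nixd"].options = { ... }` indexes `.options` on whatever `settings["nixd"]` is, so it raises a Lua error if that table is absent, and `client.workspace_folders[1].name` raises the same way when the folder list is present but empty; guard both before use, e.g. `local nixd = client.config.settings["nixd"]` followed by `if nixd == nil or client.workspace_folders[1] == nil then return end`. The first line's annotation should be `---@param client vim.lsp.Client` (three dashes) for the Lua language server to read it. The fixed-path allow-list in `is_nix_stuff` is what keeps `builtins.getFlake` from being pointed at an arbitrary workspace, which is worth stating in a comment, e.g. `-- only these known checkouts are evaluated; getFlake on an untrusted workspace would evaluate that workspace's Nix code`.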


@@ -15,7 +15,9 @@
writeText,
lib,
}@args:
stdenv.mkDerivation (self: let
stdenv.mkDerivation (
self:
let
# this script depends on an old version of libsmi's smistrip
libsmi = stdenv.mkDerivation rec {
pname = "libsmi";
@@ -39,7 +41,8 @@ stdenv.mkDerivation (self: let
platforms = lib.platforms.linux ++ lib.platforms.darwin;
};
};
in rec {
in
rec {
pname = "snmp-mibs-downloader";
version = "1.6";
@@ -68,7 +71,10 @@ in rec {
preInstall = ''
mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
'';
installFlags = [ "INSTALL=install" "DESTDIR=$(out)" ];
installFlags = [
"INSTALL=install"
"DESTDIR=$(out)"
];
postInstall = ''
mv $out/usr/* $out
rmdir $out/usr
@@ -77,7 +83,20 @@ in rec {
mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
cat <<EOF > $out/bin/download-mibs
#!${bash}/bin/bash
PATH=${lib.escapeShellArg (lib.concatStringsSep ":" (lib.flip map [ coreutils gzip gnutar unzip wget gnupatch ] (p: "${p}/bin")))}
PATH=${
lib.escapeShellArg (
lib.concatStringsSep ":" (
lib.flip map [
coreutils
gzip
gnutar
unzip
wget
gnupatch
] (p: "${p}/bin")
)
)
}
SMISTRIP=${libsmi}/bin/smistrip
CONFDIR=$out/etc/snmp-mibs-downloader
source $out/bin/.download-mibs-unwrapped
@@ -85,7 +104,7 @@ in rec {
chmod u+x $out/bin/download-mibs
'';
env.NIX_DEBUG="7";
env.NIX_DEBUG = "7";
# solutions.default = {
# scripts = [ "bin/download-mibs" ];
# interpreter = "${bash}/bin/bash";
@@ -101,4 +120,5 @@ in rec {
meta = {
mainProgram = "download-mibs";
};
})
}
)
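Review bot: `env.NIX_DEBUG = "7";` in the fourth hunk is a debugging leftover that the reformat preserves rather than removes; at that level the stdenv setup becomes very verbose (from 6 upward it appears to enable shell tracing), which bloats build logs for no benefit once the package works. Either delete the line or mark it as temporary, e.g. `env.NIX_DEBUG = "7"; # TODO remove: build-debugging only`. The same applies to `env.NIX_DEBUG = "2";` in the snmpb override in the next file.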


@@ -12,7 +12,9 @@
breakpointHook,
}@args:
stdenv.mkDerivation (finalAttrs: let
stdenv.mkDerivation (
finalAttrs:
let
# ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
libsmi = finalAttrs.passthru.libsmi;
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
@@ -21,7 +23,8 @@ stdenv.mkDerivation (finalAttrs: let
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
# $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
in {
in
{
pname = "snmpb";
version = "0.9pre1";
@@ -31,14 +34,19 @@ in {
proFile = "${finalAttrs.pname}.pro";
makeFile = "makefile.${finalAttrs.pname}";
smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
libsmi = args.libsmi.overrideAttrs (final: prev: {
libsmi = args.libsmi.overrideAttrs (
final: prev: {
#preConfigure = (prev.preConfigure or "") + "\n" + ''
# appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
#'';
configureFlags = (prev.configureFlags or []) ++ ["--with-pathseparator=;" "--with-smipath=${finalAttrs.passthru.smipath}"];
env.NIX_DEBUG="2";
configureFlags = (prev.configureFlags or [ ]) ++ [
"--with-pathseparator=;"
"--with-smipath=${finalAttrs.passthru.smipath}"
];
env.NIX_DEBUG = "2";
pname = prev.pname + "-for-snmpb";
});
}
);
libsmi-data = stdenv.mkDerivation {
name = "libsmi-snmpb-data";
phases = "unpackPhase installPhase";
@@ -121,4 +129,5 @@ in {
description = "GUI SNMP browser and MIB editor wrtten with Qt";
};
})
}
)


@@ -0,0 +1,120 @@
wireguard_key: ENC[AES256_GCM,data:Ioqe0/obRUgMNJsM/R92HB+OMsyRbQxvzjI7we6X4gOw7B+QlsP3ofAd4HI=,iv:tcw8FSYKh3yIKDivM7TRD832KiFFbr2NA9UrUjo74D4=,tag:st6P6iYXxg4aPO7a2g9gIQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZGlscG0ySERXNU44cWFu
a2NYL1NGMjlNeUVpbTZkWWVFRk5aMUVGTGxVCm50ditHM3JHUnBzTWxvVnRvblhq
YjhQQWZOeXIwUUxEeVlhVlJyM1I3c0UKLS0tIEVHcDFTa0c0YUd2OEcxSG5Pd3V3
Sm45MXdxbDlnME00OU14NWROQkIzbkUKa047XyOqiwi/x8pf2zOk1j3jBCxGdU2e
vL1csTIcipPN1RVdoauCzQd5KPTsRXUarD44eHVIz1VS8WZZuXoOfw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReXh1SW1SUVJBaGowTjhp
NnE1NHZzeE1KUGFJSWs5a085NW9MT0JZYUVBCktxMWlHeEN1SDJISEFqM1prSEdY
cTFSMFVVNDRQMGd2TkhMcWoySDJ6OWsKLS0tIGl4eXdFR1dBVWMyeWVsVHlaWlZU
OG95ZUV0M0g2YlBpY2pnT3FRczhtUFEKaOMBpksiSZx4QD8WbwuHEvPV4QkOKriG
MIMxbs6C5aAmvS9PwbBwpYCntI+tnuZyvKU+rFzxs4yQO8Al+hf/XA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UkFQSXROaGpONGNYbCtD
NzBVcjY0SHVQS0FUaWFZYUFSR1luRWpaY3gwCmI0N3FpbGNReGRQTVMzMmtOTGdS
MFFLbnhwWUdueHFUUVBDbVREL3JYZ0UKLS0tIG4zK3dHejBWeDljckp6ZlVVeXpp
TjZIZTllaEJDQ3hGcTFoMm1LYzh1bG8KLs2VVtIaM6iLON8HYpR+YUKFZe2MKYZH
z4pIVN1LGu5pQ3woN341FD7U4ewhMFkDy/LveQ6Q99VjnyTmeHEhlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUXVZQjdEZWxzemdmTTVF
cVhvYzJFbWkvdERLdjJBblpWUHJXdmpzS1RzCkdlNXpxYm1DWTUxZVVHcmtmT2Zx
cUZlSXoyOWMzSnhzOStmbHA4YlJBcGMKLS0tIDhqSG0rUWRKMzJISjlWSzRoVDQ3
NjJwbUlaK0JoMi9kU0FyM3NGUEVzazQKXzxR+hFpk8zQD7OMvf6ub7OG4BXsLRXJ
aHXwbu0DcEvBm66CDDkmvAJVrZ+dntyWt9CRD7WRgJ1C36qq8l2eMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyaDdBZytQc1ZHU2drVmdQ
c25kbmhEajlQOVB0dEZHK3FFV2lIL1E4R0VvCjdoK2NaNlE4aVZPOFNQbWxxNjBv
b3diWFJ3c0g0cnN0aWFPODlHVExiejgKLS0tIEwvMlR0aG94QWRsazEwTm9xdFM2
ZDExY3UwRzcrNCtybFJUbW5Ga3JkcmMK2U2GtnIfUHTpqW2nikOVqCMjynLiRyv+
qFu5i7gpf/O5pzEOoTOO6ezFwY4WbnUJydbjAEFQ8Zymr1cWaR5g5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUE8yRzNCbnhGQ2FXTWJS
M2M0cDl5R2NxT1ZKNXMwaHlDdUorbmRtWGdzCmdocnh2a29LczZ5czhUTHJpYlVE
NkFOUE50SGZMZXFjRXZueEk3bnpzNXcKLS0tIDBvZkNyWHdMNzVkbzZRK212VW1M
WkFXaGZEOGdsbjN4UnNUYVZ0MTdNN0EKPMY1BU1RpECDLvGY0TJKtTdXuRX8HTtW
i+VTbWFsw92itL5Sjy3dAYBECpopQWQRNFz9WYH8LpfUOO9jhAGNyQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArd1hwM2FQUUZkMDZIcS9G
UGVESCs5UzhYaTFXMkxaWTdYdGFEMnZVZFNzCm1ubXF2Ulpkek0zVytkRU9KOGZF
Qzc1M0lpN0ZyVE5tZWZHOTRhYk8yZjAKLS0tIFFMMWU0MzFSNVBxbS9JL2RlS0xm
Y01DWlBqVW9UbGI0bnR3Z0dnOHpDM28KzmIZ130SqrzrDHt/T7EuRcrhDudxkaWg
uOquZK6CmGhI0ZvLWwpCvANj6drTL7c+aVcATxOsrOp1FNi4c5jzoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncjBwUUl6blJTTXBNRHpo
U1VKYlV5OS9SWkN2UlpQUGdFZWU5OG5KT1ZrCnpkeXA2WnlrSm0zQUJJVFRuNXY5
SFFiMnp3alJxOCtRQTdpM0JGb0s2cGsKLS0tIDFHVFhXb211ZXVHNUgrYkJQTTdY
elZzWGVLamN5dVVBQmhURGdVdWhxQ2MKbeFLihAg/OfeAiEgtCL+FBBGrzwNIijS
oNAjQiMN+g2+5P1Z6J9KN+zU3tVPeHk2vSTceZQA2kbRdOOZUYsunA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQk8xVnVxaVNPTXdWOGl4
N2hLdFpNMDlPQUF1bXU0eXFBRDFKVEZ3bERRCkNWektSK3kzOGdIQjF3K0xUc08x
MHRkUUx1U0hBUmhoSUprUWNsd3BNUHMKLS0tIE9scFhHcWtNM0I1M05jVEh4OE92
R1BYdGRqemNLRHhsK1NtM3JIempuUzQKWwGrRKR3rtynmqqYgvQiyg3YZhpppfmS
7e5YYCGTcrKgexXF1NYpsHqx3Fu4g1l2a1axmBKEmSkadxh/q+yeiQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUEpaUnloOHEwaXoxMGpy
Z0s2YUlRQUMrQ0FYREFzL2hqbWZiSFpPMUFFCk1pT2ZKczNCRjRnelpFKy9GTGgv
MFZIdTFtbjVQdEc2QnRKZkhWMmI4TDgKLS0tIGlTWU9CM1E2aXoxOUFDSWtmQTF0
RTFQZ3VWejFKcFZwcHo2NDh0Zlh6NTgKCVV5rjpJYzO/l3Ys0N765CIUaUMwqlv2
7DGu9Wrn+Hlgeu3hxggau1tOBBYWIMywjn/aEM/dK6mrZGgkiddoOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBya1c5ay80d1ZhRVZHc0Mw
K25oWjFrNGVhSFFKdEJ0VW8vaEEvUG1rbW00CmUrL1FsYUdBa2lEd2liakREaE1X
YkcrNC9OdkJEM2VLU3ZNNmdkQmlsYkEKLS0tIDNlbXJsNnhEZEw4bWticE1JTlZO
MEhjMTRyN1BnODN2UGNnN3lhdzROSFUK7XPx0X7GDM5IHFjQ0L8gxKBRoSouwPND
rgrz/a3Wm0dJhZ/dmGVM0SK0E2etAif/odNZdzydQphU9jfOd8DQ2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UHpKN2dMTUNBL3BVZlRC
cUM2ZkMzK1drbTdZbUJwN3I3Vk5CdGxUQ2pJCkVCZ2hqLzN0OFBGSWIzcXMwbGdW
OVRibnpiSkFWcWtyNlBGSnYrOW90Nk0KLS0tIDFObnRuV1NwYWVTL2xqakVISExW
M3poNGc3TU1lQVBkWXVkUXpWMnpCZ2cKdtJQTIXfjb7KS4Twsv3+ecZdMl0uw8Bo
IlzM681gtSJzv9ONW5dyjUb/MxqhOkaMTnh7fV0bnCOo9Q7YBNg6Gw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-12T00:54:14Z"
mac: ENC[AES256_GCM,data:oUKTbXa8vaQKWiySoNNRp5wbSJXRYXzrwoWSc8u9Hg8fmala6YIYj1+rb/YkS+DFzsT8/C6XqD1XYMpFgiJJLtZ4aa3LbuHqKw/pESqgKhsssT/wvnV7svgmlUXJhTtKY1wWcF5nE++nOLDMmyaIzfCkBPnX1OmbSZiveEDBDgI=,iv:S6UAXB0bNEcZv1Sb76oWQCcRMnDt5MRsFFG9/zZWf7g=,tag:2tdlnyF1SsPyQAcuD9McEg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
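Review bot: The new file encrypts a single `wireguard_key` to thirteen age recipients, so any one of those private keys can recover it; if the recipients correspond to different machines (which this page does not show), that is wider than least privilege for a per-host WireGuard key, and narrowing the creation rule for this file to the host that uses it, then running `sops updatekeys`, would limit the blast radius of one compromised host key. If all thirteen are intentionally equivalent (for example user keys plus a single host), a note in the repository's sops creation rules documenting that would save the next reader the question.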


@@ -1,7 +1,17 @@
{ pkgs, nodes, lib, ... }: let
{
pkgs,
nodes,
lib,
...
}:
let
certs = import ../deterministic-certs.nix { nixpkgs = pkgs; };
relayDomain = "relay.test.example.com";
rootCA = certs.selfSigned "liam-test" { ca = true; cert_signing_key = true; cn = "Liam test CA"; };
rootCA = certs.selfSigned "liam-test" {
ca = true;
cert_signing_key = true;
cn = "Liam test CA";
};
relayCert = certs.caSigned "liam-relay" rootCA {
ca = false;
signing_key = true;
@@ -20,7 +30,14 @@
testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
sopsTestSecrets = {
"dovecot-passwd" = (lib.concatStringsSep "\n" (map (name: "${name}:{plain}${name}::::::") [ "shelvacu" "julie" ])) + "\nbackup:::::::";
"dovecot-passwd" =
(lib.concatStringsSep "\n" (
map (name: "${name}:{plain}${name}::::::") [
"shelvacu"
"julie"
]
))
+ "\nbackup:::::::";
dkim_key = ''
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANn62hMdcFw4znAB
@@ -41,21 +58,28 @@
'';
relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
};
sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (builtins.toJSON sopsTestSecrets);
sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" {} ''
sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (
builtins.toJSON sopsTestSecrets
);
sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" { } ''
mkdir -p $out/liam
SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${sopsTestSecretsYaml} --output-type yaml > $out/liam/main.yaml
'';
in {
in
{
name = "liam-receives-mail";
nodes.ns = { lib, nodes, ... }: let
nodes.ns =
{ lib, nodes, ... }:
let
liam_config = nodes.liam;
in {
in
{
networking.firewall.allowedUDPPorts = [ 53 ];
services.bind.enable = true;
services.bind.extraOptions = "empty-zones-enable no;";
services.bind.zones = [{
services.bind.zones = [
{
name = ".";
master = true;
file = pkgs.writeText "root.zone" ''
@@ -63,30 +87,35 @@ in {
. IN SOA ns. fake-hostmaster.example.com. ( 1 1 1 1 1 )
. IN NS ns.
${relayDomain}. IN A ${nodes.relay.networking.primaryIPAddress}
${lib.concatMapStringsSep "\n"
(node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}")
(builtins.attrValues nodes)
}
${lib.concatMapStringsSep "\n"
(d: ''
${lib.concatMapStringsSep "\n" (
node: "${node.networking.hostName}. IN A ${node.networking.primaryIPAddress}"
) (builtins.attrValues nodes)}
${lib.concatMapStringsSep "\n" (d: ''
${d}. IN A ${nodes.liam.networking.primaryIPAddress}
${d}. IN MX 0 ${d}.
${d}. IN TXT ( "v=spf1 mx -all" ) ;
${liam_config.services.opendkim.selector}._domainkey.${d}. IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ+toTHXBcOM5wAQirYejeCQ/F6zXswmG78q1HFaRpJDF90wvbBMmYBlemNgrPydkOoympAuO513m81RHZP5FrAKY+Cez0JeLfxt739a3XyAkMdaSLKbJqkCrGLoFBtfBLoBGc3pWot/p+FMKrHneOedWkbcGsLPHSUHjzhBKtQQIDAQAB" )
'')
liam_config.vacu.liam.domains
}
'') liam_config.vacu.liam.domains}
'';
}];
}
];
};
nodes.relay = { lib, pkgs, config, ... }: let
nodes.relay =
{
lib,
pkgs,
config,
...
}:
let
mailpit = pkgs.mailpit;
dir = "/var/lib/mailpit";
in {
in
{
networking.firewall.enable = false;
users.groups.mailpit = {};
users.groups.mailpit = { };
users.users.mailpit = {
isSystemUser = true;
home = dir;
@@ -107,19 +136,27 @@ in {
# serviceConfig.Restart = "always";
serviceConfig.User = config.users.users.mailpit.name;
serviceConfig.Group = config.users.groups.mailpit.name;
serviceConfig.AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
wantedBy = [ "multi-user.target" ];
};
};
nodes.liam = { lib, ... }: {
nodes.liam =
{ lib, ... }:
{
imports = [ ../liam ];
vacu.underTest = true;
#systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}";
systemd.services."acme-liam.dis8.net".enable = lib.mkForce false;
systemd.timers."acme-liam.dis8.net".enable = lib.mkForce false;
systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [ "postfix.service" "dovecot2.service" ];
systemd.services."acme-selfsigned-liam.dis8.net".before = [ "postfix.service" "dovecot2.service" ];
systemd.services."acme-selfsigned-liam.dis8.net".wantedBy = [
"postfix.service"
"dovecot2.service"
];
systemd.services."acme-selfsigned-liam.dis8.net".before = [
"postfix.service"
"dovecot2.service"
];
vacu.secretsFolder = "${sopsTestSecretsFolder}";
vacu.liam.relayhost = "[badhost.blarg]:587 [${relayDomain}]:587";
system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
@@ -140,12 +177,21 @@ in {
security.pki.certificateFiles = [ rootCA.certificatePath ];
};
nodes.checker = { pkgs, lib, ... }: {
nodes.checker =
{ pkgs, lib, ... }:
{
environment.systemPackages = [
pkgs.wget
pkgs.python311Packages.imap-tools
pkgs.python311
(pkgs.writers.writePython3Bin "mailtest" { libraries = with pkgs.python3Packages; [ imap-tools requests ]; } ''
(pkgs.writers.writePython3Bin "mailtest"
{
libraries = with pkgs.python3Packages; [
imap-tools
requests
];
}
''
# flake8: noqa
# #!${pkgs.python311}/bin/python
import sys
@@ -154,7 +200,8 @@ in {
#sys.path.append("${pkgs.python311Packages.urllib3}/lib/python3.11/site-packages")
#sys.path.append("${pkgs.python311Packages.requests}/lib/python3.11/site-packages")
${builtins.readFile ./mailtest.py}
'')
''
)
];
networking.nameservers = lib.mkForce (lib.singleton nodes.ns.networking.primaryIPAddress);
};
@@ -166,7 +213,9 @@ in {
liam.wait_for_unit("nginx.service")
liam.wait_for_open_port(80)
liam.copy_from_host("${pkgs.writeText "acme-test" "test"}", "${nodes.liam.security.acme.defaults.webroot + "/.well-known/acme-challenge/test"}")
liam.copy_from_host("${pkgs.writeText "acme-test" "test"}", "${
nodes.liam.security.acme.defaults.webroot + "/.well-known/acme-challenge/test"
}")
checker.succeed("wget http://liam.dis8.net/.well-known/acme-challenge/test")
liam.wait_for_unit("postfix.service")
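Review bot: In the `nodes.checker` hunk the explicit `pkgs.python311Packages.imap-tools` and `pkgs.python311` entries look redundant once `writePython3Bin` supplies `imap-tools` and `requests` via `libraries`, and the two commented-out `sys.path.append` lines are the dead remains of the earlier approach; dropping the extras and the comments would make the intent clearer. In the `nodes.ns` zone template, `liam_config` is bound for exactly this purpose yet one line still reaches through `nodes.liam.networking.primaryIPAddress` while the next uses `liam_config.services.opendkim.selector`; using `liam_config` in both places keeps the file consistent. The enclosing `let` of this test starts in the first hunk and the test script continues past the last one.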


@@ -1,18 +1,26 @@
{ pkgs, nodes, ... }: {
{ pkgs, nodes, ... }:
{
name = "trip-megatest";
nodes.triple-dezert = { lib, config, ... }: let
nodes.triple-dezert =
{ lib, config, ... }:
let
domains = builtins.attrNames config.security.acme.certs;
disableAcmes = builtins.listToAttrs (
map (d: {
name = "acme-${d}";
value = { enable = lib.mkForce false; };
value = {
enable = lib.mkForce false;
};
}) domains
);
reEnableSelfsigned = builtins.listToAttrs (
map (d: {
name = "acme-selfsigned-${d}";
value = { wantedBy = [ "container@frontproxy.service" ]; before = [ "container@frontproxy.service" ]; };
value = {
wantedBy = [ "container@frontproxy.service" ];
before = [ "container@frontproxy.service" ];
};
}) domains
);
unitsToDisable = [
@@ -23,17 +31,20 @@
disableUnits = builtins.listToAttrs (
map (u: {
name = u;
value = { enable = lib.mkForce false; };
value = {
enable = lib.mkForce false;
};
}) unitsToDisable
);
in {
in
{
imports = [ ../triple-dezert ];
vacu.underTest = true;
systemd.services = disableAcmes // reEnableSelfsigned;
systemd.units = disableUnits;
#vacu.secretsFolder = ./test_secrets;
#sops.age.sshKeyPaths = [ ./test_key ];
boot.zfs.extraPools = lib.mkForce [];
boot.zfs.extraPools = lib.mkForce [ ];
security.acme.defaults.email = lib.mkForce "me@example.org";
security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
};


@@ -1,13 +1,23 @@
{ config, pkgs, inputs, lib, ... }:
{
config,
pkgs,
inputs,
lib,
...
}:
let
prefix = "10.16.237.";
tripAddr = prefix + "2";
awooAddr = prefix + "1";
devName = "at4"; # It was my fourth attempt before it worked...
tunnelName = "awootrip";
in {
in
{
systemd.network.netdevs.${devName} = {
netdevConfig = { Kind = "tun"; Name = devName; };
netdevConfig = {
Kind = "tun";
Name = devName;
};
enable = true;
};


@@ -1,24 +1,37 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.vacu;
databases = attrValues cfg.databases;
authText = flip (concatMapStringsSep "\n") databases
(d:
authText = flip (concatMapStringsSep "\n") databases (
d:
if d.authByIp != null then
# host database user address auth-method [auth-options]
''host "${d.name}" "${d.user}" ${d.authByIp}/32 trust''
else
# local database user auth-method [auth-options]
''local "${d.name}" "${d.user}" peer'')
;
''local "${d.name}" "${d.user}" peer''
);
in
{
options.vacu.databases = mkOption {
default = {};
default = { };
description = "Databases that should be created and how they should be accessed";
type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
type = types.attrsOf (
types.submodule (
{
name,
config,
options,
...
}:
{
options = {
name = mkOption {
type = types.str;
@@ -41,7 +54,9 @@ in
description = "If true, user is authenticated based on connecting to the unix socket from a process running as the user";
};
};
}));
}
)
);
};
config = {
@@ -55,9 +70,7 @@ in
package = pkgs.postgresql_16;
dataDir = "/var/postgres/data/${package.psqlSchema}";
enableJIT = true;
initdbArgs = [
"--waldir=/var/postgres/wal/${package.psqlSchema}"
];
initdbArgs = [ "--waldir=/var/postgres/wal/${package.psqlSchema}" ];
ensureUsers = [
{
name = "root";
@@ -74,6 +87,11 @@ in
'';
};
systemd.services.postgresql.postStart = "\n#START stuff from database.nix\n" + (concatMapStringsSep "\n" (d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' '') databases) + "\n#END stuff from database.nix\n";
systemd.services.postgresql.postStart =
"\n#START stuff from database.nix\n"
+ (concatMapStringsSep "\n" (
d: ''$PSQL -tAc 'ALTER DATABASE "${d.name}" OWNER TO "${d.user}";' ''
) databases)
+ "\n#END stuff from database.nix\n";
};
}
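Review bot: The reformatted `authText` emits `host "${d.name}" "${d.user}" ${d.authByIp}/32 trust`, which grants the database role to anything that can source packets from that address with no credential at all; that is only sound while `authByIp` addresses are reachable solely from the intended container, and the file should say so, e.g. `# "trust" by source IP: safe only because authByIp is a container address on the host-private network, so nothing else can originate traffic from it`. Also `d.name` and `d.user` are interpolated unquoted-for-SQL into both the pg_hba line and the `ALTER DATABASE ... OWNER TO` statement in the last hunk, so a name containing a double quote would break or alter the statement; a comment on the option (or a `lib.asserts` check) pinning names to `[A-Za-z0-9_-]` would make that contract explicit. The options block is cut by the second hunk, so the `name` option's description is not visible here.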


@@ -1,6 +1,6 @@
{ config, pkgs, inputs, lib, ... }: {
imports =
[
{ config, pkgs, ... }:
{
imports = [
../common/nixos.nix
./hardware-configuration.nix
./awootrip.nix
@@ -14,13 +14,10 @@
./static-stuff.nix
#./vms.nix
./networking.nix
./devver-host.nix
./emily.nix
./jellyfin.nix
];
system.nixos.tags = [ "host-${config.networking.hostName}" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
#todo: increase boot partition size
@@ -34,16 +31,22 @@
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "triple-dezert";
vacu.hostName = "triple-dezert";
vacu.shortHostName = "trip";
vacu.shell.color = "yellow";
vacu.verifySystem.expectedMac = "b8:ca:3a:68:15:c8";
services.xserver.enable = false;
vacu.packages = with pkgs; [
vacu.packages =
(with pkgs; [
zfs
smartmontools
openvpn
nvme-cli
tshark
])
++ [
config.services.postgresql.package
(pkgs.writeScriptBin "into-nix-cache" ''
if [[ $UID -ne 0 ]]; then exec sudo $0 "$@";fi
@@ -54,7 +57,10 @@
"$@"
'')
];
hardware.opengl.extraPackages = [ pkgs.intel-compute-runtime pkgs.ocl-icd ];
hardware.opengl.extraPackages = [
pkgs.intel-compute-runtime
pkgs.ocl-icd
];
services.openssh = {
enable = true;
@@ -62,14 +68,6 @@
ports = [ 6922 ];
};
system.copySystemConfiguration = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
@@ -81,4 +79,3 @@
networking.hostId = "c871875e";
hardware.enableAllFirmware = true;
}
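Review bot: `vacu.verifySystem.expectedMac = "b8:ca:3a:68:15:c8";` in the third hunk is undocumented at its use site, and a reader may take a MAC check for an authentication mechanism; presumably it is a guard against activating this host's configuration on the wrong machine, which a comment should state along with its limit, e.g. `# sanity check that this config is activated on the intended box; a MAC is a label, not a secret, so this is not a security boundary`. The `into-nix-cache` script in the same hunk re-executes itself via `exec sudo $0 "$@"`, which is fine for a store path but deserves one line saying why root is required.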


@@ -1,140 +0,0 @@
{ pkgs, lib, config, inputs, ... }: let
qemu-pkg = pkgs.qemu_kvm;
#rootPath = "/trip/devver-vm/root";
bootPath = "/trip/devver-vm/boot";
installer = inputs.self.nixosConfigurations.shel-installer;
installerIsoDeriv = installer.config.system.build.isoImage;
installerIsoPath = "${installerIsoDeriv}/iso/${installerIsoDeriv.name}";
bootInstaller = false;
tapdev = "qemu-devver";
tapdev-int = "qemu-devver-int";
commonArgs = [
"${qemu-pkg}/bin/qemu-kvm"
"-name" "devver"
# https://www.qemu.org/docs/master/system/i386/microvm.html
# "microvm" is basically no-batteries-included, and should allow including only the things we need
"-machine" "microvm,accel=kvm,dump-guest-core=off,mem-merge=off,acpi=on,pcie=on,pic=off,pit=off,usb=off"
"-m" "8G"
"-smp" "12"
"-nodefaults"
"-no-user-config"
"-chardev" "stdio,id=stdio,signal=off"
"-serial" "chardev:stdio"
"-monitor" "none"
"-device" "virtio-rng-pci"
"-enable-kvm"
"-cpu" "host,-sgx"
"-usb"
"-device" "usb-kbd"
"-nographic"
# do I need/want QMP here?
"-device" "virtio-balloon"
"-object" "memory-backend-memfd,id=mem,size=8G,share=off"
"-numa" "node,memdev=mem"
# I don't understand, the docs for "-drive" says it's a shortcut for -blockdev and -device, but all the real-world code has -drive and -device
#"-drive" "file=/trip/devver-vm/disk-image/root.img,discard=unmap,if=none,format=raw,cache=none,id=root-disk"
"-blockdev" "driver=raw,node-name=root-disk,file.driver=file,file.filename=/trip/devver-vm/disk-image/root.img,discard=unmap,cache.direct=on"
"-device" "virtio-blk-device,drive=root-disk,write-cache=off"
"-fsdev" "local,id=fs0,path=${bootPath},security_model=mapped-xattr,fmode=0600,dmode=0700"
"-device" "virtio-9p-pci,fsdev=fs0,mount_tag=boot"
"-netdev" "tap,id=vm-devver,ifname=${tapdev},script=no,downscript=no"
#Why 34? No idea! Best hint I could find is in the mailing list about the serial driver: https://lists.nongnu.org/archive/html/qemu-devel/2013-01/msg05952.html
"-device" "virtio-net-pci,netdev=vm-devver,mac=02:19:07:A2:15:72,romfile=,mq=on,vectors=34"
"-netdev" "tap,id=vm-devver2,ifname=${tapdev-int},script=no,downscript=no"
"-device" "virtio-net-pci,netdev=vm-devver2,romfile=,mq=on,vectors=34"
];
installerArgs = [
# "-boot" "once=d"
# "-cdrom" "${installerIsoPath}"
"-drive" "if=virtio,media=cdrom,driver=raw,node-name=disk,file.driver=file,file.filename=${installerIsoPath},file.locking=off,read-only=on"
"-kernel" "${installer.config.system.build.kernel}/${installer.config.system.boot.loader.kernelFile}"
"-initrd" "${installer.config.system.build.initialRamdisk}/${installer.config.system.boot.loader.initrdFile}"
"-append" "${lib.concatStringsSep " " installer.config.boot.kernelParams} init=${installer.config.system.build.toplevel}/init earlyprintk=ttyS0 console=ttyS0 debug"
];
mainArgs = [
"-kernel" "${bootPath}/kernel"
"-initrd" "${bootPath}/initrd"
"-append" "earlyprintk=ttyS0 console=ttyS0"
];
runScript = ''
set -ev
declare -a args
if [ "x$1" == "x--installer" ]; then
args=(${lib.escapeShellArgs (commonArgs ++ installerArgs)})
else
args=(${lib.escapeShellArgs (commonArgs ++ mainArgs)}" $(cat ${bootPath}/kernel-params)")
fi
d=`mktemp -d --tmpdir qemu-devver-XXXXXXXXX`
cd $d
"''${args[@]}"
'';
in {
users.groups.devver = {};
users.users.devver = {
isSystemUser = true;
group = config.users.groups.devver.name;
};
environment.systemPackages = [(pkgs.writeScriptBin "run-devver" runScript) qemu-pkg];
systemd.network.netdevs.${tapdev} = {
netdevConfig = {
Kind = "tap";
Name = tapdev;
};
tapConfig = {
User = config.users.users.devver.name;
Group = config.users.groups.devver.name;
PacketInfo = true;
# KeepCarrier = true;
};
};
systemd.network.netdevs.${tapdev-int} = {
netdevConfig = {
Kind = "tap";
Name = tapdev-int;
};
tapConfig = {
User = config.users.users.devver.name;
Group = config.users.groups.devver.name;
PacketInfo = true;
# KeepCarrier = true;
};
};
systemd.network.networks."02-vm-devver".extraConfig = ''
Bridge = ${config.vacu.network.lan_bridge}
[Match]
Name = ${tapdev}
[Link]
RequiredForOnline = no
'';
systemd.network.networks."02-vm-devver-int".extraConfig = ''
Address = 10.110.171.204/31
DHCP = no
DNS = no
LLDP = no
[Match]
Name = ${tapdev-int}
[Link]
RequiredForOnline = no
'';
# networking.firewall.extraCommands = ''
# if ! (iptables -t nat -n --list devver-prerouting > /dev/null 2>&1); then
# iptables -t nat -N devver-prerouting
# fi
# iptables -t nat -F devver-prerouting
# iptables -t nat -A devver-prerouting -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.78.79.10
# iptables -t nat -I PREROUTING 1 -j devver-prerouting
# '';
# networking.firewall.extraStopCommands = ''
# iptables -t nat -D PREROUTING -j devver-prerouting || true
# '';
}


@@ -1,13 +1,17 @@
{ config, ... }: let
{ config, ... }:
let
sshPort = 32767;
container = config.containers.emily;
in {
in
{
networking.firewall.allowedTCPPorts = [ sshPort ];
networking.nat.forwardPorts = [{
networking.nat.forwardPorts = [
{
destination = container.localAddress;
proto = "tcp";
sourcePort = sshPort;
}];
}
];
containers.emily = {
privateNetwork = true;
@@ -22,7 +26,9 @@ in {
isReadOnly = false;
};
config = { config, ... }: {
config =
{ config, ... }:
{
system.stateVersion = "24.05";
services.openssh.enable = true;


@@ -1,4 +1,10 @@
{ config, pkgs, inputs, lib, ... }:
{
config,
pkgs,
inputs,
lib,
...
}:
let
# How to register a new domain in acme-dns before deploying the nix config:
# From trip:
@@ -12,7 +18,8 @@ let
"pwrhs.win"
"jf.finaltask.xyz"
];
in {
in
{
security.acme.acceptTerms = true;
security.acme.defaults = {
email = "nix-acme@shelvacu.com";
@@ -24,7 +31,14 @@ in {
postRun = "${pkgs.nixos-container}/bin/nixos-container run frontproxy -- systemctl reload haproxy";
};
security.acme.certs = builtins.listToAttrs (map (d: { name = d; value = { extraDomainNames = ["*.${d}"]; }; }) domains);
security.acme.certs = builtins.listToAttrs (
map (d: {
name = d;
value = {
extraDomainNames = [ "*.${d}" ];
};
}) domains
);
users.groups.acme.gid = 993;
@@ -33,25 +47,32 @@ in {
after = [ "network-online.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedUDPPorts = [ 443 ]; # quic!
containers.frontproxy = let outer_config = config; in {
containers.frontproxy =
let
outer_config = config;
in
{
autoStart = true;
restartIfChanged = true;
ephemeral = true;
bindMounts = builtins.listToAttrs (map (d: { name = "/certs/${d}"; value = {
bindMounts = builtins.listToAttrs (
map (d: {
name = "/certs/${d}";
value = {
hostPath = outer_config.security.acme.certs.${d}.directory;
isReadOnly = true;
}; }) domains);
config = { config, pkgs, ... }:
let
haproxySrc = pkgs.runCommand "extract-haproxy" {} ''
cd `mktemp -d`
tar -xf ${config.services.haproxy.package.src}
mv * $out
'';
in {
};
}) domains
);
config =
{ config, pkgs, ... }:
{
system.stateVersion = "23.11";
users.groups.acme.gid = outer_config.users.groups.acme.gid;
users.users.haproxy.extraGroups = [ config.users.groups.acme.name ];
@@ -60,7 +81,7 @@ in {
# # ssl keylogging
# global
# tune.ssl.keylog on
# lua-load ${ pkgs.writeText "sslkeylog.lua" (builtins.readFile ./sslkeylog.lua) }
# lua-load ${pkgs.writeText "sslkeylog.lua" (builtins.readFile ./sslkeylog.lua)}
# haproxy-config.cfg
${builtins.readFile ./haproxy-config.cfg}
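Review bot: The last hunk keeps a ready-to-uncomment `tune.ssl.keylog on` plus `lua-load` of a key-logging script in the production haproxy configuration; on a front proxy that terminates TLS for every listed domain, re-enabling this writes session secrets to disk, so either remove the block or fence it with an explicit comment, e.g. `# DEBUG ONLY: dumps TLS session keys; never enable outside a throwaway test VM`. Separately, the fourth hunk drops the `haproxySrc` binding from the container's `config` function; if nothing outside the hunk referenced it this is a clean removal, otherwise evaluation will fail with an undefined variable.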


@@ -1,22 +1,34 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"nvme"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a4d6a30b-a8b1-460c-9f90-554e61b112fe";
fileSystems."/" = {
device = "/dev/disk/by-uuid/a4d6a30b-a8b1-460c-9f90-554e61b112fe";
fsType = "f2fs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4F4C-7557";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4F4C-7557";
fsType = "vfat";
};


@@ -1,8 +1,8 @@
{ config, pkgs, ... }: let
{ ... }:
let
name = "jellyfin";
contain = config.containers.${name};
in {
in
{
systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
mode = "0755";
};
@@ -20,7 +20,9 @@ in {
isReadOnly = false;
};
config = { pkgs, ... }: {
config =
{ pkgs, config, ... }:
{
system.stateVersion = "24.05";
networking.useHostResolvConf = false;
@@ -32,10 +34,10 @@ in {
dataDir = "/${name}";
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
environment.systemPackages = [
config.services.jellyfin.package
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
};
};
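Review bot: The first hunk changes the module arguments to `{ ... }:` but the outer `let` still binds `contain = config.containers.${name};`, so `config` is now an unbound identifier at that scope and Nix will reject the file with an undefined-variable error (the inner `{ pkgs, config, ... }:` binds a different scope). Restore `{ config, ... }:` on the first line, or delete the `contain` binding if nothing past the visible hunks uses it. The remainder of the module between the hunks is not visible here.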


@@ -1,10 +1,19 @@
{ config, pkgs, inputs, lib, ... }:
{
config,
pkgs,
inputs,
lib,
...
}:
let
name = "jl-stats";
contain = config.containers.${name};
pg = config.services.postgresql.package;
most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override { postgresql = pg; };
in {
name = "jl-stats";
contain = config.containers.${name};
pg = config.services.postgresql.package;
most-winningest = inputs.most-winningest.packages."${config.nixpkgs.system}".default.override {
postgresql = pg;
};
in
{
vacu.databases.${name}.authByIp = contain.localAddress;
networking.firewall.extraCommands = ''
@@ -31,7 +40,9 @@ in {
isReadOnly = false;
};
config = { pkgs, ... }: {
config =
{ pkgs, ... }:
{
system.stateVersion = "23.11";
networking.useHostResolvConf = false;
@@ -54,7 +65,12 @@ in {
};
script = ''
cd ${most-winningest.src}
${pkgs.diesel-cli.override { sqliteSupport = false; mysqlSupport = false; }}/bin/diesel migration run --locked-schema
${
pkgs.diesel-cli.override {
sqliteSupport = false;
mysqlSupport = false;
}
}/bin/diesel migration run --locked-schema
cd /${name}
${most-winningest}/bin/${most-winningest.pname}
'';
@@ -67,7 +83,7 @@ in {
};
environment.systemPackages = [
pg #provides psql binary, helpful for debugging
pg # provides psql binary, helpful for debugging
];
};
};


@@ -1,4 +1,11 @@
{ config, pkgs, inputs, lib, ... }: {
{
config,
pkgs,
inputs,
lib,
...
}:
{
networking.firewall.allowedTCPPorts = [ 636 ];
services.postgresql = {
@@ -8,9 +15,7 @@
ensureDBOwnership = true;
}
];
ensureDatabases = [
"kanidm"
];
ensureDatabases = [ "kanidm" ];
};
environment.systemPackages = [ config.services.kanidm.package ]; # adds the binary to the PATH
@@ -26,7 +31,11 @@
users.users.kanidm.extraGroups = [ "acme" ];
services.kanidm = let tls_dir = config.security.acme.certs."shelvacu.com".directory; in rec {
services.kanidm =
let
tls_dir = config.security.acme.certs."shelvacu.com".directory;
in
rec {
package = inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.kanidm;
enableServer = true;
serverSettings = {


@@ -1,5 +1,13 @@
{ config, pkgs, inputs, lib, ... }:
let contain = config.containers.keycloak; in
{
config,
pkgs,
inputs,
lib,
...
}:
let
contain = config.containers.keycloak;
in
{
vacu.databases.keycloak.authByIp = contain.localAddress;
@@ -19,7 +27,17 @@ let contain = config.containers.keycloak; in
ephemeral = false;
restartIfChanged = true;
config = let outer_config = config; in { config, pkgs, lib, ... }: {
config =
let
outer_config = config;
in
{
config,
pkgs,
lib,
...
}:
{
system.stateVersion = "23.11";
networking.firewall.enable = false;


@@ -1,14 +1,21 @@
# Partially based on https://astro.github.io/microvm.nix/simple-network.html
{ config, lib, ... }: let
{ config, lib, ... }:
let
bridge = config.vacu.network.lan_bridge;
lan_port = "eno1";
in {
doof-wg = config.vacu.network.doof-wg;
in
{
options = {
vacu.network.lan_bridge = lib.mkOption {
type = lib.types.str;
default = "br-main";
readOnly = true;
};
vacu.network.doof-wg = lib.mkOption {
default = "doof-wg";
readOnly = true;
};
};
config = {
networking.useNetworkd = true;
@@ -28,6 +35,22 @@ in {
};
};
systemd.network.netdevs.${doof-wg} = {
netdevConfig = {
Name = doof-wg;
Kind = "wireguard";
};
extraConfig = ''
[WireGuard]
PrivateKeyFile = ${config.sops.secrets.wireguard_key.path}
[WireGuardPeer]
PublicKey = shel/wMBU/Ut2rhAZymW/AYG3ycGfaEN6R2LsEpkqDU=
AllowedIPs = 0.0.0.0/0
Endpoint = tun-sea.doof.net:53263
'';
};
systemd.network.networks."01-lan-bridge".extraConfig = ''
DHCP = no
Address = 172.83.159.53/32
@@ -52,7 +75,7 @@ in {
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
internalInterfaces = [ "ve-+" ];
externalInterface = bridge;
enableIPv6 = false;
};
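Review bot: `PrivateKeyFile = ${config.sops.secrets.wireguard_key.path}` in the new [WireGuard] block is opened by systemd-networkd, which runs as the `systemd-network` user, but the matching declaration `sops.secrets.wireguard_key = {};` in the new triple-dezert/sops.nix hunk sets no owner, group or mode, so with sops-nix's usual defaults (root-owned, 0400 — confirm against the pinned sops-nix) networkd cannot read the key and the netdev comes up without it. Declaring it as `sops.secrets.wireguard_key = { group = "systemd-network"; mode = "0440"; };` keeps the key out of world-readable space while letting networkd open it; verify that group exists on the host at activation. Separately, `vacu.network.doof-wg` declares no `type`, unlike `lan_bridge` directly above it; adding `type = lib.types.str;` keeps the two options consistent. The enclosing `config = { ... }` attribute set continues outside the hunk.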


@@ -2,7 +2,8 @@
#
# to build&copy to binary cache:
# nix copy --to 'file:///trip/nix-binary-cache?parallel-compression=true&secret-key=/root/cache-priv-key.pem&want-mass-query=true&write-nar-listing=true' .#nixosConfigurations."compute-deck".config.system.build.toplevel
{ config, ... }: {
{ config, lib, ... }:
{
containers.nix-cache-nginx = {
privateNetwork = true;
hostAddress = "192.168.100.12";
@@ -16,7 +17,17 @@
isReadOnly = true;
};
config = let outer_config = config; in { config, pkgs, lib, ... }: {
config =
let
outer_config = config;
in
{
config,
pkgs,
lib,
...
}:
{
system.stateVersion = "23.11";
networking.firewall.enable = false;
services.nginx.enable = true;
@@ -27,4 +38,5 @@
};
};
};
vacu.nix.caches.nixcache-shelvacu.url = lib.mkForce "file:///trip/nix-binary-cache";
}

20
triple-dezert/sops.nix Normal file

@@ -0,0 +1,20 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.wireguard_key = {};
};
}
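Review bot: `sops.secrets.wireguard_key = {};` is declared unconditionally in a module whose `defaultSopsFile` is keyed on `config.vacu.hostName`, so every host importing this module must carry a `wireguard_key` entry in its own `main.yaml`; as far as the hunk shows, nothing ties the declaration to the one host whose netdev consumes it, and a host without that entry would presumably fail secret installation at activation. Moving the declaration next to the `systemd.network.netdevs` that uses it, or wrapping it in `lib.mkIf`, keeps this shared module host-agnostic. `options.vacu.secretsFolder` also has no `description`; something like `description = "Directory of per-host sops files, one subfolder per vacu.hostName";` would document the layout the `defaultSopsFile` expression relies on.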


@@ -1,7 +1,14 @@
{ config, pkgs, inputs, lib, ... }:
{
config,
pkgs,
inputs,
lib,
...
}:
let
contain = config.containers.keycloak;
in {
contain = config.containers.keycloak;
in
{
systemd.tmpfiles.settings.asdf."/trip/static-stuff".d = {
mode = "0744";
};
@@ -19,7 +26,9 @@ in {
isReadOnly = true;
};
config = { pkgs, ... }: {
config =
{ pkgs, ... }:
{
system.stateVersion = "23.11";
networking.firewall.enable = false;


@@ -1,4 +1,5 @@
{ config, ... }: {
{ config, ... }:
{
vacu.databases.nextcloud = {
user = "ncadmin";
authByIp = config.containers.vacustore.localAddress;
@@ -24,7 +25,17 @@
isReadOnly = false;
};
config = let outer_config = config; in { config, pkgs, lib, ... }: {
config =
let
outer_config = config;
in
{
config,
pkgs,
lib,
...
}:
{
system.stateVersion = "22.05";
networking.firewall.enable = false;
@@ -48,7 +59,12 @@
database.createLocally = false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar notes tasks contacts;
inherit (config.services.nextcloud.package.packages.apps)
calendar
notes
tasks
contacts
;
# appointments = pkgs.fetchNextcloudApp {
# appName = "appointments";
# url = "https://github.com/SergeyMosin/Appointments/raw/v2.1.4/build/artifacts/appstore/appointments.tar.gz";


@@ -1,26 +0,0 @@
# https://astro.github.io/microvm.nix/host.html
{ pkgs, inputs, config, self, ... }: {
imports = [
inputs.microvm.nixosModules.host
];
microvm.host.enable = true;
# https://gitlab.com/virtio-fs/virtiofsd/-/issues/121
microvm.virtiofsd.inodeFileHandles = "mandatory";
assertions = [{
assertion = config.networking.useNetworkd;
message = "microvm setup requires networkd";
}];
microvm.vms.devver2 = {
autostart = true;
flake = inputs.self;
updateFlake = "git+file:///etc/nixos#devver";
};
# systemd.network.networks."20-devver" = {
# matchConfig.name = "vm-devver";
# networkConfig.Bridge = config.vacu.network.lan_bridge;
# };
}